sig_auth v0.1.0 SigAuth.ExampleCredentialServer
This is an example of the CredentialServer behavior; this GenServer holds the public keys of the authorized users for an application. In a production environment, rather than an in-memory store, a database or file-backed CredentialServer would be appropriate.
To validate nonces, this server simply insists that nonces are monotonically increasing; Linux Epoch time (perhaps given in milliseconds) is an obvious way to accomplish this goal. Further validation could insist that the nonce represents a time +/- N minutes of the server’s system time.
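As an added example (not code from sig_auth), here is a GenServer that holds public keys and enforces the nonce policy described above: strictly increasing per user, with the check and the update done in one call so a replayed nonce cannot slip through between two separate calls, plus the optional window around the server's clock. The function names (`get_public_key/1`, `check_and_update_nonce/2`), the 5-minute window and the millisecond unit are assumptions; the callback names SigAuth.Plug actually expects from a CredentialServer are not shown on this page, so adapt them to the behaviour.

```elixir
# Added example, not part of sig_auth. Nonces are assumed to be Unix epoch
# milliseconds; the CredentialServer callback names are assumed.
defmodule MyApp.WindowedCredentialServer do
  use GenServer

  # Accept nonces within +/- 5 minutes of server time (assumed policy).
  @window_ms 5 * 60 * 1_000

  ## Client API

  def start_link(opts \\ []),
    do: GenServer.start_link(__MODULE__, %{}, Keyword.put_new(opts, :name, __MODULE__))

  def add_user(username, public_key),
    do: GenServer.call(__MODULE__, {:add_user, username, public_key})

  def get_public_key(username),
    do: GenServer.call(__MODULE__, {:get_public_key, username})

  # Checks and records the nonce in a single serialized call, so two
  # concurrent requests carrying the same nonce cannot both pass.
  def check_and_update_nonce(username, nonce),
    do: GenServer.call(__MODULE__, {:nonce, username, nonce})

  ## Server callbacks

  @impl true
  def init(state), do: {:ok, state}

  @impl true
  def handle_call({:add_user, username, public_key}, _from, users) do
    {:reply, :ok, Map.put(users, username, %{public_key: public_key, last_nonce: 0})}
  end

  def handle_call({:get_public_key, username}, _from, users) do
    case users do
      %{^username => %{public_key: key}} -> {:reply, {:ok, key}, users}
      _ -> {:reply, {:error, :unknown_user}, users}
    end
  end

  # Reject anything that is not an integer before comparing or subtracting.
  def handle_call({:nonce, _username, nonce}, _from, users) when not is_integer(nonce),
    do: {:reply, {:error, :bad_nonce}, users}

  def handle_call({:nonce, username, nonce}, _from, users) do
    now = System.system_time(:millisecond)

    with %{last_nonce: last} = user <- Map.get(users, username, {:error, :unknown_user}),
         true <- nonce > last or {:error, :replayed_nonce},
         true <- abs(nonce - now) <= @window_ms or {:error, :nonce_out_of_window} do
      {:reply, :ok, Map.put(users, username, %{user | last_nonce: nonce})}
    else
      {:error, _} = err -> {:reply, err, users}
    end
  end
end
```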
Use
Startup
iex> {:ok, _pid} = SigAuth.ExampleCredentialServer.start_link
...> pub_key = SigAuth.load_key("./test/testing_id_rsa.pub")
...> SigAuth.ExampleCredentialServer.add_user("bob", pub_key)
Authorization
In your top-level API routing plug:
defmodule MyApp.ApiRouter do
  use Plug.Router

  # invalid requests will not make it past this line:
  plug SigAuth.Plug, credential_server: SigAuth.ExampleCredentialServer

  # From here on, we are certain that the request is authenticated, and can
  # trust the client:
  plug :match
  plug :dispatch

  forward "/users", to: MyApp.Handlers.Users
  # ... and so on with the API routing

  match(_), do: send_resp(conn, 404, "")
end