Gandalf Authentication Proxy

Explanation

The Gandalf Authentication Proxy manages authentication in your system so that the rest of your system doesn't have to. Motivated by microservice architecture and polyglot aspirations, applying a system-wide authentication filter removes complexity, duplication, and is ultimately more secure due to its simplicity.

How does it work?

Gandalf acts as a reverse proxy protecting any service that requires authentication. A request that does not contain an appropriate authentication header will be immediately rejected. When a request is appropriately authenticated, Gandalf will pass the request to the service with two additional headers:

USER_ID
USERNAME

The protected service need only concern itself with authorization (see Authentication vs. Authorization). If the service needs to know the user, which it certainly will, it can determine the user based on the provided headers.

Why?

Authentication is often a layer of complexity that interferes with testing and is often reproduced many times in a system. Docker has driven a new software movement in which we build reusable processes of software as opposed to reusable libraries, and so Gandalf exists as its own entity, protecting your system from the evils of the world.

Gandalf also works to reject a user from the system as soon as possible, thus reducing the load unauthorized traffic will create on your system. Gandalf may not be able to survive record breaking Denial-of-service attacks, but it will take a much harder beating than your system can.

tl;dr:

Gandalf takes care of authentication in an attempt to make testing business functionality much easier to do.
Gandalf shuts out unauthorized access so that it doesn't create inappropriate load on your system.
Gandalf allows a consistent, scalable layer of authentication that can be applied to many different services.

How to use it

Docker Image

The Docker image is hosted here. It currently binds to port 8888.

To use the Docker image, configure the following environment variables:

GANDALF_PROXIED_HOST: the hostname:port to proxy authenticated requests
GANDALF_ALLOWED_HOSTS: A Python regular expression of hosts that have the ability to change data within Gandalf (usually the same as GANDALF_PROXIED_HOST)
GANDALF_SIGNING_SECRET: A secret seed used to ensure that access tokens originate from Gandalf
GANDALF_POSTGRES_HOST: the hostname of the PostgreSQL server
GANDALF_POSTGRES_USER: The user used to authenticate with PostgreSQL
GANDALF_POSTGRES_PASSWORD: The password used to authenticate with PostgreSQL
GANDALF_POSTGRES_DB: The database used to store Gandalf data
GANDALF_REDIS_HOST: The hostanme of the Redis server

API Contract

The following endpoints exist for working with Gandalf:

`GET /auth/live`

Returns 200 OK when ready to take requests.

`GET /auth/ready`

Returns 200 OK after confirming that Redis and PostgreSQL are properly configured. Returns 503 w/ an error when not ready.

`POST /auth/login`

Takes a form of credentials (username & password) and returns an access token if successfully authenticated.

Example access token response:

{"access_token": "ZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUo5LmV5SjFjMlZ5U1dRaU9pSTRZVEprTWpZMk5pMDVNR016TFRSaFpqa3RZamsxTUMwNE1HRTRaV0kwTURGaE5HUWlMQ0oxYzJWeWJtRnRaU0k2SW5SbGMzUjFjMlZ5UUcxaWN5SjkuckZlQi1ScXVha3FpLTkxTDJBVjBBM05XNzZ4MW01Y2R5M1hPSm41aGdqVQ=="}

After logging in, to allow use of the system, add the following header to each request:

Authorization: Bearer {access_token}

`GET /auth/logout`

Invalidates the provided access_token. Attempting to use the system with the same access_token will fail for all future requests.

`POST /auth/users/search`

Search for user information (user_id & username) by either a list of user_id or username, but not both. The post expects a form with one-to-many user_id's or username's.