Note: This is a minimum viable product... that said, it works!
Provides a gateway pattern for centralizing the authorization and session management of incoming HTTP requests through a reverse proxy. The authorization mechanism could be made pluggable, since the gateway only ever talks to an auth service that fronts it, but the default implementation uses a Node.js-based LDAP server (ldapjs).
Node.js / npm install:

```
➜ ldap-auth-gateway git:(master) npm install
```

Start LDAP:

```
➜ ldap-auth-gateway git:(master) node ldap.js
```

Start the remaining services:

```
➜ ldap-auth-gateway git:(master) node app.js
```
Attempt to reach target, no auth header:

```
title attempt to reach target no auth header
client->gateway: get/post
gateway->gateway: token? (no)
gateway->auth: auth
auth->auth: parse basic auth header (no header)
auth->gateway: fail auth
gateway->client: fail auth
```

Attempt to reach target, auth header (invalid):

```
title attempt to reach target, auth header (invalid)
client->gateway: get/post
gateway->gateway: token? (no)
gateway->auth: auth
auth->auth: parse basic auth header (okay)
auth->ldap: auth via ldap (bind)
ldap->ldap: server.bind(creds)
ldap->auth: fail
auth->gateway: fail auth
gateway->client: fail auth
```

Attempt to reach target, auth header (valid):

```
title attempt to reach target, auth header (valid)
client->gateway: get/post
gateway->gateway: token? (no)
gateway->auth: auth
auth->auth: parse basic auth header (okay)
auth->ldap: auth via ldap (bind)
ldap->ldap: server.bind(creds)
ldap->auth: succeed
auth->gateway: auth success!
gateway->client: auth success, set token (cookie)
```

Attempt to reach target, valid token:

```
title attempt to reach target, (valid token)
client->gateway: get/post
gateway->gateway: token? (yes!)
gateway->target: proxy request
target->target: echo response
target->gateway: proxy response
gateway->client: target's response
```

User attempts to access target through gateway with no session and no (or invalid) auth credentials.
```
➜ ~ curl --header "Authorization: Basic cm9iOnJvYg==" localhost:8000
Not authorized.
```

User attempts to access target through gateway with no session and valid auth credentials (login: root, password: secret).
```
➜ ~ curl --header "Authorization: Basic cm9vdDpzZWNyZXQ=" localhost:8000
Authorized.
```

Here, a simple token is validated and the request is forwarded to an echo service. Note the x-forwarded-* headers that indicate the forwarding. A roadmap item is client-based secure sessions with a TTL, likely via the Express framework.
```
➜ ~ curl -X POST -d "foo" --header "Cookie: token=12345678" localhost:8000
Echo service: /
{
  "user-agent": "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5",
  "host": "localhost:8000",
  "accept": "*/*",
  "cookie": "token=12345678",
  "content-length": "9",
  "content-type": "application/x-www-form-urlencoded",
  "x-forwarded-for": "127.0.0.1",
  "x-forwarded-port": "52581",
  "x-forwarded-proto": "http",
  "connection": "keep-alive"
}
foo
```
Roadmap:

- Make auth a service call from the gateway to auth, rather than a proxy.
- Move the token check into the auth service so that all session logic is handled there, making the gateway rely on auth completely.
- Replace the home-grown parsing of cookies and Basic auth headers, likely using the Express framework.
- Back LDAP with a user seed file, and offer a non-memory-based alternative, e.g. backed by Riak.
- Move the port and other config to a config file.
- Metrics server falls over under heavy load.