
AuthBridge

54 devlogs
36h 4m 3s

An email -> OpenID authentication provider, similar to Hack Club Auth. Made to bridge the gap of simple authentication in places where it would otherwise be hard, like schools. No JavaScript is used for core functionality.

This project uses AI

The initial OIDC backend logic was made by Copilot, then reviewed and tested by me. No frontend code is AI.

Demo Repository


dhyan

Tagged your project as well cooked!

🔥 dhyan marked your project as well cooked! As a prize for your nicely cooked project, look out for a bonus prize in the mail :)

Trey

Shipped this project!

Hours: 5.64
Cookies: 🍪 85
Multiplier: 12.51 cookies/hr

Goodbye Flavortown!

AuthBridge is an authentication provider that is simple for users and developers. It is similar to Hack Club Auth (which you have used). It uses OpenID Connect for seamless integration into most existing services, and is as transparent as possible; most users will have minimal interaction with this site to get to what really matters, your site. Furthermore, it is simple enough that even beginner developers can use it with little hassle, as there are many libraries that support OpenID. It is great for groups of developers who want to share apps within groups. While the use case can be pretty specific, I think it works very well. This is my final ship, goodbye everyone!

Trey

Show permissions and v1.0.0

You can now see what permissions an app has on its section on the account page.
And with that, AuthBridge is (mostly) production ready! This marks my last devlog on ft, thank you Flavortown!

Trey

Scopes

I am so happy this works now; this was planned from the start but was just now implemented. Every authorization now includes what permissions it was requested with, and if an app requests more than it previously did, the user is asked for permission again. This is a huge jump in security. The account page can also now show when an app was allowed access.

Other

  • The UI was refined
  • Some text is now more user friendly
Trey

Docs

The docs page styling was improved a lot; it is so much easier to follow now (the margins sucked before, way too dense). The code blocks also have padding and a border now. The old code block formatting really sucked because it basically collapsed over the text and made the border radius look weird. Anyway, it is a lot better now.

Other

It’s probably obvious by now: there were more lint and type checking fixes.

Trey

I hate typechecking

I just spent I don't even remember how long debugging type errors in my SQLAlchemy DB file because of the weird way SQLAlchemy handles types. Anyway, there are still a lot of errors, but not as many, I guess. The app still runs, but now the errors tab is cleaner, yay.

Trey

New editor new me

I just switched to Zed (VS Code now forces Copilot everywhere and I can’t seem to turn it off), so with a new typechecker comes new bugs. Most of the type errors were not actually bugs, but there is a new types.py file that should stop most of them from showing up again.

Screenshot

For reference, this was 100 errors and 600 warnings

Trey

Docs

The docs now include the groups scope

Other

  • The GitHub Action works now, I had the wrong image name.
  • I forgot the rest
Trey

OIDC Groups

Two OIDC groups can now be assigned based on the user’s relation to the app. This is intended for app developers to get some extra data. The two right now are:

  • owner - Owns the current app
  • userwhitelisted - The user is restricted to certain apps, this app is on their whitelist

Other

  • Build caching for UV
  • /codelogin is now /login/code
  • Better logs in some places
Trey

Action!

I made a GitHub Action to automatically build the Docker image. I spent forever debugging, then realized my branch is not called main, whoops.

Trey

Shipped this project!

Hours: 15.43
Cookies: 🍪 474
Multiplier: 25.61 cookies/hr

I built an authentication provider that is simple for users and developers, similar to Hack Club Auth (which you have used). It uses OpenID Connect for seamless integration into most existing services. It is meant to be transparent; most users will have minimal interaction with this site to get to what really matters, your site. Furthermore, it is simple enough that even beginner developers can use it with little hassle. It is great for groups of developers who want to share apps within groups. While the use case can be pretty specific, I think it fits in well.

Trey

Refining

I spent some time making the demo smoother. The hack.af regex was removed to allow voters to use temporary emails, because some people did not want to do that (only 2/12 people used my demo instance). The demo app link is also more obvious now! I spent some time refining some of the other details too, but mostly in the config.

UX

The auth page now shows where you will be redirected after authentication.


Comments

Bram (QKing) about 1 month ago

Can't wait for the full release!

Trey

Lock app creation by default

You can now lock app creation for new users. It is an environment variable, so it does not affect existing users. You may also manually whitelist individual users via the admin page. These people will have their apps page restored. This has also now become the default, but you can always change it in your docker-compose.override.yml by setting LOCK_NEW_APP_CREATE to false.

Other

  • The login flow works again, the cleanup function broke it, oops.
  • The demo app on the dashboard was fixed back to the right link
Trey

Icon

A banner and favicon have been made (took about 1 hr). It’s basic, but it gets the job done! It is not on the site yet (I don’t have access to the computer with the file rn), but should be soon. Check out lapse if you want to see the timelapse.

2nd log again

I once forgot to log before working on another feature, sorry!
Login/register codes are now automatically deleted from memory after expiry. I couldn’t get scheduling to work, so the dictionary is checked every time an authentication related action is performed. In theory, this should reduce the RAM tax when running for long periods of time (you should still restart your server every once in a while, it’s good practice!).

Trey

Delete users

This was long overdue, admins can now delete users. This should only be used in extreme cases, because it may lose them a lot of data.

Trey

Keep callback pt 2

Another long devlog, but this is a pretty important feature! When you try to access an app while not logged in, you are now redirected to the login page with a special gota parameter. This is a JWT (I realized keeping just the clientid was not enough because of scopes and a few other things) that contains where you should be redirected after logging in (in this case, the app authorization link). This is kept through every login/signup stage. Once registration is completed, you are either automatically redirected back to the app, or in the case of logging in with another device, a new Continue button appears that will redirect you. Now is also a good time to mention that the login with a device page does not auto-redirect because some legacy devices do not allow setting cookies in a 3xx status code.

Note

This greatly improves the UX for people who do not already have an account. Many sites redirect me to the home page when I log in, which sucks for me because I have to go back to the page I wanted. Also, the backend makes sure the redirect is valid. The JWT is validated against a secret key that is made on app start, and even if the key somehow gets compromised, redirects are still not able to be abused, as the backend makes sure the redirect is to a local path, not to another domain.

Other changes

  • More features added to readme featureset
  • The homepage now has a link to the developer OIDC docs
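The two "Keep callback" devlogs above describe a continuation token that carries the post-login redirect, is signed with a key generated at app start, and is only honoured if the target is a local path. The following is an added example (not AuthBridge's own code) of that shape: an HMAC-signed token built with the standard library stands in for the JWT, and the hypothetical names APP_SECRET, make_continue_token, resolve_continue_token and is_local_path are assumptions. The local-path check runs again after signature verification, so a leaked signing key still cannot turn the parameter into an open redirect.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a per-process secret generated at app start, as the devlog describes.
APP_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the login continuation


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_local_path(target: str) -> bool:
    """Accept only absolute paths on this site.

    Rejects full URLs, protocol-relative "//host" targets, the "/\\host"
    spelling some browsers treat the same way, and CR/LF (header injection).
    """
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return False
    if "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def make_continue_token(target: str, secret: bytes = APP_SECRET,
                        now: Optional[float] = None) -> str:
    """Sign {"next": target, "exp": ...} as body.signature (base64url, HMAC-SHA256)."""
    if not is_local_path(target):
        raise ValueError("refusing to sign a non-local redirect target")
    now = time.time() if now is None else now
    claims = {"next": target, "exp": int(now + TOKEN_TTL_SECONDS)}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def resolve_continue_token(token: str, secret: bytes = APP_SECRET,
                           now: Optional[float] = None, fallback: str = "/") -> str:
    """Return the redirect target, or `fallback` if the token is forged, expired, malformed or non-local."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return fallback
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) < now:
            return fallback
        target = claims.get("next")
    except (ValueError, TypeError):
        return fallback
    # Re-check after signature verification: a valid signature over an
    # off-site target (e.g. minted with a leaked key) is still refused.
    if not isinstance(target, str) or not is_local_path(target):
        return fallback
    return target


if __name__ == "__main__":
    tok = make_continue_token("/authorize?client_id=demo")  # constructed sample target
    print(resolve_continue_token(tok))
```

The fallback of "/" mirrors the usual "send them to the home page" behaviour the devlog complains about, but only for tokens that fail a check; a valid token lands the user on the authorization link they started from.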
Trey

Keep callback

Right now, when you try to visit an app but are not logged in, you are redirected to the login page, but the login flow does not automatically redirect you back to the app once logged in. Part of switching to codes for login was so I can fix that. Anyway, I am going to keep a gota “token” through the whole process. It is the client id of the application you are verifying with. Right now, the login flow keeps a copy of it, but it does not use it for anything yet. That will be the next log.

Other changes

The demo build text was updated to link to a demo application

Trey

Style it up

Some CSS and layouts have been changed. There really isn't much to log about here.

Changelog

  • My apps was moved from the header into the account page
  • Code blocks are now styled (like in the docs page from the previous log)
  • Readme was slightly improved
  • The link to OIDC help is now more obvious
Trey

OIDC docs 2

These two devlogs are probably the longest time on one section of the site. Anyway, the OIDC docs are complete now. This covers most of the authentication logic, from creating an app, to authenticating a user, to getting their information. There is a link to this documentation on the modify app page. This doesn’t look good right now, so the next log will probably be styling (probably for the whole site too).

Trey

Docs part one

There is now basic help documentation for OpenID Connect. This will be improved upon later, as it is incomplete, but this is a good starting point.

Other changes

  • The app clientid has been removed from the issuer url, because no code actually needed it.
  • The create app button is now hidden if your app creation permission has been revoked
  • The my apps header button is also hidden if your creation permission was revoked, and you also have no apps
Trey

Login with code

This took way longer than I thought it would, but logins are now handled with codes instead of via a link. Each login request gets assigned a unique id, which is basically a login session. The ID is provided in the email and login page, so just in case you try logging on using multiple devices, you know which code belongs to which page. This also makes trying to steal a code from a user harder. The codes still expire after five minutes, so an attacker cannot just brute-force the endpoint. The rate limit gives an attacker 150 code attempts for any given session. Considering there are ~9000000 possible codes, this gives about a 0.0016667% chance of them getting it right. The login endpoint also can only send 10 emails per hour to any given email, so they must wait an hour to get 10 more attempts. I know this is pretty basic information, but at least it’s secure when needed (especially for high-risk admin accounts).

Other

  • Minor readme changes
  • Rate limit changes
  • Other backend stuff that im forgetting about
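As an added example (not AuthBridge's own code) of the login-code design described in this devlog and the lazy expiry described in "2nd log again", here is a minimal in-memory session store: each login session gets its own id and a 7-digit code drawn from the 9,000,000 values 1000000–9999999, codes expire after five minutes and are swept on every verify/create call instead of by a scheduler, each session allows at most 150 attempts, and a helper computes the per-session guessing odds the devlog quotes. LoginCodeStore, LoginSession, guess_success_probability and the constants are assumed names.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_SPACE = 9_000_000            # 7-digit codes 1000000..9999999, ~9,000,000 values
CODE_TTL_SECONDS = 5 * 60         # codes expire after five minutes
MAX_ATTEMPTS_PER_SESSION = 150    # the per-session rate limit quoted in the devlog


@dataclass
class LoginSession:
    code: str
    created_at: float
    attempts: int = 0


class LoginCodeStore:
    """In-memory login sessions keyed by session id (assumed stand-in for the devlog's dictionary)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, LoginSession] = {}

    def cleanup(self) -> int:
        """Lazy expiry: drop timed-out sessions. Called from every auth action, no scheduler needed."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.created_at > CODE_TTL_SECONDS]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def create(self) -> Tuple[str, str]:
        """Start a login session; returns (session_id, code). Both go in the email, the id also on the page."""
        self.cleanup()
        session_id = secrets.token_urlsafe(8)
        code = str(1_000_000 + secrets.randbelow(CODE_SPACE))  # CSPRNG, never leading zero
        self._sessions[session_id] = LoginSession(code=code, created_at=self._clock())
        return session_id, code

    def verify(self, session_id: str, code: str) -> str:
        """Returns 'ok', 'invalid', 'locked' (attempt budget spent) or 'unknown' (no such or expired session)."""
        self.cleanup()
        session = self._sessions.get(session_id)
        if session is None:
            return "unknown"
        if session.attempts >= MAX_ATTEMPTS_PER_SESSION:
            return "locked"
        session.attempts += 1
        if hmac_equal(session.code, code):
            del self._sessions[session_id]  # single use
            return "ok"
        return "invalid"


def hmac_equal(a: str, b: str) -> bool:
    """Constant-time string comparison so timing does not leak matching prefixes."""
    return secrets.compare_digest(a.encode(), b.encode())


def guess_success_probability(attempts: int = MAX_ATTEMPTS_PER_SESSION,
                              space: int = CODE_SPACE) -> float:
    """Chance (in percent) that an attacker who spends the whole attempt budget on one session wins."""
    return attempts / space * 100


if __name__ == "__main__":
    store = LoginCodeStore()
    sid, code = store.create()  # constructed sample session
    print(sid, store.verify(sid, "1234567"), store.verify(sid, code))
    print(f"{guess_success_probability():.7f}%")
```

The fake clock in the constructor exists so expiry can be exercised without sleeping; in the real app the default time.time() is used.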
Trey

Restrictions and “guest” accounts

Admins can now restrict accounts to specific apps. When combined with administrator created accounts (especially using emails outside the regex), you can effectively make guest accounts for people who should only be able to access one or two services.

Trey

Creating accounts

Administrators can now create user accounts. They bypass most limits, like the email validator. The username and name are still checked client-side, but the admin user creator does not check server side, so feel free to make it whatever. Because the email is not validated for admin created users, you can lock user account emails to a specific domain while still creating accounts for other people when needed. This goes with another feature that should be ready by next log.

Trey

Contact info

You can now add administrator contact info to be displayed on some error pages. Right now it is just restriction messages, but I may add it into more places later. This does mean adding a new ENV variable CONTACT_EMAIL.

Other

The scopes db column was removed because scopes are provided through parameters now.

Trey

I did a thing

You can now sign in using another device, for devices where you cannot access your email. This was not needed at all, but it lets me do funny things like access the app via iOS 6, which is pretty cool. Ignore the weird border, my power button is broken so I have to use three finger pinch to screenshot. I also tried getting it to work on the 3DS, and I got the UI working, but I cannot get cookies to save. Anyway, the code feature works well. You input your username and a one time 7 digit code, and it logs you in.

Trey

User profile changes

Users can now change their name by themselves! This also means server side validation. I implemented this in the DB stage so all requests (even admin ones) need to follow the username regex. If a request does not follow the formula, it will error and not change anything. Most modern browsers will also perform client side validation because they support regex, but server side is always a good fallback.

Trey

Account page and fixes

I forgot to update the expiry code everywhere, so registration was broken, but it is fixed now! Anyway, the dashboard was simplified by moving the revoke access button to the new account page! The page will do more soon, but it just does this for now. A bug was also fixed on the admin page where clicking a non-admin user would remove the admin section from the header because I was accidentally overriding the user variable that the header checks for.

Trey

Email expiry

The registration code email now expires after 5 minutes. The rate limits were also increased to allow more attempts, just in case.

More error pages

401 and 403 now have error pages.

Restrict app creation

Admins can now restrict people from creating apps on a per-user basis.

Trey

Email verification

You can now set a regex for emails to lock registration to specific domains! You may also specify a message to be put on the login page as a hint.

Trey

Form submit

There is now a form submission animation. This is probably overdone, and is the only piece of JavaScript in the whole application.

Trey

Thou shall not authorize!

You can now deny auth prompts. It will return you to the application, but it will return access_denied.

Trey

Manage accounts

Admin users can now modify accounts, including disabling them. This is an extension of my last log.

Trey

User page

Admins can now see user details. Editing does not work yet.

Trey

Hackin da mainframe

There is now an admin page, it lists all apps and users. The apps buttons work, but the users section will have actions next.

Trey

Partial redesign

The modify app page was redesigned. It might need more later, but it does its job.

Trey

Error pages

A few small changes here, most notably error pages.

Bugs

Before being able to modify an app, you now need to authenticate as the app owner.

Second log

I forgot to hit create on this log, then went back to work, so here is another log:

Deleting apps

You can now delete apps from its modify page. This also brings the CSS for three types of buttons:

  • Main (highlighted)
  • Secondary (default)
  • Danger (red)

Bugfixes (again)

Reaching a 500 error page now prints the traceback to console

Trey

Revoke

This devlog took a while because ft would not let me sync my time correctly, so I probably did more that I forgot about. The dashboard now lets you revoke app permissions.

Trey

Shipped this project!

Hours: 15.0
Cookies: 🍪 323
Multiplier: 17.93 cookies/hr

I built a simple OIDC provider that uses email based authentication. I learned how OIDC works, and how to send emails with Python. It turned out good, and I like how simple it is to use. Even though the use case for this is pretty small, I think I will enjoy using this! Especially after all of your feedback ;)

Trey

Better app setup

The modify page now shows important information for setup with external apps. Before this, you would need to guess the links or find the .well-known path. Anyway, they are now displayed on the app modify page.

Trey

Docs

A simple readme has been made. Not much else to say.

Trey

Consent

The auth flows are no longer implicit. The first time you authenticate an app, you will be asked for consent. Every time after, you will not be asked.
Edit: My OBS glitched and didn’t show the auth flow. Oops

Trey

Darn it

In the interest of time (and getting this in for lock in), I caved in and used Copilot for the backend OpenID logic, then spent time fixing the places where it did not understand how my code worked. There is no auth page right now, I will make that next.
Anyway, after an hour of debugging Nextcloud OIDC, I got the first login working! The flow works, but there is no user-facing prompt yet.

Trey

OIDC config endpoint working

Some basic information is now shown in the .well-known of the OIDC endpoint. More will need to be added to this later.

Trey

Apps style

The my apps page is now styled. Also, work is being done to get the .well-known address working for OIDC.

Trey

Modify apps 2

You can now modify apps. The form works now.

Trey

Modify apps

You can now modify your new app (not really yet)! The regenerate secret button works, but saving does not. As always, there were also a few backend changes.

Trey

Create an app

The create app button actually does something now. It adds an app to the DB and redirects you to the modify page.

Other

  • Dashboard shows app creator
  • Backend changes
Trey

Your apps page

The your apps page is here, still nothing to test with though. The dashboard also had the featured section removed.

Trey

Auth

Authentication works now, and users can authenticate and access the dashboard. The header also changes content based on whether the request was authenticated or not.

Trey

Getting more ready

I don’t have much to show for this log, but I’m trying to log every 30 minutes. I spent my time making the DB support saving user auths. Also, there is a dashboard layout now! No data in it yet though. I’m going to make it look better soon, but I want to make sure the core works before finishing this.

Trey

Signup/login

The final login thing is done! You can signup/login, and you automatically get redirected to the right flow when you enter your email. If you set an owner email in the env variables, it can also automatically give you admin!

Trey

Codes

The code page works now! If you type an incorrect code, it says so, and if you get it right, it shows a final register page (not complete yet).

Trey

Email!

Sending emails works now. You just need to provide an SMTP server and credentials.

Trey

Email

The email send logic should be working now. I do not have any SMTP credentials to test it with though. Anyway, the base login logic is mostly done, but I still need to make it fully work.

Trey

Style pt 2

I improved the style again. Most form elements have been styled. Not much else to put here.

Trey

Style

Nothing much has changed, but the style was improved, and the name was changed from authy to AuthBridge. An env variable (APP_NAME) lets you change it to something else if you want (I can’t decide on a name, this is my way of letting me change it quickly later).

Trey

Getting further

After messing with DB permissions, there is now a non-working login form. At some point this will email you, but right now it does nothing. Also, the abc is from a header! It’s not done yet, but at some point it will be at the top of the screen.

Trey

Beginnings ish

There is a working base page now. I spent an hour trying to get Docker to play nice with uv. Anyway, images build and I can run the container. A basic DB structure has also been designed, but nothing is final yet.
