
Authrio

All about my new oss authorization platform

⚠️ Quick note that this post is now considered outdated, as Authrio is being rewritten with more features; read about it at https://authrio.com! ⚠️


Simple and secure authentication platform, designed for self-hosting 🔒

Over the last couple of months, I have been working on a side project in my spare time whilst working on other (larger) projects – more about that in the next post!

The side project I am referring to is designed to be a simple authentication platform: easy API key and password storage that is secure by design, all at once :)

Details

Examples

Demo using Authrio.py and Flask:

from flask import Flask, request
from authrio import Org, User, BadUserCreds

# Demo organisation secret; use a real, non-guessable value in practice.
org = Org.create("qwerty123")
app = Flask(__name__)

@app.route("/protected")
def protected():
    # The API key is read from the AUTHRIO_KEY cookie and resolved to a user.
    try:
        user = org.auth(request.cookies.get("AUTHRIO_KEY"))
        return f"User {user.id} was created at {user.created}!"
    except BadUserCreds:
        # Reject with 401 rather than a 200 so clients and logs see the failure.
        return "Invalid/outdated api key passed!", 401

@app.route("/signup", methods=["POST"])
def signup():
    # Take the password from the POST body, not the query string, so it never
    # lands in URLs, browser history or access logs.
    try:
        user = User.create(org, request.form.get("password", ""))
        return f"Created user {user.id} at {user.created}!"
    except BadUserCreds:
        return "Password too short/long!", 400

if __name__ == "__main__":
    app.run()

You can also check out the examples/ directory for some more showcases in various languages 📚

Versioning

The following components are currently completed:

Name                 Basic auth   Extended management
Authrio.py (Link)    👍           👍
Authrio.js (Link)
Authrio.rs (Link)
API (Link)           👍           👍

As for product versioning, Authrio runs on a date-based release cycle, with at most one major release per month. Patches may also be added as an attached .x version if required.

Flow

Here’s a diagram showing the flow of Authrio you can implement:

Simply pick one of the 3 wrappers for Authrio to integrate into your application. All of these wrappers have been refined with the appropriate web frameworks in mind (such as Authrio.py + Flask) to provide a more convenient structure.

Hosting

Official host

You may use the official and secure Authrio API for free, forever! The only limitation is potential rate limits imposed to curb spam. Here’s the link:

authrio.ogriffiths.com

Self-hosting

Another option is self-hosting; this process is easy and only requires a couple of steps:

  1. Download the latest binary: Releases
  2. Run the file using the “setup” command: ./authrio-api setup
  3. Follow the setup instructions and host the api!

Security

The Authrio platform aims to provide a simple authentication and API key management system that acts as a single, reliable source of truth for passwords. Each user record in Authrio holds a private UUID, shared only with the application’s local database, together with the user’s hashed password.

We store passwords using the industry-leading Argon2 hash. Two extra inputs go into each hash: a per-user salt stored alongside the user row, and a global pepper for the whole Authrio instance that is kept in an environment variable and should not change.

Another security factor is that Authrio holds no identifiable information about a user other than their UUID, so a breach of either database on its own does not expose passwords:

  • Breach of the local (application) db: it stores no passwords, only user UUIDs, and a UUID alone still requires the correct password to authenticate, leaving the attacker no better off than with a brute-force attack
  • Breach of Authrio: the private UUIDs cannot be linked to any real identity, and the passwords exist only as salted, peppered Argon2 hashes
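To make the two-database split and the salt-plus-pepper scheme concrete, here is an added, self-contained illustration; it is not Authrio’s own code. The environment variable name AUTHRIO_PEPPER, the password length limits, and the AuthrioStore/AppStore/login names are assumptions for the example, and the standard library’s scrypt stands in for Argon2 (argon2-cffi’s hash_secret_raw takes the same secret and salt inputs if you want to swap it in).

```python
import hashlib
import hmac
import os
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumed for this example: the post does not name the env var or the limits.
PEPPER_ENV = "AUTHRIO_PEPPER"
PASSWORD_MIN, PASSWORD_MAX = 8, 128
SALT_BYTES = 16
# Constructed salt used only to keep auth timing flat for unknown users.
_DUMMY_SALT = b"\x00" * SALT_BYTES


class BadUserCreds(Exception):
    """Bad password length, unknown user, or failed verification."""


def load_pepper() -> bytes:
    """The global pepper lives only in the environment, never in a DB row."""
    pepper = os.environ.get(PEPPER_ENV)
    if not pepper:
        raise RuntimeError(f"{PEPPER_ENV} is not set")
    return pepper.encode()


def derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Per-user salt + global pepper -> 32-byte hash (scrypt stand-in for Argon2)."""
    # Fold the pepper into the secret so a stolen row is useless without it.
    secret = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass(frozen=True)
class UserRow:
    """Everything the Authrio side keeps per user: no name, no email."""
    id: str        # private UUID, the only thing the app's DB ever sees
    salt: bytes
    pw_hash: bytes
    created: str


class AuthrioStore:
    """Authrio's database: UUID -> salt + hash, nothing identifying."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._rows: Dict[str, UserRow] = {}

    def create_user(self, password: str) -> UserRow:
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            raise BadUserCreds("password too short/long")
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per user
        row = UserRow(id=str(uuid.uuid4()), salt=salt,
                      pw_hash=derive(password, salt, self._pepper),
                      created=datetime.now(timezone.utc).isoformat())
        self._rows[row.id] = row
        return row

    def auth(self, user_id: str, password: str) -> UserRow:
        row = self._rows.get(user_id)
        # Always run the KDF so an unknown UUID is not faster than a bad password.
        salt = row.salt if row else _DUMMY_SALT
        candidate = derive(password, salt, self._pepper)
        if row is None or not hmac.compare_digest(candidate, row.pw_hash):
            raise BadUserCreds("bad credentials")
        return row


class AppStore:
    """The application's own database: identity -> Authrio UUID, no secrets."""

    def __init__(self):
        self._accounts: Dict[str, str] = {}

    def link(self, username: str, authrio_id: str) -> None:
        self._accounts[username] = authrio_id

    def lookup(self, username: str) -> Optional[str]:
        return self._accounts.get(username)


def login(app_db: AppStore, authrio: AuthrioStore, username: str, password: str) -> bool:
    """The only path that joins the two stores; neither alone yields a password."""
    authrio_id = app_db.lookup(username)
    if authrio_id is None:
        return False
    try:
        authrio.auth(authrio_id, password)
        return True
    except BadUserCreds:
        return False


if __name__ == "__main__":
    os.environ.setdefault(PEPPER_ENV, "constructed-demo-pepper")  # demo only
    authrio, app_db = AuthrioStore(load_pepper()), AppStore()
    row = authrio.create_user("correct horse battery")
    app_db.link("alice", row.id)
    print("alice ok:", login(app_db, authrio, "alice", "correct horse battery"))
    print("alice wrong pw:", login(app_db, authrio, "alice", "wrong"))
```

Note what each store leaks on its own: a dump of AppStore gives usernames and opaque UUIDs, which still need the right password to pass auth; a dump of AuthrioStore gives salted hashes that cannot be verified offline without the pepper, which is never in the database.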

Links

  • Currently-operating instance: Link
  • Source code: Link

That’s all for now!