Small Hanami 2 Auth-Server using Rodauth

[wuarmin]

Hey 👋 ,

I implement a small auth-server. This should receive login-requests (username, password, realm) and respond with a JWT-token if successful (no refresh-token in the 1st step). The password check should be done via LDAP, so the server does not need to store passwords.
If the LDAP check is successful, only a db query is necessary to check whether the user is authorized for the realm, if so, a successful response with a JWT (I need to set the payload/claims of the token) token should be generated.

There should be 3 endpoints
auth/login = to login a user
auth/userinfo = userinfo endpoint to get infos about a user (here the JWT token is provided via AUTHORIZATION-header
auth/logout = for logout I would need to store the jwt-tokens, otherwise no logout is possible. I used redis in the past for this.

The AuthServer is only requested from other ruby servers. So I just need a very small set of features.

I think rodauth is the right one here or? I have a user table, do I have to rename it to accounts? Which tables do I need for my use-case?

I started with the following code

require "roda"

module Auth
  class RodauthApp < Roda
    plugin :middleware
    plugin :rodauth do
      enable :login, :logout, :jwt

      jwt_secret "your_jwt_secret" # just for test

      # how to create a custom login, to handle ldap and db-query
      route do |r|
        r.rodauth

        rodauth.require_authentication
      end
    end
  end
end

module AuthServer
  class Routes < Hanami::Routes
    # Add your routes here. See https://guides.hanamirb.org/routing/overview/ for details.

    slice :auth, at: "/auth" do
      use Auth::RodauthApp
      post "/login", to: "home.login"
    end
  end
end

module Auth
  module Actions
    module Home
      class Login < Auth::Action
        def handle(request, response)
          # how to access the generated token and respond it
        end
      end
    end
  end
end

At the moment I can't get any further. Can someone please give me a tip/advice? At the moment I get

You're missing a session handler, try using the sessions plugin.

Why do I need a session handler for my use-case?
Thanks

[jeremyevans]

For the sessions issue, try plugin rodauth, json: :only do to indicate you want to run in JSON only mode.

My advice would be to check the database before LDAP authentication, so that you aren't checking passwords if the user isn't valid for the realm anyway.

You would need to set accounts_table :user or whatever that table is named.

I recommend reading the documentation (https://rodauth.jeremyevans.net/documentation.html). Start developing a Roda app just for the authentication, and after that is working, then use the middleware plugin and integrate it into your Hanami app.

[wuarmin]

Thanks @jeremyevans. Now I'm a step further. Now I get

Loaded :postgres in 0ms SELECT * FROM "users" WHERE ("user_name" = 'testuser') LIMIT 1
PG::UndefinedFunction: ERROR:  function rodauth_get_salt(integer) does not exist
LINE 1: SELECT rodauth_get_salt(1) AS "v" LIMIT 1

module Auth
  class RodauthApp < Roda
    plugin :middleware
    plugin :rodauth, json: :only do
      enable :login, :logout, :jwt
      accounts_table :users
      login_route "auth/login"
      login_param  "username"
      login_column :user_name

      jwt_secret "your_jwt_secret" # Replace with your secret
      # jwt_token_identifier "your_jwt_token_identifier"
    end

    route do |r|
      r.rodauth

      rodauth.require_authentication
    end
  end
end

How would you add the check if the user is allowed to login into the realm? before_login. And where to put the custom logic to check LDAP?

Thanks

[wuarmin]

Do you have an opinion about this?

One more thing: The request json-payload has to be

{ "username": "chuck", "password": "abc123", "realm": "test" }

Where's the best place to validate the field realm, to create errors like

{
   "field-error": [
     "realm",
     "no realm set"
   ],
   "error": "There was an error logging in"
 }

[jeremyevans]

Do you only want to require authentication for the /auth branch? Because that is the way it is currently setup.

For the payload, I assume inside the password_match? block, you can call the methods such as set_error_flash and set_field_error if the realm is not valid for the user.

[wuarmin]

Thanks @jeremyevans !

Do you only want to require authentication for the /auth branch? Because that is the way it is currently setup.

Yes I need rodauth only for /auth.

For the payload, I assume inside the password_match? block, you can call the methods such as set_error_flash and set_field_error if the realm is not valid for the user.

I tried this, but I didn't manage to make it work.

Attempt 1

password_match? do |password|
  if param("realm").nil? || param("realm").empty?
    set_field_error("realm", "must be present")
    set_error_flash("error!!")
    return false
   end
  # ...
end

Result 1

{
   "field-error": [
     "password",
     "invalid password"
   ],
   "error": "There was an error logging in"
 }

Attempt 2

password_match? do |password|
  throw_error_status(401, "realm", "must be present) if if param("realm").nil? || param("realm").empty?
  # ...
end

Result 2

{
   "field-error": [
     "realm",
     "must be present"
   ],
   "error": "There was an error logging in"
 }

Attempt 2 seems to work, but I noticed that if I do that I cannot use the after_login_failure. I have not managed to overwrite the error "error": "There was an error logging in" in any of my attempts.
Thanks

[jeremyevans]

You could try overriding login_error_flash for changing the error message. Returning false from password_match? should be what you want. You could use throw_error_status inside after_login_failure to get it to override the behavior. Maybe something like:

password_match? do |password|
  # param always returns string
  if param("realm").empty?
    @bad_realm = true
    return false
   end
  # ...
end

after_login_failure do
  if @bad_realm
    throw_error_status(401, "realm", "must be present)
  end
end

login_error_flash do
  if @bad_realm
    "error!!"
  else
    super
  end
end

[wuarmin]

Thanks @jeremyevans Great, that works!