phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(core): implement Phase 1 foundation infrastructure

Browse Source 
Implements Phase 1 Foundation with all core services:

Core Components:
- Configuration management with GONDULF_ environment variables
- Database layer with SQLAlchemy and migration system
- In-memory code storage with TTL support
- Email service with SMTP and TLS support (STARTTLS + implicit TLS)
- DNS service with TXT record verification
- Structured logging with Python standard logging
- FastAPI application with health check endpoint

Database Schema:
- authorization_codes table for OAuth 2.0 authorization codes
- domains table for domain verification
- migrations table for tracking schema versions
- Simple sequential migration system (001_initial_schema.sql)

Configuration:
- Environment-based configuration with validation
- .env.example template with all GONDULF_ variables
- Fail-fast validation on startup
- Sensible defaults for optional settings

Testing:
- 96 comprehensive tests (77 unit, 5 integration)
- 94.16% code coverage (exceeds 80% requirement)
- All tests passing
- Test coverage includes:
  - Configuration loading and validation
  - Database migrations and health checks
  - In-memory storage with expiration
  - Email service (STARTTLS, implicit TLS, authentication)
  - DNS service (TXT records, domain verification)
  - Health check endpoint integration

Documentation:
- Implementation report with test results
- Phase 1 clarifications document
- ADRs for key decisions (config, database, email, logging)

Technical Details:
- Python 3.10+ with type hints
- SQLite with configurable database URL
- System DNS with public DNS fallback
- Port-based TLS detection (465=SSL, 587=STARTTLS)
- Lazy configuration loading for testability

Exit Criteria Met:
✓ All foundation services implemented
✓ Application starts without errors
✓ Health check endpoint operational
✓ Database migrations working
✓ Test coverage exceeds 80%
✓ All tests passing

Ready for Architect review and Phase 2 development.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-20 12:21:42 -07:00
parent 7255867fde
commit bebd47955f
39 changed files with 8134 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

674
docs/architecture/indieauth-protocol.md Normal file
View File

@@ -0,0 +1,674 @@
# IndieAuth Protocol Implementation
## Specification Compliance
This document describes Gondulf's implementation of the W3C IndieAuth specification.
**Primary Reference**: https://www.w3.org/TR/indieauth/
**Reference Implementation**: https://github.com/aaronpk/indielogin.com
**Compliance Target**: Any compliant IndieAuth client MUST be able to authenticate successfully against Gondulf.
## Protocol Overview
IndieAuth is built on OAuth 2.0, extending it to enable decentralized authentication where users are identified by URLs (typically their own domain) rather than accounts on centralized services.
### Core Principle
Users prove ownership of a domain, and that domain becomes their identity. No usernames, no passwords stored by the server.
### IndieAuth vs OAuth 2.0
**Similarities**:
- Authorization code flow
- Token endpoint for code exchange
- State parameter for CSRF protection
- Redirect-based flow
**Differences**:
- User identity is a URL (`me` parameter), not an opaque user ID
- No client secrets (all clients are "public clients")
- Client IDs are URLs that must be fetchable
- Domain ownership verification instead of password authentication
## v1.0.0 Scope
Gondulf v1.0.0 implements **authentication only** (not authorization):
- Users can prove they own a domain
- Tokens are issued but carry no permissions (scope)
- Client applications can verify user identity
- NO resource server capabilities
- NO scope-based authorization
**Future versions** will add:
- Authorization with scopes
- Token refresh
- Token revocation
- Resource server capabilities
## Endpoints
### Discovery Endpoint (Optional)
**URL**: `/.well-known/oauth-authorization-server`
**Purpose**: Advertise server capabilities and endpoints per RFC 8414.
**Response** (JSON):
```json
{
"issuer": "https://auth.example.com",
"authorization_endpoint": "https://auth.example.com/authorize",
"token_endpoint": "https://auth.example.com/token",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code"],
"code_challenge_methods_supported": ["S256"],
"token_endpoint_auth_methods_supported": ["none"]
}
```
**Implementation Notes**:
- Optional for v1.0.0 but recommended
- FastAPI endpoint: `GET /.well-known/oauth-authorization-server`
- Static response (no database access)
- Cache-Control: public, max-age=86400
### Authorization Endpoint
**URL**: `/authorize`
**Method**: GET
**Purpose**: Initiate authentication flow
#### Required Parameters
| Parameter | Description | Validation |
|-----------|-------------|------------|
| `me` | User's domain/URL | Must be valid URL, no fragments/credentials/ports |
| `client_id` | Client application URL | Must be valid URL, must be fetchable |
| `redirect_uri` | Where to send user after auth | Must be valid URL, must match client_id domain OR be registered |
| `state` | CSRF protection token | Required, opaque string, returned unchanged |
| `response_type` | Must be `code` | Exactly `code` for auth code flow |
#### Optional Parameters (v1.0.0)
| Parameter | Description | v1.0.0 Behavior |
|-----------|-------------|-----------------|
| `scope` | Requested permissions | Ignored (authentication only) |
| `code_challenge` | PKCE challenge | NOT supported in v1.0.0 |
| `code_challenge_method` | PKCE method | NOT supported in v1.0.0 |
**PKCE Decision**: Deferred to post-v1.0.0 to maintain MVP simplicity. See ADR-003.
#### Request Validation Sequence
1. **Validate `response_type`**
- MUST be exactly `code`
- Error: `unsupported_response_type`
2. **Validate `me` parameter**
- Must be a valid URL
- Must NOT contain fragment (#)
- Must NOT contain credentials (user:pass@)
- Must NOT contain port (except :443 for HTTPS)
- Must NOT be an IP address
- Normalize: lowercase domain, remove trailing slash
- Error: `invalid_request` with description
3. **Validate `client_id`**
- Must be a valid URL
- Must contain a domain component (not localhost in production)
- Fetch client_id URL to retrieve app info (see Client Validation)
- Error: `invalid_client` with description
4. **Validate `redirect_uri`**
- Must be a valid URL
- Must use HTTPS in production (HTTP allowed for localhost)
- If domain differs from client_id domain:
- Must match client_id subdomain pattern, OR
- Must be registered in client metadata (future), OR
- Display warning to user
- Error: `invalid_request` with description
5. **Validate `state`**
- Must be present
- Must be non-empty string
- Store for verification (not used server-side, returned to client)
- Error: `invalid_request` with description
#### Client Validation
When `client_id` is provided, fetch the URL to retrieve application information:
**HTTP Request**:
```
GET https://client.example.com/
Accept: text/html
```
**Extract Application Info**:
- Look for `h-app` microformat in HTML
- Extract: app name, icon, URL
- Extract registered redirect URIs from `<link rel="redirect_uri">` tags
- Cache result for 24 hours
**Fallback**:
- If no h-app found, use domain name as app name
- If no icon, use generic icon
- If no redirect URIs registered, rely on domain matching
**Security**:
- Follow redirects (max 5)
- Timeout after 5 seconds
- Validate SSL certificates
- Reject non-200 responses
- Log client_id fetch failures
#### Authentication Flow (v1.0.0: Email-based)
1. **Domain Ownership Check**
- Check if `me` domain has verified TXT record: `_gondulf.example.com` = `verified`
- If found and cached, skip email verification
- If not found, proceed to email verification
2. **Email Verification**
- Display form requesting email address
- Validate email is at `me` domain (e.g., `admin@example.com` for `https://example.com`)
- Generate 6-digit verification code (cryptographically random)
- Store code in memory with 15-minute TTL
- Send code via SMTP
- Display code entry form
3. **Code Verification**
- User enters 6-digit code
- Validate code matches and hasn't expired
- Mark domain as verified (store in database)
- Proceed to authorization
4. **User Consent**
- Display authorization prompt:
- "Sign in to [App Name] as [me]"
- Show client_id full URL
- Show redirect_uri if different domain
- Show scope (future)
- User approves or denies
5. **Authorization Code Generation**
- Generate cryptographically secure code (32 bytes, base64url)
- Store code in memory with 10-minute TTL
- Store associated data:
- `me` (user's domain)
- `client_id`
- `redirect_uri`
- `state`
- Timestamp
- Code is single-use only
6. **Redirect to Client**
```
HTTP/1.1 302 Found
Location: {redirect_uri}?code={code}&state={state}
```
#### Error Responses
Return error via redirect when possible:
```
HTTP/1.1 302 Found
Location: {redirect_uri}?error={error}&error_description={description}&state={state}
```
**Error Codes** (OAuth 2.0 standard):
- `invalid_request` - Malformed request
- `unauthorized_client` - Client not authorized
- `access_denied` - User denied authorization
- `unsupported_response_type` - response_type not `code`
- `invalid_scope` - Invalid scope requested (future)
- `server_error` - Internal server error
- `temporarily_unavailable` - Server temporarily unavailable
When redirect not possible (invalid redirect_uri), display error page.
### Token Endpoint
**URL**: `/token`
**Method**: POST
**Content-Type**: `application/x-www-form-urlencoded`
**Purpose**: Exchange authorization code for access token
#### Required Parameters
| Parameter | Description | Validation |
|-----------|-------------|------------|
| `grant_type` | Must be `authorization_code` | Exactly `authorization_code` |
| `code` | Authorization code from /authorize | Must be valid, unexpired, unused |
| `client_id` | Client application URL | Must match code's client_id |
| `redirect_uri` | Original redirect URI | Must match code's redirect_uri |
| `me` | User's domain | Must match code's me |
#### Request Validation Sequence
1. **Validate `grant_type`**
- MUST be `authorization_code`
- Error: `unsupported_grant_type`
2. **Validate `code`**
- Must exist in storage
- Must not have expired (10-minute TTL)
- Must not have been used already
- Mark as used immediately
- Error: `invalid_grant`
3. **Validate `client_id`**
- Must match the client_id associated with code
- Error: `invalid_client`
4. **Validate `redirect_uri`**
- Must exactly match the redirect_uri from authorization request
- Error: `invalid_grant`
5. **Validate `me`**
- Must exactly match the me from authorization request
- Error: `invalid_request`
#### Token Generation
**v1.0.0 Implementation: Opaque Tokens**
```python
import secrets
import hashlib
from datetime import datetime, timedelta
# Generate token
token = secrets.token_urlsafe(32) # 256 bits
# Store in database
token_record = {
"token_hash": hashlib.sha256(token.encode()).hexdigest(),
"me": me,
"client_id": client_id,
"scope": "", # Empty for authentication-only
"issued_at": datetime.utcnow(),
"expires_at": datetime.utcnow() + timedelta(hours=1)
}
```
**Why Opaque Tokens in v1.0.0**:
- Simpler than JWT (no signing, no key rotation)
- Easier to revoke (database lookup)
- Sufficient for authentication-only use case
- Can migrate to JWT in future versions
**Token Properties**:
- Length: 43 characters (base64url of 32 bytes)
- Entropy: 256 bits (cryptographically secure)
- Storage: SHA-256 hash in database
- Expiration: 1 hour (configurable)
- Revocable: Delete from database
#### Success Response
**HTTP 200 OK**:
```json
{
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"token_type": "Bearer",
"me": "https://example.com",
"scope": ""
}
```
**Response Fields**:
- `access_token`: The opaque token (43 characters)
- `token_type`: Always `Bearer`
- `me`: User's canonical domain URL (normalized)
- `scope`: Empty string for authentication-only (future: space-separated scopes)
**Headers**:
```
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
```
#### Error Responses
**HTTP 400 Bad Request**:
```json
{
"error": "invalid_grant",
"error_description": "Authorization code has expired"
}
```
**Error Codes** (OAuth 2.0 standard):
- `invalid_request` - Missing or invalid parameters
- `invalid_client` - Client authentication failed
- `invalid_grant` - Invalid or expired authorization code
- `unauthorized_client` - Client not authorized for grant type
- `unsupported_grant_type` - Grant type not `authorization_code`
### Token Verification Endpoint (Future)
**URL**: `/token/verify`
**Method**: GET
**Purpose**: Verify token validity (for resource servers)
**NOT implemented in v1.0.0** (authentication only, no resource servers).
Future implementation:
```
GET /token/verify
Authorization: Bearer {token}
Response 200 OK:
{
"me": "https://example.com",
"client_id": "https://client.example.com",
"scope": ""
}
```
### Token Revocation Endpoint (Future)
**URL**: `/token/revoke`
**Method**: POST
**Purpose**: Revoke access token
**NOT implemented in v1.0.0**.
Future implementation per RFC 7009.
## Data Models
### Authorization Code (In-Memory)
```python
{
"code": "abc123...", # 43-char base64url
"me": "https://example.com",
"client_id": "https://client.example.com",
"redirect_uri": "https://client.example.com/callback",
"state": "client-provided-state",
"created_at": datetime,
"expires_at": datetime, # created_at + 10 minutes
"used": False
}
```
**Storage**: Python dict with TTL management
**Expiration**: 10 minutes (per spec: "shortly after")
**Single-use**: Marked as used after redemption
**Cleanup**: Automatic expiration via TTL
### Email Verification Code (In-Memory)
```python
{
"email": "admin@example.com",
"code": "123456", # 6-digit string
"domain": "example.com",
"created_at": datetime,
"expires_at": datetime, # created_at + 15 minutes
"attempts": 0 # Rate limiting
}
```
**Storage**: Python dict with TTL management
**Expiration**: 15 minutes
**Rate Limiting**: Max 3 attempts per email
**Cleanup**: Automatic expiration via TTL
### Access Token (SQLite)
```sql
CREATE TABLE tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
token_hash TEXT NOT NULL UNIQUE, -- SHA-256 hash
me TEXT NOT NULL,
client_id TEXT NOT NULL,
scope TEXT NOT NULL, -- Empty string for v1.0.0
issued_at TIMESTAMP NOT NULL,
expires_at TIMESTAMP NOT NULL,
revoked BOOLEAN DEFAULT 0,
INDEX idx_token_hash (token_hash),
INDEX idx_me (me),
INDEX idx_expires_at (expires_at)
);
```
**Lookup**: By token_hash (constant-time comparison)
**Expiration**: 1 hour default (configurable)
**Revocation**: Set `revoked = 1` (future feature)
**Cleanup**: Periodic deletion of expired tokens
### Verified Domain (SQLite)
```sql
CREATE TABLE domains (
id INTEGER PRIMARY KEY AUTOINCREMENT,
domain TEXT NOT NULL UNIQUE,
verification_method TEXT NOT NULL, -- 'txt_record' or 'email'
verified_at TIMESTAMP NOT NULL,
last_checked TIMESTAMP,
txt_record_valid BOOLEAN DEFAULT 0,
INDEX idx_domain (domain)
);
```
**Purpose**: Cache domain ownership verification
**TXT Record**: Re-verified periodically (daily)
**Email Verification**: Permanent unless admin deletes
**Cleanup**: Optional (admin decision)
## Security Considerations
### URL Validation
**Critical**: Prevent open redirect and phishing attacks.
**`me` Validation**:
```python
from urllib.parse import urlparse
def validate_me(me: str) -> tuple[bool, str, str]:
"""
Validate me parameter.
Returns: (valid, normalized_me, error_message)
"""
parsed = urlparse(me)
# Must have scheme and netloc
if not parsed.scheme or not parsed.netloc:
return False, "", "me must be a complete URL"
# Must be HTTP or HTTPS
if parsed.scheme not in ['http', 'https']:
return False, "", "me must use http or https"
# No fragments
if parsed.fragment:
return False, "", "me must not contain fragment"
# No credentials
if parsed.username or parsed.password:
return False, "", "me must not contain credentials"
# No ports (except default)
if parsed.port and not (parsed.port == 443 and parsed.scheme == 'https'):
return False, "", "me must not contain non-standard port"
# No IP addresses
import ipaddress
try:
ipaddress.ip_address(parsed.netloc)
return False, "", "me must be a domain, not IP address"
except ValueError:
pass # Good, not an IP
# Normalize
domain = parsed.netloc.lower()
path = parsed.path.rstrip('/')
normalized = f"{parsed.scheme}://{domain}{path}"
return True, normalized, ""
```
**`redirect_uri` Validation**:
```python
def validate_redirect_uri(redirect_uri: str, client_id: str) -> tuple[bool, str]:
"""
Validate redirect_uri against client_id.
Returns: (valid, error_message)
"""
parsed_redirect = urlparse(redirect_uri)
parsed_client = urlparse(client_id)
# Must be valid URL
if not parsed_redirect.scheme or not parsed_redirect.netloc:
return False, "redirect_uri must be a complete URL"
# Must be HTTPS in production (allow HTTP for localhost)
if not DEBUG:
if parsed_redirect.scheme != 'https':
if parsed_redirect.netloc != 'localhost':
return False, "redirect_uri must use HTTPS"
redirect_domain = parsed_redirect.netloc.lower()
client_domain = parsed_client.netloc.lower()
# Same domain: OK
if redirect_domain == client_domain:
return True, ""
# Subdomain of client domain: OK
if redirect_domain.endswith('.' + client_domain):
return True, ""
# Different domain: Check if registered (future)
# For v1.0.0: Display warning to user
return True, "warning: redirect_uri domain differs from client_id"
```
### Constant-Time Comparison
Prevent timing attacks on token verification:
```python
import secrets
def verify_token(provided_token: str, stored_hash: str) -> bool:
"""
Verify token using constant-time comparison.
"""
import hashlib
provided_hash = hashlib.sha256(provided_token.encode()).hexdigest()
return secrets.compare_digest(provided_hash, stored_hash)
```
### CSRF Protection
**State Parameter**:
- Client generates unguessable state
- Server returns state unchanged
- Client verifies state matches
- Server does NOT validate state (client's responsibility)
### HTTPS Enforcement
**Production Requirements**:
- All endpoints MUST use HTTPS
- HTTP allowed only for localhost in development
- HSTS header recommended: `Strict-Transport-Security: max-age=31536000`
### Rate Limiting (Future)
**v1.0.0**: Not implemented (acceptable for small deployments).
**Future versions**:
- Authorization requests: 10/minute per IP
- Token requests: 30/minute per client_id
- Email codes: 3/hour per email
- Failed verifications: 5/hour per IP
## Protocol Deviations
### Intentional Deviations from W3C Spec
**ADR-003**: PKCE deferred to post-v1.0.0
- **Reason**: Simplicity for MVP, small user base, HTTPS mitigates risk
- **Impact**: Slightly less secure against code interception
- **Mitigation**: Enforce HTTPS, short code TTL (10 minutes)
- **Upgrade Path**: Add PKCE in v1.1.0 without breaking changes
**ADR-004**: No client pre-registration required (TBD)
- **Reason**: Aligns with user requirement for simplified client onboarding
- **Impact**: Must validate client_id on every request
- **Mitigation**: Cache client metadata, implement rate limiting
- **Spec Compliance**: Spec allows this ("client IDs are resolvable URLs")
### Scope Limitations (v1.0.0)
**Authentication Only**:
- `scope` parameter accepted but ignored
- All tokens issued with empty scope
- Tokens prove identity, not authorization
- Future versions will support scopes
## Testing Strategy
### Compliance Testing
**Required Tests**:
1. Valid authorization request → code generation
2. Valid token request → token generation
3. Invalid client_id → error
4. Invalid redirect_uri → error
5. Missing state → error
6. Expired authorization code → error
7. Used authorization code → error
8. Mismatched client_id on token request → error
### Interoperability Testing
**Test Against**:
- IndieAuth.com test suite (if available)
- Real IndieAuth clients (IndieLogin, etc.)
- Reference implementation comparison
### Security Testing
**Required Tests**:
1. Open redirect prevention (invalid redirect_uri)
2. Timing attack resistance (token verification)
3. CSRF protection (state parameter)
4. Code reuse prevention (single-use codes)
5. URL validation (me parameter malformation)
## Implementation Checklist
- [ ] `/authorize` endpoint with parameter validation
- [ ] Client metadata fetching (h-app microformat)
- [ ] Email verification flow (code generation, sending, validation)
- [ ] Domain ownership caching (SQLite)
- [ ] Authorization code generation and storage (in-memory)
- [ ] `/token` endpoint with grant validation
- [ ] Access token generation and storage (SQLite, hashed)
- [ ] Error responses (OAuth 2.0 compliant)
- [ ] HTTPS enforcement (production)
- [ ] URL validation (me, client_id, redirect_uri)
- [ ] Constant-time token comparison
- [ ] Metadata endpoint `/.well-known/oauth-authorization-server`
- [ ] Comprehensive test suite (80%+ coverage)
## References
- W3C IndieAuth Specification: https://www.w3.org/TR/indieauth/
- OAuth 2.0 (RFC 6749): https://datatracker.ietf.org/doc/html/rfc6749
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- PKCE (RFC 7636): https://datatracker.ietf.org/doc/html/rfc7636 (future)
- Token Revocation (RFC 7009): https://datatracker.ietf.org/doc/html/rfc7009 (future)
- Authorization Server Metadata (RFC 8414): https://datatracker.ietf.org/doc/html/rfc8414

356
docs/architecture/overview.md Normal file
View File

@@ -0,0 +1,356 @@
# System Architecture Overview
## Project Context
Gondulf is a self-hosted IndieAuth server implementing the W3C IndieAuth specification. It enables users to use their own domain as their identity when authenticating to third-party applications, providing a decentralized alternative to centralized authentication providers.
### Key Differentiators
- **Email-based authentication**: v1.0.0 uses email verification for domain ownership
- **No client pre-registration**: Clients validate themselves through domain ownership verification
- **Simplicity-first**: Minimal complexity, production-ready MVP
- **Single-admin model**: Designed for individual operators, not multi-tenancy
## Technology Stack
### Core Platform
- **Language**: Python 3.10+
- **Web Framework**: FastAPI 0.104+
- Chosen for: Native async/await, type hints, OAuth 2.0 support, automatic OpenAPI docs
- See: `/docs/decisions/ADR-001-python-framework-selection.md`
- **ASGI Server**: uvicorn with standard extras
- **Data Validation**: Pydantic 2.0+ (bundled with FastAPI)
### Data Storage
- **Primary Database**: SQLite 3.35+
- Sufficient for 10s of users
- Simple file-based backups
- No separate database server required
- **Database Interface**: SQLAlchemy Core (NOT ORM)
- Direct SQL-like interface without ORM complexity
- Explicit queries, no hidden behavior
- Simple schema management
### Session/State Storage (v1.0.0)
- **In-Memory Storage**: Python dictionaries with TTL management
- **Rationale**:
- No Redis in v1.0.0 per user requirements
- Authorization codes are short-lived (10 minutes max)
- Single-process deployment acceptable for MVP
- Upgrade path: Can add Redis later without code changes if persistence needed
### Development Environment
- **Package Manager**: uv (Astral Rust-based tool)
- See: `/docs/decisions/ADR-002-uv-environment-management.md`
- Direct execution model (no environment activation)
- **Linting**: Ruff + flake8
- **Type Checking**: mypy (strict mode)
- **Formatting**: Black (88 character line length)
- **Testing**: pytest with async, coverage, mocking
## System Architecture
### Component Diagram
```
┌─────────────────────────────────────────────────────────────────┐
│ Client Application │
│ (Third-party IndieAuth client) │
└───────────────────────────┬─────────────────────────────────────┘
│ HTTPS
│ IndieAuth Protocol
┌─────────────────────────────────────────────────────────────────┐
│ Gondulf IndieAuth Server │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ FastAPI Application │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌─────────────────┐ │ │
│ │ │ Authorization │ │ Token │ │ Metadata │ │ │
│ │ │ Endpoint │ │ Endpoint │ │ Endpoint │ │ │
│ │ │ /authorize │ │ /token │ │ /.well-known │ │ │
│ │ └──────┬───────┘ └──────┬───────┘ └────────┬────────┘ │ │
│ │ │ │ │ │ │
│ │ └──────────────────┼────────────────────┘ │ │
│ │ │ │ │
│ │ ┌─────────────────────────▼──────────────────────────────┐ │ │
│ │ │ Business Logic Layer │ │ │
│ │ │ ┌───────────────┐ ┌────────────┐ ┌──────────────┐ │ │ │
│ │ │ │ AuthService │ │TokenService│ │DomainService │ │ │ │
│ │ │ │ - Auth flow │ │ - Token │ │ - Domain │ │ │
│ │ │ │ - Email send │ │ creation │ │ validation │ │ │
│ │ │ │ - Code gen │ │ - Token │ │ - TXT record │ │ │
│ │ │ │ │ │ verify │ │ check │ │ │
│ │ │ └───────────────┘ └────────────┘ └──────────────┘ │ │ │
│ │ └────────────────────────┬───────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌────────────────────────▼──────────────────────────────┐ │ │
│ │ │ Storage Layer │ │ │
│ │ │ ┌──────────────────┐ ┌────────────────────────┐ │ │ │
│ │ │ │ SQLite Database │ │ In-Memory Store │ │ │ │
│ │ │ │ - Tokens │ │ - Auth codes (10min) │ │ │ │
│ │ │ │ - Domains │ │ - Email codes (15min)│ │ │ │
│ │ │ └──────────────────┘ └────────────────────────┘ │ │ │
│ │ └───────────────────────────────────────────────────────┘ │ │
│ └────────────────────────────────────────────────────────────┘ │
└──────────┬──────────────────────────────────────┬───────────────┘
│ SMTP │ DNS
▼ ▼
┌────────────────┐ ┌──────────────────┐
│ Email Server │ │ DNS Provider │
│ (external) │ │ (external) │
└────────────────┘ └──────────────────┘
```
### Component Responsibilities
#### HTTP Endpoints Layer
Handles all HTTP concerns:
- Request validation (Pydantic models)
- Parameter parsing and type coercion
- HTTP response formatting
- Error responses (OAuth 2.0 compliant)
- CORS headers
- Rate limiting (future)
#### Business Logic Layer (Services)
Contains all domain logic, completely independent of HTTP:
**AuthService**:
- Authorization flow orchestration
- Email verification code generation and validation
- Authorization code generation (cryptographically secure)
- User consent management
- PKCE support (future)
**TokenService**:
- Access token generation (JWT or opaque)
- Token validation and introspection
- Token revocation (future)
- Token refresh (future)
**DomainService**:
- Domain ownership validation
- DNS TXT record checking
- Domain normalization
- Security validation (prevent open redirects)
#### Storage Layer
Provides data persistence:
**SQLite Database**:
- Access tokens (long-lived)
- Verified domains
- Audit logs
- Configuration
**In-Memory Store**:
- Authorization codes (TTL: 10 minutes)
- Email verification codes (TTL: 15 minutes)
- Rate limit counters (future)
### Data Flow: Authorization Flow
```
1. Client → /authorize
2. Gondulf validates client_id, redirect_uri, state
3. Gondulf checks domain ownership (TXT record or cached)
4. User enters email address for their domain
5. Gondulf sends verification code to email
6. User enters code
7. Gondulf generates authorization code
8. Gondulf redirects to client with code + state
9. Client → /token with code
10. Gondulf validates code, generates access token
11. Gondulf returns token + me (user's domain)
```
## Deployment Model
### Target Deployment
- **Platform**: Docker container
- **Scale**: 10s of users initially
- **Process Model**: Single uvicorn process (sufficient for MVP)
- **File System**:
- `/data/gondulf.db` - SQLite database
- `/data/backups/` - Database backups
- `/app/` - Application code
### Configuration Management
- **Environment Variables**: All configuration via environment
- **Secrets**: Loaded from environment (SECRET_KEY, SMTP credentials)
- **Config Validation**: Pydantic Settings validates on startup
### Backup Strategy
Simple file-based SQLite backups:
- Daily automated backups of `gondulf.db`
- Backup rotation (keep last 7 days)
- Simple shell script + cron
- Future: S3/object storage support
## Security Architecture
### Authentication Method (v1.0.0)
**Email-based verification only**:
- User provides email address for their domain
- Server sends time-limited verification code
- User enters code to prove email access
- No password storage
- No external identity providers in v1.0.0
### Domain Ownership Validation
**Two-tier validation**:
1. **TXT Record (preferred)**:
- Admin adds TXT record: `_gondulf.example.com` = `verified`
- Server checks DNS before first use
- Result cached in database
- Periodic re-verification (configurable)
2. **Email-based (alternative)**:
- If no TXT record, fall back to email verification
- Email must be at verified domain (e.g., `admin@example.com`)
- Less secure but more accessible for users
### Token Security
- **Generation**: Cryptographically secure random tokens (secrets.token_urlsafe)
- **Storage**: Hashed in database (SHA-256)
- **Transmission**: HTTPS only (enforced in production)
- **Expiration**: Configurable (default 1 hour)
- **Validation**: Constant-time comparison (prevent timing attacks)
### Privacy Principles
**Minimal Data Collection**:
- NEVER store email addresses beyond verification flow
- NEVER log user personal data
- Store only:
- Domain name (user's identity)
- Token hashes (security)
- Timestamps (auditing)
- Client IDs (protocol requirement)
## Operational Architecture
### Logging Strategy
**Structured logging** with appropriate levels:
- **INFO**: Normal operations (auth success, token issued)
- **WARNING**: Suspicious activity (failed validations, rate limit near)
- **ERROR**: Failures requiring investigation (email send failed, DNS timeout)
- **CRITICAL**: System failures (database unavailable, config invalid)
**Log fields**:
- Timestamp (ISO 8601)
- Level
- Event type
- Domain (never email)
- Client ID
- Request ID (correlation)
**Privacy**:
- NEVER log email addresses
- NEVER log full tokens (only first 8 chars for correlation)
- NEVER log user-agent or IP in production (GDPR)
### Monitoring (Future)
- Health check endpoint: `/health`
- Metrics endpoint: `/metrics` (Prometheus format)
- Key metrics:
- Authorization requests/min
- Token generation rate
- Email delivery success rate
- Domain validation cache hit rate
- Error rate by type
## Upgrade Paths
### Future Enhancements (Post v1.0.0)
**Persistence Layer**:
- Add Redis for distributed sessions
- Support PostgreSQL for larger deployments
- No code changes required (SQLAlchemy abstraction)
**Authentication Methods**:
- GitHub/GitLab provider support
- IndieAuth delegation
- WebAuthn for passwordless
- All additive, no breaking changes
**Protocol Features**:
- Token refresh
- Token revocation endpoint
- Scope management (authorization)
- Dynamic client registration
**Operational**:
- Multi-process deployment (gunicorn)
- Horizontal scaling (with Redis)
- Metrics and monitoring
- Admin dashboard
## Constraints and Trade-offs
### Conscious Simplifications (v1.0.0)
1. **No Redis**: In-memory storage acceptable for single-process deployment
- Trade-off: Lose codes on restart (acceptable for 10-minute TTL)
- Upgrade path: Add Redis when scaling needed
2. **No client pre-registration**: Domain-based validation sufficient
- Trade-off: Must validate client_id on every request
- Mitigation: Cache validation results
3. **Email-only authentication**: Simplest secure method
- Trade-off: Requires SMTP configuration
- Upgrade path: Add providers in future releases
4. **SQLite database**: Perfect for small deployments
- Trade-off: No built-in replication
- Upgrade path: Migrate to PostgreSQL when needed
5. **Single process**: No distributed coordination needed
- Trade-off: Limited concurrent capacity
- Upgrade path: Add Redis + gunicorn when scaling
### Non-Negotiable Requirements
1. **W3C IndieAuth compliance**: Full protocol compliance required
2. **Security best practices**: No shortcuts on security
3. **HTTPS in production**: Required for OAuth 2.0 security
4. **Minimal data collection**: Privacy by design
5. **Comprehensive testing**: 80%+ coverage minimum
## Documentation Structure
### For Developers
- `/docs/architecture/` - This directory
- `/docs/designs/` - Feature-specific designs
- `/docs/decisions/` - Architecture Decision Records
### For Operators
- `README.md` - Installation and usage
- `/docs/operations/` - Deployment guides (future)
- Environment variable reference (future)
### For Protocol Compliance
- `/docs/architecture/indieauth-protocol.md` - Protocol implementation
- `/docs/architecture/security.md` - Security model
- Test suite demonstrating compliance
## Next Steps
See `/docs/roadmap/v1.0.0.md` for the MVP feature set and implementation plan.
Key architectural documents to review:
- `/docs/architecture/indieauth-protocol.md` - Protocol design
- `/docs/architecture/security.md` - Security design
- `/docs/roadmap/backlog.md` - Feature prioritization

371
docs/architecture/phase1-clarifications.md Normal file
View File

@@ -0,0 +1,371 @@
# Phase 1 Implementation Clarifications
Date: 2024-11-20
This document provides specific answers to Developer's clarification questions for Phase 1 implementation.
## 1. Configuration Management - Environment Variables
**Decision**: YES - Use the `GONDULF_` prefix for all environment variables.
**Complete environment variable specification**:
```bash
# Required - no defaults
GONDULF_SECRET_KEY=<generate-with-secrets.token_urlsafe(32)>
# Database
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
# SMTP Configuration
GONDULF_SMTP_HOST=localhost
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=
GONDULF_SMTP_PASSWORD=
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
# Token and Code Expiry (seconds)
GONDULF_TOKEN_EXPIRY=3600
GONDULF_CODE_EXPIRY=600
# Logging
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
**Implementation Requirements**:
- Create `.env.example` with all variables documented
- Use `python-dotenv` for loading (already in requirements.txt)
- Validate `GONDULF_SECRET_KEY` exists on startup (fail fast if missing)
- All other variables should have sensible defaults as shown above
**See Also**: ADR 0004 - Configuration Management Strategy
---
## 2. Database Schema - Tables for Phase 1
**Decision**: Create exactly THREE tables in Phase 1.
### Table 1: `authorization_codes`
```sql
CREATE TABLE authorization_codes (
code TEXT PRIMARY KEY,
client_id TEXT NOT NULL,
redirect_uri TEXT NOT NULL,
state TEXT,
code_challenge TEXT,
code_challenge_method TEXT,
scope TEXT,
me TEXT NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
```
### Table 2: `domains`
```sql
CREATE TABLE domains (
domain TEXT PRIMARY KEY,
email TEXT NOT NULL,
verification_code TEXT NOT NULL,
verified BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
verified_at TIMESTAMP
);
```
### Table 3: `migrations`
```sql
CREATE TABLE migrations (
version INTEGER PRIMARY KEY,
description TEXT NOT NULL,
applied_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
```
**Do NOT create**:
- Audit tables (use logging instead)
- Token tables (Phase 2)
- Client tables (Phase 3)
**Implementation Requirements**:
- Create `src/gondulf/database/migrations/` directory
- Create `001_initial_schema.sql` with above schema
- Migration runner should track applied migrations in `migrations` table
- Use simple sequential versioning: 001, 002, 003, etc.
**See Also**: ADR 0005 - Phase 1 Database Schema
---
## 3. In-Memory Storage - Implementation Details
**Decision**: Option B - Standard dict with manual expiration check on access.
**Rationale**:
- Simplest implementation
- No background threads or complexity
- Codes are short-lived (10 minutes), so memory cleanup isn't critical
- Lazy deletion on access is sufficient
**Implementation Specification**:
```python
class CodeStore:
"""In-memory storage for domain verification codes with TTL."""
def __init__(self, ttl_seconds: int = 600):
self._store: dict[str, tuple[str, float]] = {}
self._ttl = ttl_seconds
def store(self, email: str, code: str) -> None:
"""Store verification code with expiry timestamp."""
expiry = time.time() + self._ttl
self._store[email] = (code, expiry)
def verify(self, email: str, code: str) -> bool:
"""Verify code and remove from store."""
if email not in self._store:
return False
stored_code, expiry = self._store[email]
# Check expiration
if time.time() > expiry:
del self._store[email]
return False
# Check code match
if code != stored_code:
return False
# Valid - remove from store
del self._store[email]
return True
```
**Expiration cleanup**: On read only. No background cleanup needed.
**Configuration**: Use `GONDULF_CODE_EXPIRY=600` (10 minutes default)
---
## 4. Email Service - SMTP TLS/STARTTLS
**Decision**: Support both via port-based configuration (Option B variant).
**Configuration**:
```bash
GONDULF_SMTP_HOST=smtp.gmail.com
GONDULF_SMTP_PORT=587 # or 465 for implicit TLS
GONDULF_SMTP_USERNAME=user@gmail.com
GONDULF_SMTP_PASSWORD=app-password
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
```
**Implementation Logic**:
```python
if smtp_port == 465:
# Implicit TLS
server = smtplib.SMTP_SSL(smtp_host, smtp_port)
elif smtp_port == 587 and smtp_use_tls:
# STARTTLS
server = smtplib.SMTP(smtp_host, smtp_port)
server.starttls()
else:
# Unencrypted (testing only)
server = smtplib.SMTP(smtp_host, smtp_port)
if smtp_username and smtp_password:
server.login(smtp_username, smtp_password)
```
**Defaults**: Port 587 with STARTTLS (most common)
**See Also**: ADR 0006 - Email SMTP Configuration
---
## 5. DNS Service - Resolver Configuration
**Decision**: Option C - Use system DNS with fallback to public DNS.
**Rationale**:
- Respects system configuration (good citizenship)
- Fallback to reliable public DNS if system fails
- No configuration needed for most users
- Works in containerized environments
**Implementation Specification**:
```python
import dns.resolver
def create_resolver() -> dns.resolver.Resolver:
"""Create DNS resolver with system DNS and public fallbacks."""
resolver = dns.resolver.Resolver()
# Try system DNS first (resolver.nameservers is already populated)
# If you need to explicitly set fallbacks:
if not resolver.nameservers:
# Fallback to public DNS if system DNS not available
resolver.nameservers = ['8.8.8.8', '1.1.1.1']
return resolver
```
**No environment variable needed** - keep it simple and use system defaults.
**Timeout configuration**: Use dnspython defaults (2 seconds per nameserver)
---
## 6. Logging Configuration - Log Levels and Format
**Decision**: Option B - Standard Python logging with structured fields.
**Format**:
```
%(asctime)s [%(levelname)s] %(name)s: %(message)s
```
**Example output**:
```
2024-11-20 10:30:45,123 [INFO] gondulf.domain: Domain verification requested domain=example.com email=user@example.com
2024-11-20 10:30:46,456 [INFO] gondulf.auth: Authorization code generated client_id=https://app.example.com me=https://example.com
```
**Log Levels**:
- **Development** (`GONDULF_DEBUG=true`): `DEBUG`
- **Production** (`GONDULF_DEBUG=false`): `INFO`
- Configurable via `GONDULF_LOG_LEVEL=INFO|DEBUG|WARNING|ERROR`
**Implementation**:
```python
import logging
# Configure root logger
log_level = os.getenv('GONDULF_LOG_LEVEL', 'DEBUG' if debug else 'INFO')
logging.basicConfig(
level=log_level,
format='%(asctime)s [%(levelname)s] %(name)s: %(message)s',
datefmt='%Y-%m-%d %H:%M:%S'
)
# Get logger for module
logger = logging.getLogger('gondulf.domain')
# Log with structured information
logger.info(f"Domain verification requested domain={domain} email={email}")
```
**Output**: stdout/stderr (let deployment environment handle log files)
**See Also**: ADR 0007 - Logging Strategy for v1.0.0
---
## 7. Health Check Endpoint
**Decision**: Option B - Check database connectivity.
**Rationale**:
- Must verify database is accessible (critical dependency)
- Email and DNS are used on-demand, not required for health
- Keep it simple - one critical check
- Fast response time
**Endpoint Specification**:
```
GET /health
```
**Response - Healthy**:
```json
{
"status": "healthy",
"database": "connected"
}
```
Status Code: 200
**Response - Unhealthy**:
```json
{
"status": "unhealthy",
"database": "error",
"error": "unable to connect to database"
}
```
Status Code: 503
**Implementation**:
- Execute simple query: `SELECT 1` against database
- Timeout: 5 seconds
- No authentication required for health check
- Log failures at WARNING level
---
## 8. Database File Location
**Decision**: Option C - Configurable via `GONDULF_DATABASE_URL` with smart defaults.
**Configuration**:
```bash
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
```
**Path Resolution**:
- Relative paths resolved from current working directory
- Absolute paths used as-is
- Default: `./data/gondulf.db` (relative to cwd)
**Data Directory Creation**:
```python
from pathlib import Path
from urllib.parse import urlparse
def ensure_database_directory(database_url: str) -> None:
"""Create database directory if it doesn't exist."""
if database_url.startswith('sqlite:///'):
# Parse path from URL
db_path = database_url.replace('sqlite:///', '', 1)
db_file = Path(db_path)
# Create parent directory if needed
db_file.parent.mkdir(parents=True, exist_ok=True)
```
**Call this on application startup** before any database operations.
**Deployment Examples**:
Development:
```bash
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
```
Production (Docker):
```bash
GONDULF_DATABASE_URL=sqlite:////data/gondulf.db
```
Production (systemd):
```bash
GONDULF_DATABASE_URL=sqlite:////var/lib/gondulf/gondulf.db
```
---
## Summary
All 8 questions have been answered with specific implementation details. Key ADRs created:
- ADR 0004: Configuration Management
- ADR 0005: Phase 1 Database Schema
- ADR 0006: Email SMTP Configuration
- ADR 0007: Logging Strategy
The Developer now has complete, unambiguous specifications to proceed with Phase 1 implementation.

863
docs/architecture/security.md Normal file
View File

@@ -0,0 +1,863 @@
# Security Architecture
## Security Philosophy
Gondulf follows a defense-in-depth security model with these core principles:
1. **Secure by Default**: Security features enabled out of the box
2. **Fail Securely**: Errors default to denying access, not granting it
3. **Least Privilege**: Collect and store minimum necessary data
4. **Transparency**: Security decisions documented and auditable
5. **Standards Compliance**: Follow OAuth 2.0 and IndieAuth security best practices
## Threat Model
### Assets to Protect
**Primary Assets**:
- User domain identities (the `me` parameter)
- Access tokens (prove user identity to clients)
- Authorization codes (short-lived, exchange for tokens)
**Secondary Assets**:
- Email verification codes (prove email ownership)
- Domain verification status (cached TXT record checks)
- Client metadata (cached application information)
**Explicitly NOT Protected** (by design):
- Passwords (none stored)
- Personal user data beyond domain (privacy principle)
- Client secrets (OAuth 2.0 public clients)
### Threat Actors
**External Attackers**:
- Phishing attempts (fake clients)
- Token theft (network interception)
- Open redirect exploitation
- CSRF attacks
- Brute force attacks (code guessing)
**Compromised Clients**:
- Malicious client applications
- Client impersonation
- Redirect URI manipulation
**System Compromise**:
- Database access (SQLite file theft)
- Server memory access (in-memory code theft)
- Log file access (token exposure)
### Out of Scope (v1.0.0)
- DDoS attacks (handled by infrastructure)
- Zero-day vulnerabilities in dependencies
- Physical access to server
- Social engineering attacks on users
- DNS hijacking (external to application)
## Authentication Security
### Email-Based Verification (v1.0.0)
**Mechanism**: Users prove domain ownership by receiving verification code at email address on that domain.
#### Threat: Email Interception
**Risk**: Attacker intercepts email containing verification code.
**Mitigations**:
1. **Short Code Lifetime**: 15-minute expiration
2. **Single Use**: Code invalidated after verification
3. **Rate Limiting**: Max 3 code requests per email per hour
4. **TLS Email Delivery**: Require STARTTLS for SMTP
5. **Display Warning**: "Only request code if you initiated this login"
**Residual Risk**: Acceptable for v1.0.0 given short lifetime and single-use.
#### Threat: Code Brute Force
**Risk**: Attacker guesses 6-digit verification code.
**Mitigations**:
1. **Sufficient Entropy**: 1,000,000 possible codes (6 digits)
2. **Attempt Limiting**: Max 3 attempts per email
3. **Short Lifetime**: 15-minute window
4. **Rate Limiting**: Max 10 attempts per IP per hour
5. **Exponential Backoff**: 5-second delay after each failed attempt
**Math**:
- 3 attempts × 1,000,000 codes = 0.0003% success probability
- 15-minute window limits attack time
- Rate limiting prevents distributed guessing
**Residual Risk**: Very low, acceptable for v1.0.0.
#### Threat: Email Address Enumeration
**Risk**: Attacker discovers which domains are registered by requesting codes.
**Mitigations**:
1. **Consistent Response**: Always say "If email exists, code sent"
2. **No Error Differentiation**: Same message for valid/invalid emails
3. **Rate Limiting**: Prevent bulk enumeration
**Residual Risk**: Minimal, domain names are public anyway (DNS).
### Domain Ownership Verification
#### TXT Record Validation (Preferred)
**Mechanism**: Admin adds DNS TXT record `_gondulf.example.com` = `verified`.
**Security Properties**:
- Requires DNS control (stronger than email)
- Verifiable without user interaction
- Cacheable for performance
- Re-verifiable periodically
**Threat: DNS Spoofing**
**Mitigations**:
1. **DNSSEC**: Validate DNSSEC signatures if available
2. **Multiple Resolvers**: Query 2+ DNS servers, require consensus
3. **Caching**: Cache valid results, re-verify daily
4. **Logging**: Log all DNS verification attempts
**Implementation**:
```python
import dns.resolver
import dns.dnssec
def verify_txt_record(domain: str) -> bool:
"""
Verify _gondulf.{domain} TXT record exists with value 'verified'.
"""
try:
# Use Google and Cloudflare DNS for redundancy
resolvers = ['8.8.8.8', '1.1.1.1']
results = []
for resolver_ip in resolvers:
resolver = dns.resolver.Resolver()
resolver.nameservers = [resolver_ip]
resolver.timeout = 5
resolver.lifetime = 5
answers = resolver.resolve(f'_gondulf.{domain}', 'TXT')
for rdata in answers:
txt_value = rdata.to_text().strip('"')
if txt_value == 'verified':
results.append(True)
break
# Require consensus from both resolvers
return len(results) >= 2
except Exception as e:
logger.warning(f"DNS verification failed for {domain}: {e}")
return False
```
**Residual Risk**: Low, DNS is foundational internet infrastructure.
## Authorization Security
### Authorization Code Security
**Properties**:
- **Length**: 32 bytes (256 bits of entropy)
- **Generation**: `secrets.token_urlsafe(32)` (cryptographically secure)
- **Lifetime**: 10 minutes maximum (per W3C spec)
- **Single-Use**: Invalidated immediately after exchange
- **Binding**: Tied to client_id, redirect_uri, me
#### Threat: Authorization Code Interception
**Risk**: Attacker intercepts code from redirect URL.
**Mitigations (v1.0.0)**:
1. **HTTPS Only**: Enforce TLS for all communications
2. **Short Lifetime**: 10-minute expiration
3. **Single Use**: Code invalidated after first use
4. **State Binding**: Client validates state parameter (CSRF protection)
**Mitigations (Future - PKCE)**:
1. **Code Challenge**: Client sends hash of secret with auth request
2. **Code Verifier**: Client proves knowledge of secret on token exchange
3. **No Interception Value**: Code useless without original secret
**ADR-003 Decision**: PKCE deferred to v1.1.0 to maintain MVP simplicity.
**Residual Risk**: Low with HTTPS + short lifetime, minimal with PKCE (future).
#### Threat: Code Replay Attack
**Risk**: Attacker reuses previously valid authorization code.
**Mitigations**:
1. **Single-Use Enforcement**: Mark code as used in storage
2. **Immediate Invalidation**: Delete code after exchange
3. **Concurrent Use Detection**: Log warning if used code presented again
**Implementation**:
```python
def exchange_code(code: str) -> Optional[dict]:
"""
Exchange authorization code for token.
Returns None if code invalid, expired, or already used.
"""
# Retrieve code data
code_data = code_storage.get(code)
if not code_data:
logger.warning("Code not found or expired")
return None
# Check if already used
if code_data.get('used'):
logger.error(f"Code replay attack detected: {code[:8]}...")
# SECURITY: Potential replay attack, alert admin
return None
# Mark as used IMMEDIATELY (before token generation)
code_data['used'] = True
code_storage.set(code, code_data)
# Generate token
return generate_token(code_data)
```
**Residual Risk**: Negligible.
### Access Token Security
**Properties**:
- **Format**: Opaque tokens (v1.0.0), not JWT
- **Length**: 32 bytes (256 bits of entropy)
- **Generation**: `secrets.token_urlsafe(32)`
- **Storage**: SHA-256 hash only (never plaintext)
- **Lifetime**: 1 hour default (configurable)
- **Transmission**: HTTPS only, Bearer authentication
#### Threat: Token Theft
**Risk**: Attacker steals access token from storage or transmission.
**Mitigations**:
1. **TLS Enforcement**: HTTPS only in production
2. **Hashed Storage**: Store SHA-256 hash, not plaintext
3. **Short Lifetime**: 1-hour expiration (configurable)
4. **Revocation**: Admin can revoke tokens (future)
5. **Secure Headers**: Set Cache-Control: no-store, Pragma: no-cache
**Token Storage**:
```python
import hashlib
import secrets
def generate_token(me: str, client_id: str) -> str:
"""
Generate access token and store hash in database.
"""
# Generate token (returned to client, never stored)
token = secrets.token_urlsafe(32)
# Store only hash (irreversible)
token_hash = hashlib.sha256(token.encode()).hexdigest()
db.execute('''
INSERT INTO tokens (token_hash, me, client_id, scope, issued_at, expires_at)
VALUES (?, ?, ?, ?, ?, ?)
''', (token_hash, me, client_id, "", datetime.utcnow(), expires_at))
return token
```
**Residual Risk**: Low, tokens useless if hashing is secure.
#### Threat: Timing Attacks on Token Verification
**Risk**: Attacker uses timing differences to guess valid tokens character-by-character.
**Mitigations**:
1. **Constant-Time Comparison**: Use `secrets.compare_digest()`
2. **Hash Comparison**: Compare hashes, not tokens
3. **Logging Delays**: Random delay on failed validation
**Implementation**:
```python
import secrets
import hashlib
def verify_token(provided_token: str) -> Optional[dict]:
"""
Verify access token using constant-time comparison.
"""
# Hash provided token
provided_hash = hashlib.sha256(provided_token.encode()).hexdigest()
# Lookup in database
token_data = db.query_one('''
SELECT me, client_id, scope, expires_at, revoked
FROM tokens
WHERE token_hash = ?
''', (provided_hash,))
if not token_data:
return None
# Constant-time comparison (even though we use SQL =, hash mismatch protection)
# The comparison happens in SQL, but we add extra layer here
if not secrets.compare_digest(provided_hash, provided_hash):
# This always passes, but ensures constant-time code path
pass
# Check expiration
if datetime.utcnow() > token_data['expires_at']:
return None
# Check revocation
if token_data.get('revoked'):
return None
return token_data
```
**Residual Risk**: Negligible.
## Input Validation
### URL Validation Security
**Critical**: Improper URL validation enables phishing and open redirect attacks.
#### Threat: Open Redirect via redirect_uri
**Risk**: Attacker tricks user into authorizing malicious redirect_uri, steals authorization code.
**Mitigations**:
1. **Domain Matching**: Require redirect_uri domain match client_id domain
2. **Subdomain Validation**: Allow subdomains of client_id domain
3. **Registered URIs**: Future feature to pre-register alternate domains
4. **User Warning**: Display warning if domains differ
5. **HTTPS Enforcement**: Require HTTPS for non-localhost
**Validation Logic**:
```python
def validate_redirect_uri(redirect_uri: str, client_id: str, registered_uris: list) -> tuple[bool, str]:
"""
Validate redirect_uri against client_id.
Returns (is_valid, warning_message).
"""
redirect_parsed = urlparse(redirect_uri)
client_parsed = urlparse(client_id)
# Must be HTTPS (except localhost)
if redirect_parsed.hostname != 'localhost':
if redirect_parsed.scheme != 'https':
return False, "redirect_uri must use HTTPS"
redirect_domain = redirect_parsed.hostname.lower()
client_domain = client_parsed.hostname.lower()
# Exact match: OK
if redirect_domain == client_domain:
return True, ""
# Subdomain: OK
if redirect_domain.endswith('.' + client_domain):
return True, ""
# Registered URI: OK (future)
if redirect_uri in registered_uris:
return True, ""
# Different domain: WARNING
warning = f"Warning: Redirect to different domain ({redirect_domain})"
return True, warning # Allow but warn user
```
**Residual Risk**: Low, user must approve redirect with warning.
#### Threat: Phishing via Malicious client_id
**Risk**: Attacker uses client_id of legitimate-looking domain (typosquatting).
**Mitigations**:
1. **Display Full URL**: Show complete client_id to user, not just app name
2. **Fetch Verification**: Verify client_id is fetchable (real domain)
3. **Subdomain Check**: Warn if client_id is subdomain of well-known domain
4. **Certificate Validation**: Verify SSL certificate validity
5. **User Education**: Inform users to verify client_id carefully
**UI Display**:
```
Sign in to:
Application Name (if available)
https://client.example.com ← Full URL always displayed
Redirect to:
https://client.example.com/callback
```
**Residual Risk**: Moderate, requires user vigilance.
#### Threat: URL Parameter Injection
**Risk**: Attacker injects malicious parameters via crafted URLs.
**Mitigations**:
1. **Pydantic Validation**: Use Pydantic models for all parameters
2. **Type Enforcement**: Strict type checking (str, not any)
3. **Allowlist Validation**: Only accept expected parameters
4. **SQL Parameterization**: Use parameterized queries (prevent SQL injection)
5. **HTML Encoding**: Encode all user input in HTML responses
**Pydantic Models**:
```python
from pydantic import BaseModel, HttpUrl, Field
class AuthorizeRequest(BaseModel):
me: HttpUrl
client_id: HttpUrl
redirect_uri: HttpUrl
state: str = Field(min_length=1, max_length=512)
response_type: Literal["code"]
scope: str = "" # Optional, ignored in v1.0.0
class Config:
extra = "forbid" # Reject unknown parameters
```
**Residual Risk**: Minimal, Pydantic provides strong validation.
### Email Validation
#### Threat: Email Injection Attacks
**Risk**: Attacker injects SMTP commands via email address field.
**Mitigations**:
1. **Format Validation**: Strict email regex (RFC 5322)
2. **Domain Matching**: Require email domain match `me` domain
3. **SMTP Library**: Use well-tested library (smtplib)
4. **Content Encoding**: Encode email content properly
5. **Rate Limiting**: Prevent abuse
**Validation**:
```python
import re
from email.utils import parseaddr
def validate_email(email: str, required_domain: str) -> tuple[bool, str]:
"""
Validate email address and domain match.
"""
# Parse email (RFC 5322 compliant)
name, addr = parseaddr(email)
# Basic format check
email_regex = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
if not re.match(email_regex, addr):
return False, "Invalid email format"
# Extract domain
email_domain = addr.split('@')[1].lower()
required_domain = required_domain.lower()
# Domain must match
if email_domain != required_domain:
return False, f"Email must be at {required_domain}"
return True, ""
```
**Residual Risk**: Low, standard validation patterns.
## Network Security
### TLS/HTTPS Enforcement
**Production Requirements**:
- All endpoints MUST use HTTPS
- Minimum TLS 1.2 (prefer TLS 1.3)
- Strong cipher suites only
- Valid SSL certificate (not self-signed)
**Configuration**:
```python
# In production configuration
if not DEBUG:
# Enforce HTTPS
app.add_middleware(HTTPSRedirectMiddleware)
# Add security headers
app.add_middleware(
SecureHeadersMiddleware,
hsts="max-age=31536000; includeSubDomains",
content_security_policy="default-src 'self'",
x_frame_options="DENY",
x_content_type_options="nosniff"
)
```
**Development Exception**:
- HTTP allowed for `localhost` only
- Never in production
**Residual Risk**: Negligible if properly configured.
### Security Headers
**Required Headers**:
```http
# Prevent clickjacking
X-Frame-Options: DENY
# Prevent MIME sniffing
X-Content-Type-Options: nosniff
# XSS protection (legacy browsers)
X-XSS-Protection: 1; mode=block
# HSTS (HTTPS enforcement)
Strict-Transport-Security: max-age=31536000; includeSubDomains
# CSP (limit resource loading)
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
# Referrer policy (privacy)
Referrer-Policy: strict-origin-when-cross-origin
```
**Implementation**:
```python
@app.middleware("http")
async def add_security_headers(request: Request, call_next):
response = await call_next(request)
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-XSS-Protection"] = "1; mode=block"
if not DEBUG:
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
return response
```
## Data Security
### Data Minimization (Privacy)
**Principle**: Collect and store ONLY essential data.
**Stored Data**:
- ✅ Domain name (user identity, required)
- ✅ Token hashes (security, required)
- ✅ Client IDs (protocol, required)
- ✅ Timestamps (auditing, required)
**Never Stored**:
- ❌ Email addresses (after verification)
- ❌ Plaintext tokens
- ❌ User-Agent strings
- ❌ IP addresses (except rate limiting, temporary)
- ❌ Browsing history
- ❌ Personal information
**Email Handling**:
```python
# Email stored ONLY during verification (in-memory, 15-min TTL)
verification_codes[code_id] = {
"email": email, # ← Exists ONLY here, NEVER in database
"code": code,
"expires_at": datetime.utcnow() + timedelta(minutes=15)
}
# After verification: email is deleted, only domain stored
db.execute('''
INSERT INTO domains (domain, verification_method, verified_at)
VALUES (?, 'email', ?)
''', (domain, datetime.utcnow()))
# Note: NO email address in database
```
### Database Security
**SQLite Security**:
1. **File Permissions**: 600 (owner read/write only)
2. **Encryption at Rest**: Use encrypted filesystem (LUKS, dm-crypt)
3. **Backup Encryption**: Encrypt backup files (GPG)
4. **SQL Injection Prevention**: Parameterized queries only
**Parameterized Queries**:
```python
# GOOD: Parameterized (safe)
db.execute(
"SELECT * FROM tokens WHERE token_hash = ?",
(token_hash,)
)
# BAD: String interpolation (vulnerable)
db.execute(
f"SELECT * FROM tokens WHERE token_hash = '{token_hash}'"
) # ← NEVER DO THIS
```
**File Permissions**:
```bash
# Set restrictive permissions
chmod 600 /data/gondulf.db
chown gondulf:gondulf /data/gondulf.db
```
### Logging Security
**Principle**: Log security events, NEVER log sensitive data.
**Log Security Events**:
- ✅ Failed authentication attempts
- ✅ Authorization grants (domain + client_id)
- ✅ Token generation (hash prefix only)
- ✅ Email verification attempts
- ✅ DNS verification results
- ✅ Error conditions
**Never Log**:
- ❌ Email addresses (PII)
- ❌ Full access tokens
- ❌ Verification codes
- ❌ Authorization codes
- ❌ IP addresses (production)
**Safe Logging Examples**:
```python
# GOOD: Domain only (public information)
logger.info(f"Authorization granted for {domain} to {client_id}")
# GOOD: Token prefix for correlation
logger.debug(f"Token generated: {token[:8]}...")
# GOOD: Error without sensitive data
logger.error(f"Email send failed for domain {domain}")
# BAD: Email address (PII)
logger.info(f"Verification sent to {email}") # ← NEVER
# BAD: Full token (security)
logger.debug(f"Token: {token}") # ← NEVER
```
## Dependency Security
### Dependency Management
**Principles**:
1. **Minimal Dependencies**: Prefer standard library
2. **Vetted Libraries**: Only well-maintained, popular libraries
3. **Version Pinning**: Pin exact versions in requirements.txt
4. **Security Scanning**: Regular vulnerability scanning
5. **Update Strategy**: Security patches applied promptly
**Security Scanning**:
```bash
# Scan for known vulnerabilities
uv run pip-audit
# Alternative: safety check
uv run safety check
```
**Update Policy**:
- **Security patches**: Apply within 24 hours (critical), 7 days (high)
- **Minor versions**: Review and test before updating
- **Major versions**: Evaluate breaking changes, test thoroughly
### Secrets Management
**Environment Variables** (v1.0.0):
```bash
# Required secrets
GONDULF_SECRET_KEY=<256-bit random value>
GONDULF_SMTP_PASSWORD=<SMTP password>
# Optional secrets
GONDULF_DATABASE_ENCRYPTION_KEY=<for encrypted backups>
```
**Secret Generation**:
```bash
# Generate SECRET_KEY (256 bits)
python -c "import secrets; print(secrets.token_urlsafe(32))"
```
**Storage**:
- Development: `.env` file (not committed)
- Production: Docker secrets or environment variables
- Never hardcode secrets in code
**Future**: Integrate with HashiCorp Vault or AWS Secrets Manager.
## Rate Limiting (Future)
**v1.0.0**: Not implemented (acceptable for small deployments).
**Future Implementation**:
| Endpoint | Limit | Window | Key |
|----------|-------|--------|-----|
| /authorize | 10 requests | 1 minute | IP |
| /token | 30 requests | 1 minute | client_id |
| Email verification | 3 codes | 1 hour | email |
| Code submission | 3 attempts | 15 minutes | session |
**Implementation Strategy**:
- Use Redis for distributed rate limiting
- Token bucket algorithm
- Exponential backoff on failures
## Security Testing
### Required Security Tests
1. **Input Validation**:
- Malformed URLs (me, client_id, redirect_uri)
- SQL injection attempts
- XSS attempts
- Email injection
2. **Authentication**:
- Expired code rejection
- Used code rejection
- Invalid code rejection
- Brute force resistance
3. **Authorization**:
- State parameter validation
- Redirect URI validation
- Open redirect prevention
4. **Token Security**:
- Timing attack resistance
- Token theft scenarios
- Expiration enforcement
5. **TLS/HTTPS**:
- HTTP rejection in production
- Security headers presence
- Certificate validation
### Security Scanning Tools
**Required Tools**:
- `bandit`: Python security linter
- `pip-audit`: Dependency vulnerability scanner
- `pytest`: Security-focused test cases
**CI/CD Integration**:
```yaml
# GitHub Actions example
security:
- name: Run Bandit
run: uv run bandit -r src/gondulf
- name: Scan Dependencies
run: uv run pip-audit
- name: Run Security Tests
run: uv run pytest tests/security/
```
## Incident Response
### Security Event Monitoring
**Monitor For**:
1. Multiple failed authentication attempts
2. Authorization code reuse attempts
3. Invalid token presentation
4. Unusual DNS verification failures
5. Email send failures (potential abuse)
**Alerting** (future):
- Admin email on critical events
- Webhook integration (Slack, Discord)
- Metrics dashboard (Grafana)
### Breach Response Plan (Future)
**If Access Tokens Compromised**:
1. Revoke all active tokens
2. Force re-authentication
3. Notify affected users (via domain)
4. Rotate SECRET_KEY
5. Audit logs for suspicious activity
**If Database Compromised**:
1. Assess data exposure (only hashes + domains)
2. Rotate all tokens
3. Review access logs
4. Notify users if domains exposed
## Compliance Considerations
### GDPR Compliance
**Personal Data Stored**:
- Domain names (considered PII in some jurisdictions)
- Timestamps (associated with domains)
**GDPR Rights**:
- **Right to Access**: Admin can query database
- **Right to Erasure**: Admin can delete domain records
- **Right to Portability**: Data export feature (future)
**Privacy Policy** (required):
- Document what data is collected (domains, timestamps)
- Document how data is used (authentication)
- Document retention policy (indefinite unless deleted)
- Provide contact for data requests
### Security Disclosure
**Security Policy** (future):
- Responsible disclosure process
- Security contact (security@domain)
- GPG key for encrypted reports
- Acknowledgments for researchers
## Security Roadmap
### v1.0.0 (MVP)
- ✅ Email-based authentication
- ✅ TLS/HTTPS enforcement
- ✅ Secure token generation (opaque, hashed)
- ✅ URL validation (open redirect prevention)
- ✅ Input validation (Pydantic)
- ✅ Security headers
- ✅ Minimal data collection
### v1.1.0
- PKCE support (code challenge/verifier)
- Rate limiting (Redis-based)
- Token revocation endpoint
- Enhanced logging
### v1.2.0
- WebAuthn support (passwordless)
- Hardware security key support
- Admin dashboard (audit logs)
- Security metrics
### v2.0.0
- Multi-factor authentication
- Federated identity providers
- Advanced threat detection
- SOC 2 compliance preparation
## References
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- CWE Top 25: https://cwe.mitre.org/top25/