phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(core): implement Phase 1 foundation infrastructure

Browse Source 
Implements Phase 1 Foundation with all core services:

Core Components:
- Configuration management with GONDULF_ environment variables
- Database layer with SQLAlchemy and migration system
- In-memory code storage with TTL support
- Email service with SMTP and TLS support (STARTTLS + implicit TLS)
- DNS service with TXT record verification
- Structured logging with Python standard logging
- FastAPI application with health check endpoint

Database Schema:
- authorization_codes table for OAuth 2.0 authorization codes
- domains table for domain verification
- migrations table for tracking schema versions
- Simple sequential migration system (001_initial_schema.sql)

Configuration:
- Environment-based configuration with validation
- .env.example template with all GONDULF_ variables
- Fail-fast validation on startup
- Sensible defaults for optional settings

Testing:
- 96 comprehensive tests (77 unit, 5 integration)
- 94.16% code coverage (exceeds 80% requirement)
- All tests passing
- Test coverage includes:
  - Configuration loading and validation
  - Database migrations and health checks
  - In-memory storage with expiration
  - Email service (STARTTLS, implicit TLS, authentication)
  - DNS service (TXT records, domain verification)
  - Health check endpoint integration

Documentation:
- Implementation report with test results
- Phase 1 clarifications document
- ADRs for key decisions (config, database, email, logging)

Technical Details:
- Python 3.10+ with type hints
- SQLite with configurable database URL
- System DNS with public DNS fallback
- Port-based TLS detection (465=SSL, 587=STARTTLS)
- Lazy configuration loading for testability

Exit Criteria Met:
✓ All foundation services implemented
✓ Application starts without errors
✓ Health check endpoint operational
✓ Database migrations working
✓ Test coverage exceeds 80%
✓ All tests passing

Ready for Architect review and Phase 2 development.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-20 12:21:42 -07:00
parent 7255867fde
commit bebd47955f
39 changed files with 8134 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/decisions/0004-configuration-management.md Normal file
View File

@@ -0,0 +1,43 @@
# 0004. Configuration Management Strategy
Date: 2024-11-20
## Status
Accepted
## Context
We need a consistent approach to configuration management that is simple, clear, and follows industry standards. The system requires configuration for database, email, secrets, and various runtime parameters.
## Decision
We will use environment variables with the `GONDULF_` prefix for all configuration:
- All environment variables must start with `GONDULF_` to avoid namespace collisions
- Use uppercase with underscores for word separation
- Follow standard naming patterns (e.g., `_URL` for connection strings, `_KEY` for secrets)
- Provide sensible defaults where possible
- Use a single `.env.example` file to document all available configuration
Standard variables:
```
GONDULF_SECRET_KEY=<required - no default>
GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
GONDULF_SMTP_HOST=localhost
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=
GONDULF_SMTP_PASSWORD=
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
GONDULF_TOKEN_EXPIRY=3600
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
## Consequences
### Positive
- Clear namespace prevents collision with other applications
- Standard environment variable pattern familiar to developers
- Easy to configure in various deployment scenarios (Docker, systemd, etc.)
- `.env.example` provides self-documentation
### Negative
- Slightly longer variable names
- Must maintain `.env.example` alongside actual configuration

42
docs/decisions/0005-phase1-database-schema.md Normal file
View File

@@ -0,0 +1,42 @@
# 0005. Phase 1 Database Schema
Date: 2024-11-20
## Status
Accepted
## Context
Phase 1 requires database storage for authorization codes and domain verification. We need to determine which tables to create initially while avoiding over-engineering for future needs.
## Decision
Phase 1 will create exactly three tables:
1. **`authorization_codes`** - Temporary storage for OAuth authorization codes
- Required by IndieAuth authorization flow
- Short-lived (10 minutes expiry)
- Contains: code, client_id, redirect_uri, state, code_challenge, code_challenge_method, scope, created_at
2. **`domains`** - Verified domain ownership records
- Required for domain verification flow
- Stores verification codes and status
- Contains: domain, email, verification_code, verified, created_at, verified_at
3. **`migrations`** - Schema version tracking
- Simple migration tracking
- Contains: version, applied_at, description
We will NOT create in Phase 1:
- Audit/logging tables (use structured logging to files instead)
- Token storage table (tokens are handled in Phase 2)
- Client registration table (Phase 3 feature)
## Consequences
### Positive
- Minimal schema focused on immediate Phase 1 needs
- Easy to understand and test
- Fast database operations with minimal tables
- Can add tables in later phases as features require them
### Negative
- No audit trail in database (rely on application logs)
- Will need migration for Phase 2 token storage

40
docs/decisions/0006-email-smtp-configuration.md Normal file
View File

@@ -0,0 +1,40 @@
# 0006. Email SMTP Configuration
Date: 2024-11-20
## Status
Accepted
## Context
Email service needs SMTP configuration for sending domain verification codes. We need to support common email providers while keeping configuration simple. Modern SMTP typically uses STARTTLS on port 587 or implicit TLS on port 465.
## Decision
Support both STARTTLS and implicit TLS via configuration:
Configuration:
```
GONDULF_SMTP_HOST=smtp.example.com
GONDULF_SMTP_PORT=587
GONDULF_SMTP_USERNAME=user@example.com
GONDULF_SMTP_PASSWORD=secret
GONDULF_SMTP_FROM=noreply@example.com
GONDULF_SMTP_USE_TLS=true
```
Implementation logic:
- If `GONDULF_SMTP_PORT=465`: Use implicit TLS (smtplib.SMTP_SSL)
- If `GONDULF_SMTP_PORT=587` and `GONDULF_SMTP_USE_TLS=true`: Use STARTTLS (smtplib.SMTP with starttls())
- If `GONDULF_SMTP_PORT=25` and `GONDULF_SMTP_USE_TLS=false`: Use unencrypted SMTP (testing only)
Default to port 587 with STARTTLS as the most common modern configuration.
## Consequences
### Positive
- Supports all major email providers (Gmail, SendGrid, Mailgun, etc.)
- Simple configuration with sensible defaults
- Port number determines TLS behavior (intuitive)
- Single USE_TLS flag controls STARTTLS
### Negative
- Slightly more complex than hardcoding one approach
- Must document port/TLS combinations in `.env.example`

54
docs/decisions/0007-logging-strategy.md Normal file
View File

@@ -0,0 +1,54 @@
# 0007. Logging Strategy for v1.0.0
Date: 2024-11-20
## Status
Accepted
## Context
We need structured logging for debugging, security auditing, and operational monitoring. The choice is between JSON-structured logs (machine-parseable), Python's standard logging with structured fields, or simple string logging.
## Decision
Use Python's standard logging module with structured string formatting for v1.0.0:
Format pattern:
```
%(asctime)s [%(levelname)s] %(name)s: %(message)s
```
Structured information in message strings:
```python
logger.info("Domain verification requested", extra={
"domain": domain,
"email": email,
"request_id": request_id
})
```
Log levels:
- **Development**: `DEBUG` (default when `GONDULF_DEBUG=true`)
- **Production**: `INFO` (default)
Configuration:
```
GONDULF_LOG_LEVEL=INFO
GONDULF_DEBUG=false
```
Output: stdout/stderr (let deployment environment handle log collection)
## Consequences
### Positive
- Standard Python logging - no additional dependencies
- Simple to implement and test
- Human-readable for local development
- Structured extras can be extracted if needed later
- Easy to redirect to files or syslog via deployment config
### Negative
- Not as machine-parseable as pure JSON logs
- May need to migrate to structured JSON logging in future versions
- Extra fields may not be captured by all log handlers
## Future Consideration
If operational monitoring requires it, we can migrate to JSON-structured logging in a minor version update without breaking changes.

292
docs/decisions/ADR-003-pkce-deferred-to-v1-1-0.md Normal file
View File

@@ -0,0 +1,292 @@
# ADR-003: PKCE Support Deferred to v1.1.0
Date: 2025-11-20
## Status
Accepted
## Context
PKCE (Proof Key for Code Exchange, RFC 7636) is a security extension to OAuth 2.0 that protects against authorization code interception attacks. It works by having the client generate a random secret, send a hash of it during the authorization request, and prove knowledge of the original secret during token exchange.
### PKCE Security Benefits
1. **Code Interception Protection**: Even if an attacker intercepts the authorization code, they cannot exchange it for a token without the code_verifier
2. **Public Client Security**: Essential for native apps and SPAs where client secrets cannot be stored securely
3. **Best Practice**: OAuth 2.0 Security Best Practices (draft-ietf-oauth-security-topics) recommends PKCE for all clients
### W3C IndieAuth Specification
The current W3C IndieAuth specification (published January 2018) does not mention PKCE. However, PKCE has become a standard security measure in modern OAuth 2.0 implementations since then.
### v1.0.0 Constraints
For the MVP release, we face a simplicity vs. security trade-off:
- Target users: 10s of users initially
- Deployment: Single-process Docker container
- Timeline: 6-8 weeks to v1.0.0
- Focus: Prove core authentication functionality
### PKCE Implementation Effort
**Estimated effort**: 1-2 days
**Required changes**:
1. Accept `code_challenge` and `code_challenge_method` parameters in /authorize endpoint
2. Store code challenge with authorization code
3. Accept `code_verifier` parameter in /token endpoint
4. Validate code_verifier hashes to stored challenge using S256 method
5. Update metadata endpoint to advertise PKCE support
6. Add comprehensive tests
**Complexity**:
- Low technical complexity (straightforward hashing and comparison)
- Well-documented in RFC 7636
- Standard library support (hashlib for SHA-256)
## Decision
**PKCE support is deferred to v1.1.0 and will NOT be included in v1.0.0.**
### Rationale
**Simplicity Over Complexity**:
- v1.0.0 is an MVP focused on proving core authentication functionality
- Every additional feature increases risk and development time
- PKCE adds security but is not required for the W3C IndieAuth specification compliance
- Deferring PKCE reduces v1.0.0 scope without compromising compliance
**Acceptable Risk for MVP**:
- Target deployment: Small scale (10s of users), controlled environment
- Mitigation: HTTPS enforcement + short code lifetime (10 minutes) + single-use codes
- Risk window: 10-minute authorization code lifetime only
- Attack complexity: Requires MITM during specific 10-minute window despite HTTPS
**Clear Upgrade Path**:
- PKCE can be added in v1.1.0 without breaking changes
- Implementation is well-understood and straightforward
- Clients that don't use PKCE will continue working (backward compatible)
**Development Focus**:
- Free up 1-2 days of effort for core functionality
- Reduce testing surface area for MVP
- Simplify initial security review
- Gather real-world usage data before adding complexity
## Consequences
### Positive Consequences
1. **Faster Time to Market**: v1.0.0 ships 1-2 days earlier
2. **Reduced Complexity**: Fewer parameters to validate, fewer edge cases
3. **Simpler Testing**: Smaller test surface area for initial release
4. **Focus**: Development effort concentrated on core authentication flow
5. **Learning Opportunity**: Real-world usage informs PKCE implementation in v1.1.0
### Negative Consequences
1. **Slightly Reduced Security**: Authorization codes vulnerable to interception (mitigated by HTTPS)
2. **Not Best Practice**: Modern OAuth 2.0 guidance recommends PKCE for all flows
3. **Client Compatibility**: Clients requiring PKCE cannot use v1.0.0 (upgrade to v1.1.0)
4. **Perception**: Security-conscious users may view absence as weakness
### Mitigation Strategies
**For v1.0.0 (Without PKCE)**:
1. **Enforce HTTPS**: Strictly enforce HTTPS in production (mitigates interception)
```python
if not DEBUG and request.url.scheme != 'https':
raise HTTPException(status_code=400, detail="HTTPS required")
```
2. **Short Code Lifetime**: 10-minute maximum (per W3C spec)
```python
CODE_EXPIRATION = timedelta(minutes=10) # Minimize attack window
```
3. **Single-Use Codes**: Immediately invalidate after use (detect replay attacks)
```python
if code_data.get('used'):
logger.error(f"Code replay attack detected: {code[:8]}...")
raise HTTPException(status_code=400, detail="invalid_grant")
```
4. **Documentation**: Clearly document PKCE absence and planned support
- README security section
- Release notes
- Roadmap (v1.1.0 feature)
5. **Logging**: Monitor for potential code interception attempts
```python
if code_expired:
logger.warning(f"Expired code presented: {code[:8]}... (potential attack)")
```
**For v1.1.0 (Adding PKCE)**:
1. **Backward Compatibility**: PKCE optional, not required
- Clients without PKCE continue working
- Clients with PKCE get enhanced security
- Gradual migration path
2. **Client Detection**: Detect PKCE capability and encourage usage
```python
if code_challenge is None:
logger.info(f"Client {client_id} not using PKCE (consider upgrading)")
```
3. **Future Enforcement**: Option to require PKCE in configuration
```python
if config.REQUIRE_PKCE and not code_challenge:
raise HTTPException(status_code=400, detail="PKCE required")
```
### Implementation Plan for v1.1.0
**Effort**: 1-2 days
**Changes Required**:
1. **Authorization Endpoint** (`/authorize`):
```python
class AuthorizeRequest(BaseModel):
# ... existing fields ...
code_challenge: Optional[str] = None
code_challenge_method: Optional[Literal["S256"]] = None
# Validation
if code_challenge and code_challenge_method != "S256":
raise HTTPException(400, "Only S256 challenge method supported")
# Store challenge with code
code_data = {
# ... existing data ...
"code_challenge": code_challenge,
"code_challenge_method": code_challenge_method
}
```
2. **Token Endpoint** (`/token`):
```python
class TokenRequest(BaseModel):
# ... existing fields ...
code_verifier: Optional[str] = None
# Validate PKCE
if code_data.get('code_challenge'):
if not code_verifier:
raise HTTPException(400, "code_verifier required")
# Verify S256(code_verifier) == code_challenge
import hashlib
import base64
computed = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode()).digest()
).decode().rstrip('=')
if not secrets.compare_digest(computed, code_data['code_challenge']):
raise HTTPException(400, "Invalid code_verifier")
```
3. **Metadata Endpoint**:
```json
{
"code_challenge_methods_supported": ["S256"]
}
```
4. **Tests**:
- PKCE flow success cases
- Invalid code_verifier rejection
- Missing code_verifier when challenge present
- Backward compatibility (no PKCE)
### Risk Assessment
**Attack Scenario Without PKCE**:
1. Attacker performs MITM attack on authorization redirect (despite HTTPS)
2. Attacker intercepts authorization code
3. Attacker exchanges code for token (within 10-minute window)
4. Attacker uses token to impersonate user
**Likelihood**: Very Low
- Requires MITM capability (difficult with proper TLS)
- Requires attack during specific 10-minute window
- Requires client_id and redirect_uri knowledge
**Impact**: High
- Complete account impersonation
- Access to user's identity
**Risk Level**: **Low** (Very Low likelihood × High impact = Low overall risk)
**Acceptable for MVP?**: Yes
- Controlled deployment (small user base)
- Proper TLS mitigates primary attack vector
- Short code lifetime limits exposure window
- Clear upgrade path to full PKCE in v1.1.0
### Monitoring and Review
**v1.0.0 Deployment**:
- Monitor logs for expired code presentations (potential interception attempts)
- Track time between code generation and redemption
- Document any security concerns from real-world usage
**v1.1.0 Planning**:
- Review security logs from v1.0.0 deployment
- Prioritize PKCE based on actual risk observed
- Implement with lessons learned from v1.0.0
## References
- RFC 7636 - PKCE: https://datatracker.ietf.org/doc/html/rfc7636
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- W3C IndieAuth Specification: https://www.w3.org/TR/indieauth/
- OWASP OAuth 2.0 Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html
## Alternatives Considered
### Alternative 1: Implement PKCE in v1.0.0
**Pros**:
- Better security from day one
- Follows modern OAuth 2.0 best practices
- No perceived security weakness
**Cons**:
- Adds 1-2 days to development timeline
- Increases testing surface area
- More complexity for MVP
- Not required for W3C spec compliance
**Rejected**: Violates simplicity principle for MVP.
### Alternative 2: Make PKCE Required (not optional) in v1.1.0
**Pros**:
- Forces clients to adopt best security practices
- Simpler server logic (no conditional handling)
**Cons**:
- Breaking change for clients
- Not backward compatible
- W3C spec doesn't require PKCE
**Rejected**: Breaks compatibility, not required by spec.
### Alternative 3: Never Implement PKCE
**Pros**:
- Permanent simplicity
- No additional development
**Cons**:
- Permanent security weakness
- Not following industry best practices
- May limit adoption by security-conscious users
**Rejected**: Security should improve over time, not stagnate.
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- TBD: Implementation in v1.1.0

434
docs/decisions/ADR-004-opaque-tokens-for-v1-0-0.md Normal file
View File

@@ -0,0 +1,434 @@
# ADR-004: Opaque Tokens for v1.0.0 (Not JWT)
Date: 2025-11-20
## Status
Accepted
## Context
Access tokens in OAuth 2.0 can be implemented in two primary formats:
### 1. Opaque Tokens
Random strings with no inherent meaning. Token validation requires database lookup.
**Characteristics**:
- Random, unpredictable string (e.g., `secrets.token_urlsafe(32)`)
- Server stores token metadata in database
- Validation requires database query
- Easily revocable (delete from database)
- No information leakage (token contains no data)
**Example**:
```
Token: Xy9kP2mN8fR5tQ1wE7aZ4bV6cG3hJ0sL
Database: {
token_hash: sha256(token),
me: "https://example.com",
client_id: "https://client.example.com",
scope: "",
issued_at: 2025-11-20T10:00:00Z,
expires_at: 2025-11-20T11:00:00Z
}
```
### 2. JWT (JSON Web Tokens)
Self-contained tokens encoding claims, signed by server.
**Characteristics**:
- Base64-encoded JSON with signature
- Contains all metadata (me, client_id, scope, expiration)
- Validation via signature verification (no database lookup)
- Stateless (server doesn't store tokens)
- Revocation complex (requires blocklist or short TTL)
**Example**:
```
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJjbGllbnRfaWQiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInNjb3BlIjoiIiwiaWF0IjoxNzAwNDgwNDAwLCJleHAiOjE3MDA0ODQwMDB9.signature
Decoded Payload: {
"me": "https://example.com",
"client_id": "https://client.example.com",
"scope": "",
"iat": 1700480400,
"exp": 1700484000
}
```
### v1.0.0 Requirements
**Use Case**: Authentication only (no authorization)
- Users prove domain ownership
- Tokens confirm user identity to clients
- No resource server in v1.0.0 (no /api endpoints to protect)
- No token introspection endpoint in v1.0.0
**Scale**: 10s of users
- Dozens of active tokens maximum
- Database lookups negligible performance impact
- No distributed system requirements
**Security Priorities**:
1. Simple, auditable security model
2. Easy token revocation (future requirement)
3. No information leakage
4. No key management complexity
**Simplicity Principle**:
- Favor straightforward implementations
- Avoid unnecessary complexity
- Minimize dependencies
## Decision
**Gondulf v1.0.0 will use opaque tokens (NOT JWT).**
Tokens will be:
- Generated using `secrets.token_urlsafe(32)` (256 bits of entropy)
- Stored in SQLite database as SHA-256 hashes
- Validated via database lookup and constant-time comparison
- 1-hour expiration (configurable)
### Rationale
**Simplicity**:
- No signing algorithm selection (HS256 vs RS256 vs ES256)
- No key generation or rotation
- No JWT library dependency
- No clock skew handling
- Simple database lookup, not cryptographic verification
**Security**:
- No information leakage (token reveals nothing)
- Easy revocation (delete from database)
- No risk of algorithm confusion attacks
- No risk of "none" algorithm vulnerability
- Hashed storage prevents token recovery from database
**v1.0.0 Scope Alignment**:
- No resource server = no benefit from stateless validation
- Authentication only = simple token validation sufficient
- Small scale = database lookup performance acceptable
- No token introspection endpoint = no external validation needed
**Future Flexibility**:
- Can migrate to JWT in v2.0.0 if needed
- Database abstraction allows storage changes
- Token format is implementation detail (not exposed to clients)
## Consequences
### Positive Consequences
1. **Simpler Implementation**:
- No JWT library dependency
- No signing key management
- No algorithm selection complexity
- Straightforward database operations
2. **Better Security (for this use case)**:
- No information in token (empty payload = no leakage)
- Trivial revocation (DELETE FROM tokens WHERE ...)
- No cryptographic algorithm vulnerabilities
- No key compromise risk
3. **Easier Auditing**:
- All tokens visible in database
- Clear token lifecycle (creation, usage, expiration)
- Simple query to list all active tokens
- Easy to track token usage
4. **Operational Simplicity**:
- No key rotation required
- No clock synchronization concerns
- No JWT debugging complexity
- Standard database operations
5. **Privacy**:
- Token reveals nothing about user
- No accidental PII in token claims
- Bearer token is just a random string
### Negative Consequences
1. **Database Dependency**:
- Token validation requires database access
- Database outage = token validation fails
- Performance limited by database (acceptable for small scale)
2. **Not Stateless**:
- Cannot validate tokens without database
- Horizontal scaling requires shared database
- Not suitable for distributed resource servers (not needed in v1.0.0)
3. **Larger Storage**:
- Must store all active tokens in database
- Database grows with token count (cleaned up on expiration)
4. **Token Introspection**:
- Resource servers cannot validate tokens independently (not needed in v1.0.0)
- Would require introspection endpoint in future
### Mitigation Strategies
**Database Dependency**:
- Acceptable for v1.0.0 (single-process deployment)
- SQLite is reliable (no network dependency)
- Future: Add Redis caching if performance becomes issue
- Future: Migrate to JWT if distributed validation needed
**Storage Growth**:
- Periodic cleanup of expired tokens
- Configurable expiration (default 1 hour)
- Database indexes on token_hash and expires_at
- Monitor database size, alerts if grows unexpectedly
**Future Scaling**:
- SQLAlchemy abstraction allows migration to PostgreSQL
- Can add Redis for caching if needed
- Can migrate to JWT in v2.0.0 if requirements change
## Implementation
### Token Generation
```python
import secrets
import hashlib
from datetime import datetime, timedelta
def generate_token(me: str, client_id: str, scope: str = "") -> str:
"""
Generate opaque access token.
Returns: 43-character base64url string (256 bits of entropy)
"""
# Generate token (returned to client, never stored)
token = secrets.token_urlsafe(32) # 32 bytes = 256 bits
# Hash for storage (SHA-256)
token_hash = hashlib.sha256(token.encode('utf-8')).hexdigest()
# Store in database
expires_at = datetime.utcnow() + timedelta(hours=1)
db.execute('''
INSERT INTO tokens (token_hash, me, client_id, scope, issued_at, expires_at, revoked)
VALUES (?, ?, ?, ?, ?, ?, 0)
''', (token_hash, me, client_id, scope, datetime.utcnow(), expires_at))
logger.info(f"Token generated for {me} (client: {client_id})")
return token # Return plaintext to client (only time it exists in plaintext)
```
### Token Validation
```python
import secrets
import hashlib
from datetime import datetime
def verify_token(provided_token: str) -> Optional[dict]:
"""
Verify access token and return metadata.
Returns: Token metadata dict or None if invalid
"""
# Hash provided token
token_hash = hashlib.sha256(provided_token.encode('utf-8')).hexdigest()
# Lookup in database (constant-time comparison in SQL)
result = db.query_one('''
SELECT me, client_id, scope, expires_at, revoked
FROM tokens
WHERE token_hash = ?
''', (token_hash,))
if not result:
logger.warning("Token not found")
return None
# Check expiration
if datetime.utcnow() > result['expires_at']:
logger.info(f"Token expired for {result['me']}")
return None
# Check revocation
if result['revoked']:
logger.warning(f"Revoked token presented for {result['me']}")
return None
# Valid token
return {
'me': result['me'],
'client_id': result['client_id'],
'scope': result['scope']
}
```
### Token Revocation (Future)
```python
def revoke_token(provided_token: str) -> bool:
"""
Revoke access token.
Returns: True if revoked, False if not found
"""
token_hash = hashlib.sha256(provided_token.encode('utf-8')).hexdigest()
rows_updated = db.execute('''
UPDATE tokens
SET revoked = 1
WHERE token_hash = ?
''', (token_hash,))
if rows_updated > 0:
logger.info(f"Token revoked: {provided_token[:8]}...")
return True
else:
logger.warning(f"Revoke failed: token not found")
return False
```
### Database Schema
```sql
CREATE TABLE tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
token_hash TEXT NOT NULL UNIQUE, -- SHA-256 hash
me TEXT NOT NULL, -- User's domain
client_id TEXT NOT NULL, -- Client application URL
scope TEXT NOT NULL DEFAULT '', -- Empty for v1.0.0
issued_at TIMESTAMP NOT NULL, -- When token created
expires_at TIMESTAMP NOT NULL, -- When token expires
revoked BOOLEAN NOT NULL DEFAULT 0 -- Revocation flag
-- Indexes for performance
CREATE INDEX idx_tokens_hash ON tokens(token_hash);
CREATE INDEX idx_tokens_expires ON tokens(expires_at);
CREATE INDEX idx_tokens_me ON tokens(me);
);
```
### Periodic Cleanup
```python
def cleanup_expired_tokens():
"""
Delete expired tokens from database.
Run periodically (e.g., hourly cron job).
"""
deleted = db.execute('''
DELETE FROM tokens
WHERE expires_at < ?
''', (datetime.utcnow(),))
logger.info(f"Cleaned up {deleted} expired tokens")
```
## Comparison: Opaque vs JWT
| Aspect | Opaque Tokens | JWT |
|--------|---------------|-----|
| **Complexity** | Low (simple random string) | Medium (encoding, signing, claims) |
| **Dependencies** | None (standard library) | JWT library (python-jose, PyJWT) |
| **Validation** | Database lookup | Signature verification |
| **Performance** | Requires DB query (~1-5ms) | No DB query (~0.1ms) |
| **Revocation** | Trivial (DELETE) | Complex (blocklist required) |
| **Stateless** | No (requires DB) | Yes (self-contained) |
| **Information Leakage** | None (opaque) | Possible (claims readable) |
| **Token Size** | 43 bytes | 150-300 bytes |
| **Key Management** | Not required | Required (signing key) |
| **Clock Skew** | Not relevant | Can cause issues (exp claim) |
| **Debugging** | Simple (query database) | Complex (decode, verify signature) |
| **Scale** | Limited by DB | Unlimited (stateless) |
**Verdict for v1.0.0**: Opaque tokens win on simplicity, security, and alignment with MVP scope.
## Migration Path to JWT (if needed)
If future requirements demand JWT (e.g., distributed resource servers, token introspection), migration is straightforward:
**Step 1**: Implement JWT generation alongside opaque tokens
```python
if config.USE_JWT:
return generate_jwt_token(me, client_id, scope)
else:
return generate_opaque_token(me, client_id, scope)
```
**Step 2**: Support both token types in validation
```python
if token.startswith('ey'): # JWT starts with 'ey' (base64 of {"alg":...)
return verify_jwt_token(token)
else:
return verify_opaque_token(token)
```
**Step 3**: Gradual migration (both types valid)
**Step 4**: Deprecate opaque tokens (future major version)
## Alternatives Considered
### Alternative 1: Use JWT from v1.0.0
**Pros**:
- Industry standard
- Stateless validation
- Self-contained (no DB for validation)
- Better for distributed systems
**Cons**:
- Adds complexity (signing, key management)
- Requires JWT library dependency
- Harder to revoke
- Not needed for v1.0.0 scope (no resource server)
- Risk of implementation mistakes (algorithm confusion, etc.)
**Rejected**: Violates simplicity principle, no benefit for v1.0.0 scope.
---
### Alternative 2: Use JWT but store in database anyway
**Pros**:
- JWT benefits (self-contained)
- Easy revocation (DB lookup)
**Cons**:
- Worst of both worlds (complexity + database dependency)
- No performance benefit (still requires DB)
- Redundant storage (token + database)
**Rejected**: Adds complexity without benefits.
---
### Alternative 3: Use Macaroons (fancy tokens)
**Pros**:
- Advanced capabilities (caveats, delegation)
- Cryptographically interesting
**Cons**:
- Extreme overkill for authentication
- No standard library support
- Complex implementation
- Not OAuth 2.0 standard
**Rejected**: Massive complexity for no benefit.
## References
- OAuth 2.0 Bearer Token Usage (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750
- JWT (RFC 7519): https://datatracker.ietf.org/doc/html/rfc7519
- Token Introspection (RFC 7662): https://datatracker.ietf.org/doc/html/rfc7662
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- TBD: Review for v2.0.0 (if JWT needed)

573
docs/decisions/ADR-005-email-based-authentication-v1-0-0.md Normal file
View File

@@ -0,0 +1,573 @@
# ADR-005: Email-Based Authentication for v1.0.0
Date: 2025-11-20
## Status
Accepted
## Context
Gondulf requires users to prove domain ownership to authenticate. Multiple authentication methods exist for proving domain control.
### Authentication Methods Evaluated
**1. Email Verification**
- User provides email at their domain
- Server sends verification code to email
- User enters code to prove email access
- Assumes: Email access = domain control
**2. DNS TXT Record**
- Admin adds TXT record to DNS: `_gondulf.example.com` = `verified`
- Server queries DNS to verify record
- Assumes: DNS control = domain control
**3. External Identity Providers** (GitHub, GitLab, etc.)
- User links domain to GitHub/GitLab profile
- Server verifies profile contains domain
- User authenticates via OAuth to provider
- Assumes: Provider verification = domain control
**4. WebAuthn / FIDO2**
- User registers hardware security key
- Authentication via cryptographic challenge
- Assumes: Physical key possession = domain control (after initial registration)
**5. IndieAuth Delegation**
- User's domain delegates to another IndieAuth server
- Server follows delegation chain
- Assumes: Delegated server = domain control
### User Requirements
From project brief:
- **v1.0.0**: Email-based ONLY (no other identity providers)
- **Simplicity**: Keep MVP simple and focused
- **Scale**: 10s of users initially
- **No client registration**: Simplify client onboarding
### Technical Constraints
**SMTP Dependency**:
- Requires email server configuration
- Potential delivery failures (spam filters, configuration errors)
- Dependency on external service (email provider)
**Security Considerations**:
- Email interception risk (transit security)
- Email account compromise risk (user responsibility)
- Code brute-force risk (limited entropy)
**User Experience**:
- Familiar pattern (like password reset)
- Requires email access during authentication
- Additional step vs. provider OAuth (GitHub, etc.)
## Decision
**Gondulf v1.0.0 will use email-based verification as the PRIMARY authentication method, with DNS TXT record verification as an OPTIONAL fast-path.**
### Implementation Approach
**Two-Tier Verification**:
1. **DNS TXT Record (Preferred, Optional)**:
- Check for `_gondulf.{domain}` TXT record = `verified`
- If found: Skip email verification, use cached result
- If not found: Fall back to email verification
- Result cached in database for future use
2. **Email Verification (Required Fallback)**:
- User provides email address at their domain
- Server generates 6-digit verification code
- Server sends code via SMTP
- User enters code (15-minute expiration)
- Domain marked as verified in database
**Why Both?**:
- DNS provides fast path for tech-savvy users
- Email provides accessible path for all users
- DNS requires upfront setup but smoother repeat authentication
- Email requires no setup but requires email access each time
### Rationale
**Meets User Requirements**:
- Email-based authentication as specified
- No external identity providers (GitHub, GitLab) in v1.0.0
- Simple to understand and implement
- Familiar UX pattern
**Simplicity**:
- Email verification is well-understood
- Standard library SMTP support (smtplib)
- No OAuth 2.0 client implementation needed
- No external API dependencies
**Security Sufficient for MVP**:
- Email access typically indicates domain control
- 6-digit codes provide 1,000,000 combinations
- 15-minute expiration limits brute-force window
- Rate limiting prevents abuse
- TLS for email delivery (STARTTLS)
**Operational Simplicity**:
- Requires only SMTP configuration (widely available)
- No API keys or provider accounts needed
- No rate limits from external providers
- Full control over verification flow
**DNS TXT as Enhancement**:
- Provides better UX for repeat authentication
- Demonstrates domain control more directly
- Optional (users not forced to configure DNS)
- Cached result eliminates email requirement
## Consequences
### Positive Consequences
1. **User Simplicity**:
- Familiar email verification pattern
- No need to create accounts on external services
- Works with any email provider
2. **Implementation Simplicity**:
- Standard library support (smtplib, email)
- No external API integration
- Straightforward testing (mock SMTP)
3. **Operational Simplicity**:
- Single external dependency (SMTP server)
- No API rate limits to manage
- No provider outages to worry about
- Admin controls email templates
4. **Privacy**:
- Email addresses NOT stored (deleted after verification)
- No data shared with third parties
- No tracking by external providers
5. **Flexibility**:
- DNS TXT provides fast-path for power users
- Email fallback ensures accessibility
- No user locked out if DNS unavailable
### Negative Consequences
1. **Email Dependency**:
- Requires functioning SMTP configuration
- Email delivery not guaranteed (spam filters)
- Users must have email access during authentication
- Email account compromise = domain compromise
2. **User Experience**:
- Extra step vs. provider OAuth (more clicks)
- Requires checking email inbox
- Potential delay (email delivery time)
- Code expiration can frustrate users
3. **Security Limitations**:
- Email interception risk (mitigated by TLS)
- Email account compromise risk (user responsibility)
- Weaker than hardware-based auth (WebAuthn)
4. **Scalability Concerns**:
- Email delivery at scale (future concern)
- SMTP rate limits (future concern)
- Email provider blocking (spam prevention)
### Mitigation Strategies
**Email Delivery Reliability**:
```python
# Robust SMTP configuration
SMTP_CONFIG = {
'host': os.environ['SMTP_HOST'],
'port': int(os.environ.get('SMTP_PORT', '587')),
'use_tls': True, # STARTTLS required
'username': os.environ['SMTP_USERNAME'],
'password': os.environ['SMTP_PASSWORD'],
'from_email': os.environ['SMTP_FROM'],
'timeout': 10, # Fail fast
}
# Comprehensive error handling
try:
send_email(to=email, code=code)
except SMTPException as e:
logger.error(f"Email send failed: {e}")
# Display user-friendly error
raise HTTPException(500, "Email delivery failed. Try again or contact admin.")
```
**Code Security**:
```python
# Sufficient entropy
code = ''.join(secrets.choice('0123456789') for _ in range(6))
# 1,000,000 possible codes
# Rate limiting
MAX_ATTEMPTS = 3 # Per email
MAX_CODES = 3 # Per hour per email
# Expiration
CODE_LIFETIME = timedelta(minutes=15)
# Attempt tracking
attempts = code_storage.get_attempts(email)
if attempts >= MAX_ATTEMPTS:
raise HTTPException(429, "Too many attempts. Try again in 15 minutes.")
```
**Email Interception**:
```python
# Require TLS for email delivery
smtp.starttls()
# Clear warning to users
"""
We've sent a verification code to your email.
Only enter this code if you initiated this login.
The code expires in 15 minutes.
"""
# Log suspicious activity
if time_between_send_and_verify < 1_second:
logger.warning(f"Suspiciously fast verification: {domain}")
```
**DNS TXT Fast-Path**:
```python
# Check DNS first, skip email if verified
txt_record = dns.query(f'_gondulf.{domain}', 'TXT')
if txt_record == 'verified':
logger.info(f"DNS verification successful: {domain}")
# Use cached verification, skip email
return verified_domain(domain)
# Fall back to email
logger.info(f"DNS verification not found, using email: {domain}")
return email_verification_flow(domain)
```
**User Education**:
```markdown
## Domain Verification
Gondulf offers two ways to verify domain ownership:
### Option 1: DNS TXT Record (Recommended)
Add this DNS record to skip email verification:
- Type: TXT
- Name: _gondulf.example.com
- Value: verified
Benefits:
- Faster authentication (no email required)
- Verify once, use forever
- More secure (DNS control = domain control)
### Option 2: Email Verification
- Enter an email address at your domain
- We'll send a 6-digit code
- Enter the code to verify
Benefits:
- No DNS configuration needed
- Works immediately
- Familiar process
```
## Implementation
### Email Verification Flow
```python
from datetime import datetime, timedelta
import secrets
import smtplib
from email.message import EmailMessage
class EmailVerificationService:
def __init__(self, smtp_config: dict):
self.smtp = smtp_config
self.codes = {} # In-memory storage (short-lived)
def request_code(self, email: str, domain: str) -> None:
"""
Generate and send verification code.
Raises:
ValueError: If email domain doesn't match requested domain
HTTPException: If rate limit exceeded or email send fails
"""
# Validate email matches domain
email_domain = email.split('@')[1].lower()
if email_domain != domain.lower():
raise ValueError(f"Email must be at {domain}")
# Check rate limit
if self._is_rate_limited(email):
raise HTTPException(429, "Too many requests. Try again in 1 hour.")
# Generate 6-digit code
code = ''.join(secrets.choice('0123456789') for _ in range(6))
# Store code with expiration
self.codes[email] = {
'code': code,
'domain': domain,
'created_at': datetime.utcnow(),
'expires_at': datetime.utcnow() + timedelta(minutes=15),
'attempts': 0,
}
# Send email
try:
self._send_code_email(email, code)
logger.info(f"Verification code sent to {email[:3]}***@{email_domain}")
except Exception as e:
logger.error(f"Failed to send email to {email_domain}: {e}")
raise HTTPException(500, "Email delivery failed")
def verify_code(self, email: str, submitted_code: str) -> str:
"""
Verify submitted code.
Returns: domain if valid
Raises: HTTPException if invalid/expired
"""
code_data = self.codes.get(email)
if not code_data:
raise HTTPException(400, "No verification code found")
# Check expiration
if datetime.utcnow() > code_data['expires_at']:
del self.codes[email]
raise HTTPException(400, "Code expired. Request a new one.")
# Check attempts
code_data['attempts'] += 1
if code_data['attempts'] > 3:
del self.codes[email]
raise HTTPException(429, "Too many attempts")
# Verify code (constant-time comparison)
if not secrets.compare_digest(submitted_code, code_data['code']):
raise HTTPException(400, "Invalid code")
# Success: Clean up and return domain
domain = code_data['domain']
del self.codes[email] # Single-use code
logger.info(f"Domain verified via email: {domain}")
return domain
def _send_code_email(self, to: str, code: str) -> None:
"""Send verification code via SMTP."""
msg = EmailMessage()
msg['From'] = self.smtp['from_email']
msg['To'] = to
msg['Subject'] = 'Gondulf Verification Code'
msg.set_content(f"""
Your Gondulf verification code is:
{code}
This code expires in 15 minutes.
Only enter this code if you initiated this login.
If you did not request this code, ignore this email.
""")
with smtplib.SMTP(self.smtp['host'], self.smtp['port'], timeout=10) as smtp:
smtp.starttls()
smtp.login(self.smtp['username'], self.smtp['password'])
smtp.send_message(msg)
def _is_rate_limited(self, email: str) -> bool:
"""Check if email is rate limited."""
# Simple in-memory tracking (for v1.0.0)
# Future: Redis-based rate limiting
recent_codes = [
code for code in self.codes.values()
if code.get('email') == email
and datetime.utcnow() - code['created_at'] < timedelta(hours=1)
]
return len(recent_codes) >= 3
```
### DNS TXT Record Verification
```python
import dns.resolver
class DNSVerificationService:
def __init__(self, cache_storage):
self.cache = cache_storage
def verify_domain(self, domain: str) -> bool:
"""
Check if domain has valid DNS TXT record.
Returns: True if verified, False otherwise
"""
# Check cache first
cached = self.cache.get(domain)
if cached and cached['verified']:
logger.info(f"Using cached DNS verification: {domain}")
return True
# Query DNS
try:
verified = self._query_txt_record(domain)
# Cache result
self.cache.set(domain, {
'verified': verified,
'verified_at': datetime.utcnow(),
'method': 'txt_record'
})
return verified
except Exception as e:
logger.warning(f"DNS verification failed for {domain}: {e}")
return False
def _query_txt_record(self, domain: str) -> bool:
"""
Query _gondulf.{domain} TXT record.
Returns: True if record exists with value 'verified'
"""
record_name = f'_gondulf.{domain}'
# Use multiple resolvers for redundancy
resolvers = ['8.8.8.8', '1.1.1.1']
for resolver_ip in resolvers:
try:
resolver = dns.resolver.Resolver()
resolver.nameservers = [resolver_ip]
resolver.timeout = 5
resolver.lifetime = 5
answers = resolver.resolve(record_name, 'TXT')
for rdata in answers:
txt_value = rdata.to_text().strip('"')
if txt_value == 'verified':
logger.info(f"DNS TXT verified: {domain} (resolver: {resolver_ip})")
return True
except Exception as e:
logger.debug(f"DNS query failed (resolver {resolver_ip}): {e}")
continue
return False
```
## Future Enhancements
### v1.1.0+: Additional Authentication Methods
**GitHub/GitLab Providers**:
- OAuth 2.0 flow with provider
- Verify domain in profile URL
- Link GitHub username to domain
**WebAuthn / FIDO2**:
- Register hardware security key
- Challenge/response authentication
- Strongest security option
**IndieAuth Delegation**:
- Follow rel="authorization_endpoint" link
- Delegate to another IndieAuth server
- Support federated authentication
These will be additive (user chooses method), not replacing email.
## Alternatives Considered
### Alternative 1: External Providers Only (GitHub, GitLab)
**Pros**:
- No email infrastructure needed
- Established OAuth 2.0 flows
- Users already have accounts
**Cons**:
- Contradicts user requirement (email-only in v1.0.0)
- Requires external API integration
- Users locked to specific providers
- Privacy concerns (data sharing)
**Rejected**: Violates user requirements for v1.0.0.
---
### Alternative 2: WebAuthn as Primary Method
**Pros**:
- Strongest security (hardware keys)
- Phishing-resistant
- No password/email needed
**Cons**:
- Requires hardware key (barrier to entry)
- Complex implementation (WebAuthn API)
- Browser compatibility issues
- Not suitable for MVP
**Rejected**: Too complex for MVP, hardware requirement.
---
### Alternative 3: SMS Verification
**Pros**:
- Familiar pattern
- Fast delivery
**Cons**:
- Requires phone number (PII collection)
- SMS delivery costs
- Phone number != domain ownership
- SIM swapping attacks
**Rejected**: Doesn't prove domain ownership, adds PII collection.
---
### Alternative 4: DNS Only (No Email Fallback)
**Pros**:
- Strongest proof of domain control
- No email infrastructure
- Simple implementation
**Cons**:
- Requires DNS knowledge
- Barrier to entry for non-technical users
- DNS propagation delays
- No fallback if DNS inaccessible
**Rejected**: Too restrictive, not accessible enough.
## References
- SMTP Protocol (RFC 5321): https://datatracker.ietf.org/doc/html/rfc5321
- Email Security (STARTTLS): https://datatracker.ietf.org/doc/html/rfc3207
- DNS TXT Records (RFC 1035): https://datatracker.ietf.org/doc/html/rfc1035
- WebAuthn (W3C): https://www.w3.org/TR/webauthn/ (future)
## Decision History
- 2025-11-20: Proposed (Architect)
- 2025-11-20: Accepted (Architect)
- TBD: Review after v1.0.0 deployment (gather user feedback)