In our life we are developers: we make mobile and web applications, but every time we start a new project we have to choose how the user will authenticate. The questions are always the same: is it better to have a local user database or to rely on public authentication systems such as social network APIs?
Also, in many web applications we have to bill the user: having one secure place for both authentication and billing would be great!
Here we go: we built an OAuth2 server integrated with Stripe for billing the user, with security and speed in mind! We release it completely open source in a GitHub repository, so everyone can download it for free and use it in their own infrastructure... and can also contribute to make the code better.
But we think a working system isn't a complete system, especially where more and more security is needed; also, creating an open-source community around this project will be a slow activity. So we are here to raise money to complete some "extras" that can turn our artisan system into a professional one.
With the money raised we want to:
- complete the code with many, many tests, to be sure we don't break anything when we update the code
- add PayPal to the list of Payment Gateway providers
- add the possibility to link and log in using social networks
- integrate it with SMS to have two-factor authentication
- request a professional penetration test to be more sure about security
- create decent documentation to install and configure it
- The web interface was made with Twitter Bootstrap, so it is easy to maintain and adapt
- The OAuth2 server is written in Ruby on Rails but is compatible with JRuby to maximize speed and concurrency; we are thinking of migrating the core of the authentication system to an even more powerful language like Scala or node.js.
- The database backend is MongoDB, because our application doesn't make intensive relational queries.
- We use a high-speed Redis database to store user tokens, to improve speed
- We make intensive use of CSRF tokens, also in the API, for security
- The user token is in JWT format, so the client application can decode it locally to get all the user information, without making a second API call
- In the "check_token" method, we check the user token syntax before making a query in the Redis DB, so we keep Redis free in case of a brute-force attack; it is also possible to activate a Bloom filter to blacklist syntactically correct but invalid tokens.
- We support 3 authentication methods: classic OAuth2 authorization_code/user_token, implicit, and user/password login. You can choose which method is best to enable for each application
- You can force it to work in "single-application" mode: in this case we don't use the DB to read application data, so better performance again.
- We use a user_token/renew_token pair, so that the first can expire often to improve security
- About the billing: every Payment Gateway has its own billing philosophy, but we chose a way to be compatible with every one of them. The user has an internal money balance and can top it up. Your application can subtract money from this balance using a simple API.
- The application can set up a subscription, and the fee will be subtracted from the user's balance at every expiry.
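As an added illustration of the "check_token" idea above (this is example code written for this page, not the project's own implementation): a JWT is rejected on syntax alone before any store round trip, an optional Bloom filter catches well-formed but revoked tokens in memory, and only tokens that pass both steps reach the token store. The token store is assumed to be any object answering `#[]` (a plain Hash stands in for Redis here).

```ruby
require 'base64'
require 'json'
require 'digest'

# Minimal Bloom filter: k positions derived from SHA-256 over a bit array.
# May report a false positive, never a false negative.
class BloomFilter
  def initialize(bits: 4096, hashes: 4)
    @bits, @hashes, @set = bits, hashes, Array.new(bits, false)
  end

  def add(value)
    positions(value).each { |i| @set[i] = true }
  end

  def include?(value)
    positions(value).all? { |i| @set[i] }
  end

  private

  def positions(value)
    (0...@hashes).map { |k| Digest::SHA256.hexdigest("#{k}:#{value}").to_i(16) % @bits }
  end
end

# JWT compact form: three base64url segments; header and payload must be JSON objects.
JWT_SEGMENT = /\A[A-Za-z0-9_-]+\z/

def well_formed_jwt?(token)
  parts = token.to_s.split('.', -1)
  return false unless parts.size == 3 && parts.all? { |p| p.match?(JWT_SEGMENT) }
  header, payload = parts[0, 2].map { |p| JSON.parse(Base64.urlsafe_decode64(p)) }
  header.is_a?(Hash) && payload.is_a?(Hash) && header.key?('alg')
rescue ArgumentError, JSON::ParserError
  false
end

# token_store stands in for Redis (assumption: any object answering #[]).
# Order matters: the cheap checks run first, the store is queried last.
def check_token(token, token_store, blacklist: nil)
  return :malformed unless well_formed_jwt?(token)   # no store round trip
  return :revoked if blacklist && blacklist.include?(token)
  token_store[token] ? :valid : :unknown
end
```

Because a Bloom filter can produce false positives, a `:revoked` hit on a real system should be confirmed against the authoritative revocation list before the user is rejected.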
Risks and challenges
This project, like many others coming from us, was born to respond to an internal need, so we are happy to continue maintaining it.
We chose to make the project open source from the beginning and to make it available via GitHub, so you can see the progress in real time.