Prevent unauthorised access to public endpoints by, for example, bots or bad clients.

Overview

Anonymous API Auth Provider

Inspired by: https://hackernoon.com/improve-the-security-of-api-keys-v5kp3wdu

Architecture

The basic idea is to prevent unauthorised access to a public endpoint by bots or bad clients. Only known clients should be able to use the API, for example when you have a POST interface that should only be requested by your own website. All requests from other clients to this public POST endpoint should be rejected.

This repository introduces a separate service, the "Anonymous API Auth Provider" (aaap), which can be requested to retrieve an access-token. The public endpoint can then validate this token.

The aaap and the public endpoint therefore share an api-key as a secret. The aaap signs the token with the api-key, and the public endpoint checks that the signature was produced with this api-key; otherwise the public endpoint rejects the request.

But before the aaap generates the access-token and sends it to the requesting client, the client has to solve a challenge. This challenge is the shared secret between the aaap and the authorised client (e.g. your website):

Authorised Client

A bad client or a bot cannot solve the challenge provided by the aaap. In this case the aaap sends an invalid access-token to the client, the public endpoint's check of the token signature fails, and the request is rejected:

Bot or Bad Client

An attacker of this public endpoint would have to reverse engineer the authorised client to find out how the challenge of the aaap can be solved. This comes with a reasonable amount of effort, especially when the code of the authorised client is obfuscated.

Usage

Define your own challenge.sh & response.sh and mount them into the docker image.

  • Make sure to provide a random, unique challenge on every execution of challenge.sh.
  • Make sure to implement response.sh so that it generates a deterministic response for each input generated by challenge.sh.
    ⚠️ The response must also be implemented on your client.
  • Define an api-key and provide it in the environment variables of the docker image.
  • Define how long the token should be valid.
    ⚠️ The token lifetime should be validated in your public endpoint, as well as the token signature.
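The following is an added example (not part of this repository) of the two checks the public endpoint has to perform: the api-key signature and the token lifetime. The token layout "<issuedAt>.<expireSeconds>.<hex HMAC-SHA256>" is an assumption made for this example; the project does not specify its format here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sign computes HMAC-SHA256 over payload with the shared api-key (assumed scheme).
func sign(apiKey, payload string) string {
	m := hmac.New(sha256.New, []byte(apiKey))
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// issueToken is what the aaap would do once the client has solved the challenge.
// Assumed format: "<issuedAtUnix>.<expireSeconds>.<signature>".
func issueToken(apiKey string, issuedAt time.Time, expire time.Duration) string {
	payload := fmt.Sprintf("%d.%d", issuedAt.Unix(), int64(expire.Seconds()))
	return payload + "." + sign(apiKey, payload)
}

// validateToken is the public endpoint's check: the signature must verify under
// the shared api-key, and the token must not be expired at time now.
func validateToken(apiKey, token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	payload := parts[0] + "." + parts[1]
	// Constant-time comparison so the check does not leak the expected signature.
	if !hmac.Equal([]byte(sign(apiKey, payload)), []byte(parts[2])) {
		return fmt.Errorf("bad signature")
	}
	issued, err1 := strconv.ParseInt(parts[0], 10, 64)
	expire, err2 := strconv.ParseInt(parts[1], 10, 64)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed timestamps")
	}
	if now.Unix() > issued+expire {
		return fmt.Errorf("token expired")
	}
	return nil
}
```

A token forged without the api-key fails the signature check even before the lifetime is inspected, which is the case for a bot that could not solve the challenge.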

Docker

Build your own docker image

Integrate your challenge.sh & response.sh directly into your own docker image. It is also advisable to install some additional programs, for example one to generate UUIDs, which can be used when designing your custom challenge/response.

cd example
# build
docker build -t authprovider-example .
# run
docker run -p 8080:8080 -e API_KEY=your-api-key -e TOKEN_EXPIRE=3600 -e PORT=8080 authprovider-example

Mount volume

You can also mount your custom challenge.sh & response.sh.

# build
docker build -f docker/Dockerfile -t authprovider .
# run
docker run -p 8080:8080 -v `pwd`/path/to/your/own/scripts/folder:/service/scripts -e API_KEY=your-api-key -e TOKEN_EXPIRE=3600 -e PORT=8080 authprovider

Development

API_KEY=your-key go run main.go

Known Limitations

  • clustering currently not possible
    will be possible in the future with redis integration
Owner
Tobias Meinhardt