mirror/lldap
1
0
Fork 0
mirror of https://github.com/nitnelave/lldap.git synced 2023-04-12 14:25:13 +00:00
Code Issues Projects Releases Wiki Activity

docs: update architecture doc

Browse Source
This commit is contained in:
Valentin Tolmer 2022-04-29 14:59:32 +02:00 committed by nitnelave
parent 90611aefef
commit 4537d1ae2b
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/architecture.md
View File

@ -6,7 +6,8 @@ backend and [yew](https://yew.rs) for the frontend.
Backend: Backend:
* Listens on a port for LDAP protocol. * Listens on a port for LDAP protocol.
* Only a small, read-only subset of the LDAP protocol is supported. * Only a small, read-only subset of the LDAP protocol is supported.
* An extension to allow resetting the password through LDAP will be added. * In addition to that, an extension to allow resetting the password is also
supported.
* Listens on another port for HTTP traffic. * Listens on another port for HTTP traffic.
* The authentication API, based on JWTs, is under "/auth". * The authentication API, based on JWTs, is under "/auth".
* The user management API is a GraphQL API under "/api/graphql". The schema * The user management API is a GraphQL API under "/api/graphql". The schema
@ -46,11 +47,6 @@ Data storage:
### Passwords ### Passwords
Passwords are hashed using Argon2, the state of the art in terms of password
storage. They are hashed using a secret provided in the configuration (which
can be given as environment variable or command line argument as well): this
should be kept secret and shouldn't change (it would invalidate all passwords).
Authentication is done via the OPAQUE protocol, meaning that the passwords are Authentication is done via the OPAQUE protocol, meaning that the passwords are
never sent to the server, but instead the client proves that they know the never sent to the server, but instead the client proves that they know the
correct password (zero-knowledge proof). This is likely overkill, especially correct password (zero-knowledge proof). This is likely overkill, especially
@ -59,6 +55,15 @@ but it's one less potential flaw (especially since the LDAP interface can be
restricted to an internal docker-only network while the web app is exposed to restricted to an internal docker-only network while the web app is exposed to
the Internet). the Internet).
OPAQUE's "passwords" (user-specific blobs of data that can only be used in a
zero-knowledge proof that the password is correct) are hashed using Argon2, the
state of the art in terms of password storage. They are hashed using a secret
provided in the configuration (which can be given as environment variable or
command line argument as well): this should be kept secret and shouldn't change
(it would invalidate all passwords). Note that even if it was compromised, the
attacker wouldn't be able to decrypt the passwords without running an expensive
brute-force search independently for each password.
### JWTs and refresh tokens ### JWTs and refresh tokens
When logging in for the first time, users are provided with a refresh token When logging in for the first time, users are provided with a refresh token