
bharathkeyvalue/authentication-service


Authentication Service

A standalone service to handle authentication and authorization.


Description

User signup, authentication and authorization are integral parts of any SaaS product. When we kick-start development of a new product we can either use services such as AWS Cognito or Auth0, or build these features ourselves; even when an external service is used, we end up writing a wrapper around it. This service implements the user authentication and authorization features needed by most applications.

The service can be used in either of the following ways:

  • Deploy as a standalone service for managing authentication and authorization
  • Use it as a starting point for new product development and build new features on top of it.

Developers can customise it to their own requirements.

Features

  • Signup using phone number/email and password
  • Login using phone number/email and password
  • Signup using phone number/email and OTP (custom TOTP + message via SendGrid / Twilio)
  • Validating OTP
  • reCAPTCHA v2 and v3 implementation
  • Signup using Google
  • Authentication using JWT access token
  • Ability to refresh the token
  • Option to change password
  • Managing groups
  • Assigning a user to a group
  • Managing permissions for different APIs
  • Assigning permissions to a group or an individual user
  • Authorizing a user based on their permissions (direct permissions and group permissions)

Tech stack

Getting Started

  • Clone the repo and run npm install
  • Create a copy of the env.sample file and rename it to .env
  • Install Postgres and Redis
  • Create a restricted tenant user that cannot bypass RLS policies
  • Provide the Postgres and Redis secrets and the default user details in the .env file, as listed below

    Database configuration (required)
      POSTGRES_HOST               localhost
      POSTGRES_PORT               5432
      POSTGRES_ADMIN_USER         postgres
      POSTGRES_ADMIN_PASSWORD     postgres
      POSTGRES_TENANT_USER        tenant
      POSTGRES_TENANT_PASSWORD    tenant
      POSTGRES_DB                 auth_service

    Redis cache configuration (required)
      REDIS_HOST                  localhost
      REDIS_PORT                  6379
      REDIS_CACHE_TTL             3600
      REDIS_MAX_ITEM_IN_CACHE     1000

    Authentication configuration (required)
      OTP_SECRET                  secret
      JWT_TOKEN_EXPTIME           3600
      JWT_REFRESH_TOKEN_EXP_TIME  36000
      ENV                         local
      AUTH_KEY                    required authentication key for tenant creation

    Other configuration (required)
      PORT                        4000
      DEFAULT_ADMIN_PASSWORD      should be at least 10 characters

    Google social login configuration (optional)
      GOOGLE_CLIENT_ID
      GOOGLE_SECRET
      APP_URL                     the URL of the application to which the redirect should happen

    Google reCAPTCHA configuration (optional)
      RECAPTCHA_SECRET_KEY        secret
      RECAPTCHA_VERIFY_URL        https://www.google.com/recaptcha/api/siteverify
      MIN_RECAPTCHA_SCORE         required for reCAPTCHA v3

    OTP sender configuration (optional)
      IS_TWILIO_INTEGRATED        false
      TWILIO_ACC_SID              required only if you are using any Twilio service (SMS sender or Verify tool)
      TWILIO_AUTH_TOKEN           required only if you are using any Twilio service (SMS sender or Verify tool)
      TWILIO_SENDING_NUMBER       required only if you are using any Twilio service (SMS sender or Verify tool)
      OTP_VERIFY_TOOL             twilio or default
      TWILIO_VERIFY_SID           required only if the OTP verify tool is twilio
      SMS_INTEGRATION             twilio or aws
      OTP_WINDOW                  300
      OTP_STEP                    1

    Multi-tenancy configuration (optional)
      MULTI_TENANCY_ENABLED       a boolean indicating whether multi-tenancy is enabled; used when handling user login
      DEFAULT_TENANT_ID           default tenant id used when multi-tenancy is disabled

  • Run npm run migration:run
  • Run npm run start
  • The service should be up and running at http://localhost:${PORT}.
  • A default admin user with email admin@domain.com and the password given in DEFAULT_ADMIN_PASSWORD will already be available in the application. This user belongs to the default Admin group, which has the permissions to create/update permissions, create/update groups, create/update entities and update a user.

The health of the service can be checked at http://localhost:${PORT}/auth/api/health.

Google social login

In order to log in with Google, open the following URL in a browser: http://localhost:4000/auth/api/google

GraphQL API reference

GraphQL endpoint

http://localhost:${PORT}/auth/api/graphql

API Documentation

Multi-tenancy Support

This service supports multi-tenancy with complete data isolation between tenants at the database level, using PostgreSQL row-level security (RLS). Each tenant's data is isolated by a tenant_id column and RLS policies keyed on it.

How it works

  1. Every tenant-specific entity in the system has a tenant_id column
  2. PostgreSQL row-level security (RLS) policies are enabled on all tables
  3. The app.tenant_id configuration parameter is set for each request
  4. Database queries are automatically filtered by tenant_id through the RLS policies

Setting up the database user for multi-tenancy

Create a database user with restricted access (this can be done using the provided init-db.sh). The user must not be a superuser, must not have the BYPASSRLS attribute, and should not own the tables, since table owners are exempt from RLS unless the table is marked FORCE ROW LEVEL SECURITY.
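The following is an added example, not the project's init-db.sh or its migrations, showing the pieces that the "How it works" steps and the restricted-user step above rely on: a tenant role that cannot bypass RLS, a tenant-scoped table, a policy keyed on the app.tenant_id setting, and the per-request SET LOCAL. The table name, its columns and the uuid type of tenant_id are assumptions; the role name, password and database name follow the .env defaults listed earlier.

```sql
-- Added example (assumed schema; not the project's own script).

-- 1. Restricted tenant role: can log in, is not a superuser, cannot bypass
--    RLS, and does not own any table.
CREATE ROLE tenant LOGIN PASSWORD 'tenant' NOSUPERUSER NOBYPASSRLS;
GRANT CONNECT ON DATABASE auth_service TO tenant;
GRANT USAGE ON SCHEMA public TO tenant;

-- 2. A tenant-scoped table, created by the admin user (assumed shape).
CREATE TABLE users (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  email     text NOT NULL,
  UNIQUE (tenant_id, email)
);
GRANT SELECT, INSERT, UPDATE, DELETE ON users TO tenant;
GRANT USAGE ON SEQUENCE users_id_seq TO tenant;

-- 3. Enable RLS, and force it so that even the owning role is filtered.
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE users FORCE ROW LEVEL SECURITY;

-- 4. Policy: a row is visible (USING) and may be written (WITH CHECK) only
--    when its tenant_id equals the per-request app.tenant_id setting.
--    current_setting(..., true) returns NULL instead of raising when the
--    parameter is unset, and NULLIF turns an empty value into NULL too;
--    NULL never compares equal, so a request with no tenant sees nothing.
CREATE POLICY tenant_isolation ON users
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- 5. Per request, connected as the tenant role, inside a transaction:
--    SET LOCAL scopes the parameter to this transaction only, so a pooled
--    connection cannot leak the tenant id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO users (tenant_id, email)
  VALUES ('11111111-1111-1111-1111-111111111111', 'alice@example.com');
SELECT id, email FROM users;  -- filtered to this tenant by the policy
COMMIT;

-- 6. Isolation check under a different tenant id: the SELECT is filtered to
--    that tenant's rows, and an INSERT carrying another tenant's id fails
--    the WITH CHECK clause.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';  -- constructed id
SELECT count(*) FROM users;
INSERT INTO users (tenant_id, email)
  VALUES ('11111111-1111-1111-1111-111111111111', 'mallory@example.com');
ROLLBACK;
```

Run steps 1 to 4 as the admin user (POSTGRES_ADMIN_USER) and steps 5 and 6 as the tenant user (POSTGRES_TENANT_USER); running step 5 as the admin user would show every row regardless of the setting unless that user is also covered by FORCE ROW LEVEL SECURITY and lacks BYPASSRLS, which is exactly why the README insists on a separate restricted user.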

Languages

  • TypeScript 99.7%
  • Other 0.3%