mirror of https://github.com/IoTcat/ushio-auth.git
commit
b9ca89bb70
2 changed files with 69 additions and 10 deletions
@ -1,18 +1,38 @@ |
||||
# auth |
||||
auth system for ushio system |
||||
|
||||
Ushio User System |
||||
|
||||
## Key Logic |
||||
- three kinds of account: admin, user, visitor |
||||
- usr can be authed by email, phone, passwd |
||||
- after logined, the client id and secret can be generated and assigned |
||||
- every domain is an single app, it needs a new client id and secret. |
||||
- the app use the id and secret to get a time-expired token |
||||
- the client id and secret can be managed |
||||
|
||||
[简体中文(推荐)](./zh.md) |
||||
|
||||
## Implementation |
||||
|
||||
## Process Flow |
||||
There are three concepts in the Ushio user system, namely hash, token and mask. |
||||
|
||||
Each user has a unique hash, which represents all the permissions of this user. If the hash is leaked, the user needs to refresh the hash manually. But this will cause all devices and services previously bound to this user to automatically log out. |
||||
|
||||
Each device (such as a browser) has a unique token. Various services (such as different websites) running on the device each have their own unique mask. |
||||
|
||||
For security, the token is stored in a cookie under auth.yimian.xyz. Every time a user opens a new website, the system will determine and automatically bind the mask to the token. At this time, multiple masks correspond to one token. As shown below |
||||
|
||||
``` |
||||
token |
||||
/ | \ |
||||
mask1 mask2 mask3 |
||||
``` |
||||
|
||||
Every time a user logs in or registers, what the system does is to associate the token with the hash on the server side. When the user logs out, the token and hash on the server side will be disconnected, and the user will log out. |
||||
|
||||
``` |
||||
hash |
||||
/ | \ |
||||
token1 token2 token3 |
||||
``` |
||||
|
||||
## Login logic |
||||
|
||||
Taking into account that it is difficult for us to remember the password for a long time, the login logic of this site is designed to log in with an email or mobile number verification code. After logging in, the system will evaluate the user's equipment security according to the changes of fp and ip. If the system assessment result is dangerous, the user will be required to verify, otherwise the user will remain logged in. |
||||
|
||||
|
||||
## Dependence |
||||
|
||||
Ushio user systems rely heavily on ushio-session, fp, ip and other projects. |
||||
|
||||
@ -0,0 +1,39 @@ |
||||
# auth |
||||
|
||||
Ushio用户系统 |
||||
|
||||
[English Version](./README.md) |
||||
|
||||
## 实现方法 |
||||
|
||||
Ushio用户系统中存在三个概念,分别是hash, token以及mask。 |
||||
|
||||
每个用户拥有一个自己唯一的hash,这个hash代表着此用户所有的权限。如果hash被泄露,用户需要手动刷新hash。但这将导致此用户之前绑定的所有设备和服务自动登出。 |
||||
|
||||
每个设备(比如浏览器)拥有唯一的token。设备上运行的各种服务(比如不同的网站)各自拥有自己唯一的mask。 |
||||
|
||||
为了安全起见,token储存在auth.yimian.xyz下的cookie中。每次用户打开新的网站时,系统会判断并将mask自动绑定到token。此时,多个mask对应一个token。如下图 |
||||
|
||||
``` |
||||
token |
||||
/ | \ |
||||
mask1 mask2 mask3 |
||||
``` |
||||
|
||||
每次用户登录或注册时,系统所做的事情是在服务器端将token与代表用户的hash联系起来。用户登出时,服务器端的token和hash将断开连接,用户便退出来了。 |
||||
|
||||
``` |
||||
hash |
||||
/ | \ |
||||
token1 token2 token3 |
||||
``` |
||||
|
||||
|
||||
## 登录逻辑 |
||||
|
||||
考虑到我们时长很难记住密码,因此本站登录逻辑设计为邮箱或手机号验证码登录。登陆后,系统将根据fp, ip的变化对用户的设备安全进行评估。如果系统评估结果为危险,则会要求用户进行验证,否则用户将一直处于登录状态。 |
||||
|
||||
|
||||
## 依赖 |
||||
|
||||
Ushio用户系统严重依赖ushio-session,fp,ip等项目。 |
||||
Loading…
Reference in new issue