From fdce180c5c43a412edfc5d3ff4f35337f8b254fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=91=93=E5=96=B5=E9=85=B1?= Date: Tue, 8 Sep 2020 18:18:20 +0800 Subject: [PATCH] Update README.md --- README.md | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 530d2cd..3e182ee 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,38 @@ # auth -auth system for ushio system +Ushio User System -## Key Logic - - three kinds of account: admin, user, visitor - - usr can be authed by email, phone, passwd - - after logined, the client id and secret can be generated and assigned - - every domain is an single app, it needs a new client id and secret. - - the app use the id and secret to get a time-expired token - - the client id and secret can be managed - +[简体中文(推荐)](./zh.md) +## Implementation -## Process Flow +There are three concepts in the Ushio user system, namely hash, token and mask. + +Each user has a unique hash, which represents all the permissions of this user. If the hash is leaked, the user needs to refresh the hash manually. But this will cause all devices and services previously bound to this user to automatically log out. + +Each device (such as a browser) has a unique token. Various services (such as different websites) running on the device each have their own unique mask. + +For security, the token is stored in a cookie under auth.yimian.xyz. Every time a user opens a new website, the system will determine and automatically bind the mask to the token. At this time, multiple masks correspond to one token. As shown below + +``` + token + / | \ +mask1 mask2 mask3 ``` +Every time a user logs in or registers, what the system does is to associate the token with the hash on the server side. When the user logs out, the token and hash on the server side will be disconnected, and the user will log out. + ``` + hash + / | \ +token1 token2 token3 +``` + +## Login logic + +Taking into account that it is difficult for us to remember the password for a long time, the login logic of this site is designed to log in with an email or mobile number verification code. After logging in, the system will evaluate the user's equipment security according to the changes of fp and ip. 
If the system assessment result is dangerous, the user will be required to verify, otherwise the user will remain logged in. + + +## Dependence + +Ushio user systems rely heavily on ushio-session, fp, ip and other projects.
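Review bot: the new `## Implementation` text says "For security, the token is stored in a cookie under auth.yimian.xyz" but does not say how that cookie is protected or whether the token ever expires; the removed `## Key Logic` lines ("the app use the id and secret to get a time-expired token") did document an expiry, so please state the token lifetime, the cookie attributes it relies on (HttpOnly, Secure, SameSite), and what happens to the masks bound to a token when that token is revoked. The sentence "If the hash is leaked, the user needs to refresh the hash manually" describes a credential that "represents all the permissions of this user" with only user-driven rotation; document how a user would notice a leak and whether the server side can revoke or rotate a hash on its own. In the `## Login logic` and `## Dependence` sections, "fp" and "ip" are used without definition; expand them on first use or link the projects they refer to.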