Secure, highly performant authentication server written in Haskell.
Latest commit: Peter J. Jones 6ca1bc3157 "Add an effect record for database methods" (5 days ago)

Path             Last commit                                                                  Age
app              Add an effect record for database methods                                    5 days ago
config           Add application-wide configuration and crypto configuration                  1 week ago
schema           Add an effect record for database methods                                    5 days ago
scripts          Connect to a database and migrate it                                         3 weeks ago
src/Sthenauth    Add an effect record for database methods                                    5 days ago
test             Make it harder to construct invalid salt, unify on `Either CryptoError'      2 weeks ago
.envrc           Add database tables for accounts and emails, refactor some crypto stuff      2 weeks ago
.gitignore       Implement secure password hashing for storing passwords in a database        1 month ago
CHANGES.md       Implement secure password hashing for storing passwords in a database        1 month ago
LICENSE          Initial import                                                               1 month ago
README.md        Add database tables for accounts and emails, refactor some crypto stuff      2 weeks ago
Setup.hs         Implement secure password hashing for storing passwords in a database        1 month ago
default.nix      Add types and schema for an audit log                                        1 week ago
shell.nix        Add database tables for accounts and emails, refactor some crypto stuff      2 weeks ago
sthenauth.cabal  Add an effect record for database methods                                    5 days ago
sthenauth.nix    Add an effect record for database methods                                    5 days ago

README.md

Sthenauth: Never Write Authentication Code Again!

An authentication server that can be used by off-the-shelf and custom software without having to reinvent the wheel. In other words, don’t write your own authentication solution (you’ll probably get it wrong).

Status

This project is currently under heavy development. A stable release is forthcoming. Watch this space.

Features

  • Standards-compliant management of passwords and sessions

    • Conforms to NIST 800-63B with support for AAL1, AAL2, and AAL3
    • Replay resistant (multi-factor authentication)
    • Verifier-impersonation resistant (anti-phishing)
    • Verifier-compromise resistance (client certificates)
    • Secrets are safe even if someone has access to the database
    • Passwords are hashed with PBKDF2 (HMAC + SHA-3 512)
    • Automatic password re-hashing as needed
    • Unicode passwords are normalized (NFKC) then stored as UTF-8
    • Upgrade legacy password databases (bcrypt)
  • Protects personally identifiable information (PII)

    • Encrypted email addresses (with site-wide key)
    • Hashed email addresses (with salt) for deterministic lookup
  • Attack countermeasures:

    • Real-time brute force detection
    • Slow attack responses without affecting real users
  • Auditing

    • Complete event log of all actions taken
    • Statistics transmitted to a time series database
  • Acts as a remote authentication provider:

  • Authenticate with external providers:

    • OAuth2 Generic
    • Google
    • GitHub
    • LDAP
    • PAM
  • User interface:

    • Customize the UI so it matches your brand
    • Users can change and reset passwords
    • Administrator interface
  • Open and Free:

    • Open source, released under the Apache License
    • Free, even for commercial use
    • Commercial support available
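The password bullets above (NFKC-normalized UTF-8 passwords, PBKDF2 with HMAC-SHA3-512, automatic re-hashing when the policy changes) and the PII bullet about a salted email hash for deterministic lookup describe a concrete storage scheme. The Python below is an added example written for this page to show that scheme end to end; it is not code from the Sthenauth project, which is written in Haskell. The record format `algorithm$iterations$salt$hash`, the iteration count, the `site_salt` value and the helper names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Policy values below are assumptions for this example, not Sthenauth's settings.
ALGORITHM = "pbkdf2-sha3-512"   # constructed record tag
ITERATIONS = 100_000            # current policy; older records are re-hashed on login
SALT_BYTES = 16
DK_LEN = 64                     # one SHA3-512 output


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           digestmod=hashlib.sha3_512) -> bytes:
    """PBKDF2 (RFC 8018) written out so the HMAC construction is visible.
    hashlib.pbkdf2_hmac is the production choice; see self_check() below."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    base = hmac.new(password, None, digestmod)   # keyed once, copied per PRF call

    def prf(data: bytes) -> bytes:
        m = base.copy()
        m.update(data)
        return m.digest()

    out = bytearray()
    block = 1
    while len(out) < dklen:
        u = prf(salt + block.to_bytes(4, "big"))     # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):              # T_i = U_1 xor U_2 ... xor U_c
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(len(u), "big")
        block += 1
    return bytes(out[:dklen])


def self_check() -> bool:
    """Cross-check the hand-written PBKDF2 against the standard library using
    SHA-256, for single-block and multi-block output lengths."""
    for dklen in (32, 40):
        ours = pbkdf2(b"passwd", b"salt", 1000, dklen, hashlib.sha256)
        ref = hashlib.pbkdf2_hmac("sha256", b"passwd", b"salt", 1000, dklen)
        if ours != ref:
            return False
    return True


def normalize_password(password: str) -> bytes:
    """NFKC-normalize, then encode as UTF-8, so visually identical inputs
    (precomposed vs. combining characters, full-width letters) hash the same."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = pbkdf2(normalize_password(password), salt, iterations, DK_LEN)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash). needs_rehash is True when the record was
    made with fewer iterations than the current policy, so the caller can
    re-hash the just-verified password and replace the stored record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False, False          # foreign/legacy formats are handled elsewhere
    _, iters, salt_b64, dk_b64 = parts
    iterations = int(iters)
    expected = base64.b64decode(dk_b64)
    candidate = pbkdf2(normalize_password(password), base64.b64decode(salt_b64),
                       iterations, len(expected))
    matches = hmac.compare_digest(candidate, expected)   # constant-time comparison
    return matches, matches and iterations < ITERATIONS


def normalize_email(address: str) -> bytes:
    """Canonical form for lookup (assumption: case-insensitive local part)."""
    return unicodedata.normalize("NFKC", address.strip()).casefold().encode("utf-8")


def email_lookup_hash(address: str, site_salt: bytes) -> str:
    """Deterministic keyed hash of the canonical address. Using the site-wide
    salt as an HMAC key keeps lookups deterministic while a database dump
    without the key cannot be matched against guessed addresses."""
    return hmac.new(site_salt, normalize_email(address), hashlib.sha3_512).hexdigest()


if __name__ == "__main__":
    rec = hash_password("caf\u00e9")                    # constructed sample password
    print("self-check:", self_check())
    print("decomposed form verifies:", verify_password("cafe\u0301", rec))
    print("legacy record:", verify_password("caf\u00e9", hash_password("caf\u00e9", 10_000)))
    print("lookup index:", email_lookup_hash("Alice@Example.COM", b"constructed-site-salt")[:16])
```

The two verification outcomes are returned together so the login path can upgrade a record in the same transaction that authenticated it, which is how "automatic re-hashing as needed" avoids a separate migration. The encrypted-email bullet is not shown: it needs an AEAD cipher that the Python standard library does not provide.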

Goals

  • Secure by default.

    You shouldn’t have to be a security expert to install or use Sthenauth. As much as possible we try to make it impossible to install or configure Sthenauth in a way that would make it insecure.

Name

Sthenauth takes its name from the gorgon Stheno, the immortal sister of Medusa. The face of a gorgon was used in Ancient Greece as a way to ward off evil.