Wiki | IRC | Gitter Chat
- Clone the repository
$ git clone git@github.com:Laverna/server.git
# navigate to the project directory
cd server
- Install dependencies
$ npm install
-
Configure the signal server Copy .env.example to .env and change configs in the new file.
-
Start the server
$ npm start
To authenticate a client on the server it uses token based authentication by using JSON Web Tokens and OpenPGP signatures.
The authentication method is based on public key authentication method where the possession of the private key serves as authentication.
How does it work?
- A client requests a session token by sending a GET request to
/api/token/username/:username
- The server generates and sends a JWT token (HS256 algorithm) for the client which will expire after 8 minutes
- The client signs the session token with their private OpenPGP key and sends a POST request to
/api/auth
- The server:
- Checks the authenticity of the signature
- Checks the signed JWT session token
- If there is no error, it generates an authentication token using JWT. The token will expire after 24 hours
- The authentication token is used to authenticate the client on the signaling socket server.
The server stores a minimum amount of information which includes your username and public OpenPGP key and fingerprint. Keep in mind if your OpenPGP key includes your email, it can be easily extracted.
Some of your personal information will be available to the public. It is necessary for our REST API.
The following data should be considered public:
- Your username
- Your public OpenPGP key
- Your OpenPGP key fingerprint
The authentication method used in this project was implemented by us and it hasn't been vetted nor audited by security experts. Use it at your own risk.
Published under MPL-2.0 License.