lua-resty-access

Passwordless authentication for OpenResty - Flexible and Secure

lua-resty-access

lua-resty-access - Web application access management module based on passwordless authentication for OpenResty.

Live Demo on https://luarestyaccess.site

Installation

    $ opm get supereldar/lua-resty-access

Requirements and Quick Start example

Your nginx configuration should look like this

    http {
    #REQUIREMENT: module require temporary storage, please setup luarestyaccess dictionary.
      lua_shared_dict luarestyaccess 10m;
      
        server {
        listen 80;
        servername domain.local;
        
          location / {
    #REQUIREMENT: resolver and ca certificate directives are needed for external communication.
            resolver 8.8.8.8;
            lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    #REQUIREMENT: Call method Protect of resty.access object using access_by_lua* directive to activate access restriction.
            access_by_lua_block {
              local access = require'resty.access'
              local site = access:new()
              
              #Add users one by one who can access this location. To pass authentication provide "username".
              site:permitUser({username="john", email="john@snow.winter"})
              
              #You can also permit a single email.
              site:permitEmail({email = "john@snow.winter"})
              
              #Or you can permit the whole domain. "*" - works as wildcard here.
              site:permitEmail({email = "*@snow.winter"})
              
              #Launch module
              site:protect()
             }
           proxy_pass http://app1.domain.local;
         }
       }
    }

Optional configuration

If you want to change access time and persistence or cookie name prefix you can use sessionConfig method.

    site:sessionConfig({cookie_prefix = "luarestyaccess_", access_persistent = false , access_time = 3600})

If you want to keep users authenticated after configuration reload, specify static secret using access_secret key.

    site:sessionConfig({access_secret = 623q4hR325t36VsCD3g567922IC0073T})

If you want grant access to the whole domain specify it's name using cookie_domain key.

    site:sessionConfig({cookie_domain = "domain.local"})

If you want to process emails through your own smtp server you can use emailConfig method.

    site:emailConfig({
      mode = "smtp", 
      host= "smtp.gmail.com", 
      port = 587, 
      tls = true,
      username = "user@gmail.com",
      password = "qwerty123"  
    })

Authors

Eldar Beibutov (@supereldar)

License

2bsd

Dependencies

Versions