diff options
| author | Himbeer <himbeer@disroot.org> | 2024-11-16 23:17:27 +0100 |
|---|---|---|
| committer | Himbeer <himbeer@disroot.org> | 2024-11-17 16:32:50 +0100 |
| commit | d0d39d2f9f3abb68eec146376b3233c8bc7c1cfa (patch) | |
| tree | 70be515811406cdc3ba1ab8b56d3c6eccb2f0d59 /doc/auth_backends.md | |
| parent | e7d92562fcf05e4f9b7f6ba29b7cda529aab49bc (diff) | |
Allow plugins to implement authentication backends
Design decisions:
* Config option specifies which of the registered backends is used
* Name conflicts (including with builtins) make the backend registration
fail
* Builtin backends are not moved to plugins to avoid breaking existing
setups confusion in general
* Builtin backends are exposed to plugins (and have been for some time);
Important information and internal methods are hidden to prevent
interference from malicious plugins
See doc/auth_backends.md and the related interface and function
documentation for details.
Closes #127.
Diffstat (limited to 'doc/auth_backends.md')
| -rw-r--r-- | doc/auth_backends.md | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/doc/auth_backends.md b/doc/auth_backends.md index ce9dc2b..4075b08 100644 --- a/doc/auth_backends.md +++ b/doc/auth_backends.md @@ -94,3 +94,29 @@ Example (converting Minetest's PostgreSQL database to the `files` backend): ``` mt-auth-convert mtpostgresql files 'host=localhost user=mt dbname=mtauth sslmode=disable' nil ``` + +## Implementing custom authentication backends + +Plugins can implement their own authentication backends and register them +using the [RegisterAuthBackend](https://pkg.go.dev/github.com/HimbeerserverDE/mt-multiserver-proxy#RegisterAuthBackend) +function. These plugins can then be enabled by setting the `AuthBackend` +config option. Configuration for them is provided through a plugin-specific +configuration mechanism if needed. + +This makes it possible to integrate with custom environments, especially those +that share a database with other services such as a forum. + +Note that the network protocol is always SRP and the credentials are always SRP +verifiers and salts. This is a protocol limitation and should not be an issue. + +When implementing an authentication backend, make sure you follow the +[interface documentation](https://pkg.go.dev/github.com/HimbeerserverDE/mt-multiserver-proxy#AuthBackend) +carefully. The active authentication backend can be accessed using the +[DefaultAuth](https://pkg.go.dev/github.com/HimbeerserverDE/mt-multiserver-proxy#DefaultAuth) +function *after initialization time*. +Other backends can be accessed using the +[Auth](https://pkg.go.dev/github.com/HimbeerserverDE/mt-multiserver-proxy#Auth) +function *after initialization time*. + +Custom backends can be handled by the [mt-auth-convert](#mt-auth-convert) tool +as long as it is able to load the relevant plugin(s). |