Skip to content
/ triflector Public

A relay which enforces authentication based on custom policy

License

MIT license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

coracle-social/triflector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
acl.go
acl.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
util.go
util.go
 
 
watch
watch
 
 

Repository files navigation

Triflector

This is a relay based on Khatru which implements a range of access controls.

Basic configuration

The following environment variables are optional:

  • PORT - the port to run on
  • RELAY_NAME - the name of your relay
  • RELAY_ICON - an icon for your relay
  • RELAY_PUBKEY - the public key of your relay
  • RELAY_DESCRIPTION - your relay's description
  • RELAY_CLAIMS - a comma-separated list of claims to auto-approve for relay access
  • AUTH_BACKEND - a url to delegate authorization to
  • AUTH_WHITELIST - a comma-separate list of pubkeys to allow access for
  • AUTH_RESTRICT_USER - whether to only accept events published by authenticated users. Defaults to true. If false, no AUTH challenge will be sent.
  • AUTH_RESTRICT_AUTHOR - whether to only accept events signed by authorized users. Defaults to false.

Access control

Several different policies are available for granting access, described below. If any of these checks passes, access will be granted via NIP 42 AUTH for both read and write.

Pubkey whitelist

To allow a static list of pubkeys, set the AUTH_WHITELIST env variable to a comma-separated list of pubkeys.

Arbitrary policy

You can dynamically allow/deny pubkey access by setting the AUTH_BACKEND env variable to a URL.

The pubkey in question will be appended to this URL and a GET request will be made against it. A 200 means the key is allowed to read and write to the relay; any other status code will deny access.

For example, providing AUTH_BACKEND=http://example.com/check-auth?pubkey= will result in a GET request being made to http://example.com/check-auth?pubkey=<pubkey>.

Relay claims

A user may send a kind 28934 claim event to this relay. If the claim tag is in the RELAY_CLAIMS list, the pubkey which signed the event will be granted access to the relay.

Docker

You can use Docker Compose or Portainer Stacks to run a container:

services:

  triflector:
    image: ghcr.io/coracle-social/triflector
    container_name: triflector
    restart: unless-stopped
    networks:
      - triflectornet
    ports:
      - 3334:3334
    environment:
      - DATABASE_URL=postgres://triflector:YOUR_PASSWORD_HERE@database:5432/triflector?sslmode=disable

  database:
    image: postgres
    container_name: triflector_db
    restart: unless-stopped
    networks:
      - triflectornet
    volumes:
      - triflectordata:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=triflector
      - POSTGRES_USER=triflector
      - POSTGRES_PASSWORD=YOUR_PASSWORD_HERE

networks:

  triflectornet:

volumes:

  triflectordata:

Make sure to change the example postgres password in both DATABASE_URL and POSTGRES_PASSWORD.

You can add the environment variables from Basic configuration to the environment: section under triflector: to customize your relay.

About

A relay which enforces authentication based on custom policy

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

5 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

  •  
  •  

Languages