Forked from baileytownsend.dev/pds-gatekeeper

Microservice to bring 2FA to self-hosted PDSes
# PDS gatekeeper

A microservice that sits on the same server as the PDS to add some of the security that the entryway does.

PDS gatekeeper works by overriding some of the PDS endpoints inside your Caddyfile so that certain
endpoints are gatekept. Mainly, this means the ability to have 2FA on a self-hosted PDS, like the Bluesky mushroom PDSes have. Most of the
logic of these endpoints still happens on the PDS via a proxied request; only some are gatekept.

# Features

## 2FA

- [x] Ability to turn 2FA on/off
- [x] getSession overwrite to set the `emailAuthFactor` flag if the user has 2FA turned on
- [x] Send an email using the `PDS_EMAIL_SMTP_URL` with a Handlebars email template, like Bluesky's 2FA sign-in email
- [ ] Generate a 2FA code
- [ ] createSession gatekeeping (it does stop logins, but it doesn't actually send a real code or check it yet)
- [ ] OAuth endpoint gatekeeping

## Captcha on Create Account

Future feature?

# Setup

Nothing here yet! If you are brave enough to try before full release, let me know and I'll help you set it up.
But I want to run it locally on my own PDS first to test it a bit.

Example Caddyfile (mostly so I don't lose it for now; a better one will follow)

```caddyfile
http://localhost {

	# Requests for these endpoints go to the gatekeeper instead of the PDS
	@gatekeeper {
		path /xrpc/com.atproto.server.getSession
		path /xrpc/com.atproto.server.updateEmail
		path /xrpc/com.atproto.server.createSession
	}

	handle @gatekeeper {
		reverse_proxy http://localhost:8080
	}

	# Everything else goes straight to the PDS
	reverse_proxy /* http://localhost:3000
}
```
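To show what the service behind the `@gatekeeper` routes above actually decides, here is an added Python sketch of the createSession and getSession gatekeeping. It is an illustration written for this README, not the project's code: the 2FA store, the injected `proxy` callable and the `fake_pds` stand-in are assumptions, while the `authFactorToken` field and `AuthFactorTokenRequired` error follow the com.atproto.server.createSession lexicon.

```python
import hmac

# Constructed stand-ins for the gatekeeper's own state (a real service would keep
# them in its database): accounts with 2FA on and each account's pending emailed code.
TWO_FA_ENABLED = {"did:plc:alice"}
PENDING_CODES = {"did:plc:alice": "ABCDE-FGHIJ"}

def handle(path, body, proxy):
    """Serve one XRPC call that Caddy's @gatekeeper matcher routed here.
    `proxy(path, body)` forwards to the PDS and returns (status, json_dict);
    it is injected so the decision logic runs without a live PDS."""
    if path == "/xrpc/com.atproto.server.createSession":
        return create_session(body, proxy)
    if path == "/xrpc/com.atproto.server.getSession":
        return get_session(body, proxy)
    return proxy(path, body)  # everything else passes straight through

def create_session(body, proxy):
    # The PDS still checks the password; the gatekeeper only decides whether
    # the session it minted may be released. Deciding after the password check
    # also avoids telling anonymous callers which accounts have 2FA on.
    status, session = proxy("/xrpc/com.atproto.server.createSession", body)
    if status != 200 or session.get("did") not in TWO_FA_ENABLED:
        return status, session
    supplied = body.get("authFactorToken")
    expected = PENDING_CODES.get(session["did"])
    if not (supplied and expected and hmac.compare_digest(supplied, expected)):
        # Error and field names follow the com.atproto.server.createSession
        # lexicon; the minted tokens are dropped here, never sent to the client.
        return 401, {"error": "AuthFactorTokenRequired",
                     "message": "A sign in code has been sent to your email address"}
    del PENDING_CODES[session["did"]]  # codes are single use
    return 200, session

def get_session(body, proxy):
    # getSession overwrite: pass through, then set emailAuthFactor from the
    # gatekeeper's record so clients show the account as 2FA protected.
    status, session = proxy("/xrpc/com.atproto.server.getSession", body)
    if status == 200:
        session["emailAuthFactor"] = session.get("did") in TWO_FA_ENABLED
    return status, session

def fake_pds(path, body):
    """Constructed stand-in for the PDS on localhost:3000, so this runs offline."""
    if path.endswith("createSession") and body.get("password") != "correct horse":
        return 401, {"error": "AuthenticationFailed", "message": "Invalid identifier or password"}
    if path.endswith("createSession"):
        did = "did:plc:alice" if body["identifier"] == "alice.test" else "did:plc:bob"
        return 200, {"did": did, "handle": body["identifier"], "accessJwt": "<jwt>"}
    return 200, {"did": "did:plc:alice", "handle": "alice.test"}  # getSession
```

In a deployment `proxy` would be an HTTP client forwarding to the PDS at localhost:3000, and the code lookup would be backed by whatever the email step stored.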