# PDS gatekeeper

A microservice that sits on the same server as the PDS to add some of the security that the entryway does.

![Picture in black and white of a grassy hill with a gate at the top](./images/gate.jpg)

PDS gatekeeper works by overriding some of the PDS endpoints inside your Caddyfile to provide gatekeeping to certain
endpoints. Mainly, the ability to have 2FA on a self hosted PDS like it does on a Bluesky mushroom(PDS). Most of the
logic of these endpoints still happens on the PDS via a proxied request, just some are gatekept.

# Features

## 2FA

- [x] Ability to turn on/off 2FA
- [x] getSession overwrite to set the `emailAuthFactor` flag if the user has 2FA turned on
- [x] send an email using the `PDS_EMAIL_SMTP_URL` with a handlebar email template like Bluesky's 2FA sign in email.
- [ ] generate a 2FA code
- [ ] createSession gatekeeping (It does stop logins, just eh, doesn't actually send a real code or check it yet)
- [ ] oauth endpoint gatekeeping

## Captcha on Create Account

Future feature?

# Setup

Nothing here yet! If you are brave enough to try before full release, let me know and I'll help you set it up.
But I want to run it locally on my own PDS first to test run it a bit.

Example Caddyfile (mostly so I don't lose it for now. Will have a better one in the future)

```caddyfile
http://localhost {

    @gatekeeper {
        path /xrpc/com.atproto.server.getSession
        path /xrpc/com.atproto.server.updateEmail
        path /xrpc/com.atproto.server.createSession
    }

    handle @gatekeeper {
        reverse_proxy http://localhost:8080
    }

    reverse_proxy /* http://localhost:3000
}

```