besaid.zone / pds-gatekeeper
forked from baileytownsend.dev/pds-gatekeeper
Microservice to bring 2FA to self hosted PDSes
fork atom
Rust 80.5%
Handlebars 18.4%
Dockerfile 0.6%
Just 0.5%
4 1 0

Clone this repository

https://tangled.org/besaid.zone/pds-gatekeeper
git@tangled.org:besaid.zone/pds-gatekeeper

For self-hosted knots, clone URLs may differ based on your setup.

Download tar.gz
README.md

PDS gatekeeper#

A microservice that sits on the same server as the PDS to add some of the security that the entryway does.

Picture in black and white of a grassy hill with a gate at the top

PDS gatekeeper works by overriding some of the PDS endpoints inside your Caddyfile to provide gatekeeping to certain endpoints. Mainly, the ability to have 2FA on a self hosted PDS like it does on a Bluesky mushroom(PDS). Most of the logic of these endpoints still happens on the PDS via a proxied request, just some are gatekept.

Features#

2FA#

  • Overrides The login endpoint to add 2FA for both Bluesky client logged in and OAuth logins
  • Overrides the settings endpoints as well. As long as you have a confirmed email you can turn on 2FA

Captcha on Create Account#

Future feature?

Setup#

We are getting close! Testing now

Nothing here yet! If you are brave enough to try before full release, let me know and I'll help you set it up. But I want to run it locally on my own PDS first to test run it a bit.

Example Caddyfile (mostly so I don't lose it for now. Will have a better one in the future)

http://localhost {

    @gatekeeper {
        path /xrpc/com.atproto.server.getSession
        path /xrpc/com.atproto.server.updateEmail
        path /xrpc/com.atproto.server.createSession
        path /@atproto/oauth-provider/~api/sign-in
    }

    handle @gatekeeper {
        reverse_proxy http://localhost:8080
    }

    reverse_proxy /* http://localhost:3000
}