+4

.env.example

··· 1 1 + ORIGIN=https://indiko.dunkirk.sh 2 2 + RP_ID=indiko.dunkirk.sh 3 3 + PORT=3000 4 4 + NODE_ENV="production"

+5 -22

LICENSE.md

··· 1 1 - The MIT License (MIT) 2 2 - ===================== 1 1 + # The O'Saasy License 3 2 4 3 Copyright © `2025` `Kieran Klukas` 5 4 6 6 - Permission is hereby granted, free of charge, to any person 7 7 - obtaining a copy of this software and associated documentation 8 8 - files (the “Software”), to deal in the Software without 9 9 - restriction, including without limitation the rights to use, 10 10 - copy, modify, merge, publish, distribute, sublicense, and/or sell 11 11 - copies of the Software, and to permit persons to whom the 12 12 - Software is furnished to do so, subject to the following 13 13 - conditions: 5 5 + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 14 6 15 15 - The above copyright notice and this permission notice shall be 16 16 - included in all copies or substantial portions of the Software. 7 7 + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 8 + No licensee or downstream recipient may use the Software (including any modified or derivative versions) to directly compete with the original Licensor by offering it to third parties as a hosted, managed, or Software-as-a-Service (SaaS) product or cloud service where the primary value of the service is the functionality of the Software itself. 17 9 18 18 - THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, 19 19 - EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES 20 20 - OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 21 21 - NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 22 22 - HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 23 23 - WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 24 24 - FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 25 25 - OTHER DEALINGS IN THE SOFTWARE. 26 26 - 27 27 - 10 10 + THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

+141 -3

README.md

··· 1 1 # Indiko 2 2 3 3 - No that was not a typo the project's name actually is `indiko`! This is a small implementation of [IndieAuth](https://indieweb.org/How_to_set_up_web_sign-in_on_your_own_domain) running on bun with sqlite and lit web components and serving as the authentication provider for my homelab / side projects. 3 3 + No that was not a typo the project's name actually is `indiko`! This is a small implementation of [IndieAuth](https://indieweb.org/How_to_set_up_web_sign-in_on_your_own_domain) running on bun with sqlite and serving as the authentication provider for my homelab / side projects it also supports custom clients with roles over the OAuth 2.0 spec. 4 4 5 5 The canonical repo for this is hosted on tangled over at [`dunkirk.sh/indiko`](https://tangled.org/@dunkirk.sh/indiko) 6 6 7 7 + ## Quick Start 8 8 + 9 9 + ### Prerequisites 10 10 + 11 11 + - [Bun](https://bun.sh) v1.0 or higher 12 12 + - A domain with HTTPS (required for WebAuthn) 13 13 + 14 14 + ### Installation 15 15 + 16 16 + 1. Clone the repository: 17 17 + 18 18 + ```bash 19 19 + git clone https://github.com/taciturnaxolotl/indiko.git 20 20 + cd indiko 21 21 + ``` 22 22 + 23 23 + 2. Install dependencies: 24 24 + 25 25 + ```bash 26 26 + bun install 27 27 + ``` 28 28 + 29 29 + 3. Create a `.env` file: 30 30 + 31 31 + ```bash 32 32 + cp .env.example .env 33 33 + ``` 34 34 + 35 35 + Configure the following environment variables: 36 36 + 37 37 + ```env 38 38 + ORIGIN=https://your-indiko-domain.com 39 39 + RP_ID=your-indiko-domain.com 40 40 + PORT=3000 41 41 + NODE_ENV=production 42 42 + ``` 43 43 + 44 44 + - `ORIGIN` - Full URL where Indiko is hosted (must match RP_ID) 45 45 + - `RP_ID` - Domain for WebAuthn (no protocol, matches ORIGIN domain) 46 46 + - `PORT` - Port to run the server on 47 47 + - `NODE_ENV` - Environment (dev/production) 48 48 + 49 49 + The database will be automatically created at `./indiko.db` on first run. 50 50 + 51 51 + 4. Start the server: 52 52 + 53 53 + ```bash 54 54 + # Development (with hot reload) 55 55 + bun run dev 56 56 + 57 57 + # Production 58 58 + bun run start 59 59 + ``` 60 60 + 61 61 + ### First User Setup 62 62 + 63 63 + On first run, you'll need to create an admin user: 64 64 + 65 65 + 1. Visit `https://your-indiko-domain.com/login?invite=bootstrap` 66 66 + 2. Register with a passkey 67 67 + 3. This first user will automatically be an admin 68 68 + 69 69 + After the first user is created, the bootstrap invite is disabled. Subsequent users must be invited by an admin. 70 70 + 71 71 + ## Usage 72 72 + 73 73 + ### Creating OAuth Apps 74 74 + 75 75 + 1. Go to `/admin/clients` 76 76 + 2. Click "Create OAuth Client" 77 77 + 3. Fill in: 78 78 + 79 79 + - **Name** - Display name for your app 80 80 + - **Logo URL** - (Optional) URL to app logo 81 81 + - **Description** - (Optional) Brief description 82 82 + - **Redirect URIs** - One or more OAuth callback URLs 83 83 + - **Available Roles** - (Optional) Define roles users can be assigned 84 84 + - **Default Role** - (Optional) Auto-assign this role on first auth 85 85 + 86 86 + 4. Save and copy the generated credentials: 87 87 + 88 88 + - **Client ID** - Format: `ikc_xxxxxxxxxxxxxxxxxxxxx` 89 89 + - **Client Secret** - Format: `iks_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` 90 90 + 91 91 + > [!IMPORTANT] 92 92 + > The client secret is only shown once! Save it securely. 93 93 + 94 94 + ### Using as an IndieAuth Provider 95 95 + 96 96 + Add these tags to your website's `<head>`: 97 97 + 98 98 + ```html 99 99 + <link 100 100 + rel="authorization_endpoint" 101 101 + href="https://your-indiko-domain.com/auth/authorize" 102 102 + /> 103 103 + <link rel="token_endpoint" href="https://your-indiko-domain.com/auth/token" /> 104 104 + <link rel="me" href="https://your-indiko-domain.com/u/your-username" /> 105 105 + ``` 106 106 + 107 107 + Now you can sign in to IndieAuth-compatible sites using `https://your-domain.com/` as your identity. 108 108 + 109 109 + ## API Reference 110 110 + 111 111 + ### OAuth 2.0 Endpoints 112 112 + 113 113 + - `GET /auth/authorize` - Authorization endpoint 114 114 + - `POST /auth/token` - Token exchange endpoint 115 115 + - `POST /auth/logout` - Session logout 116 116 + 117 117 + ### User Profile 118 118 + 119 119 + - `GET /u/:username` - Public h-card profile 120 120 + 121 121 + ### Admin API (requires admin token) 122 122 + 123 123 + - `GET /api/admin/users` - List all users 124 124 + - `POST /api/admin/invites` - Create invite 125 125 + - `GET /api/admin/invites` - List invites 126 126 + - `GET /api/admin/clients` - List OAuth clients 127 127 + - `POST /api/admin/clients` - Create OAuth client 128 128 + - `GET /api/admin/clients/:clientId` - Get client details 129 129 + - `PUT /api/admin/clients/:clientId` - Update client 130 130 + - `DELETE /api/admin/clients/:clientId` - Delete client 131 131 + 132 132 + ## Development 133 133 + 134 134 + ```bash 135 135 + # Run with hot reload 136 136 + bun run dev 137 137 + 138 138 + # Format code 139 139 + bun run format 140 140 + 141 141 + # Type check (handled by Bun) 142 142 + bun run src/index.ts 143 143 + ``` 144 144 + 7 145 <p align="center"> 8 146 <img src="https://raw.githubusercontent.com/taciturnaxolotl/carriage/main/.github/images/line-break.svg" /> 9 147 </p> 10 148 11 149 <p align="center"> 12 12 - <i><code>&copy 2025-present <a href="https://github.com/taciturnaxololt">Kieran Klukas</a></code></i> 150 150 + <i><code>&copy 2025-present <a href="https://dunkirk.sh">Kieran Klukas</a></code></i> 13 151 </p> 14 152 15 153 <p align="center"> 16 16 - <a href="https://github.com/taciturnaxolotl/indiko/blob/main/LICENSE.md"><img src="https://img.shields.io/static/v1.svg?style=for-the-badge&label=License&message=MIT&logoColor=d9e0ee&colorA=363a4f&colorB=b7bdf8"/></a> 154 154 + <a href="https://tangled.org/dunkirk.sh/indiko/blob/main/LICENSE.md"><img src="https://img.shields.io/static/v1.svg?style=for-the-badge&label=License&message=O'Saasy&logoColor=d9e0ee&colorA=363a4f&colorB=b7bdf8"/></a> 17 155 </p>

indiko.db

This is a binary file and will not be displayed.