  • Stars: 429
  • Rank 101,271 (Top 2 %)
  • Language: Go
  • License: MIT License
  • Created almost 6 years ago
  • Updated 5 months ago

Repository Details

Standalone server for user address and OTP verification flows with pluggable providers (e-mail, SMS, bank penny drops etc.)

OTP Gateway

OTP (One Time Password) Gateway is a standalone web server that provides a central gateway to verify user addresses such as e-mails and phone numbers, and to send 2FA confirmations to such addresses.

  • Use the built in web UI to easily integrate with existing applications.
  • Use the HTTP/JSON APIs to build your own UI.
  • Basic multi-tenancy with namespace+secret BasicAuth for segregating applications.

Built-in providers

  • SMTP
  • AWS Pinpoint SMS
  • Kaleyra SMS, WhatsApp

Webhook providers

Any external provider can be integrated by defining one or more webhook providers in the config. A JSON payload is posted to the webhook endpoint whenever an OTP is generated.

How does it work?

The application is agnostic of the user's "address" and the OTP / verification codes. These are handled by providers.

  • Addresses are strings, for example, e-mail IDs, phone numbers, bank account numbers etc.
  • OTPs are also just strings, for instance, 6 digit codes sent as SMSes or a penny value dropped to a bank account.

The gateway sends the OTP value to the user's address using a provider (an upstream that takes the OTP + message and sends it to the user) and the user then has to read the OTP and enter it on the gateway's web view to complete the verification.

Usage

Download the latest release from the releases page.

  • Copy config.sample.toml to config.toml and edit the configuration.
  • Run ./otpgateway
  • Refer to the API reference to send OTPs.

Built in UI

  1. Generate an OTP for a user server side in your application:
     curl -u "myAppName:mySecret" -X PUT -d "[email protected]&provider=smtp" localhost:9000/api/otp/uniqueIDForJohnDoe
  2. Use the OTPGateway() Javascript function (see the Javascript plugin section) to initiate the modal UI on your webpage. On receiving the Javascript callback, post it back to your application and confirm that the OTP is indeed verified:
     curl -u "myAppName:mySecret" -X POST localhost:9000/api/otp/uniqueIDForJohnDoe/status

Your own UI

Use the APIs described below to build your own UI.

API reference

List providers

curl -u "myAppName:mySecret" localhost:9000/api/providers

{
  "status": "success",
  "data": ["smtp"]
}

Initiate an OTP for a user

curl -u "myAppName:mySecret" -X PUT -d "[email protected]&provider=smtp&extra={\"yes\": true}" localhost:9000/api/otp/uniqueIDForJohnDoe

Parameters:

  • :id (optional): A unique ID for the user being verified. If this is not provided, a random ID is generated and returned. It's good to send this as a permanent ID for your existing users to prevent users from indefinitely trying to generate OTPs. For instance, if your user's ID is 123 and you're verifying the user's e-mail, a simple ID can be MD5("email.123"). Important: the ID is only unique per namespace and not per provider.
  • provider: ID of the provider plugin to use for verification. The bundled e-mail provider's ID is "smtp".
  • to (optional): The address of the user to verify, for instance, an e-mail ID for the "smtp" provider. If this is left blank, a view is displayed to collect the address from the user.
  • channel_description (optional): Description to show to the user on the OTP verification page. If not provided, it'll show the default description or help text from the provider plugin.
  • address_description (optional): Description to show to the user on the address collection page. If not provided, it'll show the default description or help text from the provider plugin.
  • otp (optional): The OTP or code to send to the user for verification. If not provided, a random OTP is generated and sent.
  • ttl (optional): OTP expiry in seconds. If not provided, the default value from the config is used.
  • max_attempts (optional): Maximum number of OTP verification attempts. If not provided, the default value from the config is used.
  • skip_delete (optional): After a successful OTP verification, the OTP is deleted. If this is set to true, the OTP is not deleted and is left to expire gradually.
  • extra (optional): An extra payload (JSON string) that will be returned with the OTP.

{
  "status": "success",
  "data": {
    "namespace": "myAppName",
    "id": "uniqueIDForJohnDoe",
    "to": "[email protected]",
    "channel_description": "",
    "address_description": "",
    "extra": { "yes": true },
    "provider": "smtp",
    "otp": "354965",
    "max_attempts": 5,
    "attempts": 5,
    "closed": false,
    "ttl": 300,
    "url": "http://localhost:9000/otp/myAppName/uniqueIDForJohnDoe"
  }
}

Validate an OTP entered by the user

Every incorrect validation here increments the attempts before further attempts are blocked. Once the OTP is verified, it is deleted, unless skip_delete=true is passed in the params.

curl -u "myAppName:mySecret" -X POST -d "action=check&otp=354965" localhost:9000/api/otp/uniqueIDForJohnDoe

{
  "status": "success",
  "data": {
    "namespace": "myAppName",
    "id": "uniqueIDForJohnDoe",
    "to": "[email protected]",
    "channel_description": "",
    "address_description": "",
    "extra": { "yes": true },
    "provider": "smtp",
    "otp": "354965",
    "max_attempts": 5,
    "attempts": 5,
    "closed": false,
    "ttl": 300,
    "url": "http://localhost:9000/otp/myAppName/uniqueIDForJohnDoe"
  }
}

Check whether an OTP request is verified

This is used to confirm verification after a callback from the built in UI flow.

curl -u "myAppName:mySecret" -X POST localhost:9000/api/otp/uniqueIDForJohnDoe/status

{
  "status": "success",
  "data": {
    "namespace": "myAppName",
    "id": "uniqueIDForJohnDoe",
    "to": "[email protected]",
    "channel_description": "",
    "address_description": "",
    "extra": { "yes": true },
    "provider": "smtp",
    "otp": "354965",
    "max_attempts": 5,
    "attempts": 5,
    "closed": false,
    "ttl": 300
  }
}

or an error such as

{ "status": "error", "message": "OTP not verified" }

The closed field indicates whether the OTP has been validated by the user and has been "closed".

Javascript plugin

The gateway comes with a Javascript plugin that enables easy integration of the verification UI into existing applications. Once a server side call to generate an OTP is made and a namespace and id are obtained, calling OTPGateway() opens the verification UI in a modal popup. Upon completion of verification by the user, a callback is triggered.

<!-- The id #otpgateway-script is required for the script to work //-->
<script
  id="otpgateway-script"
  src="http://localhost:9000/static/otp.js"
></script>
<script>
  // 1. Make a call to the server to generate and send an OTP and return
  // the :namespace and :id for the OTP.
  // 2. Invoke the verification UI for the user with the namespace and id values,
  // and a callback which is triggered when the user finishes the flow.
  OTPGateway(
    namespaceVal,
    idVal,
    function(nm, id) {
      console.log("finished", nm, id);

      // 3. Post the namespace and id to your server that will make the
      // status request to the gateway and on success, update the user's
      // address in your records as it's now verified.
    },
    function() {
      console.log("cancelled");
    }
  );
</script>
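
The server-side confirmation that step 3 of the script above calls for, as an added Go example (not part of the OTP Gateway project's code). It uses the status endpoint, BasicAuth credentials and response fields shown in the API reference; the function names, the wantTo parameter and the sample reply are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// CheckStatus validates a status response body against the OTP request the server created.
// wantTo is an assumed parameter: the address the app sent the OTP to ("" accepts any).
func CheckStatus(body io.Reader, namespace, id, wantTo string) (string, error) {
	var out struct { // only the response fields this check relies on
		Status, Message string
		Data            struct{ Namespace, ID, To string }
	}
	if err := json.NewDecoder(body).Decode(&out); err != nil || out.Status != "success" {
		return "", fmt.Errorf("not verified: %q (decode error: %v)", out.Message, err)
	}
	// Bind the answer to our own request, not to what the browser callback posted.
	if out.Data.Namespace != namespace || out.Data.ID != id || (wantTo != "" && out.Data.To != wantTo) {
		return "", fmt.Errorf("gateway response does not match the expected OTP request")
	}
	return out.Data.To, nil
}

// ConfirmVerified makes the authenticated server-side status request and checks the reply.
func ConfirmVerified(base, namespace, secret, id, wantTo string) (string, error) {
	req, err := http.NewRequest("POST", strings.TrimRight(base, "/")+"/api/otp/"+url.PathEscape(id)+"/status", nil)
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(namespace, secret) // same credentials as curl -u
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return CheckStatus(resp.Body, namespace, id, wantTo)
}

func main() {
	// Constructed reply: verified, but for a different id than the one we issued.
	reply := `{"status":"success","data":{"namespace":"myAppName","id":"someOtherID","to":"a@example.test"}}`
	fmt.Println(CheckStatus(strings.NewReader(reply), "myAppName", "uniqueIDForJohnDoe", ""))
}
```

Call ConfirmVerified with the namespace and id your server stored when it generated the OTP, and update the user's record only with the address it returns.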

Licensed under the MIT license.
