Authentication
Authentication and security configuration
Orbis uses JWTs (JSON Web Tokens) for authentication and Argon2id for password hashing.
Environment Variables
| Variable | Description | Default |
|---|---|---|
| ORBIS_JWT_SECRET | JWT signing secret | Generated |
| ORBIS_JWT_EXPIRY | Access token expiry time | 24h |
| ORBIS_SESSION_DURATION | Session duration | 24h |
| ORBIS_REFRESH_TOKEN_EXPIRY | Refresh token expiry | 7d |
| ORBIS_PASSWORD_MIN_LENGTH | Minimum password length | 8 |
Rely on the generated default only in development. In production set ORBIS_JWT_SECRET explicitly, so that every instance that issues or verifies tokens uses the same value.
Configuration File
```toml
[auth]
jwt_secret = "your-secure-secret-key-at-least-32-characters"
jwt_expiry = "24h"
session_duration = "24h"
refresh_token_expiry = "7d"

[auth.password]
min_length = 8
require_uppercase = true
require_lowercase = true
require_number = true
require_special = false
```
JWT Configuration
Secret Key
Required in production. Set a random secret:
```bash
# Generate a secure secret: 32 random bytes (256 bits), base64-encoded to 44 characters
openssl rand -base64 32
# Set in environment (here generated and exported in one step)
export ORBIS_JWT_SECRET="$(openssl rand -base64 32)"
```
Important: the secret needs at least 32 bytes (256 bits) of randomness. A 32-character value typed by hand does not have that; use the generated value.
Token Expiry
```bash
ORBIS_JWT_EXPIRY=24h   # 24 hours
ORBIS_JWT_EXPIRY=1d    # 1 day
ORBIS_JWT_EXPIRY=7d    # 7 days
ORBIS_JWT_EXPIRY=30m   # 30 minutes
```
Token Structure
The access token payload carries these claims (exp and iat are Unix timestamps in seconds; with the default 24h expiry, exp is iat + 86400):
```json
{
  "sub": "user_id",
  "name": "username",
  "role": "user",
  "exp": 1700086400,
  "iat": 1700000000
}
```
Session Management
Session Duration
```bash
ORBIS_SESSION_DURATION=24h
```
Refresh Tokens
```bash
ORBIS_REFRESH_TOKEN_EXPIRY=7d
```
Refresh tokens allow obtaining new access tokens without re-authenticating, until the refresh token itself expires (7d by default); after that the user must log in again.
Password Configuration
Minimum Length
```bash
ORBIS_PASSWORD_MIN_LENGTH=8
```
Password Requirements
```toml
[auth.password]
min_length = 8
require_uppercase = true
require_lowercase = true
require_number = true
require_special = false
```
Password Hashing
Orbis uses Argon2id for password hashing with these parameters:
- Memory cost: 65536 KiB (64 MiB)
- Time cost: 3 iterations
- Parallelism: 4 lanes (threads)
User Roles
Built-in Roles
| Role | Description |
|---|---|
| admin | Full access |
| user | Standard access |
| guest | Limited access |
Role Permissions
```toml
[auth.roles.admin]
permissions = ["*"]

[auth.roles.user]
permissions = ["read", "write"]

[auth.roles.guest]
permissions = ["read"]
```
Login Flow
1. Login Request
```http
POST /api/auth/login
Content-Type: application/json

{
  "username": "user@example.com",
  "password": "password123"
}
```
2. Success Response
```json
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc...",
  "expires_in": 86400,
  "user": {
    "id": "uuid",
    "username": "user@example.com",
    "role": "user"
  }
}
```
expires_in is the access token lifetime in seconds (86400 = 24h, matching ORBIS_JWT_EXPIRY).
3. Using Access Token
```http
Authorization: Bearer eyJhbGc...
```
4. Refresh Token
```http
POST /api/auth/refresh
Content-Type: application/json

{
  "refresh_token": "eyJhbGc..."
}
```
Tauri Integration
In Tauri desktop mode, authentication uses commands:
```typescript
import { invoke } from '@tauri-apps/api/core';

// Login: credentials go to the Rust backend over the Tauri command channel
const session = await invoke('login', {
  username: 'user@example.com',
  password: 'password123'
});

// Check auth status
const isAuth = await invoke<boolean>('is_authenticated');

// Logout
await invoke('logout');
```
Security Headers
Enable in production:
```toml
[security]
strict_transport_security = true
content_security_policy = true
x_frame_options = "DENY"
x_content_type_options = "nosniff"
x_xss_protection = true
```
Note that X-XSS-Protection is deprecated: current browsers have removed the XSS filter it controlled and ignore the header, so the Content-Security-Policy setting is the one that actually limits script injection. Keeping x_xss_protection enabled is harmless, but do not count it as a control.
Session Storage
Standalone Mode
Sessions stored in SQLite:
```sql
CREATE TABLE sessions (
    id TEXT PRIMARY KEY,
    user_id TEXT NOT NULL,
    token TEXT NOT NULL,
    expires_at DATETIME NOT NULL,
    created_at DATETIME NOT NULL
);
```
The token column holds the session credential, so this table is as sensitive as the password hashes; restrict database access accordingly. A common hardening step is to store a hash of the token rather than the token itself: lookups by hash work just as well, and a leaked copy of the table then yields no usable sessions.
Client-Server Mode
Sessions are stored in PostgreSQL with the same schema. PostgreSQL has no DATETIME type; the matching column type there is TIMESTAMP.
Rate Limiting
Protect authentication endpoints:
```toml
[rate_limit]
enabled = true
login_attempts = 5        # Max attempts in the window before lockout
login_window = "15m"      # Window in which attempts are counted
lockout_duration = "30m"  # How long further attempts are refused
```
Security Best Practices
JWT Secret
- Never commit to version control
- Use environment variables (or a secrets manager)
- Rotate periodically; rotation invalidates every outstanding token unless the previous secret is still accepted for verification during a grace period
- Use at least 256 bits of randomness (32 random bytes; base64-encoded that is 44 characters)
Passwords
- Enforce minimum length
- Use complexity requirements
- Never store plaintext
- Use secure hashing (Argon2)
Sessions
- Set reasonable expiry times
- Invalidate on logout
- Invalidate on password change
- If tokens are carried in cookies, mark them Secure (HTTPS only) and HttpOnly
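The following Python, an added example rather than Orbis's own session code, uses the standard sqlite3 module and the sessions table from the Session Storage section to implement the invalidation rules above: expiry, logout, and password change. It departs from the page in one assumed hardening, marked in the code: the token column holds a SHA-256 digest of the token instead of the token itself. Function names, the fixed clock passed in as now, and the scenario data are constructed for the example.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

# The sessions table from the Session Storage section, plus IF NOT EXISTS so
# open_store() can be called more than once against the same file.
SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    id TEXT PRIMARY KEY,
    user_id TEXT NOT NULL,
    token TEXT NOT NULL,
    expires_at DATETIME NOT NULL,
    created_at DATETIME NOT NULL
);
"""
SESSION_TTL = timedelta(hours=24)  # ORBIS_SESSION_DURATION=24h


def stamp(when: datetime) -> str:
    """Fixed-width timestamp, so SQLite's text comparison on DATETIME orders correctly."""
    return when.strftime("%Y-%m-%d %H:%M:%S")


def token_digest(token: str) -> str:
    """Assumed hardening (not from the page): only a SHA-256 of the token is stored,
    so a copy of the database does not contain usable session credentials."""
    return hashlib.sha256(token.encode()).hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("CREATE INDEX IF NOT EXISTS sessions_user ON sessions(user_id)")
    return conn


def create_session(conn, user_id: str, now: datetime, ttl: timedelta = SESSION_TTL) -> str:
    """Issue a fresh random session token and return it; only its digest is stored."""
    token = secrets.token_urlsafe(32)
    with conn:
        conn.execute(
            "INSERT INTO sessions (id, user_id, token, expires_at, created_at) VALUES (?, ?, ?, ?, ?)",
            (secrets.token_hex(16), user_id, token_digest(token), stamp(now + ttl), stamp(now)),
        )
    return token


def resolve_session(conn, token: str, now: datetime):
    """Return the user_id behind a live session, or None if unknown or expired."""
    row = conn.execute(
        "SELECT user_id FROM sessions WHERE token = ? AND expires_at > ?",
        (token_digest(token), stamp(now)),
    ).fetchone()
    return row[0] if row else None


def revoke_session(conn, token: str) -> int:
    """Logout: drop this one session. Returns rows removed (0 if already gone)."""
    with conn:
        return conn.execute("DELETE FROM sessions WHERE token = ?", (token_digest(token),)).rowcount


def revoke_user_sessions(conn, user_id: str) -> int:
    """Password change (or admin action): drop every session of the user, on all devices."""
    with conn:
        return conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,)).rowcount


def purge_expired(conn, now: datetime) -> int:
    """Housekeeping only: resolve_session already rejects expired rows; this keeps the table small."""
    with conn:
        return conn.execute("DELETE FROM sessions WHERE expires_at <= ?", (stamp(now),)).rowcount


def walkthrough() -> dict:
    """Constructed scenario: one user on two devices, a second user, then each rule in turn."""
    conn = open_store()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    phone = create_session(conn, "user-1", t0)
    laptop = create_session(conn, "user-1", t0)
    other = create_session(conn, "user-2", t0)
    out = {"live": resolve_session(conn, phone, t0 + timedelta(hours=1))}
    out["expired"] = resolve_session(conn, phone, t0 + SESSION_TTL)       # exactly 24h later
    out["logout"] = revoke_session(conn, phone)                            # one device signs out
    out["after_logout"] = resolve_session(conn, phone, t0 + timedelta(hours=1))
    out["password_change"] = revoke_user_sessions(conn, "user-1")          # only laptop is left to remove
    out["other_user"] = resolve_session(conn, other, t0 + timedelta(hours=1))
    out["purged"] = purge_expired(conn, t0 + timedelta(days=2))
    return out
```

The expiry check lives in the SELECT rather than in application code after the fetch, so an expired row can never be returned even if the purge job has not run.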
General
- Enable HTTPS in production
- Use security headers
- Enable rate limiting
- Log authentication events
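The lockout behaviour the [rate_limit] settings describe, as an added Python example (not Orbis code), also covering the "enable rate limiting" and "log authentication events" items above. The exact semantics are assumptions: failures are counted per key (username or client IP) within a sliding login_window; the login_attempts-th failure starts a lock of lockout_duration; attempts during the lock are refused without being counted; a successful login clears the counter. The config is given as the dict a TOML parser would produce, and the logger and event names are assumptions.

```python
import logging
import re
from collections import deque

# The [rate_limit] table from the Rate Limiting section, as a parsed dict (constructed).
RATE_LIMIT_CONFIG = {
    "enabled": True,
    "login_attempts": 5,
    "login_window": "15m",
    "lockout_duration": "30m",
}

log = logging.getLogger("orbis.auth")  # logger name is an assumption
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """'15m' -> 900 seconds; same shorthand the page uses for ORBIS_JWT_EXPIRY."""
    match = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not match:
        raise ValueError(f"bad duration: {text!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


class LoginLimiter:
    """Sliding-window failure counter with a fixed lockout, per key. The clock is
    passed in by the caller, which keeps the logic deterministic and testable."""

    def __init__(self, cfg: dict):
        self.enabled = bool(cfg.get("enabled", True))
        self.max_failures = int(cfg["login_attempts"])
        self.window = parse_duration(cfg["login_window"])
        self.lockout = parse_duration(cfg["lockout_duration"])
        self.failures: dict[str, deque] = {}      # key -> timestamps of recent failures
        self.locked_until: dict[str, int] = {}    # key -> epoch second the lock ends

    def is_locked(self, key: str, now: int) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]  # lockout has elapsed
        return False

    def record_failure(self, key: str, now: int) -> None:
        recent = self.failures.setdefault(key, deque())
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than login_window
        log.warning("auth.login.failed key=%s failures_in_window=%d", key, len(recent))
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            log.warning("auth.login.locked key=%s until=%d", key, now + self.lockout)

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)
        log.info("auth.login.success key=%s", key)


def attempt_login(limiter: LoginLimiter, key: str, password_ok: bool, now: int) -> str:
    """Outcome of one attempt: 'locked', 'ok' or 'failed'. While locked even the
    correct password is refused (that is the point of the lock), and the attempt is
    not counted, so hammering the endpoint does not extend the lock."""
    if limiter.enabled and limiter.is_locked(key, now):
        log.warning("auth.login.rejected_locked key=%s", key)
        return "locked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    if limiter.enabled:
        limiter.record_failure(key, now)
    return "failed"


def walkthrough() -> dict:
    """Constructed timeline in epoch seconds: a burst that trips the lock, and slow
    guessing that stays under the threshold because old failures age out."""
    limiter = LoginLimiter(RATE_LIMIT_CONFIG)
    burst = [attempt_login(limiter, "alice", False, 60 * i) for i in range(5)]   # 5 failures in 4 min
    during_lockout = attempt_login(limiter, "alice", True, 10 * 60)              # right password, still locked
    after_lockout = attempt_login(limiter, "alice", True, 4 * 60 + 30 * 60 + 1)  # lock ended at 240 + 1800
    slow = [attempt_login(limiter, "bob", False, 60 * i) for i in range(4)]
    slow.append(attempt_login(limiter, "bob", False, 3 * 60 + 15 * 60 + 1))     # first failure has aged out
    return {"burst": burst, "during_lockout": during_lockout, "after_lockout": after_lockout,
            "slow": slow, "bob_locked": limiter.is_locked("bob", 3 * 60 + 15 * 60 + 2)}
```

Keying on the username alone lets an attacker lock a victim out on purpose; keying on the client address alone lets a distributed attacker spread guesses across addresses. In practice both counters run side by side, and the lockout event should be logged with enough context (key, count, window) to alert on.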
Troubleshooting
Invalid Token
```text
Error: Invalid token
```
- Check token expiry
- Verify the JWT secret matches the one used to issue the token (a mismatch is common after a rotation, or between instances configured with different secrets)
- Ensure the token has not been tampered with; the signature check fails if any byte of the header or payload changed
Token Expired
```text
Error: Token expired
```
- Use the refresh token to get a new access token
- Re-authenticate if the refresh token has also expired
Authentication Required
```text
Error: Authentication required
```
- Include the Authorization header
- Check the token format: Bearer <token>
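The token handling behind the Token Structure, Login Flow and Troubleshooting sections, as an added Python example written for this page rather than taken from Orbis. It assumes HS256 (HMAC-SHA256 keyed with the bytes of ORBIS_JWT_SECRET), a typ claim that marks refresh tokens, a verify_password callback standing in for the Argon2id check, and uuid5 standing in for the user store. The three troubleshooting errors are produced verbatim, and forge_token shows the three things the signature check exists to reject: a different secret, an edited payload, and alg=none.

```python
import base64
import hashlib
import hmac
import json
import uuid

ACCESS_TTL = 24 * 3600    # ORBIS_JWT_EXPIRY=24h, also the expires_in value
REFRESH_TTL = 7 * 86400   # ORBIS_REFRESH_TOKEN_EXPIRY=7d
ALG = "HS256"             # assumption: HMAC-SHA256 keyed with ORBIS_JWT_SECRET


class TokenError(Exception):
    """Carries the same messages the Troubleshooting section lists."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(claims: dict, secret: bytes) -> str:
    """header.payload.signature; the MAC covers the first two segments."""
    signing_input = f"{encode_segment({'alg': ALG, 'typ': 'JWT'})}.{encode_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Structure, algorithm, signature, then expiry; anything else is 'Invalid token'."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError as exc:  # wrong segment count, bad base64/UTF-8, bad JSON
        raise TokenError("Invalid token") from exc
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    # The verifier pins the algorithm; the token header never gets to choose it.
    # That is what blocks alg=none and key-confusion tokens.
    if not (isinstance(header, dict) and isinstance(claims, dict)
            and header.get("alg") == ALG and hmac.compare_digest(expected, given)):
        raise TokenError("Invalid token")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise TokenError("Invalid token")
    if now >= exp:
        raise TokenError("Token expired")
    return claims


def login(username: str, password: str, verify_password, secret: bytes, now: int):
    """Steps 1-2: the success response from the Login Flow section, or None on bad credentials.
    verify_password(username, password) stands in for the Argon2id check (assumed callback)."""
    if not verify_password(username, password):
        return None
    user = {"id": str(uuid.uuid5(uuid.NAMESPACE_URL, username)),  # stand-in for the user store
            "username": username, "role": "user"}
    access = mint_token({"sub": user["id"], "name": username, "role": user["role"],
                         "exp": now + ACCESS_TTL, "iat": now}, secret)
    # A type claim keeps the two token kinds from being swapped for one another.
    refresh = mint_token({"sub": user["id"], "typ": "refresh",
                          "exp": now + REFRESH_TTL, "iat": now}, secret)
    return {"access_token": access, "refresh_token": refresh,
            "expires_in": ACCESS_TTL, "user": user}


def authenticate_request(headers: dict, secret: bytes, now: int) -> dict:
    """Step 3: 'Authorization: Bearer <token>' -> verified access-token claims."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("Authentication required")
    claims = verify_token(token, secret, now)
    if claims.get("typ") == "refresh":  # a refresh token is not an access token
        raise TokenError("Invalid token")
    return claims


def refresh_access_token(refresh_token: str, secret: bytes, now: int) -> dict:
    """Step 4: only a live refresh token yields a new access token. name/role are left
    out here; a real server re-reads them from the user store at refresh time."""
    claims = verify_token(refresh_token, secret, now)
    if claims.get("typ") != "refresh":
        raise TokenError("Invalid token")
    access = mint_token({"sub": claims["sub"], "exp": now + ACCESS_TTL, "iat": now}, secret)
    return {"access_token": access, "expires_in": ACCESS_TTL}


def check_request(headers: dict, secret: bytes, now: int) -> str:
    """Troubleshooting helper: 'ok' or the error message the request would get."""
    try:
        authenticate_request(headers, secret, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def forge_token(token: str, new_claims: dict, alg: str = ALG) -> str:
    """What an attacker tries: a new payload (and maybe alg) under the old signature."""
    sig = token.split(".")[2]
    return f"{encode_segment({'alg': alg, 'typ': 'JWT'})}.{encode_segment(new_claims)}.{sig}"
```

The order inside verify_token matters: the algorithm is fixed by the verifier and the signature is compared with hmac.compare_digest before any claim is trusted, so an expired but validly signed token reports "Token expired" while a resigned, edited or unsigned token reports "Invalid token" regardless of its claims. Rejecting refresh tokens at the bearer check, and access tokens at the refresh endpoint, closes the two directions of token-type confusion.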