This repository has been archived on 2026-04-14. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
  • Rust 60.6%
  • HTML 21.7%
  • Shell 16.6%
  • Makefile 1%
mik-tf 09c090fd0f
fix: hero_auth socket path to follow service naming convention
Changed HeroUiServer::new() from 'hero_auth_server' to 'hero_auth'
to create sockets in the correct directory matching the service name.
This eliminates the need for entrypoint.sh reverse bridge workaround
and aligns with the standard socket naming convention.

Signed-off-by: mik-tf
2026-04-13 18:57:12 -04:00
.forgejo/workflows feat: add release workflow for publishing release asset 2026-04-05 11:57:01 +02:00
crates fix: migrate to directory socket convention (hero_auth/rpc.sock) 2026-04-13 09:37:27 -04:00
scripts feat: add release workflow for publishing release asset 2026-04-05 11:57:01 +02:00
src fix: hero_auth socket path to follow service naming convention 2026-04-13 18:57:12 -04:00
templates fix: connection status indicator visibility and clickability (#70) 2026-03-20 21:55:41 -04:00
.gitignore Add scopes, admin setup flow, MCP server, API docs, and access control 2026-02-10 10:26:07 +04:00
buildenv.sh feat: restructure into Cargo workspace with hero_proc-managed services 2026-03-21 07:16:31 +01:00
Cargo.lock fix: migrate to directory socket convention (hero_auth/rpc.sock) 2026-04-13 09:37:27 -04:00
Cargo.toml feat: add native Dioxus _app crate with JWT auth (#104) 2026-03-30 21:06:20 -04:00
CLAUDE.md feat: remove manual /mcp endpoint, add users.update_scope RPC method 2026-03-19 19:25:07 -04:00
Makefile migrate hero_auth to new CLI lifecycle pattern 2026-03-21 20:39:38 +01:00
README.md docs: add README.md 2026-02-11 22:02:00 -05:00

Hero Auth

Minimal OAuth2 authorization server for the Hero ecosystem. Runs locally on each machine and provides centralized authentication for all local services.

Built with Axum, featuring user management, JWT token issuance, encrypted config storage, and three integration methods: REST API, JSON-RPC 2.0, and MCP (Model Context Protocol).

Quick Start

# Run (HERO_SECRET is required)
HERO_SECRET=your_secret_here cargo run -- --port 3350

# Or via Make
make run

# First run: visit http://localhost:3350 to create admin account

Features

  • OAuth2 Client Credentials grant for service-to-service auth
  • User login/registration with email + password
  • JWT tokens (HS256, 1-hour TTL) with hierarchical scopes (read < write < admin)
  • Encrypted config — user database stored as AES-256-GCM encrypted TOML
  • JSON-RPC 2.0 endpoint at /rpc with OpenRPC discovery
  • MCP server at /mcp for AI agent integration (Claude, etc.)
  • Admin dashboard with user management UI
  • Zero-dependency token validation — any service with the same HERO_SECRET can verify tokens locally

Configuration

Variable       Required   Default                      Description
HERO_SECRET    Yes        -                            Master key for JWT signing and config encryption
--port         No         3350                         Listen port
--config       No         ~/hero/cfg/hero_auth.toml    Path to encrypted config file

API Endpoints

Authentication

Method Path Description
POST /token OAuth2 client_credentials grant (client_id + client_secret)
POST /login User login (email + password)
POST /register Self-register (returns JWT + one-time client_secret)
POST /validate Validate a JWT token
GET /health Health check

Admin (requires admin JWT)

Method Path Description
GET / Admin dashboard
POST /users/add Add user (returns one-time client_secret)
POST /users/delete Delete user
POST /users/scope Update user scope

JSON-RPC 2.0

Method Path Description
POST /rpc JSON-RPC endpoint (methods: health, stats, users.list, users.add, users.delete, token.create, token.validate, login)
GET /rpc/discover OpenRPC 1.3.2 specification

MCP (Model Context Protocol)

Method Path Description
POST /mcp MCP endpoint for AI agents (10 tools)

MCP setup for Claude Code:

claude mcp add --transport http hero-auth http://localhost:3350/mcp

Scope Hierarchy

Scope    Includes      Description
read     -             Default for self-registered users
write    read          Can modify data
admin    read, write   Can manage users and change scopes

JWT Claims

{
  "sub": "client_id (UUID)",
  "iss": "hero_auth",
  "iat": 1234567890,
  "exp": 1234571490,
  "scope": "read|write|admin"
}

Hero Ecosystem Integration

Other services validate tokens locally using the same HERO_SECRET — no network calls to hero_auth needed after initial token issuance. Services check the scope claim to enforce authorization.

Typical flow:

  1. Service gets client_id + client_secret from admin
  2. Service calls POST /token to get a JWT
  3. Service includes JWT in requests to other services
  4. Receiving service validates JWT locally with shared HERO_SECRET
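The local validation in step 4, together with the scope hierarchy from the Scope Hierarchy section, as an added example that is not part of this repository's code. It is written in Python with only the standard library so it runs offline and can serve as a reference for a receiving service in any language; the secret, subject and timestamps are constructed values, and mint_token exists only to produce test input with the claim layout the README shows. hero_auth's own Rust implementation is not reproduced here.

```python
"""Local HS256 JWT validation and hierarchical scope check (added example, not hero_auth code)."""
import base64
import hashlib
import hmac
import json
import time

# Scope hierarchy from the README: read < write < admin.
SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}
EXPECTED_ISSUER = "hero_auth"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: str, sub: str, scope: str, now: int, ttl: int = 3600) -> str:
    """Build a token with the README's claim layout. Only used here to create test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iss": EXPECTED_ISSUER, "iat": now, "exp": now + ttl, "scope": scope}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: str, now: int) -> dict:
    """Verify alg, signature, issuer and expiry using the shared HERO_SECRET.

    Returns the claims on success and raises ValueError on any failure, so a
    caller cannot accidentally use claims from a token that did not verify.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never trust the token to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    if claims.get("scope") not in SCOPE_RANK:
        raise ValueError("unknown scope")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Hierarchical check: a higher scope satisfies every lower one."""
    return SCOPE_RANK[claims["scope"]] >= SCOPE_RANK[required]


def authorize(token: str, secret: str, required: str, now: int) -> bool:
    """What a receiving service does per request: validate locally, then check scope."""
    try:
        claims = validate_token(token, secret, now)
    except ValueError:
        return False
    return has_scope(claims, required)


if __name__ == "__main__":
    # Constructed demo values; in a real service the secret comes from HERO_SECRET.
    secret, now = "example-secret", int(time.time())
    token = mint_token(secret, "00000000-0000-4000-8000-000000000000", "write", now)
    print("write token may read:", authorize(token, secret, "read", now))
    print("write token may admin:", authorize(token, secret, "admin", now))
```

Because HS256 is a shared-secret MAC, every service that can verify a token with HERO_SECRET can also mint one, so the set of hosts holding the secret is the trust boundary; the validator therefore pins the algorithm and issuer rather than reading them from the token, and the scope decision is made only after signature and expiry have passed.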

Security

Function Algorithm
JWT signing HS256
Config encryption AES-256-GCM
Password storage SHA-256 hash
Key derivation SHA-256(HERO_SECRET)

Build

make build      # Release build (optimized for size, stripped)
make test       # Run tests (4 crypto tests)
make install    # Build and install to ~/hero/bin/
make lint       # Run clippy
make fmt        # Format code

Port

3350 (registered in hero_ports)