ackify-ce/README.md
Benjamin 68426bc882 feat: add PKCE support to OAuth2 flow for enhanced security
- Implement PKCE (Proof Key for Code Exchange) with S256 method
- Add crypto/pkce module with code verifier and challenge generation
- Modify OAuth flow to include code_challenge in authorization requests
- Update HandleCallback to validate code_verifier during token exchange
- Extend session lifetime from 7 to 30 days
- Add comprehensive unit tests for PKCE functions
- Maintain backward compatibility with fallback for non-PKCE sessions
- Add detailed logging for OAuth flow with PKCE tracking

PKCE enhances security by preventing authorization code interception
attacks, as recommended by OAuth 2.1 and OIDC standards.

feat: add encrypted refresh token storage with automatic cleanup

- Add oauth_sessions table for storing encrypted refresh tokens
- Implement AES-256-GCM encryption for refresh tokens using cookie secret
- Create OAuth session repository with full CRUD operations
- Add SessionWorker for automatic cleanup of expired sessions
- Configure cleanup to run every 24h for sessions older than 37 days
- Modify OAuth flow to store refresh tokens after successful authentication
- Track client IP and user agent for session security validation
- Link OAuth sessions to user sessions via session ID
- Add comprehensive encryption tests with security validations
- Integrate SessionWorker into server lifecycle with graceful shutdown

This enables persistent OAuth sessions with secure token storage,
reducing the need for frequent re-authentication from 7 to 30 days.
2025-10-26 02:32:10 +02:00


🔐 Ackify

Proof of Read. Compliance made simple.

Secure document reading validation with cryptographic signatures and irrefutable proof.


🇫🇷 French version available here

Website: https://www.ackify.eu


🎯 Why Ackify?

Prove that collaborators have read and acknowledged important documents with Ed25519 cryptographic signatures.

Use Cases:

  • Security policy validation
  • Training attestations
  • GDPR acknowledgment
  • Contractual agreements
  • Compliance procedures

Key Features:

  • Ed25519 cryptographic signatures
  • OAuth2 authentication (Google, GitHub, GitLab, custom)
  • One signature per user/document (database enforced)
  • Immutable audit trail
  • Expected signers tracking with email reminders
  • Document checksum verification (SHA-256/512, MD5)
  • Public embeddable widgets (Notion, Outline, etc.)
  • Admin dashboard (Vue.js 3 + dark mode)
  • Multilingual (fr, en, es, de, it)
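How a "proof of read" record can be signed and checked, as an added example in Go that is not Ackify's own code: the record is rendered to a canonical byte string, hashed with SHA-256, and the hash is signed with Ed25519; altering any field (user, document checksum, timestamp) invalidates the signature. The `Ack` field layout, the `ackify-v1` prefix and the function names are assumptions for illustration, not the project's storage format.

```go
// Added example (not Ackify's own code): sign and verify an acknowledgment
// record with Ed25519, hashing the canonical payload with SHA-256 first so the
// stored hash alone also reveals tampering. Field names are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Ack is an illustrative acknowledgment: who read which document revision, and when.
type Ack struct {
	DocID       string // e.g. "security_policy_2025"
	UserEmail   string
	DocSHA256   string // checksum of the document content the user was shown
	SignedAtUTC string // RFC 3339 timestamp
}

// Canonical renders the record as a fixed-order, newline-separated payload so the
// signer and the verifier hash exactly the same bytes. Newlines inside fields are
// replaced to keep the separator unambiguous.
func (a Ack) Canonical() []byte {
	clean := func(s string) string { return strings.ReplaceAll(s, "\n", " ") }
	return []byte(strings.Join([]string{
		"ackify-v1", clean(a.DocID), clean(a.UserEmail), clean(a.DocSHA256), clean(a.SignedAtUTC),
	}, "\n"))
}

// PayloadHash is the SHA-256 of the canonical payload; this is what gets signed and stored.
func PayloadHash(a Ack) [32]byte { return sha256.Sum256(a.Canonical()) }

// DocChecksum returns the SHA-256 hex digest of the document content.
func DocChecksum(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Sign produces an Ed25519 signature over the payload hash.
func Sign(priv ed25519.PrivateKey, a Ack) []byte {
	h := PayloadHash(a)
	return ed25519.Sign(priv, h[:])
}

// Verify recomputes the hash from the stored record and checks the signature.
func Verify(pub ed25519.PublicKey, a Ack, sig []byte) bool {
	h := PayloadHash(a)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte("Security Policy 2025 - constructed sample document body")
	ack := Ack{
		DocID:       "security_policy_2025",
		UserEmail:   "alice@example.com",
		DocSHA256:   DocChecksum(doc),
		SignedAtUTC: "2025-10-26T00:32:10Z",
	}
	sig := Sign(priv, ack)
	fmt.Println("valid:", Verify(pub, ack, sig))

	// A later edit to the document (new checksum) must not be covered by the old signature.
	tampered := ack
	tampered.DocSHA256 = DocChecksum([]byte("a different revision"))
	fmt.Println("tampered valid:", Verify(pub, tampered, sig))
}
```

Ed25519 already hashes internally, so signing the SHA-256 digest rather than the raw payload is a design choice: the same 32-byte hash can be stored next to the signature and compared on its own when a reader only wants a cheap integrity check.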

Quick Start

Prerequisites

  • Docker & Docker Compose
  • OAuth2 credentials (Google, GitHub, or GitLab)

Option 1: Installation Script

# Download and run installation script (it is piped straight into bash: fetch and review it first if your policy requires)
curl -fsSL https://raw.githubusercontent.com/btouchard/ackify-ce/main/install/install.sh | bash

# Navigate to installation directory
cd ackify-ce

# Edit configuration with your OAuth2 credentials
nano .env

# Start services
docker compose up -d

# Access web interface
open http://localhost:8080

What the script does:

  • Downloads compose.yml and .env.example
  • Generates secure secrets automatically:
    • ACKIFY_OAUTH_COOKIE_SECRET (AES-256 session encryption)
    • POSTGRES_PASSWORD (database password)
  • Creates ready-to-use .env file
  • You only need to add your OAuth2 credentials

Option 2: Manual Installation

# Clone repository
git clone https://github.com/btouchard/ackify-ce.git
cd ackify-ce

# Configure
cp .env.example .env
nano .env  # Edit with your OAuth2 credentials and generate secrets

# Start services
docker compose up -d

# Verify
curl http://localhost:8080/api/v1/health
# Expected: {"status":"healthy","database":"connected"}

# Access web interface
open http://localhost:8080

Required Environment Variables

# Application
APP_DNS=sign.your-domain.com
ACKIFY_BASE_URL=https://sign.your-domain.com
ACKIFY_ORGANISATION="Your Organization"

# Database
POSTGRES_USER=ackifyr
POSTGRES_PASSWORD=your_secure_password
POSTGRES_DB=ackify

# OAuth2 (example with Google)
ACKIFY_OAUTH_PROVIDER=google
ACKIFY_OAUTH_CLIENT_ID=your_client_id
ACKIFY_OAUTH_CLIENT_SECRET=your_client_secret

# Security (generate with: openssl rand -base64 32)
ACKIFY_OAUTH_COOKIE_SECRET=your_base64_secret

See docs/en/configuration.md for all options.
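What the `ACKIFY_OAUTH_COOKIE_SECRET` value is used for, as an added example in Go that is not Ackify's own code: the base64 output of `openssl rand -base64 32` decodes to a 32-byte key, which is what selects AES-256 in AES-GCM; the example seals a refresh token under that key with a fresh random nonce, binds it to a session ID via additional authenticated data, and shows that a flipped bit or a mismatched session is rejected. The function names, the `nonce || ciphertext` layout and the use of the session ID as AAD are assumptions, not the project's storage format.

```go
// Added example (not Ackify's own code): derive the AES-256 key from the
// base64-encoded cookie secret and seal/open a refresh token with AES-256-GCM.
// Blob layout (nonce || ciphertext+tag) and the AAD choice are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KeyFromSecret decodes the secret and insists on exactly 32 bytes: a 16- or
// 24-byte key would silently select AES-128/192 instead of AES-256.
func KeyFromSecret(secret string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(secret)
	if err != nil {
		return nil, fmt.Errorf("cookie secret is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("cookie secret decodes to %d bytes, need 32 for AES-256", len(key))
	}
	return key, nil
}

// Seal encrypts a refresh token. aad binds the blob to a context (here a session ID)
// so a ciphertext copied into another session's row fails to decrypt.
func Seal(key []byte, token string, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh per call; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), aad), nil // nonce is prepended to the output
}

// Open checks the GCM tag and decrypts; any change to nonce, ciphertext, tag or AAD fails.
func Open(key []byte, blob []byte, aad []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", fmt.Errorf("refresh token blob rejected: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed secret standing in for `openssl rand -base64 32`.
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	key, err := KeyFromSecret(base64.StdEncoding.EncodeToString(raw))
	if err != nil {
		panic(err)
	}
	sessionID := []byte("sess_01HXYZ") // constructed session identifier
	blob, err := Seal(key, "constructed-refresh-token", sessionID)
	if err != nil {
		panic(err)
	}
	tok, err := Open(key, blob, sessionID)
	fmt.Println("decrypted:", tok, err)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, blob, sessionID)
	fmt.Println("tampered:", err)
}
```

Because GCM is authenticated, a database row that has been edited, truncated or swapped between sessions is refused rather than decrypted to garbage; the length check before `Open` only turns a guaranteed failure into a clearer error.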


📸 Screenshots

Screenshots (images not reproduced here): Home, Signing, Confirmed, Signatures, Outline, Google Docs
Videos: 1-initialize-sign.webm | 2-user-sign-flow.webm


📚 Documentation

  • Getting Started
  • Features
  • Technical


🚀 Usage

Request a Signature

https://your-domain.com/?doc=security_policy_2025

User authenticates via OAuth2 and signs with one click.

Embed in Your Tools

iFrame:

<iframe src="https://your-domain.com/?doc=policy_2025"
        width="600" height="200" frameborder="0"></iframe>

oEmbed (Notion, Outline, Confluence):

Just paste the URL - automatic embed via oEmbed discovery

Open Graph (Slack, Teams):

URL unfurls automatically with signature count

See docs/en/features/embedding.md for details.


🛡️ Security

  • Ed25519 - Elliptic curve signatures on every acknowledgment
  • SHA-256 - Payload hashing for tampering detection
  • PKCE (S256) - Protects the OAuth2 authorization code exchange; enabled automatically
  • AES-256-GCM - Refresh tokens encrypted at rest
  • Immutable timestamps - Enforced by PostgreSQL triggers
  • Rate limiting - 5 auth requests/min, 100 requests/min
  • HTTPS enforced - Secure cookies only

See docs/en/architecture.md for full security details.
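The PKCE step listed above (and described in the commit message at the top of the page: S256 method, `code_challenge` in the authorization request, `code_verifier` checked during token exchange), as an added example in Go that is not Ackify's `crypto/pkce` module: it generates an RFC 7636 verifier, derives the S256 challenge, builds the authorization URL, and performs the constant-time check that a stolen authorization code without the matching verifier cannot pass. Function names and the example endpoint URLs are assumptions.

```go
// Added example (not Ackify's own code): the PKCE (RFC 7636) S256 verifier/challenge
// pair, the authorization request that carries the challenge, and the redemption check.
// Names and URLs are assumptions; the project's crypto/pkce module may differ.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns 32 random bytes as unpadded base64url: 43 characters,
// inside RFC 7636's 43..128 range and drawn only from its unreserved alphabet.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge is BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the check performed when the authorization code is redeemed:
// recompute the challenge from the presented verifier and compare in constant time.
func VerifyS256(verifier, challenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) == 1
}

// AuthorizeURL builds the authorization request with the challenge attached. The
// verifier itself never leaves the server-side session until the callback.
func AuthorizeURL(authEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode()
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := S256Challenge(verifier)
	fmt.Println(AuthorizeURL(
		"https://accounts.example.com/authorize", // assumed provider endpoint
		"client-id", "https://sign.example.com/oauth2/callback", "state-xyz", challenge))
	fmt.Println("legitimate redemption:", VerifyS256(verifier, challenge))

	// An attacker who intercepted the authorization code must also present the
	// verifier; a same-length guess recomputes to a different challenge and fails.
	fmt.Println("intercepted code, guessed verifier:", VerifyS256("attacker-guess-"+verifier[:28], challenge))
}
```

The `state` parameter is still required alongside PKCE: `state` ties the callback to the browser session that started the flow (CSRF), while the verifier ties the token request to the party that issued the authorization request (code interception).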


🔧 Tech Stack

Backend: Go 1.24.5, PostgreSQL 16, Chi Router, OAuth2, Ed25519

Frontend: Vue 3, TypeScript, Vite, Pinia, Tailwind CSS, shadcn/vue

DevOps: Docker, Multi-stage builds, Distroless image (< 30MB)

i18n: 5 languages (fr, en, es, de, it)

Coverage: 72.6% (180+ unit tests, 33 integration tests)


🤝 Support


📄 License

AGPLv3 - See LICENSE for details.


Developed with ❤️ by Benjamin TOUCHARD