• OHAP: OpenHotel Auth Protocol

This projects helps people who want to implement their own auth methods following the OHAP with a functional and secure example.

• Install deno >= 1.44

• Run deno task start

• Client tries to join OH
• OH calls Auth with /create-ticket with a redirectUrl and ticketKey
• OH returns ticketId + authUrl to client
• Client travels to authUrl
• Client call /login with ticketId and they credentials
  • or Client call /refresh-token with ticketId and sessionId + refreshToken
• Auth sends client sessionId + token and redirectUrl
• Client travels to redirectUrl
• Client calls OH with sessionId + token + ticketId
• OH calls Auth with /claim-session with sessionId + token + ticketId + ticketKey
• OH confirms Client identity
• Client now is happy

Configure OpenHotel config.yml file with:

...
auth:
  # Redirects user to client url
  redirectUrl: https://client.openhotel.club
  # Auth website
  url: https://auth.openhotel.club
  # Auth service url (it will call /create-ticket and /claim-session)
  api: https://auth.openhotel.club/api/v2/server
...

// Server side

{
  "redirectUrl": "string",
  "ticketKey": "string"
}

• redirectUrl redirects user when login is fulfilled
• ticketKey is a random string generated by the server to verify the identity of the server and the ticket origin. This key cannot be exposed to users.

{
  "status": 200,
  "data": {
    "ticketId": "string"
  }
}

• ticket duration needs to be 2 hours
• ticket is destroyed when the login (or refresh-session) petition is fulfilled

// Client side

{
  "ticketId": "string",
  
  "email": "string",
  "password": "string"
}

{
  "status": 200,
  "data": {
    "redirectUrl": "string",
    
    "sessionId": "string",
    "token": "string",
    //Optional
    "refreshToken": "string"
  }
}

• ticketId duration change to 5 minutes
• (sessionId + token) duration would be 5 minutes
• (sessionId + refreshToken) duration would be 7 days
• Redirect user to redirectUrl

// Server side

{
  "ticketId": "string",
  "ticketKey": "string",
  
  "sessionId": "string",
  "token": "string"
}

{
  "status": 200,
  "data": {
    "accountId": "string",
    "username": "string"
  }
}

• ticketId is destroyed
• token is destroyed

// Client side

{
  "email": "string",
  "username": "string",
  "password": "string"
}

{
  "status": 200
}

// Client side

{
  "ticketId": "string",
  
  "sessionId": "string",
  "refreshToken": "string"
}

{
  "redirectUrl": "string",
  
  "token": "string",
  "refreshToken": "string"
}

• ticketId is destroyed

• sessionId is still the same

• (sessionId + token) duration would be 5 minutes

• (sessionId + refreshToken) duration would be 7 days

• Redirect user to:

  redirectUrl?ticketId=ticketId&sessionId=sessionId&token=token