# MCIAS: Metacircular Identity and Access System
## Project Overview
MCIAS (Metacircular Identity and Access System) is a centralized identity and access management system designed to provide authentication and authorization services across metacircular projects. It serves as a single source of truth for user identity and access control.
The system currently provides:
- User password authentication
- User token authentication
- Database credential authentication
- TOTP (Time-based One-Time Password) authentication
Future planned features include:
- Policy management for fine-grained access control
## System Architecture

MCIAS is built as a standalone REST API service with the following components:

### Core Components

- **API Layer** (`api/` directory)
  - HTTP server and routing
  - Request/response handling
  - Authentication endpoints
  - Error handling
- **Data Layer** (`data/` directory)
  - User management
  - Token management
  - Password hashing and verification
  - Secure random generation
- **Database (SQLite)**
  - Persistent storage for users, tokens, and credentials
  - Schema defined in `schema.sql`
### Request Flow
- Client sends authentication request to the API
- API layer validates the request format
- Data layer processes the authentication logic
- Database is queried to verify credentials
- Response is generated and sent back to the client
## Database Schema

MCIAS uses a SQLite database with the following tables:

### Users Table

```sql
CREATE TABLE users (
    id text primary key,
    created integer,
    user text not null,
    password blob not null,
    salt blob not null,
    totp_secret text
);
```
### Tokens Table

```sql
CREATE TABLE tokens (
    id text primary key,
    uid text not null,
    token text not null,
    expires integer default 0,
    FOREIGN KEY(uid) REFERENCES users(id)  -- parent table is users, defined above
);
```
### Database Credentials Table

```sql
CREATE TABLE database (
    id text primary key,
    host text not null,
    port integer default 5432,
    name text not null,
    user text not null,
    password text not null
);
```
### Registrations Table

```sql
CREATE TABLE registrations (
    id text primary key,
    code text not null
);
```
### Roles Tables

```sql
CREATE TABLE roles (
    id text primary key,
    role text not null
);

CREATE TABLE user_roles (
    id text primary key,
    uid text not null,
    rid text not null,
    FOREIGN KEY(uid) REFERENCES users(id),  -- parent table is users, defined above
    FOREIGN KEY(rid) REFERENCES roles(id)
);
```
### Permissions Tables

```sql
CREATE TABLE permissions (
    id TEXT PRIMARY KEY,
    resource TEXT NOT NULL,
    action TEXT NOT NULL,
    description TEXT
);

CREATE TABLE role_permissions (
    id TEXT PRIMARY KEY,
    rid TEXT NOT NULL,
    pid TEXT NOT NULL,
    FOREIGN KEY(rid) REFERENCES roles(id),
    FOREIGN KEY(pid) REFERENCES permissions(id)
);
```
## Security Considerations

MCIAS implements several security best practices:

- **Password Security**
  - Passwords are never stored in plaintext
  - Scrypt key derivation function is used for password hashing
  - Each user has a unique random salt
  - Constant-time comparison is used to prevent timing attacks
- **Token Security**
  - Tokens are generated using cryptographically secure random functions
  - Tokens have an expiration time (24 hours by default)
  - New tokens are issued on each successful authentication
- **API Security**
  - Input validation on all endpoints
  - Standardized error responses that don't leak sensitive information
  - Rate limiting (to be implemented)
- **Database Security**
  - Parameterized queries to prevent SQL injection
  - Foreign key constraints to maintain data integrity