Understanding how the IPification Showcase works at a high level.
- What is this app?
- How it works
- Key Components
- Authentication Flows
- Configuration
- Security
- Extending the App
- Technical Details
A showcase/demo application for IPification authentication services. It demonstrates:
- ✅ Multiple authentication methods (IP, IM, SIM)
- ✅ Phone number verification flows
- ✅ QR code authentication for desktop
- ✅ Multi-server support (stage, live, etc.)
Tech stack: Node.js + Express + Pug templates
┌─────────────┐ ┌──────────────┐ ┌─────────────────┐
│ Browser │────────│ This App │────────│ IPification API │
│ │ │ (Express) │ │ (OAuth Server) │
└─────────────┘ └──────────────┘ └─────────────────┘
Flow:
1. User clicks button
2. App redirects to IPification
3. User authenticates
4. IPification redirects back
5. App shows user info
- Pug Templates: Login page, user info page
- JavaScript: Button handlers, QR code, phone input
- CSS: Styling and animations
- Express Routes: Handle auth flow
- Session Management: Track user state
- OAuth2 Client: Talk to IPification
- WebSocket: For QR code flow (desktop ↔ mobile)
- auth_servers: Which IPification servers to use
- clients: Which auth flows to enable
- locale: UI text customization
User clicks button
↓
/auth/start (redirects to IPification)
↓
User authenticates on IPification
↓
/auth/callback (receives code)
↓
Exchange code for user info
↓
Show user info page
Desktop: Generate QR code with auth URL
Mobile: Scan QR → authenticate
Desktop: Receives notification via WebSocket → shows result
User clicks SIM button
↓
Browser requests SIM credential
↓
User confirms on device
↓
Show verified phone number
Three main config files:
- config/default.json - Your setup (auth servers, clients, credentials)
- config/locale.json - UI text labels
- config/app_config.json - App behavior settings
See CONFIG_DEFAULT_JSON_SAMPLE.md for details.
- ✅ OAuth2 authorization code flow
- ✅ State parameter (CSRF protection)
- ✅ Session management
- ✅ HTTPS recommended for production
- ✅ Helmet.js security headers
- Add client config in
config/default.json - Add button in
views/login.pug - Done! Routes handle it automatically
- Add to
auth_serversarray in config - Restart app
- Dropdown appears automatically
- Edit
config/locale.json - Or override in
config/default.json - Restart app
📚 Click for detailed architecture diagrams and module structure
┌─────────────────────────────────────────────────────────────┐
│ Express Application │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Routes │ │ Middleware │ │ Views │ │
│ │ │ │ │ │ (Pug) │ │
│ │ - auth.js │ │ - Session │ │ - login.pug │ │
│ │ - user.js │ │ - Helmet │ │ - info.pug │ │
│ │ - ts43.js │ │ - Logger │ │ - qr_*.pug │ │
│ │ │ │ - Parser │ │ │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Services │ │ Libraries │ │ Socket.io │ │
│ │ │ │ │ │ │ │
│ │ - DataStore │ │ - Axios │ │ - Real-time │ │
│ │ │ │ - GeoIP │ │ Events │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
┌─────────┐ ┌──────────┐ ┌──────────────┐ ┌──────────┐
│ Browser │ │ Express │ │ IPification │ │ Browser │
└────┬────┘ └────┬─────┘ └──────┬───────┘ └────┬─────┘
│ │ │ │
│ GET /auth/start│ │ │
├───────────────>│ │ │
│ │ Build Auth URL │ │
│ │──────────────────>│ │
│ │ │ │
│ 302 Redirect │ │ │
│<───────────────┤ │ │
│ │ │ │
│ │ │ User Auth │
│ │ │<─────────────────┤
│ │ │ │
│ │ Callback │ │
│ │<──────────────────┤ │
│ │ │ │
│ │ Exchange Code │ │
│ │──────────────────>│ │
│ │ │ │
│ │ Access Token │ │
│ │<──────────────────┤ │
│ │ │ │
│ │ Get User Info │ │
│ │──────────────────>│ │
│ │ │ │
│ │ User Info │ │
│ │<──────────────────┤ │
│ │ │ │
│ 302 Redirect │ │ │
│<───────────────┤ │ │
│ │ │ │
│ GET /auth/complete │ │
├───────────────>│ │ │
│ │ │ │
│ 302 Redirect │ │ │
│<───────────────┤ │ │
│ │ │ │
│ GET /user/info │ │ │
├───────────────>│ │ │
│ │ │ │
│ HTML Response │ │ │
│<───────────────┤ │ │
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Desktop │ │ Express │ │ Mobile │ │Express │
│ Browser │ │ Server │ │ Device │ │ Socket │
└────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘
│ │ │ │
│ GET /auth/start │ │ │
├───────────────>│ │ │
│ │ │ │
│ QR Code Display │ │ │
│<───────────────┤ │ │
│ │ │ │
│ Socket: init │ │ │
├───────────────>│ │ │
│ │ Join Room │ │
│ │────────────────>│ │
│ │ │ │
│ │ │ Scan QR & Auth │
│ │ │────────────────>│
│ │ │ │
│ │ Callback │ │
│ │<─────────────────────────────────┤
│ │ │ │
│ │ Socket: url │ │
│ │────────────────>│ │
│ │ │ │
│ Socket Event │ │ │
│<───────────────┤ │ │
│ │ │ │
│ Navigate to URL │ │ │
├───────────────>│ │ │
│ │ │ │
│ User Info │ │ │
│<───────────────┤ │ │
Request → Session Middleware → Session Store → Request Object
│
└─> res.locals (template variables)
Auth Start → Generate State → Store in Session → Include in Auth URL
│
└─> IPification
│
Callback ←────────────────────────────────────────────────┘
│
└─> Store User Info with State Key
│
Complete ← Retrieve User Info ← Data Store
Key Format: Value:
─────────────────────────────────────────────────────────────
{state} { userInfo, client_id, ... }
{state}-user-info { raw user info object }
- Helmet.js: HTTP security headers
- Session Management: Secure session cookies
- State Parameter: CSRF protection
- Input Validation: Parameter validation
- Secret Keys: Environment-based secrets
┌─────────────────────────────────────────────────────────┐
│ Security Measures │
├─────────────────────────────────────────────────────────┤
│ │
│ 1. State Parameter (CSRF Protection) │
│ - Generated on client │
│ - Validated on callback │
│ │
│ 2. OAuth2 Authorization Code Flow │
│ - Short-lived authorization codes │
│ - Server-side token exchange │
│ │
│ 3. Session Management │
│ - HttpOnly cookies │
│ - Secure flag (HTTPS) │
│ │
│ 4. Secret Management │
│ - Environment variables │
│ - Git-ignored config files │
│ │
└─────────────────────────────────────────────────────────┘
- Purpose: Main authentication flow handling
- Key Functions:
GET /auth/login: Render login pageGET /auth/start: Initiate OAuth flowGET /auth/callback/:userFlow: Handle OAuth callbackGET /auth/complete: Complete authenticationPOST /auth/mobile/login: Mobile login endpointPOST /auth/s2s/signin: Server-to-server sign-in
- Purpose: User information display
- Key Functions:
GET /user/info: Display authenticated user info
- Purpose: TS43 protocol implementation
- Key Functions:
POST /ts43/auth: Initiate TS43 authenticationPOST /ts43/token: Exchange VP tokenPOST /ts43/log: Logging endpoint
- Purpose: Temporary data storage
- Implementation: In-memory cache using
cache-manager - TTL: 60 minutes
- Usage: Store authentication state and user information
- Purpose: Auth server lookup and validation utilities
- Key Functions:
getAuthServer(authServers, serverId): Get server by ID or default to firstgetAuthServerIds(authServers): Get all available server IDshasAuthServer(authServers, serverId): Check if server exists
- Purpose: Configuration validation on application startup
- Key Functions:
validateConfig(config): Main validation entry pointvalidateAuthServers(authServers): Validate auth servers arrayvalidateClients(clients): Validate client configurationsvalidateRealm(realm): Validate realm configurationvalidateCredentials(config): Validate OAuth credentials
- Behavior: Throws error and prevents app startup if validation fails
- Purpose: General utility functions
- Key Functions:
deepMerge(target, source): Deep merge objectsfindClientByUserFlow(clients, userFlow): Find client by flow IDfindClientByClientId(clients, clientId): Find client by client ID
- Purpose: Application constants
- Contents: HTTP status codes, error messages, retry settings
- Purpose: WebSocket server for real-time communication
- Implementation: Socket.io
- Channels: Room-based (
auth:{state}) - Events:
init: Client joins roommessages: Server sends events
1. Environment Variables (.env)
2. config/default.json
3. Default values in code
On application startup, configuration is validated using utils/validateConfig.js:
- Required Fields:
realm,auth_servers,client_id,client_secret,clients - Auth Servers: Must have at least one server with valid
idandurl - Clients: Must have unique
user_flowvalues - Behavior: App crashes on startup if validation fails
See Sample Config Reference for field descriptions.
app.js → require('config') → config/default.json
│
└─> res.locals → Available in templates
Error Occurred
│
├─> Try-Catch Block
│ │
│ └─> Log Error
│ │
│ └─> Error Handler Middleware
│ │
│ └─> HTTP Error Response
│
└─> OAuth Errors
│
└─> Redirect to Login with Error Message
- Data Store: In-memory cache with 60-minute TTL
- Session Store: Memory-based (consider Redis for production)
- Static Assets: Express static middleware
- Redis Integration: Replace in-memory cache with Redis
- Session Store: Use Redis session store for scalability
- Rate Limiting: Implement rate limiting middleware
- Connection Pooling: Configure HTTP client connection pooling
┌─────────────────────────────────────────┐
│ Docker Compose Stack │
├─────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ App │──────│ Redis │ │
│ │ Container │ │ Container │ │
│ │ Port: 8080 │ │ Port: 6379 │ │
│ └─────────────┘ └─────────────┘ │
│ │
└─────────────────────────────────────────┘
- Environment Variables: Use secrets management
- HTTPS: Configure reverse proxy (nginx/traefik)
- Load Balancing: Multiple app instances
- Monitoring: Application performance monitoring
- Logging: Centralized logging system
- Add client configuration to
config/default.json(see Sample Config Reference) - Add UI button in
views/login.pug - Add JavaScript handler in
public/js/login.js - Flow automatically handled by existing routes
- Extend
routes/auth.jswith new endpoint - Implement OAuth2/OIDC flow
- Add UI components
- Update documentation
- Modify
views/info.pugtemplate - Update
routes/user.jsif needed - Customize styling in
public/css/
- express: Web framework
- express-session: Session management
- socket.io: WebSocket server
- axios: HTTP client
- pug: Template engine
- config: Configuration management
- helmet: Security headers
- cookie-parser: Cookie parsing
- uuid: UUID generation
- geoip-lite: GeoIP lookup
- cache-manager: Caching abstraction
- Redis Integration: Replace in-memory cache
- Rate Limiting: Add rate limiting middleware
- API Versioning: Implement API versioning
- OpenAPI Documentation: Generate OpenAPI specs
- Testing: Add unit and integration tests
- Monitoring: Add application monitoring
- Logging: Structured logging with correlation IDs