
DexAuth

DexSuite central Identity Provider — SSO, users, groups, audit

Under construction
Node.js Express Knex bcrypt SSO OIDC LDAP Audit Ledger HTTPS TLS Responsive

DexAuth is the central authenticator of the DexSuite. It knows **who you are** (authentication); the other 4 apps know **what you can do** (authorization). The clean separation of concerns makes the other apps leaner: DexHub, DexEditor, DexAssistant and Net Inventory Suite no longer host user tables — they just HTTP-verify against DexAuth and populate `req.user` with user + permissions.

The SSO flow is cookie-based: on login DexAuth sets `dexauth_sid` httpOnly + signed (HMAC with `SESSION_SECRET`) + `SameSite=Lax`. Hostname-only, so the browser automatically sends it to every port on the same host. When a user opens any of the 4 apps, the SSO middleware calls `GET /api/whoami` on DexAuth, gets user/permissions, does JIT provisioning, and the user is in. Single Sign-Out: click "Logout" on any app → DexAuth destroys the global session → at the next refresh all other apps detect the logout and close local sessions.

Pluggable authentication providers: `local` (working, bcrypt + DB), `ldap` (skeleton, activate by setting `LDAP_URL` + `LDAP_BIND_DN` and installing `ldapjs`), `oidc` (skeleton, for Azure AD / Google / Keycloak / Authentik via `openid-client`). The factory loads configured providers ordered by priority.

Complete user management via standalone UI: users (with `must_change_password` on first login), groups (members + inherited permissions), DexAuth-level permissions (`user.read`, `user.write`, `user.password_reset`, `audit.read`, `provider.write`) separate from per-app application permissions. Password reset generates a temporary password + forces change. Active sessions monitorable and killable by admins (with server-side cookie clear if the admin terminates their own session).

Audit ledger on the `audit_events` table + file mirror at `data/logs/dexauth-audit.log` (JSON Lines, parser-friendly for a centralized audit log). Stable namespaced action keys: `auth.login.success`, `auth.login.failed`, `auth.password.changed`, `user.created`, `group.permissions_set`, `session.killed`, etc.

Bilingual UI, IT (default) + EN, with a persistent switch in `localStorage`; embedded chatbot like the other apps (proxy to Dex Assistant + dedicated tools such as `dexauth__get_user_status`).

Features

  • Cookie-based Single Sign-On for the 4 DexSuite apps (NIS, DexHub, DexEditor, DexAssistant)
  • Single Sign-Out: logout from any app closes the global session
  • Pluggable auth providers: local (bcrypt) ✅, LDAP/AD 🟡 skeleton, OIDC 🟡 skeleton
  • httpOnly + signed cookie (HMAC with SESSION_SECRET) + SameSite=Lax
  • Ready-to-use SSO clients: Express middleware for Node, Flask decorator for Python
  • Whoami with 30s client-side cache TTL, auto-invalidation on 401
  • JIT provisioning: the first time a DexAuth user appears in an app, local row auto-created
  • User CRUD with must_change_password on first login + admin password reset
  • Group CRUD with members and inherited permissions
  • DexAuth-level permissions: user.read/write, user.password_reset, audit.read, provider.write
  • Active sessions monitorable by admins with "Kill" button + server-side cookie clear
  • Audit ledger: audit_events table + JSON line file mirror for centralized log
  • Stable namespaced action keys (auth.login.success, user.created, etc.)
  • Multilingual IT (default) + EN, persistent switch in localStorage
  • Embedded chatbot (FAB) with dedicated tools (dexauth__get_user_status)
  • HTTPS with certificate (TLS) for secure UI and API access
  • Responsive UI: mobile / tablet / desktop
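As an added example (not the project's shipped Express middleware) of the SSO-client bullets above: a downstream-app middleware that consults `GET /api/whoami` through an injected `whoami(sid)` function, caches the answer for 30s, drops the cache entry on 401, and runs a JIT `provision(user)` hook. The `{ status, user }` reply shape, an already-parsed `req.cookies`, and the injectable clock are assumptions made so the scenario runs offline.

```javascript
const CACHE_TTL_MS = 30 * 1000;
const COOKIE_NAME = 'dexauth_sid';

// Downstream-app SSO middleware. `whoami(sid)` stands in for GET /api/whoami on DexAuth and
// resolves to { status, user }; `provision(user)` is the app's JIT hook; `now` is injectable.
function createSsoMiddleware({ whoami, provision, now = Date.now }) {
  const cache = new Map(); // cookie value -> { user, expires }
  return async function sso(req, res, next) {
    const sid = (req.cookies || {})[COOKIE_NAME]; // assumes cookies already parsed
    if (!sid) return res.status(401).json({ error: 'not authenticated' });
    const hit = cache.get(sid);
    if (hit && hit.expires > now()) { req.user = hit.user; return next(); }
    const reply = await whoami(sid);
    if (reply.status === 401) { // global session gone (logout elsewhere or expiry)
      cache.delete(sid);        // never serve a stale identity after Single Sign-Out
      return res.status(401).json({ error: 'session expired' });
    }
    if (reply.status !== 200) return res.status(502).json({ error: 'DexAuth unavailable' });
    const user = await provision(reply.user); // JIT: local row created on first sight
    cache.set(sid, { user, expires: now() + CACHE_TTL_MS });
    req.user = user;
    return next();
  };
}

// Constructed offline scenario: two requests inside the TTL (one whoami call), one after
// the TTL, then DexAuth answers 401 and the cached identity must not be served again.
async function demo() {
  let clock = 0, whoamiCalls = 0, sessionAlive = true;
  const whoami = async () => { whoamiCalls++; return sessionAlive
    ? { status: 200, user: { username: 'alice', permissions: ['user.read'] } }
    : { status: 401 }; };
  const provisioned = new Set();
  const provision = async (u) => { provisioned.add(u.username); return u; };
  const sso = createSsoMiddleware({ whoami, provision, now: () => clock });
  const statuses = [];
  async function request() {
    const req = { cookies: { [COOKIE_NAME]: 'sid-1' } };
    const res = { code: 200, status(c) { this.code = c; return this; }, json() { return this; } };
    await sso(req, res, () => {});
    statuses.push(req.user ? 200 : res.code);
  }
  await request(); clock += 10000; await request();      // second call is a cache hit
  clock += 25000; await request();                       // TTL elapsed: re-verified
  sessionAlive = false; clock += 31000; await request(); // 401: cache entry dropped
  await request();                                       // still 401, not served stale
  return { whoamiCalls, statuses, provisioned: [...provisioned] };
}
```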

Configuration

  • DEXAUTH_PORT (default 9000)
  • DEXAUTH_HOST (default 0.0.0.0 — LAN bind required for the suite SSO pattern)
  • SESSION_SECRET — string used to sign cookies. Change in production.
  • SESSION_TTL_MINUTES (default 720, i.e. 12h)
  • SESSION_COOKIE_DOMAIN (empty for hostname-only cookie — recommended)
  • DB_ENGINE: sqlite | postgres | mariadb
  • DEXAUTH_DB_PATH (default data/dexauth.db)
  • INITIAL_ADMIN_PASSWORD — admin bootstrap (if empty → admin/admin with must_change=true)
  • DEXAUTH_DEFAULT_LOCALE (it | en, default it)
  • DEXAUTH_AUDIT_PATH (default data/logs/dexauth-audit.log)
  • DEXASSISTANT_URL — for the embedded chat widget
  • LDAP_URL / LDAP_BIND_DN — to enable the LDAP provider
  • OIDC_ISSUER / OIDC_CLIENT_ID — to enable the OIDC provider
  • HTTPS_PFX / HTTPS_PFX_PASSWORD to enable TLS

Technical prerequisites

  • Node.js 18+
  • SQL DB: SQLite (bundled) or PostgreSQL 14+ / MariaDB 10.6+
  • Same HTTP/HTTPS scheme as the 4 downstream apps (Chrome Schemeful Same-Site does not send cross-scheme cookies)
  • All 5 apps on the same hostname (different ports OK)
  • For LDAP/AD: npm dependency ldapjs + env LDAP_URL/LDAP_BIND_DN
  • For OIDC: npm dependency openid-client + env OIDC_ISSUER/OIDC_CLIENT_ID
  • Reachable Dex Assistant (optional, for embedded chatbot)