a better basket to put all your eggs in
dependabot[bot] 28a5707f2a
Bump the bundler group across 1 directory with 8 updates
Bumps the bundler group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [bcrypt](https://github.com/bcrypt-ruby/bcrypt-ruby) | `3.1.21` | `3.1.22` |
| [actionview](https://github.com/rails/rails) | `8.0.4` | `8.0.4.1` |
| [json](https://github.com/ruby/json) | `2.18.1` | `2.19.2` |
| [mcp](https://github.com/modelcontextprotocol/ruby-sdk) | `0.7.1` | `0.9.2` |
| [rack](https://github.com/rack/rack) | `3.2.5` | `3.2.6` |



Updates `bcrypt` from 3.1.21 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](https://github.com/bcrypt-ruby/bcrypt-ruby/compare/v3.1.21...v3.1.22)

Updates `actionview` from 8.0.4 to 8.0.4.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v8.0.4...v8.0.4.1)

Updates `activestorage` from 8.0.4 to 8.0.4.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v8.0.4...v8.0.4.1)

Updates `activesupport` from 8.0.4 to 8.0.4.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v8.0.4...v8.0.4.1)

Updates `json` from 2.18.1 to 2.19.2
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](https://github.com/ruby/json/compare/v2.18.1...v2.19.2)

Updates `loofah` from 2.25.0 to 2.25.1
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.25.0...v2.25.1)

Updates `mcp` from 0.7.1 to 0.9.2
- [Release notes](https://github.com/modelcontextprotocol/ruby-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/ruby-sdk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/modelcontextprotocol/ruby-sdk/compare/v0.7.1...v0.9.2)

Updates `rack` from 3.2.5 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/v3.2.5...v3.2.6)

---
updated-dependencies:
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 8.0.4.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 8.0.4.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 8.0.4.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: json
  dependency-version: 2.19.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: loofah
  dependency-version: 2.25.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: mcp
  dependency-version: 0.9.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 19:03:50 +00:00
.github Bump actions/checkout from 4 to 6 (#45) 2025-12-03 01:56:42 -05:00
app Clarify that /api/external/check is there on purpose (#209) 2026-03-26 14:20:16 -04:00
bin initial public commit!!! 2025-09-02 13:53:47 -04:00
config s/what data/what account info 2026-03-24 17:23:42 -04:00
db less scary consent screen for HQ stuff! (#208) 2026-03-24 16:22:52 -04:00
lib channeling 2026-02-04 13:24:46 -05:00
log initial public commit!!! 2025-09-02 13:53:47 -04:00
public switch error handling to sentry 2025-12-29 16:19:10 -05:00
script initial public commit!!! 2025-09-02 13:53:47 -04:00
spec s/what data/what account info 2026-03-24 17:23:42 -04:00
storage initial public commit!!! 2025-09-02 13:53:47 -04:00
tmp initial public commit!!! 2025-09-02 13:53:47 -04:00
vendor initial public commit!!! 2025-09-02 13:53:47 -04:00
.dockerignore initial public commit!!! 2025-09-02 13:53:47 -04:00
.erb_lint.yml Address autocomplete! (#115) 2025-12-19 12:20:18 -05:00
.gitattributes initial public commit!!! 2025-09-02 13:53:47 -04:00
.gitignore [Backend] UI2. (#67) 2025-12-03 01:17:37 -05:00
.rspec VERSION. TWO. (#42) 2025-11-24 10:52:27 -05:00
.rubocop.yml initial public commit!!! 2025-09-02 13:53:47 -04:00
.ruby-version initial public commit!!! 2025-09-02 13:53:47 -04:00
config.ru initial public commit!!! 2025-09-02 13:53:47 -04:00
docker-compose-dbonly.yml initial public commit!!! 2025-09-02 13:53:47 -04:00
Dockerfile what 2026-03-19 17:23:56 -04:00
Dockerfile.worker more threads? 2026-01-07 13:47:01 -05:00
Gemfile one update a day keeps the bugs away! (#183) 2026-02-28 13:54:41 -05:00
Gemfile.lock Bump the bundler group across 1 directory with 8 updates 2026-04-02 19:03:50 +00:00
package.json fix vite crash 2026-03-01 10:35:27 -05:00
Procfile.dev initial public commit!!! 2025-09-02 13:53:47 -04:00
Rakefile initial public commit!!! 2025-09-02 13:53:47 -04:00
README.md better DX (#168) 2026-01-20 23:10:23 -05:00
vite.config.mts [Backend] UI2. (#67) 2025-12-03 01:17:37 -05:00
yarn.lock fix vite crash 2026-03-01 10:35:27 -05:00

Hack Club Auth

This is the Rails codebase powering https://auth.hackclub.com!

contributing

ask around in #idv-dev or poke nora!

avoid questions that can be answered by reading the source code, but otherwise i'd be happy to help you get up to speed :-D

kindly bin/lint your code before you submit it!

local dev setup

prerequisites

you'll need:

  • ruby 3.4.4+ (i use mise to manage this)
  • node.js + yarn
  • postgres (see below)
  • imagemagick & libvips (image processing)
  • libxmlsec1 (SAML signing)

on macOS:

brew install imagemagick libvips libxmlsec1 yarn

database

easiest way is docker. if you don't have it and you're on macOS, orbstack works well enough.

docker compose -f docker-compose-dbonly.yml up -d

this gives you a postgres instance at postgresql://postgres@localhost:5432/identity_vault_development.

if you've got your own postgres running somewhere, that works too, just point at it.

environment

create a .env.development file:

DATABASE_URL=postgresql://postgres@localhost:5432/identity_vault_development

that's it for local dev; lockbox will use a deterministic dev key automatically. see environment variables below for the full list.

install & setup

bundle install
yarn install
bin/rails db:prepare
bin/rails db:seed

the seeds create a dev account with 2FA already set up. it'll print out the TOTP secret; add that to your authenticator app.

running the thing

bin/dev

if you want hot reload on css & js, also run bin/vite dev in another terminal.

logging in to the backend

  1. go to http://localhost:3000/login
  2. enter identity@hackclub.com
  3. grab the verification code from http://localhost:3000/letter_opener
  4. enter your TOTP code (from the authenticator app you set up during seeding)
  5. head to http://localhost:3000/backend

the backend requires 2FA; that's why the seeds set up a TOTP for you.

environment variables

required

| var | description |
| --- | --- |
| DATABASE_URL | postgres connection string |

required in production

| var | description |
| --- | --- |
| SECRET_KEY_BASE | rails secret key; generate with openssl rand -hex 64 |
| LOCKBOX_MASTER_KEY | encryption key for lockbox fields; generate with openssl rand -hex 32 |

active record encryption

used for encrypts fields (like aadhaar data). generate these with bin/rails db:encryption:init or use random strings.

| var | description |
| --- | --- |
| ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY | primary encryption key |
| ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY | deterministic encryption key |
| ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT | key derivation salt |

slack integration

| var | description |
| --- | --- |
| SLACK_BOT_TOKEN | bot token (xoxb-*) |
| SLACK_TEAM_ID | workspace ID (T*) |
| SLACK_SCIM_TOKEN | SCIM API token for user provisioning |
| SLACK_CLIENT_ID | OAuth client ID |
| SLACK_CLIENT_SECRET | OAuth client secret |
| SLACK_SIGNING_SECRET | webhook request verification |
| SLACK_ADULT_WEBHOOK_URL | webhook for guardian notifications |

SAML

| var | description |
| --- | --- |
| SAML_IDP_CERT_PATH | path to SAML IdP certificate |
| SAML_IDP_KEY_PATH | path to SAML IdP private key |

generate a self-signed cert for local dev:

openssl req -x509 -newkey rsa:2048 -keyout saml_key.pem -out saml_cert.pem -days 365 -nodes -subj "/CN=localhost"

OIDC

| var | description |
| --- | --- |
| OIDC_SIGNING_KEY | RSA private key for JWT signing |

generate an RSA key:

openssl genrsa -out oidc_key.pem 2048

then set OIDC_SIGNING_KEY to the contents of oidc_key.pem (the whole thing including the BEGIN/END lines).
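
added example, not code from the Hack Club Auth repo: a preflight check for the production secrets, the SAML cert/key pair and the OIDC signing key described above. check_secrets is a hypothetical helper, and the length rules assume the values were generated with the openssl commands shown in this README.

```ruby
require "openssl"

# hypothetical helper (not from the repo). env is ENV or any hash-like object.
# assumption: secrets were generated with the openssl commands in this README.
# messages name the variable only and never echo a secret value.
def check_secrets(env)
  problems = []

  # openssl rand -hex N prints N random bytes as 2N hex characters
  { "SECRET_KEY_BASE" => 64, "LOCKBOX_MASTER_KEY" => 32 }.each do |name, bytes|
    unless env[name].to_s.match?(/\A\h{#{bytes * 2}}\z/)
      problems << "#{name}: expected #{bytes * 2} hex characters"
    end
  end

  # OIDC_SIGNING_KEY carries the whole PEM, BEGIN/END lines included
  begin
    oidc = OpenSSL::PKey::RSA.new(env["OIDC_SIGNING_KEY"].to_s)
    problems << "OIDC_SIGNING_KEY: public key only, no private part" unless oidc.private?
    problems << "OIDC_SIGNING_KEY: modulus under 2048 bits" if oidc.n.num_bits < 2048
  rescue OpenSSL::OpenSSLError
    problems << "OIDC_SIGNING_KEY: not a parseable RSA key"
  end

  # the SAML IdP certificate must match its private key and still be valid
  begin
    cert = OpenSSL::X509::Certificate.new(File.read(env.fetch("SAML_IDP_CERT_PATH")))
    key = OpenSSL::PKey.read(File.read(env.fetch("SAML_IDP_KEY_PATH")))
    problems << "SAML: certificate and key do not belong together" unless cert.check_private_key(key)
    problems << "SAML: certificate expired on #{cert.not_after}" if cert.not_after < Time.now
  rescue KeyError, ArgumentError, SystemCallError, OpenSSL::OpenSSLError => e
    problems << "SAML: cert or key unreadable (#{e.class})"
  end

  problems
end
```

calling check_secrets(ENV) before boot and refusing to start on a non-empty result catches a truncated PEM or a swapped SAML key before the first login fails.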

email (production/staging/uat)

| var | description |
| --- | --- |
| SES_SMTP_HOST | SES SMTP endpoint |
| SES_SMTP_USERNAME | SES SMTP username |
| SES_SMTP_PASSWORD | SES SMTP password |

document storage (production)

| var | description |
| --- | --- |
| CLOUDFLARE_R2_ENDPOINT | R2 endpoint URL |
| CLOUDFLARE_R2_ACCESS_KEY_ID | R2 access key |
| CLOUDFLARE_R2_SECRET_ACCESS_KEY | R2 secret key |

other

| var | description |
| --- | --- |
| SENTRY_DSN | error tracking |
| GOOGLE_PLACES_API_KEY | address autocomplete |
| ANALYTICS_DATABASE_URL | separate analytics DB (optional) |
| DISABLE_ANALYTICS | set to "true" to disable Ahoy |
| SOURCE_COMMIT | git commit for version display |

security

this oughta go without saying, but if you find a security-relevant issue please either contact me directly or go through the security.hackclub.com flow. if you just open an issue or a PR, there's a chance a bad actor sees it and exploits it before we can patch or merge.