Overview
TGM Auth API is a custom-built, centralized Single-Sign-On (SSO) solution engineered to streamline user authentication across a diverse ecosystem of applications. Built on Node.js and MySQL, this stateful API provides a single, secure entry point for users, eliminating the need to manage multiple sets of credentials. It solves the critical challenge of fragmented user identity by creating a unified authentication layer that enhances both security and user experience through a robust, database-backed token system.
The system is designed for seamless integration, offering a flexible architecture that supports email verification, secure session management, and granular, role-based access control. By centralizing authentication, the TGM Auth API simplifies credential management for administrators and provides users with a frictionless login experience. The API is currently live and serves as the core authentication service for the TGM Studios platform, including account.tgmstudios.net.
Key Features
- Centralized SSO Authentication: Provides a single source of truth for user identity, allowing users to log in once and gain access to multiple authorized applications without re-entering credentials.
- Stateful, Database-Backed Tokens: Implements a custom token-based workflow where unique, opaque session tokens are generated and stored in the database. This stateful approach allows for instant session revocation, detailed activity logging, and centralized control over user sessions.
- Application-Specific Tokens: Features a unique mechanism to generate and attach tokens to specific client applications, allowing a user's session to be securely linked and validated on a per-application basis.
- Email Verification: Ensures the validity of user accounts by requiring email confirmation upon registration, adding a crucial layer of security and preventing spam or fraudulent sign-ups.
- Granular Access Control: Allows for the definition and enforcement of specific roles and permissions, ensuring that users can only access the resources and perform the actions appropriate for their authorization level.
Technologies & Implementation
The TGM Auth API is built on a reliable and scalable backend stack, chosen specifically for the demands of a high-availability authentication service.
- Backend: Node.js was selected for its event-driven, non-blocking I/O model, making it highly efficient for handling numerous concurrent authentication requests. The API is built upon the Express.js framework for its robust and minimalist approach to routing and middleware.
- Database: MySQL serves as the data store, chosen for its proven reliability and data integrity. It is the backbone of the stateful architecture, managing user credentials, session tokens, roles, and relational permissions data.
- Architecture: The system is architected as a stateful REST API. When a user authenticates, the API generates a unique, opaque token, stores it in the database with user and client metadata, and returns it to the client. This token is then passed with subsequent requests to other services. To authorize the user, those services must call a validation endpoint on the TGM Auth API, which verifies the token against the database. This design centralizes security and session control, creating a resilient and manageable microservices environment.
```mermaid
graph TD
A["User"] --> B["Client Application (e.g., account.tgmstudios.net)"];
B --> C["POST /login to TGM Auth API"];
C --> D["MySQL Database"];
D -- "Verify Credentials" --> C;
C -- "Issue Opaque Token & Store in DB" --> B;
B -- "Store Session Token" --> A;
A --> E["Access Protected Service"];
E -- "Request with Token" --> F["Another Application"];
F -- "Validate Token via Auth API (DB Lookup)" --> E;
E -- "Return Protected Resource" --> A;
```
Challenges & Solutions
One of the primary challenges was designing a system that could provide secure authentication across multiple services while retaining central control and the ability to instantly revoke user sessions. A stateless approach using self-contained tokens like JWTs would make immediate session termination difficult without complex revocation list management.
To solve this, I implemented a custom, stateful, database-backed token system. Upon a successful login, the API generates a cryptographically secure random string that acts as an opaque token. This token is stored in a dedicated table in the MySQL database, linked to the user's ID, client IP, and an expiration timestamp. When a client application needs to verify a user's session, it makes a request to the Auth API's validation endpoint. The API then performs a direct lookup in the database to confirm the token is valid, active, and matches the request context (e.g., IP address). This design provides significant security advantages, including the ability to instantly invalidate any token by simply deleting its record from the database, ensuring robust and centralized session control.
Results & Impact
The TGM Auth API successfully centralizes authentication for the TGM Studios digital ecosystem, providing a stable and secure foundation for user management.
- Improved User Experience: Users now enjoy a streamlined, single-login experience across all connected platforms, significantly reducing friction and frustration.
- Enhanced Security: By consolidating authentication logic and implementing a stateful, database-backed token system, the overall security posture is significantly improved. It provides a single point for enforcing security measures, monitoring activity, and instantly revoking sessions.
- Developer Efficiency: Other application developers no longer need to implement their own authentication logic. They simply integrate with a single, well-documented API, saving significant development time and reducing the risk of security vulnerabilities. The system is live and actively manages user accounts via its endpoint at auth.tgmstudios.net.
{TODO: Add screenshot of the user account portal at account.tgmstudios.net}
