Microservice to bring 2FA to self hosted PDSes

Clone this repository:

- https://tangled.org/pds.dad/pds-gatekeeper (git@tangled.org:pds.dad/pds-gatekeeper)
- https://tangled.org/did:plc:p3aqxmyn6f3pkm4dcl5co5gp (git@tangled.org:did:plc:p3aqxmyn6f3pkm4dcl5co5gp)



README.md

# PDS gatekeeper

A microservice that sits on the same server as the PDS and adds some of the security that the entryway provides.

[Image: black-and-white photo of a grassy hill with a gate at the top]

PDS gatekeeper works by overriding some of the PDS endpoints in your Caddyfile so that certain endpoints are gatekept. The main goal is to have 2FA on a self-hosted PDS, as exists on a Bluesky mushroom (PDS). Most of the logic for these endpoints still happens on the PDS via a proxied request; only some of them are gatekept.

## Features

### 2FA

- Ability to turn 2FA on/off
- `getSession` override that sets the `emailAuthFactor` flag when the user has 2FA turned on
- Sends an email through `PDS_EMAIL_SMTP_URL` using a Handlebars template modelled on Bluesky's 2FA sign-in email
- Generates a 2FA code
- `createSession` gatekeeping (it does stop logins; it just doesn't send a real code or check one yet)
- OAuth endpoint gatekeeping
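The two code-handling items in the list (generating a sign-in code and checking it when `createSession` is gatekept) as an added example in Go. This is not pds-gatekeeper's own code: the `CodeStore` type, its in-memory map, the `SendMail` hook, the ten-minute lifetime, the five-attempt cap and the constructed DID are all assumptions made here, and the XXXXX-XXXXX code shape is modelled on Bluesky's sign-in codes rather than taken from the project.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// codeEntry is one outstanding sign-in code for an account.
type codeEntry struct {
	code     string
	expires  time.Time
	attempts int // wrong guesses so far
}

// CodeStore keeps the pending 2FA code per account, keyed by DID. The in-memory map
// stands in for whatever the project persists and SendMail for its SMTP template
// code; both are assumptions of this example, as are the TTL and attempt cap.
type CodeStore struct {
	mu          sync.Mutex
	pending     map[string]codeEntry
	SendMail    func(did, code string) error
	Now         func() time.Time // injectable clock so expiry can be tested
	TTL         time.Duration
	MaxAttempts int
}

func NewCodeStore(send func(did, code string) error) *CodeStore {
	return &CodeStore{pending: map[string]codeEntry{}, SendMail: send,
		Now: time.Now, TTL: 10 * time.Minute, MaxAttempts: 5}
}

// NewCode draws an XXXXX-XXXXX code from crypto/rand. The alphabet has 32 symbols and
// 256 % 32 == 0, so reducing a random byte modulo 32 is unbiased (a 26- or 36-symbol
// alphabet would need rejection sampling). 0/O and 1/I are left out to avoid typos.
func NewCode() (string, error) {
	const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
	raw := make([]byte, 10)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	for i := range raw {
		raw[i] = alphabet[raw[i]%32]
	}
	return string(raw[:5]) + "-" + string(raw[5:]), nil
}

// Issue replaces any pending code for did with a fresh one and hands it to SendMail.
func (s *CodeStore) Issue(did string) error {
	code, err := NewCode()
	if err != nil {
		return err
	}
	s.mu.Lock()
	s.pending[did] = codeEntry{code: code, expires: s.Now().Add(s.TTL)}
	s.mu.Unlock()
	return s.SendMail(did, code)
}

// Verify checks a submitted token. Absent or expired codes fail, the comparison is
// constant-time, repeated wrong guesses void the code, and a match consumes it so
// the same code cannot be replayed.
func (s *CodeStore) Verify(did, token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.pending[did]
	if !ok || s.Now().After(entry.expires) {
		delete(s.pending, did)
		return false
	}
	if subtle.ConstantTimeCompare([]byte(entry.code), []byte(token)) != 1 {
		entry.attempts++
		if entry.attempts >= s.MaxAttempts {
			delete(s.pending, did) // the user has to log in again to get a new code
		} else {
			s.pending[did] = entry
		}
		return false
	}
	delete(s.pending, did)
	return true
}

func main() {
	store := NewCodeStore(func(did, code string) error {
		fmt.Printf("would mail %s to the address on file for %s\n", code, did)
		return nil
	})
	if err := store.Issue("did:plc:example"); err != nil { // constructed DID
		panic(err)
	}
}
```

Two choices are worth noting. The comparison uses `crypto/subtle` rather than `==` so a wrong guess takes the same time whichever character mismatches first, and the attempt cap means a code is voided after a handful of wrong guesses instead of staying valid for its whole lifetime; with a 32^10 code space the cap is cheap insurance rather than the main defence.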

## Captcha on Create Account

Future feature?

## Setup

Nothing here yet! If you are brave enough to try it before the full release, let me know and I'll help you set it up. But I want to run it locally on my own PDS first to test it a bit.

Example Caddyfile (mostly so I don't lose it for now; a better one will follow):

```caddyfile
http://localhost {

    # Endpoints the gatekeeper intercepts; everything else goes straight to the PDS.
    @gatekeeper {
        path /xrpc/com.atproto.server.getSession
        path /xrpc/com.atproto.server.updateEmail
        path /xrpc/com.atproto.server.createSession
    }

    # The gatekeeper microservice, which proxies on to the PDS itself.
    handle @gatekeeper {
        reverse_proxy http://localhost:8080
    }

    # The PDS.
    reverse_proxy /* http://localhost:3000
}
```
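As an added example (not the project's code) of what the service on localhost:8080 that this Caddyfile routes to might look like, in Go: a `createSession` gate that withholds the PDS's session until a code has been checked, and a `getSession` rewrite that sets `emailAuthFactor` from the gatekeeper's own record. The `Codes` interface (any type with `Issue` and `Verify` methods), the `Has2FA` lookup, the use of `httptest.NewRecorder` to buffer the upstream reply, and the `AuthFactorTokenRequired` error name and messages (modelled on Bluesky's `createSession`) are assumptions of the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strconv"
)

// Codes is what the gate needs from the 2FA code logic (assumed interface): Issue
// generates, remembers and emails a code; Verify checks a submitted one and consumes it.
type Codes interface {
	Issue(did string) error
	Verify(did, token string) bool
}

// Has2FA reports whether an account turned 2FA on; the PDS never knows this, the
// gatekeeper keeps the setting (assumed lookup, a map in the tests).
type Has2FA func(did string) bool

// authFactorError uses the error name Bluesky's createSession returns for a missing
// or wrong 2FA token (assumed; check the lexicon shipped with your PDS version).
func authFactorError(w http.ResponseWriter, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": "AuthFactorTokenRequired", "message": msg})
}

// CreateSessionGate buffers the PDS reply so it can be withheld. The PDS checks the
// password first and a code is mailed only after it accepts, so an unauthenticated
// caller cannot use the endpoint to flood an inbox. Decisions key on the DID the PDS
// returns, not on the caller-supplied identifier.
func CreateSessionGate(upstream http.Handler, enabled Has2FA, codes Codes) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<16)) // a short read just makes the PDS reject
		var in struct{ Token string `json:"authFactorToken"` }
		_ = json.Unmarshal(body, &in) // malformed JSON is likewise left for the PDS to reject
		r.Body = io.NopCloser(bytes.NewReader(body))
		rec := httptest.NewRecorder()
		upstream.ServeHTTP(rec, r)
		var out struct{ Did string `json:"did"` }
		if rec.Code == http.StatusOK && json.Unmarshal(rec.Body.Bytes(), &out) == nil && enabled(out.Did) {
			if in.Token == "" {
				if err := codes.Issue(out.Did); err != nil {
					http.Error(w, `{"error":"InternalServerError"}`, http.StatusInternalServerError)
					return
				}
				authFactorError(w, "A sign in code has been sent to your email address")
				return
			}
			if !codes.Verify(out.Did, in.Token) {
				authFactorError(w, "Token is invalid")
				return
			}
		}
		for k, v := range rec.Header() { // relay the PDS reply: the session, or its own error
			w.Header()[k] = v
		}
		w.WriteHeader(rec.Code)
		_, _ = w.Write(rec.Body.Bytes())
	})
}

// RewriteGetSession edits a successful session reply so emailAuthFactor reflects the
// gatekeeper's record instead of the PDS's. Non-200 and encoded bodies pass through.
func RewriteGetSession(resp *http.Response, enabled Has2FA) error {
	if resp.StatusCode != http.StatusOK || resp.Header.Get("Content-Encoding") != "" {
		return nil
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return err
	}
	var session map[string]any
	if json.Unmarshal(body, &session) == nil {
		did, _ := session["did"].(string)
		session["emailAuthFactor"] = enabled(did)
		body, _ = json.Marshal(session) // a map that just unmarshalled always marshals
	}
	resp.Body = io.NopCloser(bytes.NewReader(body))
	resp.ContentLength = int64(len(body))
	resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
	return nil
}

// NewPDSProxy forwards to the PDS at pdsURL and rewrites the session replies above.
func NewPDSProxy(pdsURL string, enabled Has2FA) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(pdsURL)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		r.Header.Del("Accept-Encoding") // ask for plain JSON so the body can be edited
	}
	proxy.ModifyResponse = func(resp *http.Response) error { return RewriteGetSession(resp, enabled) }
	return proxy, nil
}
```

Mount `proxy` at `/xrpc/com.atproto.server.getSession` and `CreateSessionGate(proxy, enabled, codes)` at `/xrpc/com.atproto.server.createSession` on localhost:8080; everything else still reaches the PDS through the Caddyfile's catch-all. Because the gate routes through the same proxy, a successful `createSession` reply gets the same `emailAuthFactor` rewrite. One caveat: when the gate withholds a session, the PDS has already minted it. The tokens are never delivered to the caller, but a thorough implementation would call `com.atproto.server.deleteSession` with the discarded refresh token rather than let it linger.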