VMAUTH

From STEMX365-WIKI
Jump to navigationJump to search

VM AUTH

Bind VM Usage to Online Authentication using a Flask-based API server

Step 1: Flask API Server (STEMX365 Side)

# vm_auth_server.py
from flask import Flask, request, jsonify
from werkzeug.security import check_password_hash

app = Flask(__name__)

# Dummy database (use real DB in prod)
users = {
    "student1@stemx365.org": {
        "name": "Student One",
        "password_hash": "pbkdf2:sha256:260000$...your_hash_here..."
    }
}

@app.route("/api/vm-auth", methods=["POST"])
def vm_auth():
    data = request.json
    email = data.get("email")
    password = data.get("password")

    user = users.get(email)
    if user and check_password_hash(user["password_hash"], password):
        return jsonify({"status": "success", "message": "Authenticated"}), 200
    else:
        return jsonify({"status": "error", "message": "Invalid credentials"}), 401

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)

Step 2: VM Startup Script (Ubuntu Side)

#!/bin/bash

API_URL="https://login.stemx365.org/api/vm-auth"
MAX_ATTEMPTS=3
LOGFILE="/var/log/stemx365_vm_auth.log"

clear
echo "🔐 STEMX365 VM Access Authentication"

for attempt in $(seq 1 $MAX_ATTEMPTS); do
    read -p "Enter your STEMX365 email: " EMAIL
    read -s -p "Enter your password: " PASSWORD
    echo ""

    # Send request
    RESPONSE=$(curl -s -X POST $API_URL \
        -H "Content-Type: application/json" \
        -d "{\"email\":\"$EMAIL\", \"password\":\"$PASSWORD\"}")

    STATUS=$(echo $RESPONSE | jq -r '.status')

    if [[ "$STATUS" == "success" ]]; then
        echo "✅ Access granted. Welcome!"
        echo "$(date): $EMAIL logged in successfully" >> $LOGFILE
        exit 0
    else
        echo "❌ Login failed. Attempt $attempt of $MAX_ATTEMPTS."
    fi
done

echo "$(date): $EMAIL failed authentication" >> $LOGFILE
echo "⚠️ Too many failed attempts. Locking out..."
sleep 3
pkill -KILL -u "$USER"  # logout the session (or use shutdown -h now)

Step 3: Auto-Run Script at Boot

Place the above script in /usr/local/bin/vm_login.sh, make it executable:


chmod +x /usr/local/bin/vm_login.sh

Then set it as a required login precondition using one of:

Option A: .bashrc (for single user VM)

  1. Add to top of ~/.bashrc

/usr/local/bin/vm_login.sh || exit Option B: LightDM autologin greeter (more secure) Modify /etc/lightdm/lightdm.conf: 

[SeatDefaults]
greeter-setup-script=/usr/local/bin/vm_login.sh



  1. A **Python Flask server** (runs on your central server) to handle login/authentication and token validation.
  2. A **bash script** that runs on **each student's VM during boot**, checks their token, and halts if invalid.

OVERVIEW

Each VM has:

  1. A file `/etc/stemx365.conf` containing a unique `STUDENT_ID` and `VM_TOKEN`
  2. On boot, a script will:
    1. Read this config
    2. Ping your Flask server to validate the ID+token
    3. Only continue if authenticated

Bash Script for the Student VM (runs on boot)

Save this as `/usr/local/bin/stemx365_boot.sh` and make it executable. 

#!/bin/bash

CONFIG_FILE="/etc/stemx365.conf"
API_URL="https://auth.stemx365.org/api/validate"

if [ ! -f "$CONFIG_FILE" ]; then
    echo "Missing configuration. Please contact STEMX365 support."
    exit 1
fi

source "$CONFIG_FILE"

# Check if required variables exist
if [ -z "$STUDENT_ID" ] || [ -z "$VM_TOKEN" ]; then
    echo "Invalid config file. Aborting."
    exit 1
fi

# Call central API to verify
response=$(curl -s -X POST "$API_URL" \
    -H "Content-Type: application/json" \
    -d "{\"student_id\": \"$STUDENT_ID\", \"vm_token\": \"$VM_TOKEN\"}")

if [[ "$response" == *"valid":true* ]]; then
    echo "✅ Welcome, $STUDENT_ID"
else
    echo "❌ Authentication failed. Access denied."
    exit 1
fi

Add this to the crontab or systemd to run on boot: 

bash
sudo crontab -e
@reboot /usr/local/bin/stemx365_boot.sh

2. Config File Example (per VM)

Path: `/etc/stemx365.conf` 

bash
STUDENT_ID="student123"
VM_TOKEN="a1b2c3d4e5f6"

Generate unique `VM_TOKEN`s for each student when creating the VM.

3. Flask Server to Validate Login

Install Flask: 

bash
pip install flask flask-cors

Save this as `stemx365_auth.py` on your server: 

from flask import Flask, request, jsonify
from flask_cors import CORS

app = Flask(__name__)
CORS(app)

# Example: store valid tokens in a dictionary (use DB in production)
valid_tokens = {
    "student123": "a1b2c3d4e5f6",
    "student456": "z9y8x7w6v5"
}

@app.route('/api/validate', methods=['POST'])
def validate():
    data = request.get_json()
    student_id = data.get('student_id')
    token = data.get('vm_token')

    if student_id in valid_tokens and valid_tokens[student_id] == token:
        return jsonify({"valid": True})
    else:
        return jsonify({"valid": False}), 401

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)

Run with: 

python stemx365_auth.py

💡 In production, put behind NGINX with HTTPS.

Bonus: Generate Unique Tokens for Each VM

A helper Python snippet to generate: 

import uuid

def generate_vm_token():
    return uuid.uuid4().hex

print(generate_vm_token())
Retrieved from "https://wiki.stemx365.org/index.php?title=VMAUTH&oldid=1145"