noxcrux is a Django web app and API which allows you to create and store password horcruxes to improve your online security.
This project is intended for people who are at least minimally aware of online security risks and already use a password manager.
noxcrux was inspired by this article and the concept of horcruxes from the Harry Potter universe.
The aim of this project is to split passwords into multiple horcruxes to mitigate the single-point-of-failure risk that a password manager introduces.
Password horcruxes are not 2FA/MFA and do not pretend to replace it. A password is a single factor (knowledge); noxcrux lets you distribute that one factor across platforms, so an attacker who compromises every server holding one of its horcruxes still recovers the whole password.
The project is still in an early development stage (see the features and the to-do list below), but the end goal is to offer users multiple noxcrux servers to connect to, so that access to their online accounts no longer depends on a single place.
A web extension will be developed later to let end users manage their noxcrux servers and retrieve and assemble their complete password when they want to log in to a website.
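The README does not say how noxcrux cuts a password into horcruxes, so the example below is an added illustration (not noxcrux's code) of the two obvious ways to do it and what each one leaks. `split_naive` stores contiguous slices of the password, which is what "assemble" suggests; `split_xor` stores random strings whose XOR is the password, so any n-1 horcruxes reveal nothing but the length. The sample password and the 94-character alphabet are assumptions for the demonstration.

```python
import secrets
from typing import List


def split_naive(password: str, n: int) -> List[str]:
    """Cut the password into n contiguous slices.

    Each slice is literally a piece of the password: a server holding one
    horcrux leaks that piece, and an attacker holding n-1 of them only has
    to guess the missing slice.
    """
    if n < 1 or n > len(password):
        raise ValueError("need between 1 and len(password) horcruxes")
    size, extra = divmod(len(password), n)
    parts: List[str] = []
    start = 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        parts.append(password[start:end])
        start = end
    return parts


def join_naive(parts: List[str]) -> str:
    return "".join(parts)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(password: str, n: int) -> List[bytes]:
    """n-of-n split: n-1 random horcruxes plus one that is the password
    XORed with all of them.

    Any n-1 horcruxes are uniformly random and independent of the password,
    so whoever holds fewer than n learns nothing except its length. The
    price is availability: losing any single horcrux loses the password.
    """
    if n < 2:
        raise ValueError("need at least two horcruxes for a useful split")
    data = password.encode("utf-8")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def join_xor(shares: List[bytes]) -> str:
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = _xor(acc, share)
    return acc.decode("utf-8")


def guesses_left(password_len: int, known_chars: int, alphabet: int = 94) -> int:
    """Candidates an attacker must try for the characters they do not hold
    (94 = printable ASCII, an assumed alphabet). With split_naive and n-1
    horcruxes in hand only the missing slice is unknown; with split_xor
    every character still is."""
    return alphabet ** (password_len - known_chars)


if __name__ == "__main__":
    pw = "correct-horse-battery"  # constructed sample password
    naive = split_naive(pw, 3)
    xored = split_xor(pw, 3)
    known = len(naive[0]) + len(naive[1])
    print("naive horcruxes:", naive)
    print("holding two of them leaves", guesses_left(len(pw), known), "guesses")
    print("holding two xor horcruxes leaves", guesses_left(len(pw), 0), "guesses")
    assert join_naive(naive) == pw and join_xor(xored) == pw
```

Either scheme is still a single knowledge factor, which is the point made above: splitting changes how many places an attacker has to break into, not how many factors they need.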
Here is a link to a live demo of this project:
https://hydrogen.noxcrux.com/
noxcrux is powered by Django, a well-known Python web framework, and Django REST Framework (DRF) for the API, with drf-spectacular for the API reference.
It also makes use of Bootstrap, jQuery and Sass for the web interface.
Here is a table with the main technologies, and their current version:
Technology | Version |
---|---|
Django | 3.2 |
Django Rest Framework | 3.12.4 |
DRF Spectacular | 0.15.1 |
Bootstrap | 4.5.2 |
jQuery | 3.5.1 |
Sass (dart-sass) | 1.32.5 |
Here is a list of the main features provided by this project:
- CRUD on horcruxes
- Personal account management
- Horcrux generator
- 2-Factor Authentication
- Friendship
- Horcrux sharing
- Self API Reference
- Brute-force protection
- Easy & Secure deployment with Docker
Here is what you need to do to get a noxcrux server up and running. This is also the recommended way to install it for a development setup.
Here are the commands to build the application straight from the sources; find below the Docker instructions for a production-ready environment or to just quickly get a server running.
noxcrux is developed and tested on Debian-based distributions, so the commands below target those.
Django is a Python web framework, so first you need Python and pip to install the modules.
You probably already have both installed, but just in case, here are the commands.
sudo apt update && sudo apt upgrade
sudo apt install python3 python3-pip
Fetch the code from the repository and enter the folder.
git clone https://github.com/noxPHX/noxcrux.git && cd noxcrux
Install Django and the other modules.
pip3 install -r requirements.txt
Ideally, set up a virtual environment first if you do not want to mix the project's dependencies with your host packages.
sudo apt install python3-venv
python3 -m venv ./.venv/
source .venv/bin/activate
pip3 install -r requirements.txt
As mentioned before, noxcrux makes use of Sass, so you need to compile the SCSS files into regular CSS files, because the compiled CSS is not tracked by git.
To install it, follow the instructions at https://sass-lang.com/.
I personally prefer to grab the latest release from https://github.com/sass/dart-sass/releases and untar it somewhere in my PATH (the move into /usr/local/bin needs root):
wget -O /tmp/sass.tgz https://github.com/sass/dart-sass/releases/download/1.32.5/dart-sass-1.32.5-linux-x64.tar.gz
tar -xzf /tmp/sass.tgz -C /tmp
sudo mv /tmp/dart-sass/* /usr/local/bin
rm -r /tmp/sass.tgz /tmp/dart-sass
noxcrux uses PostgreSQL as its database engine. For an easy setup you can use Docker and Compose and simply run the following commands in the docker directory. The secrets file provides the database password to the container, so replace the placeholder below with a strong random value and keep DB_PASSWORD (see the configuration table below) in sync with it:
cd docker
echo 'noxcrux_db_passwd' > secrets/noxcrux_db_passwd.txt
docker-compose up -d noxcrux_db
Otherwise, you can check how to install and configure PostgreSQL manually here.
In order to properly run the application, you might want to define some environment variables.
The table below lists each variable with its description, type and default value. The defaults are meant for local development: for a server reachable from the network, set DEBUG to False, restrict ALLOWED_HOSTS to your real hostname(s), change DB_PASSWORD and leave CORS_ALLOW_ALL_ORIGINS disabled.
Variable | Description | Type | Default |
---|---|---|---|
DEBUG | Enable or disable debug mode | Boolean | True |
REGISTRATION_OPEN | Enable or disable user registration | Boolean | True |
ALLOWED_HOSTS | Allowed hosts to access the application | Comma-separated values (eg "localhost,127.0.0.1") | * |
DB_HOST | Database IP address or hostname | String (eg "172.26.0.74" if using the noxcrux_db container) | 172.26.0.74 |
DB_PORT | Database port | String | 5432 |
DB_NAME | Database name | String | noxcrux |
DB_USER | Database user | String | noxcrux |
DB_PASSWORD | Database password | String | noxcrux |
CORS_ALLOW_ALL_ORIGINS | Enable or disable all origins for CORS | Boolean | False |
CORS_ALLOWED_ORIGINS | Allowed origins for CORS | Comma-separated values (eg "https://localhost,https://127.0.0.1") | http://localhost |
For the last step of the configuration, you need to generate the Django secret key; the following command will suffice:
python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())' > secret_key.txt
If you cannot use Python (eg with the Docker setup), this plain shell pipeline does the same (LC_ALL=C keeps tr from rejecting bytes that are invalid in a UTF-8 locale):
LC_ALL=C tr -dc 'a-z0-9!@#$%^&*()_=+' < /dev/urandom | head -c 50 > secret_key.txt
Keep this file out of version control and readable only by the user running the server (chmod 600 secret_key.txt): anyone who knows the secret key can forge session cookies and other data Django signs with it.
Before running the server, only the database migrations are left:
python3 manage.py migrate
Finally, start the development server (runserver is for development only; for anything else use the Docker stack below, which serves the application with gunicorn behind nginx):
python3 manage.py runserver
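As an added pre-flight check (not part of noxcrux), the script below reads the variables from the configuration table above with their documented defaults and reports every setting that is unsafe for a network-reachable server, then inspects secret_key.txt from the previous step for length and file permissions. How noxcrux itself parses booleans is not shown on this page, so `as_bool` is an assumption, as is the `vault.example.com` hostname used in the demonstration.

```python
import os
import stat
from pathlib import Path
from typing import Dict, List, Mapping
from urllib.parse import urlsplit

# Variable names and defaults exactly as listed in the Configuration table.
DEFAULTS: Dict[str, str] = {
    "DEBUG": "True",
    "REGISTRATION_OPEN": "True",
    "ALLOWED_HOSTS": "*",
    "DB_HOST": "172.26.0.74",
    "DB_PORT": "5432",
    "DB_NAME": "noxcrux",
    "DB_USER": "noxcrux",
    "DB_PASSWORD": "noxcrux",
    "CORS_ALLOW_ALL_ORIGINS": "False",
    "CORS_ALLOWED_ORIGINS": "http://localhost",
}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def as_bool(value: str) -> bool:
    # Assumed parsing; the page does not show how noxcrux reads booleans.
    return value.strip().lower() in {"1", "true", "yes", "on"}


def as_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_config(env: Mapping[str, str]) -> Dict[str, str]:
    """Merge the process environment over the documented defaults."""
    return {name: env.get(name, default) for name, default in DEFAULTS.items()}


def check_config(env: Mapping[str, str]) -> List[str]:
    """One finding per setting that is unsafe for a network-reachable server."""
    cfg = effective_config(env)
    findings: List[str] = []
    if as_bool(cfg["DEBUG"]):
        findings.append("DEBUG=True: Django error pages expose source, settings and environment to visitors")
    if "*" in as_list(cfg["ALLOWED_HOSTS"]):
        findings.append("ALLOWED_HOSTS=*: the Host header is not validated; set your real hostname(s)")
    if cfg["DB_PASSWORD"] == DEFAULTS["DB_PASSWORD"]:
        findings.append("DB_PASSWORD is still the documented default")
    if as_bool(cfg["CORS_ALLOW_ALL_ORIGINS"]):
        findings.append("CORS_ALLOW_ALL_ORIGINS=True: scripts on any website may call the API from a browser")
    for origin in as_list(cfg["CORS_ALLOWED_ORIGINS"]):
        host = urlsplit(origin).hostname or ""
        if origin.startswith("http://") and host not in LOCAL_HOSTS:
            findings.append(f"CORS_ALLOWED_ORIGINS contains plaintext origin {origin}")
    if as_bool(cfg["REGISTRATION_OPEN"]):
        findings.append("note: REGISTRATION_OPEN=True, anyone reaching the server can create an account")
    return findings


def check_secret_key_value(key: str) -> List[str]:
    # get_random_secret_key() yields 50 characters; anything shorter is suspicious.
    if len(key) < 50:
        return [f"secret key is {len(key)} characters, expected at least 50"]
    return []


def check_secret_key_file(path: Path) -> List[str]:
    if not path.is_file():
        return [f"{path} is missing; generate it as shown above"]
    findings = check_secret_key_value(path.read_text(encoding="utf-8").strip())
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} has mode {mode:04o}; chmod 600 so only the server user can read it")
    return findings


if __name__ == "__main__":
    problems = check_config(os.environ) + check_secret_key_file(Path("secret_key.txt"))
    for problem in problems:
        print("-", problem)
    raise SystemExit(1 if any(not p.startswith("note:") for p in problems) else 0)
```

Run it from the project folder before `runserver` or before building the Docker images: with no variables exported it reports the development defaults (DEBUG, ALLOWED_HOSTS, DB_PASSWORD) so you see exactly what to change for a real deployment.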
The docker-compose.yaml file defines 3 services:
- noxcrux_db, a PostgreSQL container with a volume to persist the database
- noxcrux_web, which runs gunicorn serving the Python application
- noxcrux_nginx, an nginx container which terminates TLS and serves static files from a volume shared with noxcrux_web
For a quick & easy setup you can use Docker and Compose, the following versions are the minimal requirements:
Tool | Version |
---|---|
Docker | 19 |
Compose | 1.29 |
I do not (yet) provide an image on Docker Hub, so you need to build the image locally.
The instructions below are also valid for a production deployment.
First, fetch the code if you have not done so already and enter the folder.
git clone https://github.com/noxPHX/noxcrux.git && cd noxcrux
As before, you need to generate the secret key, and you might want to adjust the environment variables in the docker-compose.yaml file. Please refer to the Configuration section.
The Compose stack comes with an nginx container which needs a certificate and its private key as well as Diffie-Hellman parameters.
For the certificate, you can retrieve a free one from Let's Encrypt and place it in the docker/ssl folder.
Otherwise, you can quickly generate a self-signed certificate for testing purposes (for a production environment you need a valid certificate). Browsers ignore the CN and match against the subjectAltName, so list every name or address you will use to reach the server there, and keep privkey.pem readable only by the user who starts the stack:
openssl req -x509 -newkey rsa:4096 -nodes -keyout docker/ssl/privkey.pem -out docker/ssl/fullchain.pem -days 365 -subj '/CN=localhost' -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
Regarding the D-H parameters, you can generate them as follows (the subcommand is dhparam, singular; 4096-bit parameters take several minutes to generate):
openssl dhparam -out docker/ssl/dhparams.pem 4096
When you are ready, these commands will suffice to build the images and run the application.
docker-compose build
docker-compose up -d
Swagger UI is a tool which facilitates interaction with an API. It is bundled with drf-spectacular, so simply running the application gives you your own API reference, which you can find by browsing the /web/api/docs URL.
Alternatively, you can find it here: https://hydrogen.noxcrux.com/web/api/docs/
If you want to build your own OpenAPI schema, for instance to import it into your development tools, execute the following command.
python3 manage.py spectacular --file schema.yaml
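The exported schema is also a convenient place to audit authentication: every operation in it declares which security schemes it accepts, and the ones declaring none are callable anonymously. The script below is an added example (not part of noxcrux or drf-spectacular) that applies the OpenAPI rules for `security` and lists such operations. It reads JSON, which drf-spectacular can emit with `--format openapi-json`; the paths and scheme name in `SAMPLE_SCHEMA` are constructed for the demonstration and are not noxcrux's real endpoints.

```python
import json
from pathlib import Path
from typing import Any, Dict, List

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def unauthenticated_operations(schema: Dict[str, Any]) -> List[str]:
    """Return 'METHOD path' for every operation callable without authenticating.

    OpenAPI 3 rules applied: an operation's own `security` overrides the
    top-level one; an empty list means no authentication at all; an empty
    object {} among the alternatives is one that requires nothing, so
    authentication is effectively optional.
    """
    default = schema.get("security", [])
    open_ops: List[str] = []
    for path, item in schema.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level 'parameters', 'summary', x-extensions
            security = operation.get("security", default)
            if not security or any(alternative == {} for alternative in security):
                open_ops.append(f"{method.upper()} {path}")
    return open_ops


def audit_schema_file(path: Path) -> List[str]:
    """Load a JSON OpenAPI document (e.g. the output of `spectacular --format openapi-json`)."""
    with path.open(encoding="utf-8") as fh:
        return unauthenticated_operations(json.load(fh))


# Constructed sample schema: invented paths and scheme name, not noxcrux's API.
SAMPLE_SCHEMA: Dict[str, Any] = {
    "openapi": "3.0.3",
    "security": [{"tokenAuth": []}],
    "paths": {
        "/api/items/": {
            "get": {},  # inherits the top-level requirement
            "post": {"security": [{"tokenAuth": []}]},
        },
        "/api/items/{id}/": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "delete": {"security": [{"tokenAuth": []}, {}]},  # {} makes auth optional
        },
        "/api/register/": {"post": {"security": []}},  # explicitly public
    },
}


if __name__ == "__main__":
    for op in unauthenticated_operations(SAMPLE_SCHEMA):
        print("no authentication required:", op)
```

A public registration endpoint is expected while REGISTRATION_OPEN is enabled; the value of the list is in spotting anything else that shows up in it, such as an operation where `{}` slipped into the alternatives.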
Here is a list of what is left to be done:
- CSP Headers
- Custom 404 / 500 pages
- Import / Export Horcruxes
- Password / TOTP recovery
- Tests
- User groups sharing ❔
- Themes ❔
- Delegated authentication ❔
- Landing page ❔
- & More
Features marked with ❔ may not be implemented.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.