Documentation
HomeGithubDiscordBlog
  • What is OpenAlgo?
  • OpenAlgo Architecture
  • Mini FOSS Universe
  • Community Support
  • OpenAlgo GPT
  • New Features
    • Fast Scalper
    • API Analyzer
    • Traffic/Latency Monitor
    • Chartink Integration
  • Monetization
  • Connect Brokers
    • Brokers
      • 5Paisa
      • 5paisa (XTS)
      • AliceBlue
      • AngelOne
      • Compositedge
      • Dhan
      • Dhan(Sandbox)
      • Firstock
      • FlatTrade
      • Fyers
      • Groww
      • IIFL (XTS)
      • Jainam Retail (XTS)
      • Jainam Dealer (XTS)
      • Kotak Securities
      • Paytm
      • Pocketful
      • Shoonya
      • Tradejini
      • Upstox
      • Wisdom Capital
      • Zebu
      • Zerodha
  • Installation Guidelines
  • Getting Started
    • Windows Installation
      • Pre-Requesites
      • Setup
      • Install Dependencies
      • Ngrok Config
      • Environmental Variables
      • Start OpenAlgo
      • SSL Verification Failed
      • Accessing OpenAlgo
    • Windows Server Installation
    • Mac OS Installation
      • Pre-Requesties
      • Setup
      • Install Dependencies
      • Ngrok Config
      • Environmental Variables
      • Start OpenAlgo
      • Install certifi
      • Accessing OpenAlgo
    • Amazon Elastic Beanstalk
    • Ubuntu Server Installation
    • Docker Development
    • Testing OpenAlgo in Cloud
    • Upgrade
  • Latency
  • API Documentation
    • V1
      • Accounts API
        • Funds
        • Orderbook
        • Tradebook
        • PositionBook
        • Holdings
      • Orders API
        • Placeorder
        • PlaceSmartOrder
        • BasketOrder
        • SplitOrder
        • ModifyOrder
        • CancelOrder
        • CancelAllOrder
        • ClosePosition
        • OrderStatus
        • OpenPosition
      • Data API
        • Quotes
        • Depth
        • History
        • Intervals
        • Symbol
        • Ticker
      • Websockets
      • Order Constants
      • HTTP Status Codes
      • Rate Limiting
      • API Collections
  • Symbol Format
  • MCP
  • Trading Platform
    • Amibroker
      • AmiQuotes
      • Button Trading Module
      • Button Trading with Split Orders
      • Button Trading with Stoploss
      • SmartOrder Chart Module
      • Trailing Stoploss Execution Module
      • Line Trading Module
      • Equity Exploration Module
      • CSV Exploration Module
      • Options Button Trading Module
      • Spot/Futures to Options Module (Single Leg)
      • Spot/Futures to Options Module (Two Leg)
      • Time Based Execution
    • Tradingview
      • Futures to Options Module
    • ChartInk
    • Python
      • Strategy Management
      • EMA Crossover Strategy
      • EMA Crossover Strategy with Stoploss and Target
      • Supertrend Strategy
      • Supertrend Strategy with yfinance data
      • Voice Based Orders
    • NodeJS
    • Metatrader 5
      • Download & Install Library
      • OpenAlgo MQL5 Functions
      • Include the Header File
      • Sample Expert Advisor
    • Excel
    • Google Spreadsheets
    • N8N
    • Chrome Extension
  • Strategy Management
  • Developers
    • Design Documentation
      • Architecture
      • API Layer
      • Broker Integerations
      • Database Layer
      • Authentication Platforms
      • Configuration
      • Utilities
      • Broker Integration Checklist
  • Change Log
    • Version 1.0.0.25 Launched
    • Version 1.0.0.24 Launched
    • Version 1.0.0.23 Launched
    • Version 1.0.0.22 Launched
    • Version 1.0.0.21 Launched
    • Version 1.0.0.20 Launched
    • Version 1.0.0.19 Launched
    • Version 1.0.0.18 Launched
    • Version 1.0.0.17 Launched
    • Version 1.0.0.16 Launched
    • Version 1.0.0.15 Launched
    • Version 1.0.0.14 Launched
    • Version 1.0.0.13 Launched
    • Version 1.0.0.12 Launched
    • Version 1.0.0.11 Launched
    • Version 1.0.0.10 Launched
    • Version 1.0.0.9 Launched
    • Version 1.0.0.8 Launched
    • Version 1.0.0.7 Launched
    • Version 1.0.0.6 Launched
    • Version 1.0.0.5 Launched
    • Version 1.0.0.4 Launched
    • Version 1.0.0.3 Launched
    • Version 1.0.0.2 Launched
    • Version 1.0.0.1 Launched
    • Version 1.0.0.0 Launched
Powered by GitBook
On this page
  • Platform Authentication & Authorization
  • Authentication Mechanisms
  • Authorization
  • Security Considerations
  1. Developers
  2. Design Documentation

Authentication Platforms

Platform Authentication & Authorization

This section describes how users authenticate with the OpenAlgo platform itself (Web UI and API) and how authorization is managed, distinct from authenticating with external brokers.

Authentication Mechanisms

OpenAlgo supports multiple ways for users/clients to authenticate:

  1. Web UI Session Authentication (Username/Password):

    • Library: Uses Flask-Login (implied by session usage and typical Flask patterns) and Flask-Bcrypt or Argon2 (explicitly used in database/auth_db.py and database/user_db.py) for password hashing.

    • Flow:

      1. User navigates to the login page (/auth/login).

      2. User submits username and password via an HTML form.

      3. The auth.login route in blueprints/auth.py receives the credentials.

      4. authenticate_user function (in database/user_db.py) retrieves the user record and verifies the submitted password against the stored hash (using bcrypt.check_password_hash or ph.verify).

      5. If valid, the username (or user ID) is stored in the Flask session (session['user'] = username).

      6. Subsequent requests from the user's browser include the session cookie, allowing Flask to identify the logged-in user.

    • Session Management: Flask's built-in session management (likely server-side sessions secured by app.secret_key) is used. The @check_session_validity decorator (utils/session.py) is used on protected routes to ensure a user is logged in.

    • Password Reset: A password reset flow involving email and TOTP verification is implemented in auth.reset_password.

  2. API Key Authentication:

    • Purpose: Allows programmatic access to the OpenAlgo API by external applications or scripts.

    • Generation: Users can generate/manage their API keys via the Web UI (/apikey route handled by blueprints/apikey.py). Secure random keys are generated using secrets.token_hex.

    • Storage: API keys are stored securely in the api_keys table (database/auth_db.py):

      • A hash of the key (peppered with API_KEY_PEPPER and hashed using Argon2 ph.hash) is stored for verification (api_key_hash).

      • The key itself is encrypted using Fernet (derived from API_KEY_PEPPER) for potential retrieval/display (api_key_encrypted).

    • Verification: When an API request includes an API key (e.g., in an Authorization header or query parameter), the platform:

      1. Retrieves the corresponding ApiKeys record based on the provided key (potentially requiring a lookup mechanism or verifying against all stored hashes if the key itself isn't indexed directly for lookup).

      2. Uses ph.verify(stored_hash, provided_key + PEPPER) via the verify_api_key function to check if the provided key matches the stored hash.

      3. If valid, the request is authenticated as the associated user_id.

Authorization

Authorization (determining what an authenticated user is allowed to do) appears relatively simple in the current structure:

  • Login Required: Most blueprints/routes likely rely on @check_session_validity or API key verification to ensure a user is authenticated.

  • Role-Based Access Control (RBAC): There is no explicit evidence of a fine-grained RBAC system (e.g., different user roles like 'admin', 'trader', 'viewer'). Authorization seems primarily based on successful authentication – if a user is logged in or provides a valid API key, they likely have access to most features associated with their account.

  • Ownership: Authorization might be implicitly enforced by fetching data scoped to the authenticated user_id (e.g., only retrieving orders or strategies belonging to the logged-in user).

Security Considerations

  • Password Hashing: Strong hashing (Argon2) is used for user passwords.

  • API Key Security: Keys are hashed for verification and encrypted at rest. A pepper is used.

  • Session Security: Flask sessions are signed with app.secret_key. Ensure this key is strong and kept secret.

  • Rate Limiting: Applied to login and password reset endpoints via Flask-Limiter to mitigate brute-force attacks.

  • Input Validation: Handled by Flask-WTF and Flask-RESTX.

PreviousDatabase LayerNextConfiguration

Last updated 1 month ago