ordinary-api 0.6.0-pre.13

API server for Ordinary
<!--
Copyright (C) 2026 Ordinary Labs, LLC.

SPDX-License-Identifier: AGPL-3.0-only
-->

# API Server Registration

This document covers the invite flow for the API Server and its integration with the Ordinary Auth service: how an invite token is minted, how it is spent exactly once, and how the OPAQUE registration that follows it is staged in LMDB.

## Generate Invite Token

The `root` user generates a token via the HTTP API (an Ordinary Action with `privilaged` set to true can also generate invite
tokens programmatically). The token carries an HMAC over its claims and a UUID that Auth records in `invite_db`; the UUID is deleted when the token is first presented, so a token can be spent only once.

```mermaid
sequenceDiagram
    actor C1 as Root
    participant AS as API Server
    participant A as Auth
    participant DB as LMDB
    C1 ->> AS: GET /accounts/invite
    AS -->> AS: validate_domain()
    AS -->> AS: verify_access_token()
    AS -->> AS: check for existing domain
    AS -->> AS: validate_account()
    AS ->> A: account_exists()
    AS ->> A: api_invite_get()
    A -->> A: check against mode
    A -->> A: generate token UUID
    A -->> A: HMAC system/custom claims
    A ->> DB: invite_db: put token UUID (prevent replay)
    A -->> AS: invite_token
    AS -->> C1: invite_token
```

## Site Owner Registration

A Site Owner registering for the first time with their invite token. The invite token is spent before `registration_start()` runs; the OPAQUE server state and invite claims live encrypted in `state_db` only between the start and finish calls, and the MFA secret and recovery codes leave Auth encrypted under an ephemeral shared secret that only the Site Owner can derive.

```mermaid
sequenceDiagram
    actor C2 as Site Owner
    participant AS as API Server
    participant A as Auth
    participant DB as LMDB
    C2 ->> AS: POST /accounts/registration/start
    AS ->> A: check invite_token HMAC
    A ->> DB: invite_db: delete token UUID (prevent replay)
    AS -->> AS: check for existing domain
    AS ->> A: registration_start()
    A -->> A: validate_account()
    A -->> A: validate_invite_claims()
    A ->> DB: check for existing account with same name
    A -->> A: OPAQUE server registration start
    A -->> A: encrypt OPAQUE setup
    A ->> DB: state_db: put encrypted OPAQUE setup/invite_claims
    A -->> AS: OPAQUE server start
    AS -->> C2: OPAQUE server start
    C2 ->> AS: POST /accounts/registration/finish
    AS ->> A: registration_finish()
    A ->> DB: check for existing account with same name
    A -->> A: create and encrypt OPAQUE password file
    A -->> A: generate and encrypt TOTP secret
    A ->> DB: get encrypted OPAQUE setup and invite_claims
    A -->> A: generate and Argon2 recovery codes
    A ->> DB: recovery_db: put Argon2 hashed recovery codes
    A ->> DB: account_db: put OPAQUE setup, MFA secret, password file and invite claims
    A ->> DB: state_db: delete OPAQUE setup and invite claims
    A -->> A: derive an ephemeral shared secret to encrypt MFA secret and recovery codes
    A -->> A: encrypt MFA secret and recovery codes
    A -->> AS: encrypted MFA secret and recovery codes
    AS -->> C2: encrypted MFA secret and recovery codes
    C2 -->> C2: decrypt MFA secret and recovery codes
```