modifications to support JWT auth locally.

2022-10-31 23:08:42 -07:00 · 2022-10-31 23:08:42 -07:00 · f907abf10f
parent 14fae4c748
commit f907abf10f
6 changed files with 101 additions and 109 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -214,3 +214,9 @@ a CDN or minimal Nginx deployment.
 - ng test --include='**/base_client.spec.ts'    
 - ng test --include='lib/**/*.spec.ts'     
 ### How do I change the default encryption key and admin credentials
 - FASTEN_ISSUER_JWT_KEY
 - FASTEN_COUCHDB_ADMIN_USERNAME
 - FASTEN_COUCHDB_ADMIN_PASSWORD
--- a/4
+++ b/4
@ -15,6 +15,10 @@ RUN yarn run build -- --configuration sandbox --output-path=../dist
 # Backend Build
 #########################################################################################################
 FROM golang:1.18 as backend-build
 ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
 ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
 ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
 WORKDIR /go/src/github.com/fastenhealth/fastenhealth-onprem
 COPY . .
--- a/docker/couchdb/Dockerfile
+++ b/docker/couchdb/Dockerfile
@ -4,12 +4,16 @@
 #########################################################################################################
 FROM couchdb:3.2
 ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
 ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
 ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
 ARG S6_ARCH=amd64
 RUN curl https://github.com/just-containers/s6-overlay/releases/download/v1.21.8.0/s6-overlay-${S6_ARCH}.tar.gz -L -s --output /tmp/s6-overlay-${S6_ARCH}.tar.gz \
    && tar xzf /tmp/s6-overlay-${S6_ARCH}.tar.gz -C / \
    && rm -rf /tmp/s6-overlay-${S6_ARCH}.tar.gz
-COPY /docker/couchdb/local.ini /opt/couchdb/etc/local.ini
+COPY /docker/couchdb/fasten.ini /opt/couchdb/etc/local.ini
 COPY /docker/rootfs /
 RUN rm -rf /etc/services.d/fasten #delete the fasten app from the couchdbase container.
--- a/docker/couchdb/fasten.ini
+++ b/docker/couchdb/fasten.ini
@ -0,0 +1,54 @@
 ; CouchDB Configuration Settings
 ; Custom settings should be made in this file. They will override settings
 ; in default.ini, but unlike changes made to default.ini, this file won't be
 ; overwritten on server upgrade.
 [couch_peruser]
 ; fasten requires that each user have a private database. These databases are writable only by the corresponding user.
 ; Databases are in the following form: userdb-{hex encoded username}
 enable = true
 [chttpd_auth]
 ; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
 ; if this option is not disabled, user is prompted with basic auth.
 require_valid_user = false
 [httpd]
 ; enable CORS support, required because the database is hosted on a different node.
 enable_cors = true
 ; ------------------------------------------ DOCKER MODIFICATIONS
 ; ------------------------------------------ DOCKER MODIFICATIONS
 ; ------------------------------------------ DOCKER MODIFICATIONS
 ; ------------------------------------------ DOCKER MODIFICATIONS
 ; always use single node in docker
 [couchdb]
 ;max_document_size = 4294967296 ; bytes
 ;os_process_timeout = 5000
 single_node = true
 ; when running in docker, allow cors for all domains
 ; TODO, we should find a more secure way to do this
 [cors]
 origins = *
 headers = accept, authorization, content-type, origin, referer
 credentials = true
 methods = GET, PUT, POST, HEAD, DELETE
 max_age = 3600
 # make sure the databse is listening to all traffic, not just from localhost within the container.
 [chttpd]
 ;port = 5984
 ;bind_address = 127.0.0.1
 bind_address = 0.0.0.0
 enable_cors = true
 x_forwarded_host = X-Forwarded-Host
 ; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
 ; if this option is not disabled, user is prompted with basic auth.
 require_valid_user = false
 ; fasten uses JWT tokens to authenticate against the database. we override the authentication_handlers to add jwt_authentication_handler
 authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
--- a/docker/couchdb/local.ini
+++ b/docker/couchdb/local.ini
@ -1,108 +0,0 @@
 ; CouchDB Configuration Settings
 ; Custom settings should be made in this file. They will override settings
 ; in default.ini, but unlike changes made to default.ini, this file won't be
 ; overwritten on server upgrade.
 [cors]
 origins = *
 headers = accept, authorization, content-type, origin, referer
 credentials = true
 methods = GET, PUT, POST, HEAD, DELETE
 [couchdb]
 ;max_document_size = 4294967296 ; bytes
 ;os_process_timeout = 5000
 single_node=true
 [couch_peruser]
 ; If enabled, couch_peruser ensures that a private per-user database
 ; exists for each document in _users. These databases are writable only
 ; by the corresponding user. Databases are in the following form:
 ; userdb-{hex encoded username}
 enable = true
 ; If set to true and a user is deleted, the respective database gets
 ; deleted as well.
 ;delete_dbs = true
 ; Set a default q value for peruser-created databases that is different from
 ; cluster / q
 ;q = 1
 [chttpd]
 ;port = 5984
 ;bind_address = 127.0.0.1
 ; Options for the MochiWeb HTTP server.
 ;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
 ; For more socket options, consult Erlang's module 'inet' man page.
 ;socket_options = [{sndbuf, 262144}, {nodelay, true}]
 bind_address = 0.0.0.0
 enable_cors = true
 x_forwarded_host = X-Forwarded-Host
 [httpd]
 ; NOTE that this only configures the "backend" node-local port, not the
 ; "frontend" clustered port. You probably don't want to change anything in
 ; this section.
 ; Uncomment next line to trigger basic-auth popup on unauthorized requests.
 ;WWW-Authenticate = Basic realm="administrator"
 ; Uncomment next line to set the configuration modification whitelist. Only
 ; whitelisted values may be changed via the /_config URLs. To allow the admin
 ; to change this value over HTTP, remember to include {httpd,config_whitelist}
 ; itself. Excluding it from the list would require editing this file to update
 ; the whitelist.
 ;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
 enable_cors = true
 [chttpd_auth]
 ; If you set this to true, you should also uncomment the WWW-Authenticate line
 ; above. If you don't configure a WWW-Authenticate header, CouchDB will send
 ; Basic realm="server" in order to prevent you getting logged out.
 ; require_valid_user = false
 allow_persistent_cookies = true
 ;cookie_domain = localhost:5984
 [ssl]
 ;enable = true
 ;cert_file = /full/path/to/server_cert.pem
 ;key_file = /full/path/to/server_key.pem
 ;password = somepassword
 ; set to true to validate peer certificates
 ;verify_ssl_certificates = false
 ; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
 ;fail_if_no_peer_cert = false
 ; Path to file containing PEM encoded CA certificates (trusted
 ; certificates used for verifying a peer certificate). May be omitted if
 ; you do not want to verify the peer.
 ;cacert_file = /full/path/to/cacertf
 ; The verification fun (optional) if not specified, the default
 ; verification fun will be used.
 ;verify_fun = {Module, VerifyFun}
 ; maximum peer certificate depth
 ;ssl_certificate_max_depth = 1
 ;
 ; Reject renegotiations that do not live up to RFC 5746.
 ;secure_renegotiate = true
 ; The cipher suites that should be supported.
 ; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
 ; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
 ;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
 ; The SSL/TLS versions to support
 ;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
 ; the Virual Host will be redirected to the path. In the example below all requests
 ; to http://example.com/ are redirected to /database.
 ; If you run CouchDB on a specific port, include the port number in the vhost:
 ; example.com:5984 = /database
 [vhosts]
 ;example.com = /database/
 ; To create an admin account uncomment the '[admins]' section below and add a
 ; line in the format 'username = password'. When you next start CouchDB, it
 ; will change the password to a hash (so that your passwords don't linger
 ; around in plain-text files). You can add more admin accounts with more
 ; 'username = password' lines. Don't forget to restart CouchDB after
 ; changing this.
 [admins]
 admin = mysecretpassword
--- a/docker/rootfs/etc/cont-init.d/05-couchdb-config
+++ b/docker/rootfs/etc/cont-init.d/05-couchdb-config
@ -0,0 +1,32 @@
 #!/usr/bin/with-contenv bash
 if [ -f "/opt/couchdb/data/.config_complete" ]; then
    echo "Couchdb config has already completed, skipping"
 else
  FASTEN_ISSUER_JWT_KEY_BASE64=$(echo "${FASTEN_ISSUER_JWT_KEY}" | base64)
 cat << EOF >> /opt/couchdb/etc/local.ini
 ; ------------------------------------------ GENERATED MODIFICATIONS
 ; ------------------------------------------ GENERATED MODIFICATIONS
 ; ------------------------------------------ GENERATED MODIFICATIONS
 ;
 [jwt_auth]
 required_claims = exp, {iss, "docker-fastenhealth"}
 [jwt_keys]
 hmac:_default = ${FASTEN_ISSUER_JWT_KEY_BASE64}
 ; users should change this default password
 [admins]
 ${FASTEN_COUCHDB_ADMIN_USERNAME} = ${FASTEN_COUCHDB_ADMIN_PASSWORD}
 EOF
    # create the config complete flag
    echo "Couchdb config: complete"
    touch /opt/couchdb/data/.config_complete
 fi