modifications to support JWT auth locally.

2022-10-31 23:08:42 -07:00 · 2022-10-31 23:08:42 -07:00 · f907abf10f
parent 14fae4c748
commit f907abf10f
6 changed files with 101 additions and 109 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -214,3 +214,9 @@ a CDN or minimal Nginx deployment.

 - ng test --include='**/base_client.spec.ts'    
 - ng test --include='lib/**/*.spec.ts'     
+
+
+### How do I change the default encryption key and admin credentials
+- FASTEN_ISSUER_JWT_KEY
+- FASTEN_COUCHDB_ADMIN_USERNAME
+- FASTEN_COUCHDB_ADMIN_PASSWORD
--- a/4
+++ b/4
@ -15,6 +15,10 @@ RUN yarn run build -- --configuration sandbox --output-path=../dist
 # Backend Build
 #########################################################################################################
 FROM golang:1.18 as backend-build
+ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
+ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
+ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
+
 WORKDIR /go/src/github.com/fastenhealth/fastenhealth-onprem
 COPY . .

--- a/docker/couchdb/Dockerfile
+++ b/docker/couchdb/Dockerfile
@ -4,12 +4,16 @@
 #########################################################################################################
 FROM couchdb:3.2

+ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
+ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
+ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
+
 ARG S6_ARCH=amd64
 RUN curl https://github.com/just-containers/s6-overlay/releases/download/v1.21.8.0/s6-overlay-${S6_ARCH}.tar.gz -L -s --output /tmp/s6-overlay-${S6_ARCH}.tar.gz \
    && tar xzf /tmp/s6-overlay-${S6_ARCH}.tar.gz -C / \
    && rm -rf /tmp/s6-overlay-${S6_ARCH}.tar.gz

-COPY /docker/couchdb/local.ini /opt/couchdb/etc/local.ini
+COPY /docker/couchdb/fasten.ini /opt/couchdb/etc/local.ini
 COPY /docker/rootfs /
 RUN rm -rf /etc/services.d/fasten #delete the fasten app from the couchdbase container.

--- a/docker/couchdb/fasten.ini
+++ b/docker/couchdb/fasten.ini
@ -0,0 +1,54 @@
+; CouchDB Configuration Settings
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couch_peruser]
+
+; fasten requires that each user have a private database. These databases are writable only by the corresponding user.
+; Databases are in the following form: userdb-{hex encoded username}
+enable = true
+
+[chttpd_auth]
+
+; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
+; if this option is not disabled, user is prompted with basic auth.
+require_valid_user = false
+
+[httpd]
+
+; enable CORS support, required because the database is hosted on a different node.
+enable_cors = true
+
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+
+; always use single node in docker
+[couchdb]
+;max_document_size = 4294967296 ; bytes
+;os_process_timeout = 5000
+single_node = true
+
+; when running in docker, allow cors for all domains
+; TODO, we should find a more secure way to do this
+[cors]
+origins = *
+headers = accept, authorization, content-type, origin, referer
+credentials = true
+methods = GET, PUT, POST, HEAD, DELETE
+max_age = 3600
+
+# make sure the databse is listening to all traffic, not just from localhost within the container.
+[chttpd]
+;port = 5984
+;bind_address = 127.0.0.1
+bind_address = 0.0.0.0
+enable_cors = true
+x_forwarded_host = X-Forwarded-Host
+; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
+; if this option is not disabled, user is prompted with basic auth.
+require_valid_user = false
+; fasten uses JWT tokens to authenticate against the database. we override the authentication_handlers to add jwt_authentication_handler
+authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
--- a/docker/couchdb/local.ini
+++ b/docker/couchdb/local.ini
@ -1,108 +0,0 @@
-; CouchDB Configuration Settings
-
-; Custom settings should be made in this file. They will override settings
-; in default.ini, but unlike changes made to default.ini, this file won't be
-; overwritten on server upgrade.
-
-[cors]
-origins = *
-headers = accept, authorization, content-type, origin, referer
-credentials = true
-methods = GET, PUT, POST, HEAD, DELETE
-
-[couchdb]
-;max_document_size = 4294967296 ; bytes
-;os_process_timeout = 5000
-single_node=true
-
-[couch_peruser]
-; If enabled, couch_peruser ensures that a private per-user database
-; exists for each document in _users. These databases are writable only
-; by the corresponding user. Databases are in the following form:
-; userdb-{hex encoded username}
-enable = true
-; If set to true and a user is deleted, the respective database gets
-; deleted as well.
-;delete_dbs = true
-; Set a default q value for peruser-created databases that is different from
-; cluster / q
-;q = 1
-
-[chttpd]
-;port = 5984
-;bind_address = 127.0.0.1
-; Options for the MochiWeb HTTP server.
-;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
-; For more socket options, consult Erlang's module 'inet' man page.
-;socket_options = [{sndbuf, 262144}, {nodelay, true}]
-bind_address = 0.0.0.0
-enable_cors = true
-x_forwarded_host = X-Forwarded-Host
-
-[httpd]
-; NOTE that this only configures the "backend" node-local port, not the
-; "frontend" clustered port. You probably don't want to change anything in
-; this section.
-; Uncomment next line to trigger basic-auth popup on unauthorized requests.
-;WWW-Authenticate = Basic realm="administrator"
-
-; Uncomment next line to set the configuration modification whitelist. Only
-; whitelisted values may be changed via the /_config URLs. To allow the admin
-; to change this value over HTTP, remember to include {httpd,config_whitelist}
-; itself. Excluding it from the list would require editing this file to update
-; the whitelist.
-;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
-enable_cors = true
-
-[chttpd_auth]
-; If you set this to true, you should also uncomment the WWW-Authenticate line
-; above. If you don't configure a WWW-Authenticate header, CouchDB will send
-; Basic realm="server" in order to prevent you getting logged out.
-; require_valid_user = false
-allow_persistent_cookies = true
-;cookie_domain = localhost:5984
-
-[ssl]
-;enable = true
-;cert_file = /full/path/to/server_cert.pem
-;key_file = /full/path/to/server_key.pem
-;password = somepassword
-; set to true to validate peer certificates
-;verify_ssl_certificates = false
-; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
-;fail_if_no_peer_cert = false
-; Path to file containing PEM encoded CA certificates (trusted
-; certificates used for verifying a peer certificate). May be omitted if
-; you do not want to verify the peer.
-;cacert_file = /full/path/to/cacertf
-; The verification fun (optional) if not specified, the default
-; verification fun will be used.
-;verify_fun = {Module, VerifyFun}
-; maximum peer certificate depth
-;ssl_certificate_max_depth = 1
-;
-; Reject renegotiations that do not live up to RFC 5746.
-;secure_renegotiate = true
-; The cipher suites that should be supported.
-; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
-; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
-;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
-; The SSL/TLS versions to support
-;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
-
-; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
-; the Virual Host will be redirected to the path. In the example below all requests
-; to http://example.com/ are redirected to /database.
-; If you run CouchDB on a specific port, include the port number in the vhost:
-; example.com:5984 = /database
-[vhosts]
-;example.com = /database/
-
-; To create an admin account uncomment the '[admins]' section below and add a
-; line in the format 'username = password'. When you next start CouchDB, it
-; will change the password to a hash (so that your passwords don't linger
-; around in plain-text files). You can add more admin accounts with more
-; 'username = password' lines. Don't forget to restart CouchDB after
-; changing this.
-[admins]
-admin = mysecretpassword
--- a/docker/rootfs/etc/cont-init.d/05-couchdb-config
+++ b/docker/rootfs/etc/cont-init.d/05-couchdb-config
@ -0,0 +1,32 @@
+#!/usr/bin/with-contenv bash
+
+if [ -f "/opt/couchdb/data/.config_complete" ]; then
+    echo "Couchdb config has already completed, skipping"
+else
+
+  FASTEN_ISSUER_JWT_KEY_BASE64=$(echo "${FASTEN_ISSUER_JWT_KEY}" | base64)
+
+
+cat << EOF >> /opt/couchdb/etc/local.ini
+
+; ------------------------------------------ GENERATED MODIFICATIONS
+; ------------------------------------------ GENERATED MODIFICATIONS
+; ------------------------------------------ GENERATED MODIFICATIONS
+;
+[jwt_auth]
+required_claims = exp, {iss, "docker-fastenhealth"}
+
+[jwt_keys]
+hmac:_default = ${FASTEN_ISSUER_JWT_KEY_BASE64}
+
+
+; users should change this default password
+[admins]
+${FASTEN_COUCHDB_ADMIN_USERNAME} = ${FASTEN_COUCHDB_ADMIN_PASSWORD}
+EOF
+
+    # create the config complete flag
+    echo "Couchdb config: complete"
+    touch /opt/couchdb/data/.config_complete
+
+fi