efim
/
go-ssr-pocketbase-oauth-attempt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: efim:eb2b17033550ad18158a74c944fceaad7ffc9987
Branches Tags
efim:main
efim:master
...
compare: efim:2a3d00839fd0a843af1163910860888eef09ef0f
Branches Tags
efim:main
efim:master

2 Commits
eb2b170335 ... 2a3d00839f

Author SHA1 Message Date
efim 2a3d00839f feat: securing the cookies 2023-10-09 04:22:09 +00:00
efim e4c79b2155 refactor: utilizing cool options for nginx 2023-10-09 03:17:47 +00:00
4 changed files with 40 additions and 10 deletions
Show Stats Expand all files Collapse all files

20
auth-notes.org
View File

@ -184,7 +184,7 @@ now works
because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection
*** adding a custom flag: *** adding a custom flag:
https://github.com/pocketbase/pocketbase/discussions/1900 https://github.com/pocketbase/pocketbase/discussions/1900
** TODO change some additional config to option : ** DONE change some additional config to option :
${optionalString config.proxyWebsockets '' ${optionalString config.proxyWebsockets ''
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
@ -192,13 +192,29 @@ https://github.com/pocketbase/pocketbase/discussions/1900
''} ''}
( also in planning poker repo ) ( also in planning poker repo )
https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428
** TODO add docker image from nix ** TODO add docker image from nix
*** CANCELLED add cli for port and host *** CANCELLED add cli for port and host
** TODO add readme and comments ** TODO add readme and comments
** TODO configure tls / ssl / https on franzk deployment ** DONE configure tls / ssl / https on franzk deployment
https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
( and also same here https://nixos.wiki/wiki/Nginx )
can it be configured on render.com? can it be configured on render.com?
omg
line 112 & 113 in project config:
http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
and this in my server config:
https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
this is all that's needed to enable tls
mind blown
** DONE somehow set cookie to httpOnly & secure
with ability to disable for development session
** TODO maybe add middleware so that 401 would be a page, and not json ** TODO maybe add middleware so that 401 would be a page, and not json
** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself? ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
http://localhost:8090/_/images/oauth2/apple.svg http://localhost:8090/_/images/oauth2/apple.svg

3
flake.nix
View File

@ -114,10 +114,9 @@
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
# taken from https://pocketbase.io/docs/going-to-production/ # taken from https://pocketbase.io/docs/going-to-production/
proxyWebsockets = true;
extraConfig = '' extraConfig = ''
# check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
proxy_set_header Connection ''';
proxy_http_version 1.1;
proxy_read_timeout 360s; proxy_read_timeout 360s;
proxy_set_header Host $host; proxy_set_header Host $host;

11
main.go
View File

@ -1,16 +1,21 @@
package main package main
import ( import (
"log" "log"
"strings"
"github.com/pocketbase/pocketbase" "github.com/pocketbase/pocketbase"
"sunshine.industries/auth-pocketbase-attempt/middleware" "sunshine.industries/auth-pocketbase-attempt/middleware"
"sunshine.industries/auth-pocketbase-attempt/pages" "sunshine.industries/auth-pocketbase-attempt/pages"
) )
func main() { func main() {
app := pocketbase.New() app := pocketbase.New()
middleware.AddCookieSessionMiddleware(app)
servedName := app.Settings().Meta.AppUrl
isTlsEnabled := strings.HasPrefix(servedName, "https://")
middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
pages.AddPageRoutes(app) pages.AddPageRoutes(app)
if err := app.Start(); err != nil { if err := app.Start(); err != nil {

16
middleware/auth.go
View File

@ -1,7 +1,9 @@
package middleware package middleware
import ( import (
"log"
"net/http" "net/http"
"github.com/labstack/echo/v5" "github.com/labstack/echo/v5"
"github.com/pocketbase/pocketbase" "github.com/pocketbase/pocketbase"
"github.com/pocketbase/pocketbase/apis" "github.com/pocketbase/pocketbase/apis"
@ -13,7 +15,9 @@ import (
const AuthCookieName = "Auth" const AuthCookieName = "Auth"
func AddCookieSessionMiddleware(app *pocketbase.PocketBase) { func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
log.Println("Warning: starting server with cookie Secure = false!")
app.OnBeforeServe().Add(func(e *core.ServeEvent) error { app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
e.Router.Use(loadAuthContextFromCookie(app)) e.Router.Use(loadAuthContextFromCookie(app))
return nil return nil
@ -25,6 +29,8 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
Name: AuthCookieName, Name: AuthCookieName,
Value: e.Token, Value: e.Token,
Path: "/", Path: "/",
Secure: isTlsEnabled,
HttpOnly: true,
}) })
e.HttpContext.SetCookie(&http.Cookie{ e.HttpContext.SetCookie(&http.Cookie{
Name: "username", Name: "username",
@ -37,10 +43,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
Name: AuthCookieName, Name: AuthCookieName,
Value: e.Token, Value: e.Token,
Path: "/", Path: "/",
Secure: isTlsEnabled,
HttpOnly: true,
}) })
return nil return nil
}) })
app.OnBeforeServe().Add(getLogoutRoute(app)) app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
} }
func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc { func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -84,7 +92,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
} }
// render and return login page with configured oauth providers // render and return login page with configured oauth providers
func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error { func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.ServeEvent) error {
return func (e *core.ServeEvent) error { return func (e *core.ServeEvent) error {
e.Router.GET("/logout", func(c echo.Context) error { e.Router.GET("/logout", func(c echo.Context) error {
c.SetCookie(&http.Cookie{ c.SetCookie(&http.Cookie{
@ -92,6 +100,8 @@ func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
Value: "", Value: "",
Path: "/", Path: "/",
MaxAge: -1, MaxAge: -1,
Secure: isTlsEnabled,
HttpOnly: true,
}) })
c.Response().Header().Add("HX-Trigger", "auth-change-event") c.Response().Header().Add("HX-Trigger", "auth-change-event")
return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"}) return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"})