efim/go-ssr-pocketbase-oauth-attempt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: efim:master
Branches Tags
efim:main efim:master
...
compare: efim:2a3d00839fd0a843af1163910860888eef09ef0f
Branches Tags
efim:main efim:master

6 Commits
master ... 2a3d00839f

Author SHA1 Message Date
efim
2a3d00839f feat: securing the cookies 2023-10-09 04:22:09 +00:00
efim
e4c79b2155 refactor: utilizing cool options for nginx 2023-10-09 03:17:47 +00:00
efim
eb2b170335 feat: attempted allowance for nixos ssl 2023-10-08 20:56:19 +00:00
efim
bfee145b6c fix: removing printlns 
todo - figure out good logging
 2023-10-08 18:42:09 +00:00
efim
c032987952 fix: removing hardcode of js init 2023-10-08 18:23:04 +00:00
efim
ea8d1fab75 feat: adding a license for pushing to repo 2023-10-08 17:00:25 +00:00
7 changed files with 111 additions and 51 deletions
Expand all files Collapse all files

8
LICENSE Normal file
View File

@@ -0,0 +1,8 @@
The MIT License (MIT) Copyright (c) 2023 - present, Efim Nefedov
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

42
auth-notes.org
View File

@@ -148,7 +148,7 @@ and
#+end_src
is what i need for it to pick up pb_data from work directory, cool
** TODO write nixos module
** DONE write nixos module
need to pass data and migration location as params
and address on which to serve, cool
i suppose
@@ -174,16 +174,52 @@ cool
oh, but if i'm using nginx i'll need my own certificate, that makes sence
*** maybe things are ok?
let's try to plaintext deploy?
*** quoting of the '' in multiline string
https://nixos.org/manual/nix/stable/language/values.html
*** not accessible still
sudo journalctl -u nginx --since "1 day ago"
*** oh, i forgot to add subname in gandi ui
now works
*** now i need a way to pass in the hostname
because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection
*** adding a custom flag:
https://github.com/pocketbase/pocketbase/discussions/1900
** DONE change some additional config to option :
${optionalString config.proxyWebsockets ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
''}
( also in planning poker repo )
https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428
** TODO add docker image from nix
*** TODO add cli for port and host
*** CANCELLED add cli for port and host
** TODO add readme and comments
** TODO configure tls / ssl / https on franzk deployment
** DONE configure tls / ssl / https on franzk deployment
https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
( and also same here https://nixos.wiki/wiki/Nginx )
can it be configured on render.com?
omg
line 112 & 113 in project config:
http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
and this in my server config:
https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
this is all that's needed to enable tls
mind blown
** DONE somehow set cookie to httpOnly & secure
with ability to disable for development session
** TODO maybe add middleware so that 401 would be a page, and not json
** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
http://localhost:8090/_/images/oauth2/apple.svg
yes.
** TODO read and add ok logging
** TODO figure out and enbale migrations
https://pocketbase.io/docs/go-migrations/#enable-go-migrations

54
flake.nix
View File

@@ -42,8 +42,8 @@
nixosModules.auth-pocketbase-attempt = { config, pkgs, ... }:
let
cfg = config.services.${pname};
lib = pkgs.lib;
shortName = "pb-auth-example-group";
lib = nixpkgs.lib;
shortName = "pb-auth-example-app";
in {
options.services.${pname} = {
enable = lib.mkEnableOption
@@ -70,17 +70,27 @@
description =
"Whether pocketbase should serve on https and issue own certs. Main case for true - when not under nginx";
};
useHostTls = lib.mkOption {
type = lib.types.bool;
default = false;
description =
"Whether virtual host should enable NixOS ACME certs";
};
};
config = lib.mkIf cfg.enable {
users.groups."${shortName}-group" = { };
users.users."${shortName}-user" = {
isSystemUser = true;
group = "${shortName}-group";
config = let
username = "${shortName}-user";
groupname = "${shortName}-group";
in lib.mkIf cfg.enable {
users.groups."${groupname}" = { };
users.users."${username}" = {
isNormalUser = true; # needed to allow for home dir
group = "${groupname}";
};
systemd.services.${shortName} = let
protocol = if cfg.usePbTls then "https" else "http";
serverHost = if cfg.useNginx then "127.0.0.1" else cfg.host;
servedAddress = "${protocol}://${serverHost}:${cfg.port}";
serveCliArg =
"--${protocol} ${serverHost}:${toString cfg.port}";
in {
description = "Exercise app ${pname}";
wantedBy = [ "multi-user.target" ];
@@ -89,12 +99,32 @@
startLimitBurst = 10;
serviceConfig = {
ExecStart =
"${packages.auth-pocketbase-attempt}/bin/${pname} serve ${servedAddress} --dir=/home/${
config.users.users."${shortName}-user"
"${packages.auth-pocketbase-attempt}/bin/${pname} serve ${serveCliArg} --dir=/home/${
"${username}"
}";
Restart = "on-failure";
User = "${shortName}-user";
Group = "${shortName}-group";
User = "${username}";
Group = "${groupname}";
};
};
services.nginx = lib.mkIf cfg.useNginx {
virtualHosts.${cfg.host} = {
forceSSL = cfg.useHostTls;
enableACME = cfg.useHostTls;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
# taken from https://pocketbase.io/docs/going-to-production/
proxyWebsockets = true;
extraConfig = ''
# check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
proxy_read_timeout 360s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
};

11
main.go
View File

@@ -1,16 +1,21 @@
package main
import (
"log"
"log"
"strings"
"github.com/pocketbase/pocketbase"
"github.com/pocketbase/pocketbase"
"sunshine.industries/auth-pocketbase-attempt/middleware"
"sunshine.industries/auth-pocketbase-attempt/pages"
)
func main() {
app := pocketbase.New()
middleware.AddCookieSessionMiddleware(app)
servedName := app.Settings().Meta.AppUrl
isTlsEnabled := strings.HasPrefix(servedName, "https://")
middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
pages.AddPageRoutes(app)
if err := app.Start(); err != nil {

40
middleware/auth.go
View File

@@ -1,9 +1,9 @@
package middleware
import (
"fmt"
"log"
"net/http"
"github.com/labstack/echo/v5"
"github.com/pocketbase/pocketbase"
"github.com/pocketbase/pocketbase/apis"
@@ -15,7 +15,9 @@ import (
const AuthCookieName = "Auth"
func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
log.Println("Warning: starting server with cookie Secure = false!")
app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
e.Router.Use(loadAuthContextFromCookie(app))
return nil
@@ -23,14 +25,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
// fires for every auth collection
app.OnRecordAuthRequest().Add(func(e *core.RecordAuthEvent) error {
log.Println(e.HttpContext)
log.Println(e.Record)
log.Println(e.Token)
log.Println(e.Meta)
e.HttpContext.SetCookie(&http.Cookie{
Name: AuthCookieName,
Value: e.Token,
Path: "/",
Secure: isTlsEnabled,
HttpOnly: true,
})
e.HttpContext.SetCookie(&http.Cookie{
Name: "username",
@@ -39,17 +39,16 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
return nil
})
app.OnAdminAuthRequest().Add(func(e *core.AdminAuthEvent) error {
log.Println(e.HttpContext)
log.Println(e.Admin)
log.Println(e.Token)
e.HttpContext.SetCookie(&http.Cookie{
Name: AuthCookieName,
Value: e.Token,
Path: "/",
Secure: isTlsEnabled,
HttpOnly: true,
})
return nil
})
app.OnBeforeServe().Add(getLogoutRoute(app))
app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
}
func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@@ -74,14 +73,6 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
if err == nil && admin != nil {
// "authenticate" the admin
c.Set(apis.ContextAdminKey, admin)
someData := struct {
username string
email string
} {
admin.Email,
admin.Created.String(),
}
fmt.Printf("triggering the middlewar for cookie %v and err %v\n", someData, err)
}
case tokens.TypeAuthRecord:
@@ -92,15 +83,6 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
if err == nil && record != nil {
// "authenticate" the app user
c.Set(apis.ContextAuthRecordKey, record)
someData := struct {
username string
email string
} {
record.Username(),
record.Email(),
}
fmt.Printf("triggering the middlewar for cookie %v and err %v\n", someData, err)
}
}
@@ -110,7 +92,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
}
// render and return login page with configured oauth providers
func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.ServeEvent) error {
return func (e *core.ServeEvent) error {
e.Router.GET("/logout", func(c echo.Context) error {
c.SetCookie(&http.Cookie{
@@ -118,6 +100,8 @@ func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
Value: "",
Path: "/",
MaxAge: -1,
Secure: isTlsEnabled,
HttpOnly: true,
})
c.Response().Header().Add("HX-Trigger", "auth-change-event")
return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"})

4
pages/pageRoutes.go
View File

@@ -3,7 +3,6 @@ package pages
import (
"bytes"
"embed"
"fmt"
"html/template"
"math/rand"
"net/http"
@@ -47,8 +46,6 @@ func getIndexPageRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error
record := info.AuthRecord // nil if not authenticated as regular auth record
isGuest := admin == nil && record == nil
coolMessage := fmt.Sprintf("got admin %v and record %v. is guest: %t", admin, record, isGuest)
fmt.Print(coolMessage)
username := ""
switch {
@@ -65,7 +62,6 @@ func getIndexPageRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error
oauthProviderNames = append(oauthProviderNames, name)
}
}
fmt.Printf(">> enabled providers names %+v\n", oauthProviderNames)
indexPageData := struct {
IsGuest, IsAdmin bool

3
pages/templates/base.gohtml
View File

@@ -46,7 +46,8 @@
</dialog>
<script defer type="text/javascript">
async function callOauth(providerName) {
const pb = new PocketBase("http://127.0.0.1:8090");
const baseUrl = window.location.protocol + "//" + window.location.host;
const pb = new PocketBase(baseUrl);
// This method initializes a one-off realtime subscription and will
// open a popup window with the OAuth2 vendor page to authenticate.