Implicit secret key (#44)
ciur authored Nov 16, 2024
1 parent 488797d commit e190a6f
Showing 4 changed files with 29 additions and 86 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,13 @@
# Changelog

## 1.0 - 2024-11-16

- Use python 3.13
- Restructure project to use similar layout as core
- Use Mantine + vite for UI
- Use Docker alpine images
- Use typer for CLI interface

## 0.9.0 - 2024-04-07

- Support for scopes/permissions/groups
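Review bot: the `## 1.0 - 2024-11-16` entry does not mention this commit's own change, the auto-generated default for PAPERMERGE__SECURITY__SECRET_KEY. Since that changes how tokens behave across restarts and replicas, add a bullet such as `- Generate a random secret key when PAPERMERGE__SECURITY__SECRET_KEY is not set` so operators reading the changelog know the variable is no longer required but still matters.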
92 changes: 10 additions & 82 deletions README.md
@@ -17,82 +17,18 @@ cryptographically signed JWT access token.
JWT token is delivered to the client as http response payload (json format)
and as cookie.

![Authentication Server](./images/screenshot.png)

## Usage

Auth-server is configured only via environment variables.
The only required parameter you need to provide it secret key (used to sign tokens):

```
version: "3.9"
services:
web:
image: papermerge/auth-server
ports:
- "7000:80"
environment:
PAPERMERGE__SECURITY__SECRET_KEY: <your secret string>
```

If no other settings are provided, it will be assumed authentication against
credentials stored in database. Default database is "sqlite:////db/db.sqlite3".
Optionally you can choose to store credentials in PostgreSQL database:

```
version: "3.9"
services:
web:
image: papermerge/auth-server
ports:
- "7000:80"
environment:
PAPERMERGE__SECURITY__SECRET_KEY: <your secret string>
PAPERMERGE__DATABASE__URL: postgresql://postgres:123@db:5432/postgres
depends_on:
- db
db:
image: bitnami/postgresql:14.4.0
volumes:
- postgres_data:/var/lib/postgresql/data/
environment:
- POSTGRES_PASSWORD=123
volumes:
postgres_data:
```

For MySql/MariaDB use `mysql` scheme. For example:

PAPERMERGE__DATABASE__URL: mysql://user:password@127.0.0.1:3306/mydatabase

And docker compose file would look like:

```
version: "3.9"
services:
web:
image: papermerge/auth-server
ports:
- "7000:80"
environment:
PAPERMERGE__SECURITY__SECRET_KEY: <your secret string>
PAPERMERGE__DATABASE__URL: mysql://user:[email protected]:3306/mydatabase
depends_on:
- db
db:
image: mariadb:11.2
volumes:
- maria:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: password
MYSQL_DATABASE: mydatabase
MYSQL_USER: user
MYSQL_PASSWORD: password
ports:
- 3306:3306
volumes:
maria:
```
To start backend server:

$ poetry run task server

To start frontend (in dev mode):

$ cd ui2
$ yarn dev

Use nginx.conf (from the root folder) to play.

In order to enable authentication via OIDC provider you need to
provide following environment variables:
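Review bot: deleting the whole `## Usage` section removes the only documentation of PAPERMERGE__SECURITY__SECRET_KEY and PAPERMERGE__DATABASE__URL without replacing it. With the new default the key becomes a random value per process, so a deployment that omits the variable issues tokens that a restarted container or a second replica cannot verify. Keep a short note saying that `PAPERMERGE__SECURITY__SECRET_KEY` may be omitted for local development but must be set explicitly (and shared) for any restart-tolerant or multi-instance deployment, and that the database URL defaults to `sqlite:////db/db.sqlite3`. The added line `Use nginx.conf (from the root folder) to play.` also needs a sentence on what that config proxies and on which port, otherwise a new reader cannot use it.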
@@ -112,14 +48,6 @@ You need to provider all five values.
Above value should be same as in field "Authorized redirect URI" when
registering oauth2 client.

You can also start the auth server with poetry:

$ poetry run uvicorn auth_server.main:app \
--host 0.0.0.0 \
--port 8000 \
--reload \
--log-config etc/logging.yml
--log-level info

Application providers one single endpoint `POST /token` which return jwt access
token. There two valid options for using `POST /token` endpoint:
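Review bot: the removed uvicorn invocation also drops the only mention of `--log-config etc/logging.yml` (as a side note, that line had no trailing backslash, so `--log-level info` was never part of the command as written). If `poetry run task server` is the replacement, document what it wraps (host, port, `--reload`, logging config) so operators can still override those values. The context line `Application providers one single endpoint` has a typo (`provides`) that could be fixed while this section is being touched.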
15 changes: 11 additions & 4 deletions auth_server/config.py
@@ -1,5 +1,8 @@
import logging
import secrets


from pydantic import Field
from functools import lru_cache
from enum import Enum

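Review bot: style: `import secrets` followed by two blank lines and then `from pydantic import Field` splits the import block oddly, and the standard-library imports `functools` and `enum` now sit below a third-party import. Group `logging`, `secrets`, `functools` and `enum` together, then a single blank line, then the `pydantic` imports.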
@@ -9,6 +12,10 @@
logger = logging.getLogger(__name__)


def generate_secret():
return secrets.token_hex(32)


class Algs(str, Enum):
HS256 = "HS256"
HS384 = "HS384"
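Review bot: `generate_secret()` uses the right primitive (`secrets.token_hex(32)` yields 256 bits from the OS CSPRNG, which matches the HS256 default), but it runs silently. Since a generated key is only valid for the lifetime of this process, emit a `logger.warning(...)` from it stating that PAPERMERGE__SECURITY__SECRET_KEY is unset and that issued tokens will not survive a restart; the `logger` defined just above this hunk is already available. That makes the condition visible in the logs instead of showing up later as unexplained 401 responses.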
@@ -22,10 +29,10 @@ class Algs(str, Enum):


class Settings(BaseSettings):
papermerge__security__secret_key: str
papermerge__security__secret_key: str = Field(default_factory=generate_secret)
papermerge__security__token_algorithm: Algs = Algs.HS256
papermerge__security__token_expire_minutes: int = 360
papermerge__security__cookie_name: str = 'access_token'
papermerge__security__cookie_name: str = "access_token"

# database where to read user table from
papermerge__database__url: str = "sqlite:////db/db.sqlite3"
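Review bot: logic: `Field(default_factory=generate_secret)` turns a previously required setting into one that silently differs per process. Because this key signs every token, a container restart invalidates all sessions, and two replicas behind a load balancer reject each other's tokens (any scale-out of the docker-compose deployments removed from README.md in this same commit would hit this). If the implicit key is intended for development only, consider gating it on a dev/debug setting or, at minimum, documenting the limitation next to the field with a comment such as `# random per process when unset; set explicitly for production`. The `cookie_name` quote change in this hunk is unrelated formatting.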
@@ -41,10 +48,10 @@ class Settings(BaseSettings):
# e.g. uid={username},ou=People,dc=ldap,dc=trusel,dc=net
papermerge__auth__ldap_user_dn_format: str | None = None
# LDAP Entry attribute name for the email
papermerge__auth__ldap_email_attr: str = 'mail'
papermerge__auth__ldap_email_attr: str = "mail"
# if there is an error retrieving ldap_email_attr, the
# fallback user email will be set to username@<email-domain-fallback>
papermerge__auth__ldap_user_email_domain_fallback: str = 'example-ldap.com'
papermerge__auth__ldap_user_email_domain_fallback: str = "example-ldap.com"


@lru_cache()
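Review bot: this hunk only normalizes single to double quotes on `ldap_email_attr` and `ldap_user_email_domain_fallback`; it is unrelated to the implicit secret key and would be easier to review as a separate formatting commit, or by adding a formatter configuration so such churn does not recur.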
Binary file removed images/screenshot.png

0 comments on commit e190a6f