-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: make rafiki admin auth optional #2883
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
c23fe28
feat: make rafiki admin auth optional
JoblersTune a8e8aeb
chore: formatting
JoblersTune 58b62db
chore: README tweaks
JoblersTune ce5d245
fix: incorrect number of args to new func name in recovery flow
JoblersTune 1e91c2d
fix: logout page should be accessible for logged in users
JoblersTune 32fa66c
fix: logic error in route handling
JoblersTune adbb734
chore: added clarity to the redirect functionality
JoblersTune 715fe11
chore: added fix to the redirect functionality
JoblersTune File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -255,11 +255,9 @@ Note that you have to go through an interaction flow by clicking on the `redirec | |
|
|
||
| #### Admin UI | ||
|
|
||
| In order to manage, and view information about the Rafiki instance(s) you can use the [Rafiki Admin](../packages/frontend/README.md) UI. We have secured access to Rafiki Admin using [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro). Since access to the UI is on an invitation-only basis the registration flow is not publicly available. As such, in order to access Rafiki Admin you can click the registration link provided in the logs during `localenv` startup or you can manually add a new user with the invite-user script. Run `docker exec -it <admin-container-name> npm run invite-user -- [email protected]` and it will output a link to the terminal. Copy and paste this link in your browser and you will automatically be logged in and directed to the account settings page. The next step is changing your password. We're using a simple email and password authentication method. | ||
| In order to manage and view information about the Rafiki instance(s) you can use the [Rafiki Admin](https://rafiki.dev/rafikiadmin/overview/) UI. We have secured access to Rafiki Admin using [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro); however, in our local playground setup we've chosen to disable authorization for easier development and testing interactions. | ||
|
|
||
| Note that a separate registration is required for Cloud Nine Wallet's Rafiki Admin and Happy Life Bank's Rafiki Admin, since they are each designed to run as separate mock account servicing entities. Once you've registered, you can always come back to your Rafiki Admin account by navigating to [`localhost:3010`](http://localhost:3010) (Cloud Nine Wallet) or [`localhost:4010`](http://localhost:4010) (Happy Life Bank) and logging in. | ||
|
|
||
| You can test the account recovery flow by clicking "Forgot pasword?" on the login page and by navigating to [`localhost:4436`](http://localhost:4436) (Mailslurper interface). | ||
| If you'd like to enable authorization locally you can run `pnpm localenv:compose:adminauth up` and check out the setup in the [`admin-auth`](./admin-auth/) subdirectory. Note that, if authorization is enabled, you must register separately for Cloud Nine Wallet's Rafiki Admin and Happy Life Bank's Rafiki Admin, as they are intended to operate as distinct mock account servicing entities. Once you've registered, you can always come back to your Rafiki Admin account by navigating to [`localhost:3010`](http://localhost:3010) (Cloud Nine Wallet) or [`localhost:4010`](http://localhost:4010) (Happy Life Bank) and logging in. Since access to the UI is on an invitation-only basis the registration flow is not publicly available. As such, in order to access Rafiki Admin you can manually add a new user with the invite-user script. Run `docker exec -it <admin-container-name> npm run invite-user -- [email protected]`, and it will output a link to the terminal. Copy and paste this link in your browser and you will automatically be logged in and directed to the account settings page. The next step is changing your password. We are using a simple email and password authentication method. | ||
|
|
||
| #### Admin APIs | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| version: v0.13.0 | ||
|
|
||
| dsn: postgres://cloud_nine_kratos:kratos_password@shared-database:5432/cloud_nine_kratos?sslmode=disable&max_conns=20&max_idle_conns=4 | ||
|
|
||
| serve: | ||
| public: | ||
| base_url: http://localhost:4433/ | ||
| cors: | ||
| enabled: true | ||
| admin: | ||
| base_url: http://cloud-nine-kratos:4434/ | ||
|
|
||
| selfservice: | ||
| default_browser_return_url: http://localhost:3010/ | ||
| allowed_return_urls: | ||
| - http://localhost:3010 | ||
|
|
||
| methods: | ||
| link: | ||
| config: | ||
| lifespan: 1h | ||
| base_url: http://localhost:4433 | ||
| enabled: true | ||
| password: | ||
| enabled: true | ||
|
|
||
| flows: | ||
| error: | ||
| ui_url: http://localhost:3010/error | ||
|
|
||
| settings: | ||
| ui_url: http://localhost:3010/settings | ||
| privileged_session_max_age: 15m | ||
| required_aal: highest_available | ||
|
|
||
| recovery: | ||
| enabled: true | ||
| ui_url: http://localhost:3010/auth/recovery | ||
| use: link | ||
| after: | ||
| hooks: | ||
| - hook: revoke_active_sessions | ||
|
|
||
| verification: | ||
| enabled: false | ||
|
|
||
| logout: | ||
| after: | ||
| default_browser_return_url: http://localhost:3010/auth | ||
|
|
||
| login: | ||
| ui_url: http://localhost:3010/auth/login | ||
| lifespan: 10m | ||
|
|
||
| registration: | ||
| enabled: false | ||
|
|
||
| log: | ||
| level: debug | ||
| format: json | ||
| leak_sensitive_values: true | ||
|
|
||
| secrets: | ||
| cookie: | ||
| - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE | ||
| cipher: | ||
| - 32-LONG-SECRET-NOT-SECURE-AT-ALL | ||
|
|
||
| ciphers: | ||
| algorithm: xchacha20-poly1305 | ||
|
|
||
| hashers: | ||
| algorithm: bcrypt | ||
| bcrypt: | ||
| cost: 8 | ||
|
|
||
| identity: | ||
| schemas: | ||
| - id: default | ||
| url: file:///etc/config/kratos/identity.schema.json | ||
|
|
||
| courier: | ||
| smtp: | ||
| connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true | ||
|
|
||
| session: | ||
| lifespan: 1h | ||
| cookie: | ||
| persistent: false | ||
| same_site: Strict | ||
| path: / |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| CREATE USER cloud_nine_wallet_backend WITH PASSWORD 'cloud_nine_wallet_backend'; | ||
| CREATE DATABASE cloud_nine_wallet_backend; | ||
| ALTER DATABASE cloud_nine_wallet_backend OWNER TO cloud_nine_wallet_backend; | ||
|
|
||
| CREATE USER cloud_nine_wallet_auth WITH PASSWORD 'cloud_nine_wallet_auth'; | ||
| CREATE DATABASE cloud_nine_wallet_auth; | ||
| ALTER DATABASE cloud_nine_wallet_auth OWNER TO cloud_nine_wallet_auth; | ||
|
|
||
| CREATE USER happy_life_bank_backend WITH PASSWORD 'happy_life_bank_backend'; | ||
| CREATE DATABASE happy_life_bank_backend; | ||
| ALTER DATABASE happy_life_bank_backend OWNER TO happy_life_bank_backend; | ||
|
|
||
| CREATE USER happy_life_bank_auth WITH PASSWORD 'happy_life_bank_auth'; | ||
| CREATE DATABASE happy_life_bank_auth; | ||
| ALTER DATABASE happy_life_bank_auth OWNER TO happy_life_bank_auth; | ||
|
|
||
| CREATE USER happy_life_kratos WITH PASSWORD 'kratos_password'; | ||
| CREATE DATABASE happy_life_kratos; | ||
| ALTER DATABASE happy_life_kratos OWNER TO happy_life_kratos; | ||
|
|
||
| CREATE USER cloud_nine_kratos WITH PASSWORD 'kratos_password'; | ||
| CREATE DATABASE cloud_nine_kratos; | ||
| ALTER DATABASE cloud_nine_kratos OWNER TO cloud_nine_kratos; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| services: | ||
| cloud-nine-admin: | ||
| environment: | ||
| AUTH_ENABLED: true | ||
| KRATOS_CONTAINER_PUBLIC_URL: 'http://cloud-nine-kratos:4433' | ||
| KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4433' | ||
| KRATOS_ADMIN_URL: 'http://cloud-nine-kratos:4434/admin' | ||
| depends_on: | ||
| - cloud-nine-backend | ||
| - cloud-nine-kratos | ||
|
|
||
| happy-life-admin: | ||
| environment: | ||
| AUTH_ENABLED: true | ||
| KRATOS_CONTAINER_PUBLIC_URL: 'http://happy-life-kratos:4433' | ||
| KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4432' | ||
| KRATOS_ADMIN_URL: 'http://happy-life-kratos:4434/admin' | ||
| depends_on: | ||
| - cloud-nine-admin | ||
| - happy-life-backend | ||
| - happy-life-kratos | ||
|
|
||
| cloud-nine-kratos: | ||
| build: | ||
| context: ../.. | ||
| dockerfile: ./packages/frontend/kratos/Dockerfile | ||
| args: | ||
| PATH_TO_KRATOS_CONFIG: ./localenv/admin-auth/cloud-nine-kratos.yml | ||
| depends_on: | ||
| - shared-database | ||
| - mailslurper | ||
| environment: | ||
| DEV_MODE: true | ||
| ports: | ||
| - "4433:4433" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| happy-life-kratos: | ||
| build: | ||
| context: ../.. | ||
| dockerfile: ./packages/frontend/kratos/Dockerfile | ||
| args: | ||
| PATH_TO_KRATOS_CONFIG: ./localenv/admin-auth/happy-life-kratos.yml | ||
| depends_on: | ||
| - shared-database | ||
| - mailslurper | ||
| environment: | ||
| DEV_MODE: true | ||
| ports: | ||
| - "4432:4433" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| mailslurper: | ||
| image: oryd/mailslurper:latest-smtps | ||
| ports: | ||
| - "4436:4436" | ||
| - "4437:4437" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| shared-database: | ||
| volumes: | ||
| - ../admin-auth/dbinit.sql:/docker-entrypoint-initdb.d/init.sql |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| version: v0.13.0 | ||
|
|
||
| dsn: postgres://happy_life_kratos:kratos_password@shared-database:5432/happy_life_kratos?sslmode=disable&max_conns=20&max_idle_conns=4 | ||
|
|
||
| serve: | ||
| public: | ||
| base_url: http://localhost:4432/ | ||
| cors: | ||
| enabled: true | ||
| admin: | ||
| base_url: http://happy-life-kratos:4434/ | ||
|
|
||
| selfservice: | ||
| default_browser_return_url: http://localhost:4010/ | ||
| allowed_return_urls: | ||
| - http://localhost:4010 | ||
|
|
||
| methods: | ||
| link: | ||
| config: | ||
| lifespan: 1h | ||
| base_url: http://localhost:4432 | ||
| enabled: true | ||
| password: | ||
| enabled: true | ||
|
|
||
| flows: | ||
| error: | ||
| ui_url: http://localhost:4010/error | ||
|
|
||
| settings: | ||
| ui_url: http://localhost:4010/settings | ||
| privileged_session_max_age: 15m | ||
| required_aal: highest_available | ||
|
|
||
| recovery: | ||
| enabled: true | ||
| ui_url: http://localhost:4010/auth/recovery | ||
| use: link | ||
| after: | ||
| hooks: | ||
| - hook: revoke_active_sessions | ||
|
|
||
| verification: | ||
| enabled: false | ||
|
|
||
| logout: | ||
| after: | ||
| default_browser_return_url: http://localhost:4010/auth | ||
|
|
||
| login: | ||
| ui_url: http://localhost:4010/auth/login | ||
| lifespan: 10m | ||
|
|
||
| registration: | ||
| enabled: false | ||
|
|
||
| log: | ||
| level: debug | ||
| format: json | ||
| leak_sensitive_values: true | ||
|
|
||
| secrets: | ||
| cookie: | ||
| - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE | ||
| cipher: | ||
| - 32-LONG-SECRET-NOT-SECURE-AT-ALL | ||
|
|
||
| ciphers: | ||
| algorithm: xchacha20-poly1305 | ||
|
|
||
| hashers: | ||
| algorithm: bcrypt | ||
| bcrypt: | ||
| cost: 8 | ||
|
|
||
| identity: | ||
| schemas: | ||
| - id: default | ||
| url: file:///etc/config/kratos/identity.schema.json | ||
|
|
||
| courier: | ||
| smtp: | ||
| connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true | ||
|
|
||
| session: | ||
| lifespan: 1h | ||
| cookie: | ||
| persistent: false | ||
| same_site: Strict | ||
| path: / |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@melissahenderson the local playground changes would be something along these lines.