[STALE] Enforce signup and login only via campus network #20

Open: wants to merge 20 commits into base: main
20 commits
16090a0 reformat nginx config (proffapt, Jul 2, 2024)
a7bdda6 Merge branch 'main' into enforce-campus-login (proffapt, Jul 2, 2024)
e3a6c69 feat: restrict login to campus network (proffapt, Jul 2, 2024)
29928c6 fix: restrict only post request for /v1/account/token (proffapt, Jul 2, 2024)
f3fe644 fix: prev commit was a mistake; i need sleep (proffapt, Jul 2, 2024)
fe47fbe docs(guide): user log-out process for webapp (proffapt, Jul 3, 2024)
1fce684 docs(guide): account removal guide for mobile (proffapt, Jul 3, 2024)
34b3992 feat: restrict signup to campus network (proffapt, Jul 3, 2024)
d7052f9 feat: map logs to standard output to support docker logs (proffapt, Jul 3, 2024)
f43f545 Merge branch 'main' into enforce-campus-login (proffapt, Jul 3, 2024)
968bf51 Merge branch 'main' into enforce-campus-login (proffapt, Jul 3, 2024)
19d0023 Merge branch 'main' into enforce-campus-login (proffapt, Jul 3, 2024)
7281b3d Merge branch 'main' into enforce-campus-login (proffapt, Jul 4, 2024)
d6b6ba3 Merge branch 'main' into enforce-campus-login (proffapt, Jul 6, 2024)
a71974b Merge branch 'main' into enforce-campus-login (proffapt, Jul 10, 2024)
63a214b Merge branch 'main' into enforce-campus-login (proffapt, Jul 18, 2024)
ffff2e9 feat: added variations for [un]restricting login on campus network (proffapt, Jul 18, 2024)
0ef914b Merge branch 'main' into enforce-campus-login (proffapt, Jul 18, 2024)
2ee38b7 Merge branch 'main' into enforce-campus-login (proffapt, Aug 13, 2024)
c407774 Merge branch 'main' into enforce-campus-login (proffapt, Aug 13, 2024)
44 changes: 43 additions & 1 deletion SUBSCRIPTION_INSTRUCTION.md
@@ -22,7 +22,7 @@ Narada (Sanskrit: नारद, IAST: Nārada), or Narada Muni, is a sage-divini

## User Registration

1. Visit [Naarad Signup](https://naarad.metakgp.org/signup) page
1. Visit [Naarad Signup](https://naarad-signup.metakgp.org/) page
2. You will be prompted to enter your institute email
3. Once email is entered, you will receive a verification OTP on the provided email
4. Enter the OTP in the available field and click the `Verify` button
@@ -190,3 +190,45 @@ Here are the general tutorials, to unrestrict background app activity:
<div align="center">
<img src="https://github.com/metakgp/naarad/assets/86282911/647f290d-51e8-4340-8033-61e47e326f74">
</div>

## Enforced Campus Signup and Login

Since, CDC period (for internships) starts during the summer vacations and majority of the students are not on campus during that time, [singup](#user-registration) and [login](#user-login) are open from any network. One day after the **CDC travel window** is over, following changes are implemented:
- User database is deleted
- __User Signup & Login__ are restricted, to be possible only via campus network
- Once signed up and logged in, via campus network, the app is functional on all networks

> [!Warning]
> Make sure you are connected to campus network, before following ahead in the documentation.

Users have to initiate the registration process again and receive new credentials. This time, just visit [https://naarad.metakgp.org/signup](https://naarad-signup.metakgp.org). You will receive the new credentials on your institute email within a few seconds.

It's now time to re-login with your new credentials, in-order to do that first remove the previous sessions from your webapp and app.

### Webapp

1. Click on the account icon on top right corner
2. Logout the current user
3. Visit [Naarad Login](https://naarad.metakgp.org/login)

<div align="center">
<img src="https://github.com/metakgp/naarad/assets/86282911/d20e5684-4831-439e-a81c-28a7f23aff9c">
</div>

### Mobile

1. Press the _three-dots_ on the top-right corner
2. Choose the `Settings` option from the context-menu
3. Select the `Manage Users` property in the _General_ section below
4. Press on the user corresponding to your institute email (auto-generated username, which you received on your email)
5. A dialogue will appear there, select the `Delete User` button
6. Now go back to the home screen, select the `kgp-mftp` topic and press the _three-dots_ there on the top-right corner
7. Choose the `Unsubscribe` option from the context-menu
8. A dialogue will appear the, select the `Delete Permanently`buttonthere
9. Now that the user has been removed properly, follow the [Subscribing to MFTP](#subscribing-to-mftp) section once again while being connected to the campus network

| ![](https://github.com/metakgp/naarad/assets/86282911/34a7e162-68b0-454e-98a5-b61bac62e898) | ![](https://github.com/metakgp/naarad/assets/86282911/4beb8bf5-bc28-4164-a4a4-f05f04644fe9) |
| ---------------------------------- | -------------------------------- |
| ![](https://github.com/metakgp/naarad/assets/86282911/6606ee7e-030f-48ec-b886-fe143bcbcbb7) | ![](https://github.com/metakgp/naarad/assets/86282911/3ed6ec9a-b57d-441c-8933-3365ebeba287) |
| ![](https://github.com/metakgp/naarad/assets/86282911/0829d4d6-fc88-4d24-8dbb-75810e800c40) | ![](https://github.com/metakgp/naarad/assets/86282911/cfb77e27-0e93-4897-9480-1530eaa67e38) |
| ![](https://github.com/metakgp/naarad/assets/86282911/8f366eb4-0cfb-4ee5-a272-8c0efe362d59) | ![](https://github.com/metakgp/naarad/assets/86282911/461f550d-9148-43a1-bc24-c29f1b47b271) |
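Review bot: the new section ships with wording and link defects that users will trip over: the first paragraph links `[singup](#user-registration)` (should be `signup`); the re-registration sentence shows `https://naarad.metakgp.org/signup` as link text while the target is `https://naarad-signup.metakgp.org`, so either make the text match the target or reuse the in-page anchor; and step 8 of the Mobile list is garbled (`A dialogue will appear the, select the `Delete Permanently`buttonthere`). It would also help to say, next to "User database is deleted", why the app keeps working off campus afterwards: in the nginx changes only the login, `/<topic>/auth` and `/v1/account/token` routes are campus-gated, while `/<topic>/ws` and `/<topic>/json` stay open, and that is the property users rely on when they travel.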
30 changes: 26 additions & 4 deletions backend/metaploy/naarad-api.metaploy.conf
@@ -5,12 +5,34 @@ upstream naarad_api {
server {
server_name naarad-api.metakgp.org;

# Common proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Unprotected routes
## Allows us to call the /health endpoint for healthcheck
location = /health {
proxy_pass http://naarad_api;
}

# Protecting User Signup via Campus Network
location / {
auth_request /campus-auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth;

proxy_pass http://naarad_api;
}

# Internal authorisation endpoint via Campus Network
location = /campus-auth {
internal;
proxy_pass http://heimdall_server/;
}

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Handle case when auth fails in /campus-auth sub request
location @handle_campus_auth {
return 403;
}
}
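Review bot: `location = /campus-auth` hands `heimdall_server` the full client header set, including `X-Forwarded-For` built with `$proxy_add_x_forwarded_for`, which keeps whatever the client sent and only appends `$remote_addr`; if heimdall derives "on campus" from the first address in that header, an off-campus client can satisfy the check by sending its own `X-Forwarded-For`. Confirm that heimdall keys the decision on `X-Real-IP` (set from `$remote_addr` here) or on the last hop of `X-Forwarded-For`, and record in the comment which header is authoritative. Two smaller points: the subrequest fires for `POST` signups that carry a body, so add `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` as the `/kgpian-auth` block in `metaploy/naarad.metaploy.conf` does, otherwise heimdall receives a `Content-Length` for a body the subrequest never sends; and `heimdall_server` is not declared in this file, so state where that upstream lives.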
44 changes: 31 additions & 13 deletions metaploy/naarad.metaploy.conf
@@ -16,12 +16,8 @@ server {
location = /v1/health {
proxy_pass http://naarad;
}
## Allows the app to be functional
## Allows the app to be functional
## as it doesn't have Heimdall Session Auth
### Allowing login
location ~ ^/[^/]+/auth$ {
proxy_pass http://naarad;
}
### Allowing polling via websocket
location ~ ^/[^/]+/ws$ {
proxy_pass http://naarad;
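Review bot: the substantive change here is dropping the open `location ~ ^/[^/]+/auth$` passthrough; the two adjacent `## Allows the app to be functional` lines show the surviving comment is also being rewritten, presumably whitespace from the `reformat nginx config` commit. Keep formatting-only changes out of the feature diff (or squash them into a separate commit) so a reviewer can see that the only behavioural change in this hunk is the route move.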
@@ -33,7 +29,7 @@ server {
proxy_pass http://naarad;
add_header Content-Type application/json;
}

# Restricting user account registration only via
# naarad-signup service (our custom registration layer)
## BACKEND
@@ -59,20 +55,42 @@ server {
return 301 https://naarad-signup.metakgp.org;
}

# All the endpoints except (signup, healthcheck and
# mobile application related)
# Protecting User Login via Campus Network
## /login: frontend route
## /<topic>/auth: topic specific auth route
## /v1/account/token: account sign in route
location ~ ^/(v1/account/token|login|[^/]+/auth)$ {
auth_request /campus-auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth;

proxy_pass http://naarad;
}

# Internal authorisation endpoint via Campus Network
location = /campus-auth {
internal;
proxy_pass http://heimdall_server/;
}

# Handle case when auth fails in /campus-auth sub request
location @handle_campus_auth {
return 403;
}

# All the endpoints except (signup, healthcheck and
# mobile application related)
# described above are protected via Heimdall Session
location / {
auth_request /auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
auth_request /kgpian-auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_kgpian_auth;

proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Internal authorisation endpoint via heimdall
location = /auth {
location = /kgpian-auth {
internal;

proxy_pass http://heimdall_server/validate-jwt;
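Review bot: in `location /`, the two `proxy_set_header Upgrade` / `proxy_set_header Connection "upgrade"` lines stop the server-level `proxy_set_header` block from being inherited (nginx inherits `proxy_set_header` into a block only when that block sets none of its own), so everything proxied through this location reaches `naarad` without `Host`, `X-Real-IP`, `X-Original-URI` or `X-Forwarded-For`, and `Host` falls back to the upstream name; repeat the four common headers inside `location /`. Second, `location = /campus-auth` fronts `POST /v1/account/token`, which carries a body, so mirror the `proxy_pass_request_body off;` and `proxy_set_header Content-Length "";` lines already used in `/kgpian-auth`, otherwise heimdall is handed a `Content-Length` for a body the subrequest never sends. Finally, the `error_page` list in front of `@handle_campus_auth` can be cut down: a failed `auth_request` surfaces only as 401, 403 or 500 (any non-2xx/401/403 subrequest result becomes a 500), and with `proxy_intercept_errors` at its default the backend's own responses are not routed through `error_page`, so the 3xx and remaining 4xx entries are never taken.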
@@ -83,8 +101,8 @@ server {
proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
}

# Handle case when auth fails in /auth sub request
location @handle_auth {
# Handle case when auth fails in /kgpian-auth sub request
location @handle_kgpian_auth {
return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
}
}
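Review bot: the rename of `/auth` and `@handle_auth` to `/kgpian-auth` and `@handle_kgpian_auth` is fine on its own, but the new `metaploy/variations/unrestricted.metaploy.conf` keeps the old names while `restricted.metaploy.conf` uses the new ones; use the same names in both variants so a diff between them shows only the campus gate, which is the thing an operator swapping files needs to see.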
108 changes: 108 additions & 0 deletions metaploy/variations/restricted.metaploy.conf
@@ -0,0 +1,108 @@
upstream naarad {
server naarad:8000;
}

server {
server_name naarad.metakgp.org;

# Common proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Unprotected routes
## Allows us to call the /v1/health endpoint for healthcheck
location = /v1/health {
proxy_pass http://naarad;
}
## Allows the app to be functional
## as it doesn't have Heimdall Session Auth
### Allowing polling via websocket
location ~ ^/[^/]+/ws$ {
proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
### Allowing polling via json
location ~ ^/[^/]+/json$ {
proxy_pass http://naarad;
add_header Content-Type application/json;
}

# Restricting user account registration only via
# naarad-signup service (our custom registration layer)
## BACKEND
location = /v1/account {
set $allowed YES;
valid_referers https://naarad-signup.metakgp.org;
if ($invalid_referer) {
set $allowed N;
}
if ($request_method = POST) {
set $allowed "${allowed}O";
}
if ($allowed = NO) {
return 403;
}

proxy_pass http://naarad;
}
## FRONTEND
### Permanently move the /signup endpoint
### (from frontend) to our custom naarad-signup service
location = /signup {
return 301 https://naarad-signup.metakgp.org;
}

# Protecting User Login via Campus Network
## /login: frontend route
## /<topic>/auth: topic specific auth route
## /v1/account/token: account sign in route
location ~ ^/(v1/account/token|login|[^/]+/auth)$ {
auth_request /campus-auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth;

proxy_pass http://naarad;
}

# Internal authorisation endpoint via Campus Network
location = /campus-auth {
internal;
proxy_pass http://heimdall_server/;
}

# Handle case when auth fails in /campus-auth sub request
location @handle_campus_auth {
return 403;
}

# All the endpoints except (signup, healthcheck and
# mobile application related)
# described above are protected via Heimdall Session
location / {
auth_request /kgpian-auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_kgpian_auth;

proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Internal authorisation endpoint via heimdall
location = /kgpian-auth {
internal;

proxy_pass http://heimdall_server/validate-jwt;

proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
}

# Handle case when auth fails in /kgpian-auth sub request
location @handle_kgpian_auth {
return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
}
}
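Review bot: this file is a verbatim copy of the post-change `metaploy/naarad.metaploy.conf`, so every later fix has to land in two places; either make `naarad.metaploy.conf` a generated copy or symlink of the selected variation and say so in a comment, or move the shared locations into a file both variants `include`. Within the file, the `location ~ ^/[^/]+/ws$` and `location /` blocks each set their own `proxy_set_header` lines, which suppresses the server-level `Host`/`X-Real-IP`/`X-Original-URI`/`X-Forwarded-For` headers for those routes; repeat them there. And the `valid_referers` gate on `/v1/account` only inspects a client-chosen `Referer`, so it is not what keeps off-campus signups out: that is the `location /` campus gate in `backend/metaploy/naarad-api.metaploy.conf`. Say so in the comment so nobody later treats the referer check as the control.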
90 changes: 90 additions & 0 deletions metaploy/variations/unrestricted.metaploy.conf
@@ -0,0 +1,90 @@
upstream naarad {
server naarad:8000;
}

server {
server_name naarad.metakgp.org;

# Common proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Unprotected routes
## Allows us to call the /v1/health endpoint for healthcheck
location = /v1/health {
proxy_pass http://naarad;
}
## Allows the app to be functional
## as it doesn't have Heimdall Session Auth
### Allowing login
location ~ ^/[^/]+/auth$ {
proxy_pass http://naarad;
}
### Allowing polling via websocket
location ~ ^/[^/]+/ws$ {
proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
### Allowing polling via json
location ~ ^/[^/]+/json$ {
proxy_pass http://naarad;
add_header Content-Type application/json;
}

# Restricting user account registration only via
# naarad-signup service (our custom registration layer)
## BACKEND
location = /v1/account {
set $allowed YES;
valid_referers https://naarad-signup.metakgp.org;
if ($invalid_referer) {
set $allowed N;
}
if ($request_method = POST) {
set $allowed "${allowed}O";
}
if ($allowed = NO) {
return 403;
}

proxy_pass http://naarad;
}
## FRONTEND
### Permanently move the /signup endpoint
### (from frontend) to our custom naarad-signup service
location = /signup {
return 301 https://naarad-signup.metakgp.org;
}

# All the endpoints except (signup, healthcheck and
# mobile application related)
# described above are protected via Heimdall Session
location / {
auth_request /auth;
error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;

proxy_pass http://naarad;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Internal authorisation endpoint via heimdall
location = /auth {
internal;

proxy_pass http://heimdall_server/validate-jwt;

proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
}

# Handle case when auth fails in /auth sub request
location @handle_auth {
return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
}
}
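Review bot: nothing in the PR says how an operator switches between `restricted.metaploy.conf` and `unrestricted.metaploy.conf` on the date described in `SUBSCRIPTION_INSTRUCTION.md`, or how the accompanying user-database wipe is performed; add that procedure (which file is copied where, how nginx is reloaded, what deletes the database) alongside these files. This variant also keeps the `/auth` and `@handle_auth` names that the restricted one renamed to `/kgpian-auth` and `@handle_kgpian_auth`; align them so the two variants differ only in the campus-gated locations.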