Note
This is a very incomplete proof-of-concept implementation; usage in production environments is not recommended, yet. Use at own risk.
This repository contains a small HTTP reverse proxy which can be used to quickly add mStudio authentication to an existing web application.
Features:
- Handles the installation state of mittwald mStudio extension instances
- Support for one-click authentication from within the mittwald mStudio
Pending:
- Support for mittwald mStudio oAuth authentication
- Support for other database backends than MongoDB (for better integration into mittwald managed services)
$ docker run -p 8000:8000 \
-e MITTWALD_EXT_PROXY_MONGODB_URI=mongodb://... \
-e MITTWALD_EXT_PROXY_SECRET=... \
-e MITTWALD_EXT_PROXY_STATIC_PASSWORD=supersecret \
-e MITTWALD_EXT_PROXY_UPSTREAMS='{"/":{"upstreamURL":"http://..."}}' \
mittwald/mstudio-ext-proxy
Write me
Write me
The following environment variables can be used to modify this proxy's behaviour:
PORTis the port that the HTTP proxy should listen on. If omitted, this will default to8000.MITTWALD_EXT_PROXY_MONGODB_URIis the URI for a MongoDB connection. Used to store active extension instances and sessions.MITTWALD_EXT_PROXY_SECRETis the secret used for signing JWTs that are passed to the upstream application. If omitted, this service will not start.MITTWALD_EXT_PROXY_STATIC_PASSWORDdefines a static password that can be used to bypass the mStudio authentication by navigating to the/mstudio/auth/passwordendpoint. If this variable is omitted, that endpoint will not be available.MITTWALD_EXT_PROXY_CONTEXTcan be used to enable development mode (by setting it todev). In development, secure cookies are not enforced, and the/mstudio/auth/fakeendpoint is available.MITTWALD_EXT_PROXY_UPSTREAMScontains a JSON object with the proxy configuration. See section below for examples.MITTWALD_EXT_PROXY_REDIRECT_ON_UNAUTHENTICATEDis used when no password or OAuth authentication is enabled; in this case, the user will be redirected to this URL when accessing the extension without authentication.
The proxy configuration (passed in the MITTWALD_EXT_PROXY_UPSTREAMS environment variable) is a JSON map that should contain all proxy upstream definitions.
Example:
{
"/foo": {
"upstreamURL": "http://foo-service:3000",
"stripPrefix": "/foo"
},
"/": {
"upstreamURL": "http://bar-service:3030"
}
}When registering an extension to the mStudio marketplace using this component, your configuration YAML should look like this:
...
externalComponents:
backend:
extensionAddedToContext:
url: https://extension.example/mstudio/webhooks
extensionInstanceUpdated:
url: https://extension.example/mstudio/webhooks
extensionInstanceSecretRotated:
url: https://extension.example/mstudio/webhooks
extensionInstanceRemovedFromContext:
url: https://extension.example/mstudio/webhooks
frontends:
index:
url: https://extension.example/mstudio/auth/oneclick?atrek=:accessTokenRetrievalKey&userId=:userId&instanceId=:extensionInstanceId
Upstream applications will receive an additional HTTP header X-Mstudio-User with an JWT that contains the relevant user information in its claims:
sub: mStudio user IDfnameandlname: First and last nameemail: email addressinst: information about the extension instance; the subfieldsididentify the extension instance, andcontext.idandcontext.kindthe mstudio resource (meaning the organization or project), in which the extension was installedtok: an mStudio access token, which can be used to access the mStudio API as the accessing user
The JWT is signed with the secret that needs to be specified in MITTWALD_EXT_PROXY_SECRET. Your upstream applications need access to this secret in order to verify the JWT for authenticity.