Merge pull request #42 from glenndehaan/release/v4

Release/v4
glenndehaan · Oct 4, 2024 · 990608b · 990608b
2 parents d653c12 + 0b2b183
commit 990608b
Show file tree

Hide file tree

Showing 30 changed files with 262 additions and 211 deletions.
diff --git a/.docs/images/desktop_0.png b/.docs/images/desktop_0.png
diff --git a/.docs/images/mobile_0.png b/.docs/images/mobile_0.png
diff --git a/.docs/oidc/authentik/README.md b/.docs/oidc/authentik/README.md
@@ -16,24 +16,15 @@
     - **Name**: `unifi-voucher-provider`.
     - **Authentication flow**: `default-authentication-flow`.
     - **Authorization flow**: `default-provider-authorization-implicit-consent`.
-    - **Client Type**: Select either `public` or `confidential` based on your needs:
-        - **Public**: No client secret is required.
-        - **Confidential**: A client secret will be generated.
-5. Set the **Redirect URI** to match your UniFi Voucher Site’s callback URL (e.g., `https://<unifi-voucher-url>/callback`).
+    - **Client Type**: Select `confidential`, A client secret will be generated.
+5. Set the **Redirect URI** to match your UniFi Voucher Site’s callback URL (e.g., `https://voucher.example.com/oidc/callback`).
 6. Click **Submit**.
 
 ![Create Provider 1](images/create_provider_1.png)
 ![Create Provider 2](images/create_provider_2.png)
 ![Create Provider 3](images/create_provider_3.png)
-![Create Provider 4](images/create_provider_4.png)
 
-#### For Public Client Method:
-
-- After saving, note down the **Client ID** generated for this provider. You’ll need it when configuring your UniFi Voucher Site.
-
-#### For Confidential Client Method:
-
-- After saving, note down the **Client ID** and **Client Secret** generated for this provider. You’ll need it when configuring your UniFi Voucher Site.
+> After saving, note down the **Client ID** and **Client Secret** generated for this provider. You’ll need it when configuring your UniFi Voucher Site.
 
 ### Step 3: Create a New Application
 
@@ -53,18 +44,7 @@
 
 Now, configure your UniFi Voucher Site to use the Authentik client.
 
-### For Public Client Configuration
-
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `public`.
-2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Authentik (found in the Authentik provider configuration).
-3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Authentik provider.
-    - You can find this under **Providers > unifi-voucher-provider > OpenID Configuration URL** in Authentik.
-4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
-5. Restart the container after these changes
-
-### For Confidential Client Configuration
-
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
+1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_ENABLED` to `true`.
 2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Authentik (found in the Authentik provider configuration).
 3. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Authentik provider configuration).
 4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Authentik provider.
@@ -82,4 +62,4 @@ Now, configure your UniFi Voucher Site to use the Authentik client.
 ### Common Issues
 
 - **Invalid Redirect URI**: Ensure the callback URI matches what is configured in Authentik.
-- **Client Secret Errors** (for confidential clients): Double-check the client secret in both Authentik and your UniFi configuration.
+- **Client Secret Errors**: Double-check the client secret in both Authentik and your UniFi configuration.
diff --git a/.docs/oidc/authentik/images/create_provider_3.png b/.docs/oidc/authentik/images/create_provider_3.png
diff --git a/.docs/oidc/authentik/images/create_provider_4.png b/.docs/oidc/authentik/images/create_provider_4.png
diff --git a/.docs/oidc/keycloak/README.md b/.docs/oidc/keycloak/README.md
@@ -30,32 +30,17 @@ If you don't already have a realm:
 
 ### Step 4: Configure the Client
 
-You’ll see various tabs for configuring the client. Set the following fields based on the type of method you want:
-
-#### A. **Public Client Method**
-
-1. Go to the **Settings** tab.
-2. Set **Access Type** to `public`.
-3. Ensure **Implicit Flow Enabled** is set to `ON`. (This enables the Implicit flow for public clients).
-4. Set **Valid Redirect URIs** to your UniFi voucher callback URL (e.g., `https://voucher.example.com/callback`).
-5. Click **Save**.
-
-In this mode, no client secret is required. The public client relies on the Implicit flow without needing to authenticate itself.
-
-![Client Settings 1](images/client_settings_1.png)
-![Client Settings 2](images/client_settings_2.png)
-
-#### B. **Confidential Client Method**
+You’ll see various tabs for configuring the client. Set the following fields:
 
 1. Go to the **Settings** tab.
 2. Set **Access Type** to `confidential`.
 3. Ensure **Standard Flow Enabled** is set to `ON`.
-4. Set **Valid Redirect URIs** to your UniFi voucher callback URL (e.g., `https://voucher.example.com/callback`).
+4. Set **Valid Redirect URIs** to your UniFi voucher callback URL (e.g., `https://voucher.example.com/oidc/callback`).
 5. Click **Save**.
 
 6. After saving, go to the **Credentials** tab to get the **Client Secret**. This secret will be used by your UniFi Voucher Site when authenticating as a confidential client.
 
-![Client Settings 3](images/client_settings_3.png)
+![Client Settings 1](images/client_settings_1.png)
 ![Client Settings 2](images/client_settings_2.png)
 ![Client Secret](images/client_secret.png)
 
@@ -65,17 +50,7 @@ In this mode, no client secret is required. The public client relies on the Impl
 
 Now, configure your UniFi Voucher Site to use the Keycloak client.
 
-### For Public Client Configuration
-
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `public`.
-2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Keycloak (e.g., `unifi-voucher-site`).
-3. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/realms/{realm}/.well-known/openid-configuration`).
-4. Provide the `AUTH_OIDC_APP_BASE_URL` from your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
-5. Restart the container after these changes
-
-### For Confidential Client Configuration
-
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
+1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_ENABLED` to `true`.
 2. Set the `AUTH_OIDC_CLIENT_ID` as configured in Keycloak (e.g., `unifi-voucher-site`).
 3. Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Credentials tab in Keycloak).
 4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/realms/{realm}/.well-known/openid-configuration`).
@@ -92,4 +67,4 @@ Now, configure your UniFi Voucher Site to use the Keycloak client.
 ### Common Issues
 
 - **Invalid Redirect URI**: Ensure the callback URI matches what is configured in Keycloak.
-- **Client Secret Errors** (for confidential clients): Double-check the client secret in both Keycloak and your UniFi configuration.
+- **Client Secret Errors**: Double-check the client secret in both Keycloak and your UniFi configuration.
diff --git a/.docs/oidc/keycloak/images/client_settings_1.png b/.docs/oidc/keycloak/images/client_settings_1.png
diff --git a/.docs/oidc/keycloak/images/client_settings_2.png b/.docs/oidc/keycloak/images/client_settings_2.png
diff --git a/.docs/oidc/keycloak/images/client_settings_3.png b/.docs/oidc/keycloak/images/client_settings_3.png
diff --git a/.docs/oidc/uid/README.md b/.docs/oidc/uid/README.md
@@ -20,7 +20,7 @@
    The required fields needed are `Initiate Sign-In URI` and `Sign-In Redirect URI`.
 
    Initiate Sign-In URI - (e.g., `https://voucher.example.com`)
-   Sign-In Redirect URI - (e.g., `https://voucher.example.com/callback`)
+   Sign-In Redirect URI - (e.g., `https://voucher.example.com/oidc/callback`)
 
 7. Press Add. You will now be presented with your Tool Collection for the app. Copy your `Client ID`, `Client Secret` and the value form your `Well Known Config Endpoint`.
 8. Press Done. You can now assign users or groups to the application. The setup has been completed UID side.
@@ -38,7 +38,7 @@
 
 Now, configure your UniFi Voucher Site to use the UID client.
 
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
+1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_ENABLED` to `true`.
 2. Set the `AUTH_OIDC_CLIENT_ID` as found within the UID Application.
 3. Provide the `AUTH_OIDC_CLIENT_SECRET` as found within the UID Application.
 4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your UID domain (e.g., `https://your-site.ui.com/gw/idp/api/v1/public/oauth/your-secret-token/.well-known/openid-configuration`).

diff --git a/.docs/oidc/zitadel/README.md b/.docs/oidc/zitadel/README.md
@@ -28,7 +28,7 @@ Now, create an application under the project you just created.
     - **Type**: `Web`.
 4. Select **Code** and click **Continue**.
 5. Fill in the following fields and click **Continue**:
-    - **Login Redirect URIs**: Enter the URL of your UniFi Voucher callback (e.g., `https://voucher.example.com/callback`).
+    - **Login Redirect URIs**: Enter the URL of your UniFi Voucher callback (e.g., `https://voucher.example.com/oidc/callback`).
     - **Logout Redirect URIs**: Enter the root URL of your UniFi Voucher instance (e.g., `https://voucher.example.com`).
 6. Click **Create** to save the application.
 7. Save the Client ID and Client Secret shown within the popup and click **Close**
@@ -46,7 +46,7 @@ Now, create an application under the project you just created.
 
 Now, configure your UniFi Voucher Site to use the ZITADEL client.
 
-1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_CLIENT_TYPE` as `confidential`.
+1. In your UniFi Voucher Site configuration, set `AUTH_OIDC_ENABLED` to `true`.
 2. Set the `AUTH_OIDC_CLIENT_ID` as the ClientId found within the ZITADEL Popup.
 3. Provide the `AUTH_OIDC_CLIENT_SECRET` as the ClientSecret found within the ZITADEL Popup.
 4. Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/.well-known/openid-configuration`).
@@ -63,4 +63,4 @@ Now, configure your UniFi Voucher Site to use the ZITADEL client.
 ### Common Issues
 
 - **Invalid Redirect URI**: Ensure the callback URI matches what is configured in ZITADEL.
-- **Client Secret Errors** (for confidential clients): Ensure that the client secret in both ZITADEL and your UniFi configuration match.
+- **Client Secret Errors**: Ensure that the client secret in both ZITADEL and your UniFi configuration match.
diff --git a/.docs/oidc/zitadel/images/project_create_overview.png b/.docs/oidc/zitadel/images/project_create_overview.png
diff --git a/.docs/oidc/zitadel/images/project_uris.png b/.docs/oidc/zitadel/images/project_uris.png
diff --git a/Dockerfile b/Dockerfile
@@ -103,15 +103,26 @@ HEALTHCHECK --interval=10s --timeout=3s \
 CMD ["dumb-init", "node", "/app/server.js"]
 
 #
-# Bundle app
+# Setup non-root user
 #
-
-# Bundle from build image
-COPY --from=dependencies /app/node_modules ./node_modules
-COPY --from=css /app/public/dist ./public/dist
-COPY . .
+RUN addgroup -g 1000 node \
+    && adduser -u 1000 -G node -s /bin/sh -D node;
 
 #
 # Set build
 #
 RUN echo -n `date '+%Y.%m.%d.%H.%M'` > /etc/unifi_voucher_site_build
+
+#
+# Continue as non-root user
+#
+USER node
+
+#
+# Bundle app
+#
+
+# Bundle from build image
+COPY --chown=node:node --from=dependencies /app/node_modules ./node_modules
+COPY --chown=node:node --from=css /app/public/dist ./public/dist
+COPY --chown=node:node . .