Migrate from Auth0 to Jetstream Auth
Remove 3rd party authentication provider in favor of Jetstream in-house Authentication

Add support for MFA which is required by default - initial support for email and authenticator app

Tighten up session management to ensure that sessions are being used on the same device

Add profile management with options to add a password, manage MFA options, link social accounts

Added captcha via Cloudflare turnstile to authentication pages

Added email templates and sending via react email

Added rate limiting to all authentication routes

Added zod validation to environment variable parsing

Added E2E tests for all authentication pages
paustint committed Oct 31, 2024
1 parent 016521b commit ad59872
Showing 216 changed files with 11,835 additions and 3,313 deletions.
92 changes: 56 additions & 36 deletions .env.example
Expand Up @@ -2,66 +2,82 @@
###### REQUIRED ######

ENVIRONMENT='development'
# Example key - not used in any real environments
JETSTREAM_SESSION_SECRET='15a845f36512d850dfd223af8809873c'

# SFDC API VERSION TO USE
NX_SFDC_API_VERSION='61.0'

# trace, debug (default), info, warn, error, fatal, silent
LOG_LEVEL='trace'

# Session signing secret - minimum of 32 characters
# Generate using: `openssl rand -base64 32`
JETSTREAM_SESSION_SECRET=''
# Backup key to allow session rotation
JETSTREAM_SESSION_SECRET_BACKUP=''
# Auth secret - used to sign encrypt CSRF tokens for authentication pages
# Generate using: `openssl rand -base64 32`
JETSTREAM_AUTH_SECRET=''
# Secret used to encrypt OTP tokens for storage in the database
JETSTREAM_AUTH_OTP_SECRET=''

# JETSTREAM URLS
# If developing, then these will be localhost
# If running locally but not developing the platform, use port `:3333` for all of these
JETSTREAM_CLIENT_URL='http://localhost:4200/app'
JETSTREAM_SERVER_DOMAIN='localhost:3333'
JETSTREAM_SERVER_URL='http://localhost:3333'
JETSTREAM_POSTGRES_DBURI='postgres://postgres@localhost:5432/postgres'

# trace, debug (default), info, warn, error, fatal, silent - determines how much server logging is done
LOG_LEVEL='trace'
# Used in landing page to redirect to the correct URL
# If running locally but not developing the platform, use port `:3333` for all of these
NEXT_PUBLIC_CLIENT_URL='http://localhost:4200/app'
NEXT_PUBLIC_SERVER_URL='http://localhost:3333'

# PLAYWRIGHT INTEGRATION TEST LOGIN
E2E_LOGIN_USERNAME='[email protected]'
E2E_LOGIN_PASSWORD='TODO'
E2E_LOGIN_URL='https://jetstream-e2e-dev-ed.develop.my.salesforce.com'
# OAUTH FOR LOGGING IN TO THE APP
# You can provide your own keys by creating a connected app in your dev or production org.
# Salesforce - Scopes: email, profile, openid
AUTH_SFDC_CLIENT_ID='3MVG9riCAn8HHkYWGpu4WgDxYOW_9snDbMX1MD9hZ5Hd9NZ4yIKUhecgKe.bLizoOuSZGUwL.214Oyhcfd..1'
AUTH_SFDC_CLIENT_SECRET='3DC73F32C7385596DF9625F914D96A2CADC68F074010D658C122A774A9EC6AA3'

# Google - Scopes: email, profile, openid
AUTH_GOOGLE_CLIENT_ID=''
AUTH_GOOGLE_CLIENT_SECRET=''

# SALESFORCE CONFIGURATION
# You can provide your own key by creating a connected app in your dev or production org.
# Ensure api, web, refresh_token scopes are included
# You can provide your own keys by creating a connected app in your dev or production org.
# Scopes: api, web, refresh_token
SFDC_CALLBACK_URL='http://localhost:3333/oauth/sfdc/callback'
SFDC_CONSUMER_KEY='3MVG9tSqyyAXNH5ItQtuplEg40Ks_MLSG37L1PV.TLDjsCbdp7EDonFUW0csSDDrutnfuxKH5OKSXSbhiGPv5'
SFDC_CONSUMER_SECRET='F77C1B4AF03CF51B290A591766F4C430E3136949A636D4AA5339F8EB6A40052A'
SFDC_CONSUMER_KEY='3MVG9riCAn8HHkYWGpu4WgDxYOW_9snDbMX1MD9hZ5Hd9NZ4yIKUhecgKe.bLizoOuSZGUwL.214Oyhcfd..1'
SFDC_CONSUMER_SECRET='3DC73F32C7385596DF9625F914D96A2CADC68F074010D658C122A774A9EC6AA3'

###### OPTIONAL ######

# API VERSION TO USE
SFDC_API_VERSION='58.0'
# PLAYWRIGHT INTEGRATION TEST LOGIN
E2E_LOGIN_USERNAME='[email protected]'
E2E_LOGIN_PASSWORD=''
E2E_LOGIN_URL='https://jetstream-e2e-dev-ed.develop.my.salesforce.com'

# If set to true, then authentication will be bypassed
# You will use a test account instead of a real account - only works if running locally
EXAMPLE_USER_OVERRIDE=true

# Auth0 configuration - Free public account, you can replace with your own if you want
AUTH0_CLIENT_ID='305Mn5azd97CZrHDf5SflQCZlEeEKfTU'
AUTH0_CLIENT_SECRET='CmOSq3HVhUVZhjmnlLy4IHk46E1XuhVXAxcx9Epjm38opRy-ycaBlJujkDlhL7zu'
AUTH0_DOMAIN='dev-ce6oji5b.us.auth0.com'
AUTH0_M2M_DOMAIN='dev-ce6oji5b.us.auth0.com'
EXAMPLE_USER_OVERRIDE='true'
EXAMPLE_USER_PASSWORD='EXAMPLE_123!'

# AUTH0 APPLICATION CONFIGURATION
# LOGO: https://getjetstream.app/assets/images/jetstream-logo.svg
# CALLBACK URL: http://localhost:3333/oauth/callback, http://localhost:3333/oauth/identity/link/callback, jetstream://localhost/oauth/callback
# LOGOUT URLS: https://staging.getjetstream.app, http://localhost:3333, jetstream://localhost/oauth/callback

###### OPTIONAL ######

PRISMA_DEBUG='false'

NX_PUBLIC_AUTH_AUDIENCE='http://getjetstream.app/app_metadata'
NX_PUBLIC_ROLLBAR_KEY=''
NX_PUBLIC_AMPLITUDE_KEY=''

# Used to save feedback as a github issue and run some build commands
# Also required for the release process
GITHUB_TOKEN=''

# Credentials for sending emails
# If you are not using the example user, then you may need to configure this for MFA
MAILGUN_API_KEY=''
JETSTREAM_EMAIL_DOMAIN=''
JETSTREAM_EMAIL_FROM_NAME=''
JETSTREAM_EMAIL_REPLY_TO=''

# Used to generate blog when building landing page
CONTENTFUL_HOST='cdn.contentful.com'
CONTENTFUL_SPACE=''
CONTENTFUL_TOKEN=''

# Required to use Google integration
# Required to use Google within application
GOOGLE_APP_ID=''
GOOGLE_API_KEY=''
GOOGLE_CLIENT_ID=''
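Review bot: `JETSTREAM_AUTH_OTP_SECRET` is the only one of the three new secrets with no generation hint or minimum-length comment, and the comment above `JETSTREAM_AUTH_SECRET` reads "used to sign encrypt CSRF tokens", which should say which of the two it does. Give the OTP secret the same `# Generate using: \`openssl rand -base64 32\`` line that the session and auth secrets carry, because if the new zod schema does not enforce a length here an operator who pastes a short value weakens the at-rest encryption of OTP tokens. Separately, `AUTH_SFDC_CLIENT_SECRET` and `SFDC_CONSUMER_SECRET` are the same committed value in this example file; if they are intended as shared dev-only credentials, say so in the comment the way the removed Auth0 block did ("Free public account, you can replace with your own"), and flag that `EXAMPLE_USER_PASSWORD='EXAMPLE_123!'` is a published default for an account that bypasses authentication.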
Expand All @@ -79,3 +95,7 @@ ALGOLIA_API_KEY=''
HONEYCOMB_ENABLED=false
HONEYCOMB_API_KEY=''

# Nx 18 enables using plugins to infer targets by default
# This is disabled for existing workspaces to maintain compatibility
# For more info, see: https://nx.dev/concepts/inferred-tasks
NX_ADD_PLUGINS=false
19 changes: 10 additions & 9 deletions .github/workflows/ci.yml
Expand Up @@ -12,7 +12,6 @@ env:
CONTENTFUL_TOKEN: ${{ secrets.CONTENTFUL_TOKEN }}
NX_CLOUD_DISTRIBUTED_EXECUTION: false
NX_PUBLIC_AMPLITUDE_KEY: ${{ secrets.NX_PUBLIC_AMPLITUDE_KEY }}
NX_PUBLIC_AUTH_AUDIENCE: http://getjetstream.app/app_metadata
NX_PUBLIC_ROLLBAR_KEY: ${{ secrets.NX_PUBLIC_ROLLBAR_KEY }}

jobs:
Expand Down Expand Up @@ -63,31 +62,33 @@ jobs:
runs-on: ubuntu-latest
env:
LOG_LEVEL: warn
AUTH0_CLIENT_ID: 'shxza1G0595Ut2htmAd3NfbMMsqelrE5'
AUTH0_CLIENT_SECRET: 'NOT-NEEDED'
AUTH0_DOMAIN: 'getjetstream-dev.us.auth0.com'
E2E_LOGIN_PASSWORD: ${{ secrets.E2E_LOGIN_PASSWORD }}
E2E_LOGIN_URL: 'https://jetstream-e2e-dev-ed.develop.my.salesforce.com'
E2E_LOGIN_USERNAME: '[email protected]'
E2E_LOGIN_PASSWORD: ${{ secrets.E2E_LOGIN_PASSWORD }}
EXAMPLE_USER_OVERRIDE: true
EXAMPLE_USER_PASSWORD: 'EXAMPLE_123!'
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
GOOGLE_APP_ID: ${{ secrets.GOOGLE_APP_ID }}
GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
JETSTREAM_POSTGRES_DBURI: postgres://postgres:postgres@localhost:5432/postgres
JETSTREAM_SESSION_SECRET: ${{ secrets.JETSTREAM_SESSION_SECRET }}
JETSTREAM_SESSION_SECRET: '8e52194ce3b6650b93e95a5c40a705b2'
JETSTREAM_AUTH_SECRET: 'l26oD1TYqkJP/AZccmFwX2gPO45rG1qQuSXjVxRj9U/3'
JETSTREAM_AUTH_OTP_SECRET: 'pD0AwvBhZU5COntz97OBDAtonoEe/Z0lz5ulNFl4K04='
JETSTREAM_CLIENT_URL: http://localhost:3333/app
JETSTREAM_SERVER_DOMAIN: localhost:3333
JETSTREAM_SERVER_URL: http://localhost:3333
NEXT_PUBLIC_CLIENT_URL: 'http://localhost:4200/app'
NEXT_PUBLIC_SERVER_URL: 'http://localhost:3333'
NX_PUBLIC_AMPLITUDE_KEY: ${{ secrets.NX_PUBLIC_AMPLITUDE_KEY }}
NX_PUBLIC_AUTH_AUDIENCE: http://getjetstream.app/app_metadata
NX_CLOUD_DISTRIBUTED_EXECUTION: false
NX_PUBLIC_ROLLBAR_KEY: ${{ secrets.NX_PUBLIC_ROLLBAR_KEY }}
SFDC_CALLBACK_URL: http://localhost:3333/oauth/sfdc/callback
SFDC_CONSUMER_KEY: ${{ secrets.SFDC_CONSUMER_KEY }}
SFDC_CONSUMER_SECRET: ${{ secrets.SFDC_CONSUMER_SECRET }}
SFDC_ENC_KEY: ${{ secrets.SFDC_ENC_KEY }}
SFDC_API_VERSION: '58.0'
AUTH_SFDC_CLIENT_ID: ${{ secrets.SFDC_CONSUMER_KEY }}
AUTH_SFDC_CLIENT_SECRET: ${{ secrets.SFDC_CONSUMER_SECRET }}
SFDC_API_VERSION: '61.0'

services:
postgres:
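Review bot: `JETSTREAM_SESSION_SECRET` moves from `${{ secrets.JETSTREAM_SESSION_SECRET }}` to the literal `'8e52194ce3b6650b93e95a5c40a705b2'`, and `JETSTREAM_AUTH_SECRET` and `JETSTREAM_AUTH_OTP_SECRET` are likewise committed as literal values. Committed test keys are acceptable for an ephemeral CI job that only talks to a throwaway Postgres service, but add a comment stating these are CI-only and must not be reused, and confirm none of them match what any deployed environment uses, since the workflow file lives in the repository. `SFDC_ENC_KEY: ${{ secrets.SFDC_ENC_KEY }}` is still sourced from a repository secret while the three new keys are not, which makes the inconsistency look accidental rather than deliberate.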
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -58,4 +58,5 @@ package-lock.json
**/playwright/.cache

.nx/cache
.nx/workspace-data
.nx/workspace-data
**/playwright/.auth/user.json
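Review bot: ignoring `**/playwright/.auth/user.json` is the right call, since the Playwright storage-state file holds the logged-in session cookie for the E2E user and would otherwise be easy to commit by accident. Consider widening it to `**/playwright/.auth/` so any additional state files written alongside `user.json` are covered too. The apparent duplicate `.nx/workspace-data` lines are just the rendering of a line that previously lacked a trailing newline.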
4 changes: 4 additions & 0 deletions Dockerfile
Expand Up @@ -42,6 +42,10 @@ RUN yarn build:core && \
RUN yarn install --production=true && \
yarn add cross-env npm-run-all --save-dev

# FIXME: figure out why this is not included
# Add missing dependencies
RUN yarn add @react-email/components

# Final stage for app image
FROM base
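Review bot: `RUN yarn add @react-email/components` after `yarn install --production=true` installs a dependency outside the lockfile at image build time, so each build may resolve a different version than the one tested in CI; the `FIXME` above it confirms this is a workaround rather than the fix. Move `@react-email/components` into the production `dependencies` of the package that imports it so the lockfile pins it, and drop the extra `yarn add` here; if the package is only reachable transitively today, that is the root cause to fix.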

18 changes: 15 additions & 3 deletions README.md
Expand Up @@ -70,6 +70,17 @@ This project was generated using [Nx](https://nx.dev) - This repository is consi
2. If you are using docker, make sure you have Docker installed.
3. If you want to run the dev server, make sure you have yarn version 1 installed.

### Installing Dependencies

### Setting up your environment

Run this script to copy `.env.example` to `.env` which will generate encryption keys which are required to run the application.
You will be asked some questions which will determine some of the environment variables.

```bash
yarn scripts:generate-env
```

📓 You can choose to skip authentication locally by setting the environment variable `EXAMPLE_USER_OVERRIDE=true`. This is set to true by default in the `.env.example` file.
🌟 To use this, don't click the login button, but instead just go to `http://localhost:3333/app` or `http://localhost:4200/app` (if running the react development server) directly.
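Review bot: the new `### Installing Dependencies` heading has no body, so either fill it in or drop it. The paragraph that follows still says authentication can be skipped with `EXAMPLE_USER_OVERRIDE=true` and tells readers to "not click the login button" and go straight to `/app`, while this commit adds `EXAMPLE_USER_PASSWORD` and the Docker section below tells readers to log in as the example user with the password from `.env`; reconcile the two so the README describes one flow. Also "copy `.env.example` to `.env` which will generate encryption keys" reads as if the copy itself generates the keys; say that the script copies the file and then generates the secrets.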

Expand All @@ -91,16 +102,17 @@ docker compose up

- Jetstream will be running at `http://localhost:3333`
- Postgres will be running on port `5555` if you wanted to connect to it locally.
- When you click "Login", you should immediately be logged in without having to sign in.
- You can set `EXAMPLE_USER_OVERRIDE` if you want to disable this behavior
- You can login with the `Example` user
- The username is `[email protected]`
- The password is contained in the `.env` file
- If assets on the page don't load, do a hard refresh (hold cmd or shift and press refresh)
- This might happen if you have re-built the image and the browser has cached the page with now missing resources.

### Running without Docker

Use this option if you want to contribute to the codebase.

Jetstream relies on a Postgres database, so you either need to [run Postgresql locally](https://www.postgresql.org/download/) or use a managed provider such as one from the list below. Optionally you can run jetstream in a Docker container which includes Postgresql.
Jetstream relies on a Postgres database, so you either need to [run Postgresql locally](https://www.postgresql.org/download/), in a docker container, or use a managed provider such as one from the list below. Optionally you can run jetstream in a Docker container which includes Postgresql.

- [Render](https://render.com/) (Jetstream is hosted here)
- [elephantsql](https://www.elephantsql.com/plans.html)
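Review bot: "The password is contained in the `.env` file" points readers at the default `EXAMPLE_USER_PASSWORD='EXAMPLE_123!'` copied from `.env.example` without saying it must be changed for any instance reachable from other machines; add that line, and state whether the example user is exempt from the MFA-by-default requirement this commit introduces. The rewritten Postgres sentence now says "in a docker container" and then repeats "Optionally you can run jetstream in a Docker container which includes Postgresql", so one of the two clauses can go.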
21 changes: 0 additions & 21 deletions apps/api/.env.development

This file was deleted.

4 changes: 0 additions & 4 deletions apps/api/.env.production
@@ -1,8 +1,5 @@
ENVIRONMENT="production"

AUTH0_DOMAIN="auth.getjetstream.app"
AUTH0_M2M_DOMAIN="getjetstream.us.auth0.com"

CONTENTFUL_HOST="cdn.contentful.com"

GOOGLE_REDIRECT_URI="https://getjetstream.app/oauth/google/callback"
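Review bot: with `AUTH0_DOMAIN` and `AUTH0_M2M_DOMAIN` removed here, confirm the new zod environment schema mentioned in the commit message no longer lists any `AUTH0_*` key as required, otherwise production fails validation on the first boot after deploy. A grep for `AUTH0_` across the repository before merging is the cheap check.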
Expand All @@ -13,7 +10,6 @@ JETSTREAM_CLIENT_URL="https://getjetstream.app/app"
JETSTREAM_SERVER_DOMAIN="getjetstream.app"
JETSTREAM_SERVER_URL="https://getjetstream.app"

NX_PUBLIC_AUTH_AUDIENCE="http://getjetstream.app/app_metadata"
NX_BRANCH="main"
NX_SFDC_API_VERSION="61.0"
