Merge pull request #630 from namecheap/bugfix/lderegistry

fix(registry): fix auth in docker with http

docker-compose.yml

@@ -1,91 +1,92 @@
-version: "2.4"
+version: '2.4'
 services:
-  registry:
-    image: namecheap/ilc_registry:latest
-    ports:
-      - "4001:4001"
-    environment:
-      NODE_ENV: production
-      DB_CLIENT: mysql
-      # DB_CLIENT: pg
-      DB_HOST: mysql
-      # DB_HOST: postgres
-      DB_USER: root
-      DB_PASSWORD: pwd
-      DB_NAME: ilc
-    depends_on:
-      mysql:
-        condition: service_healthy
-      # postgres:
-      #   condition: service_healthy
-  registry_worker:
-    image: namecheap/ilc_registry:latest
-    command: ["npm", "run", "assetsdiscovery"]
-    environment:
-      NODE_ENV: production
-      DB_CLIENT: mysql
-      # DB_CLIENT: pg
-      DB_HOST: mysql
-      # DB_HOST: postgres
-      DB_USER: root
-      DB_PASSWORD: pwd
-      DB_NAME: ilc
-    network_mode: "service:ilc" # We need this to make apps accessible at 127.0.0.1
-    depends_on:
-      mysql:
-        condition: service_healthy
-  ilc:
-    image: namecheap/ilc:latest
-    restart: always
-    ports:
-      - "80:8233"
-      - "8233:8233"
-      - "8234-8240:8234-8240" # Ports from "demo-apps" container
-    environment:
-      NODE_ENV: production
-      REGISTRY_ADDR: "http://host.docker.internal:4001"
-      OVERRIDE_CONFIG_TRUSTED_ORIGINS: all
-  demo-apps:
-    image: namecheap/ilc-demo-apps:latest
-    network_mode: "service:ilc" # We need this to make apps accessible at 127.0.0.1 inside "ilc" container
-    # ports:
-    #   - "8234-8240:8234-8240" # Uncomment to run with ilc via node
-    env_file:
-      - ./demo-apps.env  # Used by the demo site to override PUBLIC_HOST var
-  mysql:
-    container_name: mysql
-    platform: linux/x86_64
-    image: mysql:5.7
-    volumes:
-      - .:/usr/src/ilc
-      - "./dbfiles:/var/lib/mysql"
-    ports:
-      - "3306:3306"
-    environment:
-      MYSQL_ROOT_PASSWORD: pwd
-      MYSQL_DATABASE: ilc
-    healthcheck:
-      test: ["CMD", "mysqladmin", "-uroot", "-ppwd", "processlist", "-h", "localhost"]
-      interval: 3s
-      timeout: 3s
-      retries: 50
-  postgres:
-      container_name: postgres
-      image: postgres:15.6-alpine
-      restart: always
-      environment:
-        POSTGRES_USER: root
-        POSTGRES_PASSWORD: pwd
-        POSTGRES_DB: ilc
-      ports:
-          - '5432:5432'
-      volumes:
-          - postgres:/var/lib/postgresql/data
-      healthcheck:
-        test: ["CMD-SHELL", "sh -c 'pg_isready -U root -d ilc'"]
-        interval: 3s
-        timeout: 3s
-        retries: 50
+    registry:
+        image: namecheap/ilc_registry:latest
+        ports:
+            - '4001:4001'
+        environment:
+            NODE_ENV: production
+            DB_CLIENT: mysql
+            # DB_CLIENT: pg
+            DB_HOST: mysql
+            # DB_HOST: postgres
+            DB_USER: root
+            DB_PASSWORD: pwd
+            DB_NAME: ilc
+            DB_SEED: true
+        depends_on:
+            mysql:
+                condition: service_healthy
+            # postgres:
+            #   condition: service_healthy
+    registry_worker:
+        image: namecheap/ilc_registry:latest
+        command: ['npm', 'run', 'assetsdiscovery']
+        environment:
+            NODE_ENV: production
+            DB_CLIENT: mysql
+            # DB_CLIENT: pg
+            DB_HOST: mysql
+            # DB_HOST: postgres
+            DB_USER: root
+            DB_PASSWORD: pwd
+            DB_NAME: ilc
+        network_mode: 'service:ilc' # We need this to make apps accessible at 127.0.0.1
+        depends_on:
+            mysql:
+                condition: service_healthy
+    ilc:
+        image: namecheap/ilc:latest
+        restart: always
+        ports:
+            - '80:8233'
+            - '8233:8233'
+            - '8234-8240:8234-8240' # Ports from "demo-apps" container
+        environment:
+            NODE_ENV: production
+            REGISTRY_ADDR: 'http://host.docker.internal:4001'
+            OVERRIDE_CONFIG_TRUSTED_ORIGINS: all
+    demo-apps:
+        image: namecheap/ilc-demo-apps:latest
+        network_mode: 'service:ilc' # We need this to make apps accessible at 127.0.0.1 inside "ilc" container
+        # ports:
+        #   - "8234-8240:8234-8240" # Uncomment to run with ilc via node
+        env_file:
+            - ./demo-apps.env # Used by the demo site to override PUBLIC_HOST var
+    mysql:
+        container_name: mysql
+        platform: linux/x86_64
+        image: mysql:5.7
+        volumes:
+            - .:/usr/src/ilc
+            - './dbfiles:/var/lib/mysql'
+        ports:
+            - '3306:3306'
+        environment:
+            MYSQL_ROOT_PASSWORD: pwd
+            MYSQL_DATABASE: ilc
+        healthcheck:
+            test: ['CMD', 'mysqladmin', '-uroot', '-ppwd', 'processlist', '-h', 'localhost']
+            interval: 3s
+            timeout: 3s
+            retries: 50
+    postgres:
+        container_name: postgres
+        image: postgres:15.6-alpine
+        restart: always
+        environment:
+            POSTGRES_USER: root
+            POSTGRES_PASSWORD: pwd
+            POSTGRES_DB: ilc
+        ports:
+            - '5432:5432'
+        volumes:
+            - postgres:/var/lib/postgresql/data
+        healthcheck:
+            test: ['CMD-SHELL', "sh -c 'pg_isready -U root -d ilc'"]
+            interval: 3s
+            timeout: 3s
+            retries: 50
 volumes:
     postgres:
         driver: local

registry/Dockerfile

@@ -18,4 +18,6 @@ ADD ./ /codebase
 
 RUN npm run build
 
+ENTRYPOINT ["sh", "./scripts/docker-entrypoint.sh"]
+
 CMD ["npm", "run", "start-docker"]

registry/README.md

@@ -76,3 +76,7 @@ This command ignores `.env` file
 ```bash
 $ npm run test:postgres
 ```
+
+## Secure session on production
+
+To set the session cookie as secure, set the environment variable AUTH_COOKIE_SECURE=true. Note that you will need to use an HTTPS forward proxy to access the registry admin panel.

registry/config/custom-environment-variables.ts

@@ -19,6 +19,7 @@ export default {
     },
     auth: {
         sessionSecret: 'AUTH_SESSION_SECRET',
+        cookieSecure: 'AUTH_COOKIE_SECURE',
     },
     healthCheck: {
         url: 'ILC_REGISTRY_HEALTH_CHECK_URL',

registry/config/default.ts

@@ -25,6 +25,7 @@ module.exports = {
     },
     auth: {
         sessionSecret: 'zaM7%#BjyZZ3A5zV@Mpt',
+        cookieSecure: false,
     },
     http: {
         requestLimit: '1mb',

registry/scripts/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+if [ "$DB_SEED" = 'true' ] && [ ! -f .seed ]; then
+  npm run seed
+  touch .seed
+fi
+
+exec "$@"

registry/server/app.ts

@@ -47,7 +47,7 @@ export default async (withAuth: boolean = true): Promise<Application> => {
             {
                 session: {
                     secret: config.get('auth.sessionSecret'),
-                    cookie: { httpOnly: true, secure: process.env.NODE_ENV === 'production' },
+                    cookie: { httpOnly: true, secure: config.get('auth.cookieSecure') },
                 },
             },
             getLogger(),