diff --git a/docker/kratos/contrib/quickstart/.dockerignore b/docker/kratos/contrib/quickstart/.dockerignore new file mode 100644 index 0000000..f59ec20 --- /dev/null +++ b/docker/kratos/contrib/quickstart/.dockerignore @@ -0,0 +1 @@ +* \ No newline at end of file diff --git a/docker/kratos/contrib/quickstart/kratos/cloud/identity.schema.json b/docker/kratos/contrib/quickstart/kratos/cloud/identity.schema.json new file mode 100644 index 0000000..1a13787 --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/cloud/identity.schema.json @@ -0,0 +1,49 @@ +{ + "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 3, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + }, + "name": { + "type": "object", + "properties": { + "first": { + "title": "First Name", + "type": "string" + }, + "last": { + "title": "Last Name", + "type": "string" + } + } + } + }, + "required": [ + "email" + ], + "additionalProperties": false + } + } +} diff --git a/docker/kratos/contrib/quickstart/kratos/cloud/kratos.yml b/docker/kratos/contrib/quickstart/kratos/cloud/kratos.yml new file mode 100644 index 0000000..2f893c1 --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/cloud/kratos.yml 
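Review bot: The `$id` of this schema, `https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json`, is Ory's preset identifier and is reused verbatim by `email-password/identity.schema.json` and `oidc/identity.traits.schema.json` in this same commit, although the three documents are not identical. `$id` is meant to uniquely identify a schema document, and tooling that resolves references by `$id` cannot tell the three apart. Give each copy its own identifier (for this one something like `…/quickstart/cloud/identity.schema.json`) or drop the field, and since the `cloud` and `email-password` files are byte-identical, consider keeping one canonical schema and pointing both Kratos configs at it to avoid drift.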
@@ -0,0 +1,92 @@ +version: v0.8.0-alpha.3 + +dsn: memory + +serve: + public: + base_url: http://localhost:4433/ + cors: + enabled: true + allowed_origins: + - http://localhost:3000 + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + allowed_headers: + - Authorization + - Cookie + - Content-Type + exposed_headers: + - Content-Type + - Set-Cookie + admin: + base_url: http://kratos:4434/ + +selfservice: + # default_browser_return_url: http://localhost:4455/ui/welcome + default_browser_return_url: http://localhost:3000/ + allowed_return_urls: + - http://localhost:3000 + + methods: + password: + enabled: true + + flows: + error: + ui_url: http://localhost:3000/login + + settings: + ui_url: http://localhost:3000/settings + privileged_session_max_age: 15m + + recovery: + enabled: true + ui_url: http://localhost:3000/recovery + + verification: + enabled: true + ui_url: http://localhost:3000/verification + after: + default_browser_return_url: http://localhost:3000/ + + logout: + after: + default_browser_return_url: http://localhost:3000/login + + login: + ui_url: http://localhost:3000/login + + registration: + ui_url: http://localhost:3000/registration + after: + password: + hooks: + - + hook: session + +log: + level: info + format: text + +secrets: + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + +hashers: + algorithm: bcrypt + bcrypt: + cost: 8 + +identity: + default_schema_id: preset://email + schemas: + - id: preset://email + url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true diff --git a/docker/kratos/contrib/quickstart/kratos/cloud/quickstart.yml b/docker/kratos/contrib/quickstart/kratos/cloud/quickstart.yml new file mode 100644 index 0000000..d9e6e79 --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/cloud/quickstart.yml 
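Review bot: `secrets.cookie` is set to the literal placeholder `PLEASE-CHANGE-ME-I-AM-VERY-INSECURE`, and because this directory is bind-mounted into the container as the live config by `quickstart.yml` in this commit, the cookie signing key of any deployment started from it is public. Keep the value out of committed config and supply it at start-up (Kratos accepts environment overrides for config keys), leaving a comment here such as `# secrets.cookie is injected from the environment; never commit a real value`. Two further settings are only acceptable for a throwaway local setup and deserve an inline comment saying so: `courier.smtp.connection_uri` ends in `skip_ssl_verify=true`, which disables certificate validation on an `smtps://` connection, and `hashers.bcrypt.cost: 8` is lower than the cost Kratos documents as its default.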
@@ -0,0 +1,42 @@ +version: '3.7' + +services: + kratos: + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./contrib/quickstart/kratos/cloud + target: /etc/config/kratos + kratos-migrate: + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./contrib/quickstart/kratos/cloud + target: /etc/config/kratos + + # kratos-selfservice-ui-node: + # ports: + # - "4438:4438" + # environment: + # - PORT=4438 + # - KRATOS_BROWSER_URL=http://localhost:4455/ + + # kratos-caddy: + # image: caddy:2.4.5-alpine + # ports: + # - "4455:4455" + # volumes: + # - type: bind + # source: ./contrib/quickstart/kratos/cloud/Caddyfile + # target: /etc/caddy/Caddyfile + # command: caddy run -watch -config /etc/caddy/Caddyfile + # restart: on-failure + # networks: + # - intranet + diff --git a/docker/kratos/contrib/quickstart/kratos/email-password/identity.schema.json b/docker/kratos/contrib/quickstart/kratos/email-password/identity.schema.json new file mode 100644 index 0000000..1a13787 --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/email-password/identity.schema.json 
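Review bot: The second half of this override is commented-out service definitions (`kratos-selfservice-ui-node`, `kratos-caddy`) with no note on why they are kept, so it reads as dead configuration. Either delete them or put a one-line comment above the block, e.g. `# Optional: uncomment to front the quickstart with the Ory UI node behind Caddy on :4455`, so the next reader knows it is deliberate. This file also bind-mounts `./contrib/quickstart/kratos/cloud` over `/etc/config/kratos`, while the base `docker/kratos/kratos.yml` in this commit mounts `email-password` at the same target; presumably this is applied on top with a second `-f`, and a header comment stating that would make the intended precedence explicit.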
@@ -0,0 +1,49 @@ +{ + "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 3, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + }, + "name": { + "type": "object", + "properties": { + "first": { + "title": "First Name", + "type": "string" + }, + "last": { + "title": "Last Name", + "type": "string" + } + } + } + }, + "required": [ + "email" + ], + "additionalProperties": false + } + } +} diff --git a/docker/kratos/contrib/quickstart/kratos/email-password/kratos.yml b/docker/kratos/contrib/quickstart/kratos/email-password/kratos.yml new file mode 100644 index 0000000..127d757 --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/email-password/kratos.yml 
@@ -0,0 +1,84 @@ +version: v0.7.1-alpha.1 + +dsn: memory + +serve: + public: + base_url: http://127.0.0.1:4433/ + cors: + enabled: true + admin: + base_url: http://kratos:4434/ + +selfservice: + default_browser_return_url: http://127.0.0.1:4455/ + allowed_return_urls: + - http://127.0.0.1:4455 + + methods: + password: + enabled: true + + flows: + error: + ui_url: http://127.0.0.1:4455/error + + settings: + ui_url: http://127.0.0.1:4455/settings + privileged_session_max_age: 15m + + recovery: + enabled: true + ui_url: http://127.0.0.1:4455/recovery + + verification: + enabled: true + ui_url: http://127.0.0.1:4455/verification + after: + default_browser_return_url: http://127.0.0.1:4455/ + + logout: + after: + default_browser_return_url: http://127.0.0.1:4455/login + + login: + ui_url: http://127.0.0.1:4455/login + lifespan: 10m + + registration: + lifespan: 10m + ui_url: http://127.0.0.1:4455/registration + after: + password: + hooks: + - + hook: session + +log: + level: debug + format: text + leak_sensitive_values: true + +secrets: + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + cipher: + - 32-LONG-SECRET-NOT-SECURE-AT-ALL + +ciphers: + algorithm: xchacha20-poly1305 + +hashers: + algorithm: bcrypt + bcrypt: + cost: 8 + +identity: + default_schema_id: default + schemas: + - id: default + url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true diff --git a/docker/kratos/contrib/quickstart/kratos/oidc/identity.traits.schema.json b/docker/kratos/contrib/quickstart/kratos/oidc/identity.traits.schema.json new file mode 100644 index 0000000..8de397b --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/oidc/identity.traits.schema.json 
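Review bot: `log.leak_sensitive_values: true` is enabled in the config that `docker/kratos/kratos.yml` in this commit actually mounts, and together with `level: debug` here (and `LOG_LEVEL=trace` in the compose file) it writes values Kratos otherwise redacts, such as cookie values and URL parameters carrying flow and recovery tokens, into the container logs. Unless this directory is strictly for local throwaway use, set `leak_sensitive_values: false` and add a comment explaining the trade-off. The file also commits placeholder `secrets.cookie` and `secrets.cipher` values and `skip_ssl_verify=true` on the courier URI, the same issues raised on the `cloud` variant. Separately, `version: v0.7.1-alpha.1` does not match the `oryd/kratos:v0.10.1` image the compose file runs; as far as I know Kratos warns on that mismatch and option names changed between those releases, so bump it or comment why it is pinned.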
@@ -0,0 +1,40 @@ +{ + "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 3, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + }, + "website": { + "type": "object" + } + }, + "required": [ + "website", + "email" + ], + "additionalProperties": false + } + } +} diff --git a/docker/kratos/contrib/quickstart/kratos/oidc/oidc.github.jsonnet b/docker/kratos/contrib/quickstart/kratos/oidc/oidc.github.jsonnet new file mode 100644 index 0000000..06b92bf --- /dev/null +++ b/docker/kratos/contrib/quickstart/kratos/oidc/oidc.github.jsonnet @@ -0,0 +1,17 @@ +local claims = { + email_verified: false +} + std.extVar('claims'); + +{ + identity: { + traits: { + // Allowing unverified email addresses enables account + // enumeration attacks, especially if the value is used for + // e.g. verification or as a password login identifier. + // + // Therefore we only return the email if it (a) exists and (b) is marked verified + // by GitHub. + [if "email" in claims && claims.email_verified then "email" else null]: claims.email, + }, + }, +} diff --git a/docker/kratos/contrib/quickstart/oathkeeper/access-rules.yml b/docker/kratos/contrib/quickstart/oathkeeper/access-rules.yml new file mode 100644 index 0000000..0c30065 --- /dev/null +++ b/docker/kratos/contrib/quickstart/oathkeeper/access-rules.yml 
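Review bot: `traits.website` is declared `"type": "object"` with no `properties`, yet it is listed in `required`, so every OIDC registration must supply an object-valued trait that the self-service form has nothing to render for; this looks like a copy error from Ory's example, which uses a string URI. Change it to `"website": { "type": "string", "format": "uri", "title": "Website" }` or drop it from `required`. The mapper in `oidc.github.jsonnet` only ever sets `email`, so with the current schema the GitHub flow will presumably always fall back to the manual registration form and never complete in one step.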
@@ -0,0 +1,60 @@ +- + id: "ory:kratos:public" + upstream: + preserve_host: true + url: "http://kratos:4433" + strip_path: /.ory/kratos/public + match: + url: "http://127.0.0.1:4455/.ory/kratos/public/<**>" + methods: + - GET + - POST + - PUT + - DELETE + - PATCH + authenticators: + - + handler: noop + authorizer: + handler: allow + mutators: + - handler: noop + +- + id: "ory:kratos-selfservice-ui-node:anonymous" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://127.0.0.1:4455/<{registration,welcome,recovery,verification,login,error,**.css,**.js,**.png,}>" + methods: + - GET + authenticators: + - + handler: anonymous + authorizer: + handler: allow + mutators: + - + handler: noop + +- + id: "ory:kratos-selfservice-ui-node:protected" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://127.0.0.1:4455/<{debug,dashboard,settings}>" + methods: + - GET + authenticators: + - + handler: cookie_session + authorizer: + handler: allow + mutators: + - handler: id_token + errors: + - handler: redirect + config: + to: http://127.0.0.1:4455/login diff --git a/docker/kratos/contrib/quickstart/oathkeeper/id_token.jwks.json b/docker/kratos/contrib/quickstart/oathkeeper/id_token.jwks.json new file mode 100644 index 0000000..5bc1ec1 --- /dev/null +++ b/docker/kratos/contrib/quickstart/oathkeeper/id_token.jwks.json 
@@ -0,0 +1,18 @@ +{ + "keys": [ + { + "use": "sig", + "kty": "RSA", + "kid": "a2aa9739-d753-4a0d-87ee-61f101050277", + "alg": "RS256", + "n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw", + "e": "AQAB", + "d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ", + "p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs", + "q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk", + "dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM", + "dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk", + "qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q" + } + ] +} diff --git a/docker/kratos/contrib/quickstart/oathkeeper/oathkeeper.yml b/docker/kratos/contrib/quickstart/oathkeeper/oathkeeper.yml new file mode 100644 index 0000000..ff8ec39 --- /dev/null 
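Review bot: This JWKS contains the full private RSA key (`d`, `p`, `q`, `dp`, `dq`, `qi`), and the `kid` suggests it is the demo key shipped with Ory's public quickstart, so any deployment that keeps it is trusting id_tokens that anyone holding that public repository can produce. Generate a fresh key per deployment and keep the private part out of git: the `id_token` mutator's `jwks_url` in `oathkeeper.yml` already takes a `file://` path, so the key can be mounted at runtime and the path listed in `.gitignore`. Since JSON has no comment syntax, mark the risk next to `jwks_url` in `oathkeeper.yml` instead, e.g. `# demo signing key from the quickstart; replace before any non-local use`.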
+++ b/docker/kratos/contrib/quickstart/oathkeeper/oathkeeper.yml @@ -0,0 +1,88 @@ +log: + level: debug + format: json + +serve: + proxy: + cors: + enabled: true + allowed_origins: + - "*" + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + allowed_headers: + - Authorization + - Content-Type + exposed_headers: + - Content-Type + allow_credentials: true + debug: true + +errors: + fallback: + - json + + handlers: + redirect: + enabled: true + config: + to: http://127.0.0.1:4455/login + when: + - + error: + - unauthorized + - forbidden + request: + header: + accept: + - text/html + json: + enabled: true + config: + verbose: true + +access_rules: + matching_strategy: glob + repositories: + - file:///etc/config/oathkeeper/access-rules.yml + +authenticators: + anonymous: + enabled: true + config: + subject: guest + + cookie_session: + enabled: true + config: + check_session_url: http://kratos:4433/sessions/whoami + preserve_path: true + extra_from: "@this" + subject_from: "identity.id" + only: + - ory_kratos_session + + noop: + enabled: true + +authorizers: + allow: + enabled: true + +mutators: + noop: + enabled: true + + id_token: + enabled: true + config: + issuer_url: http://127.0.0.1:4455/ + jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json + claims: | + { + "session": {{ .Extra | toJson }} + } diff --git a/docker/kratos/kratos.yml b/docker/kratos/kratos.yml new file mode 100644 index 0000000..cd7b925 --- /dev/null +++ b/docker/kratos/kratos.yml 
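Review bot: `serve.proxy.cors` combines `allowed_origins: ["*"]` with `allow_credentials: true`; browsers refuse credentialed responses whose `Access-Control-Allow-Origin` is the literal `*`, so either the cookie-based calls from the UI fail, or, if the CORS layer reflects the request origin for `*`, any site can make credentialed requests through the proxy. Restrict the list to the real UI origins (`http://127.0.0.1:4455` here, `http://localhost:3000` for the Svelte frontend), as the Kratos configs in this commit already do. `debug: true` and `log.level: debug` also belong behind a comment marking them as local-only.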
@@ -0,0 +1,61 @@ +version: '3.7' +services: + kratos-migrate: + image: oryd/kratos:v0.10.1 + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./contrib/quickstart/kratos/email-password + target: /etc/config/kratos + command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes + restart: on-failure + networks: + - intranet + # kratos-selfservice-ui-node: + # image: oryd/kratos-selfservice-ui-node:v0.10.1 + # environment: + # - KRATOS_PUBLIC_URL=http://kratos:4433/ + # - KRATOS_BROWSER_URL=http://127.0.0.1:4433/ + # networks: + # - intranet + # restart: on-failure + kratos: + depends_on: + - kratos-migrate + image: oryd/kratos:v0.10.1 + ports: + - '4433:4433' # public + - '4434:4434' # admin + restart: unless-stopped + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true + - LOG_LEVEL=trace + command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./contrib/quickstart/kratos/email-password + target: /etc/config/kratos + networks: + - intranet + # mailslurper: + # image: oryd/mailslurper:latest-smtps + # ports: + # - '4436:4436' + # - '4437:4437' + # networks: + # - intranet + +networks: + intranet: + +volumes: + kratos-sqlite: diff --git a/frontend/.gitignore b/frontend/.gitignore index 3c3629e..b725104 100644 --- a/frontend/.gitignore +++ b/frontend/.gitignore @@ -1 +1,2 @@ node_modules +.svelte-kit diff --git a/frontend/src/routes/registration/+page.svelte b/frontend/src/routes/registration/+page.svelte index e6b3676..94300ef 100644 --- a/frontend/src/routes/registration/+page.svelte +++ b/frontend/src/routes/registration/+page.svelte 
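Review bot: The `kratos` service publishes the admin API with `'4434:4434'`, which binds it on every host interface; the admin API has no built-in authentication, so on a shared network it is reachable by anyone who can reach the machine. Bind it to loopback, `- '127.0.0.1:4434:4434' # admin, loopback only`, unless another service on the host must reach it. The config this file mounts (`contrib/quickstart/kratos/email-password`) points the courier at `mailslurper:1025` and every UI URL at `127.0.0.1:4455`, but `mailslurper` is commented out here and nothing in this compose file publishes 4455, so recovery/verification mail and the browser redirects presumably dead-end; either restore those services or adjust the config. `LOG_LEVEL=trace` and the `--dev` flag are also worth an inline comment marking them as local-only.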
@@ -7,10 +7,12 @@ import Messages from "$lib/components/kratos/messages.svelte"; const flowId = getFlowId($page.url.search); + console.log(browser, flowId); if (browser && !flowId) window.location.href = `${KRATOS}/self-service/registration/browser`; const pr = getDataModels("registration", flowId); + console.log(pr); diff --git a/frontend/tmux.bash b/frontend/tmux.bash index 64c851e..4847988 100755 --- a/frontend/tmux.bash +++ b/frontend/tmux.bash @@ -15,7 +15,7 @@ then # Create and setup pane for running the backend # tmux send-keys -t 'Main' 'bash' C-m 'clear' C-m 'cd backend && go build -o backend . && ./backend' C-m - tmux send-keys -t 'src' 'cd src && npm run dev' C-m + tmux send-keys -t 'src' 'cd src && npm run dev -- --host --port 3000' C-m # Create an horizontal pane for terminal commands tmux split-window -vf -l 1
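Review bot: The two added `console.log` calls, `console.log(browser, flowId)` and `console.log(pr)`, look like leftover debugging; `flowId` comes from the query string and `pr` resolves to the registration flow's data models, so both end up in the browser console of every visitor. Remove them, or if a trace is wanted keep it dev-only, e.g. `if (import.meta.env.DEV) console.debug(browser, flowId);`, which Vite evaluates at build time. The enclosing `<script>` block starts outside the hunk.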
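Review bot: `npm run dev -- --host --port 3000` passes `--host` with no address to the Vite dev server, which makes it listen on all network interfaces instead of localhost, so the dev server (with HMR and source maps) becomes reachable from the LAN. If that is intended, say so on the line above, e.g. `# --host exposes the dev server on all interfaces so containers can reach it`; if only a specific interface is needed, pass that address explicitly, or drop `--host` to keep the loopback default. The enclosing `if` block starts outside the hunk.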