1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00
unleash.unleash/docs/securing-unleash.md

95 lines
3.5 KiB
Markdown
Raw Normal View History

---
id: securing_unleash
title: Securing Unleash
---
2019-03-05 09:26:34 +01:00
The Unleash API is split into two different paths: `/api/client` and `/api/admin`. This makes it easy to have different authentication strategy for the admin interface and the client-api used by the applications integrating with Unleash.
## General settings
2018-11-22 11:20:28 +01:00
2019-03-05 09:26:34 +01:00
Unleash uses an encrypted cookie to maintain a user session. This allows users to be logged in across multiple instances of Unleash. To protect this cookie, you should specify the `secret` option when starting Unleash.
## Securing the Admin API
2018-11-22 11:20:28 +01:00
2019-03-05 09:26:34 +01:00
To secure the Admin API, you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook. You should also set the secret option to a protected secret in your system.
```javascript
const unleash = require('unleash-server');
const myCustomAdminAuth = require('./auth-hook');
2018-11-22 11:20:28 +01:00
unleash
.start({
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
secret: 'super-duper-secret',
adminAuthentication: 'custom',
preRouterHook: myCustomAdminAuth,
})
.then(unleash => {
console.log(
`Unleash started on http://localhost:${unleash.app.get('port')}`,
);
});
```
2018-11-22 11:20:28 +01:00
Additionally, you can trigger the admin interface to prompt the user to sign in by configuring your middleware to return a `401` status on protected routes. The response body must contain a `message` and a `path` used to redirect the user to the proper login route.
```json
{
2018-11-22 11:20:28 +01:00
"message": "You must be logged in to use Unleash",
"path": "/custom/login"
}
```
2019-03-05 09:26:34 +01:00
Examples of custom authentication hooks:
2018-11-22 11:20:28 +01:00
- [google-auth-hook.js](https://github.com/Unleash/unleash/blob/master/examples/google-auth-hook.js)
- [basic-auth-hook.js](https://github.com/Unleash/unleash/blob/master/examples/basic-auth-hook.js)
2018-11-22 11:20:28 +01:00
We also have a version of Unleash deployed on Heroku which uses Google OAuth 2.0: https://secure-unleash.herokuapp.com
## Securing the Client API
2018-11-22 11:20:28 +01:00
2019-03-05 09:26:34 +01:00
A common way to support client access is to use pre-shared secrets. This can be solved by having clients send a shared key in an HTTP header with every client request to the Unleash API. All official Unleash clients should support this.
2019-03-05 09:26:34 +01:00
In the [Java client](https://github.com/Unleash/unleash-client-java#custom-http-headers) this would look like this:
```java
UnleashConfig unleashConfig = UnleashConfig.builder()
.appName("my-app")
.instanceId("my-instance-1")
.unleashAPI(unleashAPI)
.customHttpHeader("Authorization", "12312Random")
.build();
```
2019-03-05 09:26:34 +01:00
On the Unleash server side, you need to implement a preRouter hook which verifies that all calls to `/api/client` include this pre-shared key in the defined header. This could look something like this.
```javascript
const unleash = require('unleash-server');
const sharedSecret = '12312Random';
2018-11-22 11:20:28 +01:00
unleash
.start({
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
enableLegacyRoutes: false,
preRouterHook: app => {
app.use('/api/client', (req, res, next) => {
if (req.header('authorization') !== sharedSecret) {
2018-11-22 11:20:28 +01:00
res.sendStatus(401);
} else {
2018-11-22 11:20:28 +01:00
next();
}
});
2018-11-22 11:20:28 +01:00
},
})
.then(unleash => {
console.log(
`Unleash started on http://localhost:${unleash.app.get('port')}`,
);
});
```
[client-auth-unleash.js](https://github.com/Unleash/unleash/blob/master/examples/client-auth-unleash.js)
2019-03-05 09:26:34 +01:00
PS! Remember to disable legacy routes by setting the `enableLegacyRoutes` option to false. This will require all your clients to be on v3.x.