1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00
unleash.unleash/website/docs/using-unleash/deploy/securing-unleash.md
Drew Gorton b2b19e4970
Navigation refactor (#5227)
## About the changes
Refactor the main nav, with the following goals: 
* Communicate the value of each section vs the format (ex:
“Understanding Unleash” vs “Topic Guides”)
* Make space for the Feature Flag tutorials section that we’re starting
to build
* Scope updates to navigation and pages that need updates based on new
URLs & organization
* Update URLs to follow the new hierarchy without breaking links (adding
redirects & editing internal links between pages as needed)

### Important files
sidebar.js
docusaurus.config.js

## Discussion points
* Redirects can't be tested out of prod, which is a bummer :/
* Some URLs have been preserved untouched while we monitor for potential
negative SEO impact of client-side redirects
* It's a large PR (sorry). Nav changes and file movements impacted lots
of files.

---------

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
2023-10-31 09:38:03 -05:00

2.3 KiB

title
Securing Unleash

If you are still using Unleash v3 you need to follow the securing-unleash-v3

This guide is only relevant if you are using Unleash Open-Source. The Enterprise edition does already ship with multiple SSO options, such as SAML 2.0, OpenID Connect.

Unleash Open-Source v4 comes with username/password authentication out of the box. In addition Unleash v4 also comes with API token support, to make it easy to handle access tokens for Client SDKs and programmatic access to the Unleash APIs.

Password requirements

Unleash requires a strong password.

  • minimum 10 characters long
  • contains at least one uppercase letter
  • contains at least one number
  • contains at least one special character (symbol)

Implementing Custom Authentication

If you do not wish to use the built-in username/password authentication you can add a customAuthHandler

To secure the Admin API, you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook.

const unleash = require('unleash-server');
const myCustomAdminAuth = require('./auth-hook');

unleash
  .start({
    databaseUrl: 'postgres://unleash_user:password@localhost:5432/unleash',
    authentication: {
      type: 'custom',
      customAuthHandler: myCustomAdminAuth,
    },
  })
  .then((unleash) => {
    console.log(
      `Unleash started on http://localhost:${unleash.app.get('port')}`,
    );
  });

Additionally, you can trigger the admin interface to prompt the user to sign in by configuring your middleware to return a 401 status on protected routes. The response body must contain a message and a path used to redirect the user to the proper login route.

{
  "message": "You must be logged in to use Unleash",
  "path": "/custom/login"
}

Examples of custom authentication hooks: