mirror of
https://github.com/Unleash/unleash.git
synced 2024-12-22 19:07:54 +01:00
d5fbd0b743
## What This (admittedly massive) PR updates the "physical" documentation structure and fixes url inconsistencies and SEO problems reported by marketing. The main points are: - remove or move directories : advanced, user_guide, deploy, api - move the files contained within to the appropriate one of topics, how-to, tutorials, or reference - update internal doc links and product links to the content - create client-side redirects for all the urls that have changed. A number of the files have been renamed in small ways to better match their url and to make them easier to find. Additionally, the top-level api directory has been moved to /reference/api/legacy/unleash (see the discussion points section for more on this). ## Why When moving our doc structure to diataxis a while back, we left the "physical' files lying where they were, because it didn't matter much to the new structure. However, that did introduce some inconsistencies with where you place docs and how we organize them. There's also the discrepancies in whether urls us underscores or hyphens (which isn't necessarily the same as their file name), which has been annoying me for a while, but now has also been raised by marketing as an issue in terms of SEO. ## Discussion points The old, hand-written API docs have been moved from /api to /reference/api/legacy/unleash. There _is_ a /reference/api/unleash directory, but this is being populated by the OpenAPI plugin, and mixing those could only cause trouble. However, I'm unsure about putting /legacy/ in the title, because the API isn't legacy, the docs are. Maybe we could use another path? Like /old-docs/ or something? I'd appreciate some input on this.
91 lines
3.7 KiB
Markdown
91 lines
3.7 KiB
Markdown
---
|
|
title: Securing Unleash v3
|
|
---
|
|
|
|
> This guide is only relevant if you are using Unleash Open-Source. The Enterprise edition does already ship with a secure setup and multiple SSO options.
|
|
|
|
The Unleash API is split into two different paths: `/api/client` and `/api/admin`. This makes it easy to have different authentication strategy for the admin interface and the client-api used by the applications integrating with Unleash.
|
|
|
|
## General settings {#general-settings}
|
|
|
|
Unleash uses an encrypted cookie to maintain a user session. This allows users to be logged in across multiple instances of Unleash. To protect this cookie, Unleash will automatically generate a secure token the first time you start Unleash.
|
|
|
|
## Securing the Admin API {#securing-the-admin-api}
|
|
|
|
To secure the Admin API, you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook.
|
|
|
|
```javascript
|
|
const unleash = require('unleash-server');
|
|
const myCustomAdminAuth = require('./auth-hook');
|
|
|
|
unleash
|
|
.start({
|
|
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
|
|
adminAuthentication: 'custom',
|
|
preRouterHook: myCustomAdminAuth,
|
|
})
|
|
.then((unleash) => {
|
|
console.log(
|
|
`Unleash started on http://localhost:${unleash.app.get('port')}`,
|
|
);
|
|
});
|
|
```
|
|
|
|
Additionally, you can trigger the admin interface to prompt the user to sign in by configuring your middleware to return a `401` status on protected routes. The response body must contain a `message` and a `path` used to redirect the user to the proper login route.
|
|
|
|
```json
|
|
{
|
|
"message": "You must be logged in to use Unleash",
|
|
"path": "/custom/login"
|
|
}
|
|
```
|
|
|
|
Examples of custom authentication hooks:
|
|
|
|
- [google-auth-hook.js](https://github.com/Unleash/unleash-examples/blob/7ed25f97a31dfd8f773c00847080b1a4c889fd87/v3/securing-google-auth/google-auth-hook.js)
|
|
- [basic-auth-hook.js](https://github.com/Unleash/unleash-examples/blob/7ed25f97a31dfd8f773c00847080b1a4c889fd87/v3/securing-basic-auth/basic-auth-hook.js)
|
|
- [keycloak-auth-hook.js](https://github.com/Unleash/unleash-examples/blob/7ed25f97a31dfd8f773c00847080b1a4c889fd87/v3/securing-keycloak-auth/keycloak-auth-hook.js)
|
|
|
|
## Securing the Client API {#securing-the-client-api}
|
|
|
|
A common way to support client access is to use pre-shared secrets. This can be solved by having clients send a shared key in an HTTP header with every client request to the Unleash API. All official Unleash clients should support this.
|
|
|
|
In the [Java client](https://github.com/Unleash/unleash-client-java#custom-http-headers) this would look like this:
|
|
|
|
```java
|
|
UnleashConfig unleashConfig = UnleashConfig.builder()
|
|
.appName("my-app")
|
|
.instanceId("my-instance-1")
|
|
.unleashAPI(unleashAPI)
|
|
.customHttpHeader("Authorization", "12312Random")
|
|
.build();
|
|
```
|
|
|
|
On the Unleash server side, you need to implement a preRouter hook which verifies that all calls to `/api/client` include this pre-shared key in the defined header. This could look something like this.
|
|
|
|
```javascript
|
|
const unleash = require('unleash-server');
|
|
const sharedSecret = '12312Random';
|
|
|
|
unleash
|
|
.start({
|
|
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
|
|
preRouterHook: (app) => {
|
|
app.use('/api/client', (req, res, next) => {
|
|
if (req.header('authorization') !== sharedSecret) {
|
|
res.sendStatus(401);
|
|
} else {
|
|
next();
|
|
}
|
|
});
|
|
},
|
|
})
|
|
.then((unleash) => {
|
|
console.log(
|
|
`Unleash started on http://localhost:${unleash.app.get('port')}`,
|
|
);
|
|
});
|
|
```
|
|
|
|
[client-auth-unleash.js](https://github.com/Unleash/unleash-examples/blob/7ed25f97a31dfd8f773c00847080b1a4c889fd87/v3/securing-client-auth/index.js)
|