Merge pull request #20 from MaddyGuthridge/maddy-private-data-dir

Move private data to separate volume and modify firstrun workflow

Author: MaddyGuthridge

.env.example

@@ -1,4 +1,4 @@
-HOST=localhost           # the hostname to use
-PORT=5096                # the port number to use
-DATA_REPO_PATH="./data"  # the path to the data repository
-AUTH_SECRET="CHANGE ME"  # the secret key to validate tokens
+HOST=localhost                      # the hostname to use
+PORT=5096                           # the port number to use
+DATA_REPO_PATH="./data"             # the path to the data volume
+PRIVATE_DATA_PATH="./private_data"  # the path to the private data volume

.gitignore

@@ -6,6 +6,8 @@
 
 # Data directory
 /data/
+# Private data directory
+/private_data/
 
 # Server logs
 *.log

.vscode/settings.json

@@ -2,6 +2,7 @@
     "cSpell.words": [
         "Asciinema",
         "firstrun",
+        "Minifolio",
         "superstruct"
     ]
 }

docs/Files.md

@@ -0,0 +1,31 @@
+# File locations in Minifolio
+
+## Data directory
+
+Determined using environment variable `DATA_REPO_PATH`.
+
+Main portfolio data. Should be backed up using a `git` repo.
+
+### `config.json`
+
+Main site configuration.
+
+## Private data directory
+
+Determined using environment variable `PRIVATE_DATA_PATH`.
+
+Contains private data, including credentials and authentication secrets.
+
+### `config.local.json`
+
+Contains the local configuration of the server, including credentials and token
+info.
+
+### `id_ed25519`, `id_ed25519.pub`
+
+SSH key used by the server. These are used to perform git operations over SSH.
+
+### `auth.secret`
+
+Contains the authentication secret used by the server. This is used to validate
+JWTs.

package-lock.json

@@ -1,6 +1,6 @@
 {
 	"name": "minifolio",
-	"version": "0.5.0",
+	"version": "0.6.0",
 	"private": true,
 	"license": "GPL-3.0-only",
 	"scripts": {

package.json

@@ -27,7 +27,7 @@ export default function auth(token: string | undefined) {
       'POST',
       '/api/admin/auth/logout',
       token,
-    )) as Promise<{ token: string }>;
+    ));
   };
 
   /**
@@ -66,12 +66,12 @@ export default function auth(token: string | undefined) {
    * @param token The auth token
    * @param password The password to the admin account
    */
-  const disable = async (password: string) => {
+  const disable = async (username: string, password: string) => {
     return json(apiFetch(
       'POST',
       '/api/admin/auth/disable',
       token,
-      { password }
+      { username, password }
     )) as Promise<Record<string, never>>;
   };
 

src/endpoints/admin/auth.ts

@@ -1,5 +1,4 @@
 /** Git repository endpoints */
-import type { FirstRunCredentials } from '$lib/server/auth';
 import { apiFetch, json } from '../fetch';
 
 /**
@@ -9,13 +8,15 @@ import { apiFetch, json } from '../fetch';
  * @param branch The branch to check-out
  */
 export default async function (
-  repoUrl: string | null,
-  branch: string | null,
+  username: string,
+  password: string,
+  repoUrl?: string | undefined,
+  branch?: string | undefined,
 ) {
   return json(apiFetch(
     'POST',
     '/api/admin/firstrun',
     undefined,
-    { repoUrl, branch },
-  )) as Promise<{ credentials: FirstRunCredentials, firstTime: boolean }>;
+    { username, password, repoUrl, branch },
+  )) as Promise<{ token: string, firstTime: boolean }>;
 }

src/endpoints/admin/firstrun.ts

@@ -131,7 +131,7 @@ export async function json(response: Promise<Response>): Promise<object> {
   }
 
   if ([400, 401, 403].includes(res.status)) {
-    // All 400 and 403 errors have an error message
+    // All 400, 401 and 403 errors have an error message
     const message = (json as { message: string }).message;
     throw new ApiError(res.status, message);
   }

src/endpoints/fetch.ts

@@ -0,0 +1,14 @@
+/**
+ * Minifolio Auth
+ *
+ * Code for performing authorization in Minifolio.
+ *
+ * If you discover a security vulnerability, please disclose it responsibly.
+ */
+export { validateCredentials } from './passwords';
+export {
+  generateToken,
+  validateTokenFromRequest,
+  isRequestAuthorized,
+  redirectOnInvalidToken,
+} from './tokens';