-
Notifications
You must be signed in to change notification settings - Fork 24
Step by step: Install lxHive and setup authentication for your app
This tutorial goes through the installation and app authorization of lxHive (0.9.x).
This tutorial uses the domain mylxhive.com and the email admin@mylxhive.com as examples. You should replace any occurrences of these with your own site name and email.
- Ubuntu server 16.04
- Apache 2
- PHP >= 5.4
- Mongo 3.x
- PHP Mongo
- Git
- PHP Composer
- administrator/root/sudo access/permissions
Browse to your htdocs directory
$ cd /home/lrs/www/Clone repository from the web
$ git clone https://github.com/g3i/lxHive.gitMove into the cloned lxhive app root directory
$ cd lxHiveInstall dependencies with composer
$ composer installCreate an apache conf file.
$ sudo nano /etc/apache2/sites-available/mylxhive.com.confPopulate the file with the following contents and then save. Remember to change the ServerAdmin and ServerName fields.
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin admin@mylxhive.com
ServerName mylxhive.com
DocumentRoot /home/lrs/www/lxHive/public
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/lrs/www/lxHive/public>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /home/lrs/www/logs/error.log
CustomLog /home/lrs/www/logs/access.log combined
</VirtualHost>
Enable the configuration
sudo a2ensite mylxhive.com.conf
Reload Apache to apply changes
$ sudo service apache2 reloadEdit your system's map of hostnames to IP addresses
$ sudo nano /etc/hostsAdd your domain and save
127.0.0.1 mylxhive.com
$ ping mylxhive.com
# should return something like this
PING mylxhive.com (xx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from mylxhive.com (xx.xxx.xxx.xxx): icmp_seq=1 ttl=54 time=10.3 ms
64 bytes from mylxhive.com (xx.xxx.xxx.xxx) icmp_seq=2 ttl=54 time=8.17 ms
...
- Note: Some environments might block
pingrequests. - Note: There is NO root endpoint (
/), requests tohttp:(s)://mylxhive.com/will always return404 Not Found
Move into lxhive app root directory
$ cd /home/lrs/www/lxHiveExamine the xApi Config file
$ cat ./src/xAPI/Config/Config.ymlFind the filesystem settings
...
filesystem:
exposed_url: /attachments
in_use: local
local: { root_dir: '%app.root%/storage/files' }
...
filestsystem.local defines the storage location relative to the lxhive app root.
Manually create these folders (This will be automated in future releases)
# verify if we are still in app root
$ pwd
/home/lrs/www/lxHive
# create folder /home/lrs/www/lxHive/storage/files and /home/lrs/www/lxHive/storage/logs
$ mkdir -p ./storage/files
$ mkdir -p ./storage/logs
The storage folder and it's subfolders require read/write/create permissions for your server. There are multiple approaches, depending on your server configuration and your privacy policy.
This is just one way to do it.
#set ownership (recursively) to Apache user (Apache2/Ubuntu)
$ sudo chown -R www-data:www-data ./storageThe ./X terminal is your tool for administrating your LRS.
Move into lxhive app root directory
$ cd /home/lrs/www/lxHiveStart the X client
$ ./X
# outputs a list of all available ./X commandsRead briefly through the command options the .X client offers. We will use some in the next steps.
Create/register your lxHive data storage. This requires two steps:
$ ./X setup:dbThis triggers a series of prompts:
- Define name of your lxHive instance (required)
- Define the name of your database (required)
- Define the uri of your database (optional:
enterfor default)
$ ./X setup:db
Welcome to the setup of lxHive!
Enter a name for this lxHive instance: sandbox
Enter the URI of your MongoDB installation (default: "mongodb://127.0.0.1"):
Connection successful, MongoDB version 2.6.11.
Enter the name of your MongoDB database (default: "lxHive"): mylxhive
DB setup complete!
$ ./X setup:oauth
Setting up default OAuth scopes...
OAuth scopes configured!At this stage your Mongo database has been created and populated with the default authentication scopes
At this stage you might want to check the database
Start Mongo terminal, select your new lxhive database and show collections
$ mongo
MongoDB shell version: 3.0.12
> use mylxhive
switched to db mylxhive
> show collections
authScopes
system.indexesNot much going on there yet... More collections will be added in later steps
Create your first user. This should be an administrative user with super permissions
$ ./X user:createThis starts a prompt sequence:
- Enter user email (required) . This email will be used later to map users to authentication tokens
- Enter password (required)
- Select permissions: As we are creating the admin user we select super (
0).
$ ./X user:create
Please enter an e-mail: admin@mylxhive.com
Please enter a password: *******
Please select which permissions you would like to enable (defaults to super). Separate multiple values with commas (without spaces). If you select super, all other permissions are also inherited:
[0] super
[1] statements/write
[2] statements/read
[3] statements/read/mine
[4] attachments
[5] state
[6] profile
[7] define
[8] all/read
[9] all
> 0 #super user
User successfully created!
Info:
{
"email": "admin@mylxhive.com",
"passwordHash": "b762ad8a5f1e24ed836c84b9dca8bf5f6b27d6e6",
"permissionIds": [
{
"$id": "57da0fa36bbbacd35d8b4567"
}
],
"_id": {
"$id": "57da10036bbbacdc5d8b4567"
}
}Note: When we create users for our applications then we need to select the permissions more careful. See the xAPI specs for definition of the scopes
At this point your LRS is operational! You can test this by calling the /about endpoint.
Either open a browser and go to http://mylxhive.com/about or enter the following in your terminal:
$ curl http://mylxhive.com/about`
{"version":["1.0.2"]}The about endpoint is public and returns some JSON information about your LRS
- Note: The
/aboutis the ONLY public resource available on lxHive - Note: There is NO root endpoint (
/), requests tohttp:(s)://mylxhive.com/will always return404 Not Found
In order to connect your application to your LRS you need to authenticate it with lxHvive.
We currently support 3 (or more correctly: 2 1/2) authentication methods.
- HTTP Basic Authentication: MACHINE-to-LRS
- oAuth2 (three-legged): HUMAN-to-LRS
- Temporary Access Token: MACHINE/HUMAN-to-LRS
The temporary access token is a more secure way to perform HTTP Basic Authentication without leaking your password/secret. See our Wiki for more info.
Move into lxhive app root directory.
$ cd /home/lrs/www/lxHiveStart the ./X terminal and run the command
./X auth:basic:createThis starts a prompt sequence:
- Enter name (required)
- Enter description (required)
- enter expire date for token (optional, skip with
enterkey) - Associate the user connected to this token via a registered user email See (step 1.6)
- Define the scope for this application. This is a sub-scope of the user scope you assigned in step 1.6
$ ./X auth:basic:create
Please enter a name: testaccount
Please enter a description: test account
Please enter the expiration timestamp for the token (blank == indefinite):
Please enter enter the e-mail of the associated user: admin@mylxhive.com
Please select which scopes you would like to enable (defaults to super). Separate multiple values with commas (without spaces). If you select super, all other permissions are also inherited:
[0] super
[1] statements/write
[2] statements/read
[3] statements/read/mine
[4] attachments
[5] state
[6] profile
[7] define
[8] all/read
[9] all
> 9
Basic token successfully created!
Info:
{
"userId": {
"$id": "57da10036bbbacdc5d8b4567"
},
"key": "mGrId54hISqgS1Jb38TvckCw5uqKLhsSCygAYi0f",
"secret": "weFj5IOneZx7O3r3Y4jODuD8elGQMczjGqCXve5j",
"expiresAt": null,
"createdAt": {
"sec": 1473909116,
"usec": 0
},
"name": "testaccount",
"description": "test account",
"scopeIds": [
{
"$id": "57da0fa36bbbacd35d8b4570"
}
],
"_id": {
"$id": "57da117c6bbbac2d5e8b4567"
}
}
Use key and secret in your app for any request to lxHive (HTTP BASIC authentication header)
Pseudo code:
headers[] = 'Authorization: ' + base64encode(<key>:<secret>);
A node.js http example.
var http = require('http');
var base64 = new Buffer('mGrId54hISqgS1Jb38TvckCw5uqKLhsSCygAYi0f' + ':' + 'weFj5IOneZx7O3r3Y4jODuD8elGQMczjGqCXve5j').toString('base64');
var options = {
host: 'www.mylrs.com',
path: '/statements',
method: 'GET',
headers: {
'Authorization': 'Basic ' + base64,
'X-Experience-API-Version': '1.0.2'
}
};
http.get(options, function(response) {
var body = '';
response.on('data', function(d) {
body += d;
});
response.on('end', function() {
// Data complete, now trigger your callback
});
});
lxHive oAuth2 is a browser based login. In short: Your app forwards the user to a login page on your LRS. After successfully logging in the user gets redirected back to your app. A more detailed explanation can be found in the following resources:
- https://aaronparecki.com/2012/07/29/2/oauth2-simplified#browser-based-apps
- https://tools.ietf.org/html/rfc6749#section-4.1
We are going to set up an oAuth2 token access client on lxHive.
Move into lxhive app root directory.
$ cd /home/lrs/www/lxHiveStart the ./X terminal and run the command
./X oauth:client:createThis starts a prompt sequence:
- Enter name (required)
- Enter description (required)
- Enter the redirect URI: This is the (absolute) Url of your app. Your user will get redirected to this url after a successful login.
$ ./X oauth:client:create
Please enter a name: tester
Please enter a description: test account
Please enter a redirect URI: http://my-app.com/app/ #example url
OAuth client successfully created!
Info:
{
"clientId": "ZhAOj7Rizs9hGFEN055xhkwt2yi5VgC00NRDeMUg",
"secret": "RbSnTJ0XdyuoOyaH5lC9BpLbAxw8aBld7KnwJ3nK",
"description": "test account",
"name": "tester",
"redirectUri": "http:\/\/my-app.com\/app\/",
"_id": {
"$id": "57da23386bbbacd7618b4567"
}
}