feat!: securing the Admin UI

localenv/README.md

@@ -8,6 +8,8 @@ These packages include:
 - `auth` (GNAP auth server)
 - `mock-account-servicing-entity` (mocks an [Account Servicing Entity](https://rafiki.dev/concepts/account-servicing-entity/)
 - `frontend` (Remix app to expose a UI for Rafiki Admin management via interaction with the `backend` Admin APIs)
+- `kratos` (An identity and user management solution for the `frontend`)
+- `mailslurper` (A SMTP mail server to catch account recovery emails)
 
 These packages depend on the following databases:
 
@@ -31,26 +33,34 @@ This environment will set up a playground where you can use the Rafiki Admin API
 
 (c) Open Payments API - accessible at http://localhost:3000
 
-(d) Admin UI - accessible at http://localhost:3010
+(d) Auth Admin API - accessible at http://localhost:3003/graphql
 
-(e) Auth Admin API - accessible at http://localhost:3003/graphql
+(e) Open Payments Auth API - accessible at http://localhost:3006
 
-(f) Open Payments Auth API - accessible at http://localhost:3006
+(f) Admin UI - accessible at http://localhost:3010
 
-#### Happy Life Bank
+(g) Kratos API - accessible at http://localhost:4433
 
-(g) User Interface - accessible at http://localhost:3031
+#### Happy Life Bank
 
-(h) Admin API - accessible at http://localhost:4001/graphql
+(h) User Interface - accessible at http://localhost:3031
 
-(i) Open Payments API - accessible at http://localhost:4000
+(i) Admin API - accessible at http://localhost:4001/graphql
 
-(j) Admin UI - accessible at http://localhost:4010
+(j) Open Payments API - accessible at http://localhost:4000
 
 (k) Auth Admin API - accessible at http://localhost:4003/graphql
 
 (l) Open Payments Auth API - accessible at http://localhost:4006
 
+(m) Admin UI - accessible at http://localhost:4010
+
+(n) Kratos API - accessible at http://localhost:4432
+
+#### Mail Slurper
+
+(o) Mail UI - accessible at http://localhost:4436
+
 #### Database
 
 Postgres Server - accessible at http://localhost:5432
@@ -186,6 +196,14 @@ Note that you have to go through an interaction flow by clicking on the `redirec
 
 In order to manage, and view information about the Rafiki instance(s) using a UI, you can navigate to [`localhost:3010`](http://localhost:3010) (Cloud Nine Wallet) or [`localhost:4010`](http://localhost:4010) (Happy Life Bank). This is the `frontend` project which runs a Remix app for querying info and executing mutations against the Rafiki [Admin APIs](#admin-apis).
 
+We have secured access to the Admin UI using [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro), a secure and fully open-source identity and user management solution. Check it out on [GitHub](https://github.com/ory/kratos). Since access to the UI is on an invitation-only basis the registration flow is not publicly available. As such, in order to access the Admin UI you can click the registration link provided in the logs during `localenv` startup or you can manually add a new user with the invite-user script. Run `docker exec -it <admin-container-name> npm run invite-user -- example@mail.com` and it will output recovery link to the terminal. The recovery link doubles as the invitation method. Copy and paste this link in your browser and you will automatically be logged in and directed to the account settings page. The next step is changing your password. We're using a simple email and password authentication method.
+
+There is a password recovery flow. On the login page if you clkick the `forgot password` link and enter an email for a registered user then you can open [Mail Slurper](http://localhost:4436) to access the recovery link for your account.
+
+We've also included a script to remove users: `docker exec -it <admin-container-name> npm run delete-user -- example@mail.com`.
+
+See the `frontend` [README](../packages/frontend/README.md) for more information.
+
 #### Admin APIs
 
 In addition to the using the Admin UI for interacting with the Admin APIs, you can also use the Apollo explorer (on [`localhost:3001/graphql`](http://localhost:3001/graphql) and [`localhost:4001/graphql`](http://localhost:4001/graphql), respectively), and also via the [Bruno collection](https://github.com/interledger/rafiki/tree/main/bruno/collections/Rafiki/Rafiki%20Admin%20APIs). The Bruno collection is configured to use the default endpoints of the local environment.

localenv/cloud-nine-wallet/dbinit.sql

@@ -13,3 +13,11 @@ ALTER DATABASE happy_life_bank_backend OWNER TO happy_life_bank_backend;
 CREATE USER happy_life_bank_auth WITH PASSWORD 'happy_life_bank_auth';
 CREATE DATABASE happy_life_bank_auth;
 ALTER DATABASE happy_life_bank_auth OWNER TO happy_life_bank_auth;
+
+CREATE USER happy_life_kratos WITH PASSWORD 'kratos_password';
+CREATE DATABASE happy_life_kratos;
+ALTER DATABASE happy_life_kratos OWNER TO happy_life_kratos;
+
+CREATE USER cloud_nine_kratos WITH PASSWORD 'kratos_password';
+CREATE DATABASE cloud_nine_kratos;
+ALTER DATABASE cloud_nine_kratos OWNER TO cloud_nine_kratos;

localenv/cloud-nine-wallet/docker-compose.yml

@@ -107,20 +107,52 @@ services:
     image: rafiki-frontend
     build:
       context: ../..
-      dockerfile: ./packages/frontend/Dockerfile
+      dockerfile: ./packages/frontend/devDockerfile
+    volumes:
+      - type: bind
+        source: ../../packages/frontend/app
+        target: /home/rafiki/packages/frontend/app
+        read_only: true
     restart: always
     networks:
       - rafiki
     ports:
       - '3010:3010'
     environment:
       PORT: 3010
+      LOG_LEVEL: debug
+      NODE_ENV: ${NODE_ENV:-development}
       GRAPHQL_URL: http://cloud-nine-wallet-backend:3001/graphql
       OPEN_PAYMENTS_URL: https://cloud-nine-wallet-backend/
       ENABLE_INSECURE_MESSAGE_COOKIE: true
+      KRATOS_CONTAINER_PULIC_URL: 'http://cloud-nine-kratos:4433'
+      KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4433'
+      KRATOS_ADMIN_URL: 'http://cloud-nine-kratos:4434/admin'
     depends_on:
       - cloud-nine-backend
-
+      - cloud-nine-kratos
+  cloud-nine-kratos:
+    build:
+      context: ../..
+      dockerfile: ./packages/frontend/kratos/Dockerfile
+      args:
+        PATH_TO_KRATOS_CONFIG: ./localenv/cloud-nine-wallet/kratos.yml
+    depends_on:
+      - shared-database
+      - mailslurper
+    environment:
+      DEV_MODE: true
+    ports:
+      - "4433:4433"
+    networks:
+      - rafiki
+  mailslurper:
+    image: oryd/mailslurper:latest-smtps
+    ports:
+      - "4436:4436"
+      - "4437:4437"
+    networks:
+      - rafiki
 
 volumes:
   database-data: # named volumes can be managed easier using docker-compose

localenv/cloud-nine-wallet/kratos.yml

@@ -0,0 +1,91 @@
+version: v0.13.0
+
+dsn: postgres://cloud_nine_kratos:kratos_password@shared-database:5432/cloud_nine_kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+
+serve:
+  public:
+    base_url: http://localhost:4433/
+    cors:
+      enabled: true
+  admin:
+    base_url: http://cloud-nine-kratos:4434/
+
+selfservice:
+  default_browser_return_url: http://localhost:3010/
+  allowed_return_urls:
+    - http://localhost:3010
+
+  methods:
+    link:
+      config:
+        lifespan: 1h
+        base_url: http://localhost:4433
+      enabled: true
+    password:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: http://localhost:3010/error
+
+    settings:
+      ui_url: http://localhost:3010/settings
+      privileged_session_max_age: 15m
+      required_aal: highest_available
+
+    recovery:
+      enabled: true
+      ui_url: http://localhost:3010/auth/recovery
+      use: link
+      after:
+        hooks:
+        - hook: revoke_active_sessions
+
+    verification:
+      enabled: false
+
+    logout:
+      after:
+        default_browser_return_url: http://localhost:3010/auth
+
+    login:
+      ui_url: http://localhost:3010/auth/login
+      lifespan: 10m
+
+    registration:
+      enabled: false
+
+log:
+  level: debug
+  format: json
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+session:
+  lifespan: 1h
+  cookie:
+    persistent: false
+    same_site: Strict
+    path: /

localenv/happy-life-bank/docker-compose.yml

@@ -76,16 +76,42 @@ services:
     hostname: happy-life-bank-admin
     image: rafiki-frontend
     pull_policy: never
+    volumes:
+      - type: bind
+        source: ../../packages/frontend/app
+        target: /home/rafiki/packages/frontend/app
+        read_only: true
     restart: always
     networks:
       - rafiki
     ports:
       - '4010:4010'
     environment:
       PORT: 4010
+      LOG_LEVEL: debug
+      NODE_ENV: development
       GRAPHQL_URL: http://happy-life-bank-backend:3001/graphql
       OPEN_PAYMENTS_URL: https://happy-life-bank-backend/
       ENABLE_INSECURE_MESSAGE_COOKIE: true
+      KRATOS_CONTAINER_PULIC_URL: 'http://happy-life-kratos:4433'
+      KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4432'
+      KRATOS_ADMIN_URL: 'http://happy-life-kratos:4434/admin'
     depends_on:
       - cloud-nine-admin
       - happy-life-backend
+      - happy-life-kratos
+  happy-life-kratos:
+    build:
+      context: ../..
+      dockerfile: ./packages/frontend/kratos/Dockerfile
+      args:
+        PATH_TO_KRATOS_CONFIG: ./localenv/happy-life-bank/kratos.yml
+    depends_on:
+      - shared-database
+      - mailslurper
+    environment:
+      DEV_MODE: true
+    ports:
+      - "4432:4433"
+    networks:
+      - rafiki

localenv/happy-life-bank/kratos.yml

@@ -0,0 +1,91 @@
+version: v0.13.0
+
+dsn: postgres://happy_life_kratos:kratos_password@shared-database:5432/happy_life_kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+
+serve:
+  public:
+    base_url: http://localhost:4432/
+    cors:
+      enabled: true
+  admin:
+    base_url: http://happy-life-kratos:4434/
+
+selfservice:
+  default_browser_return_url: http://localhost:4010/
+  allowed_return_urls:
+    - http://localhost:4010
+
+  methods:
+    link:
+      config:
+        lifespan: 1h
+        base_url: http://localhost:4432
+      enabled: true
+    password:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: http://localhost:4010/error
+
+    settings:
+      ui_url: http://localhost:4010/settings
+      privileged_session_max_age: 15m
+      required_aal: highest_available
+
+    recovery:
+      enabled: true
+      ui_url: http://localhost:4010/auth/recovery
+      use: link
+      after:
+        hooks:
+        - hook: revoke_active_sessions
+
+    verification:
+      enabled: false
+
+    logout:
+      after:
+        default_browser_return_url: http://localhost:4010/auth
+
+    login:
+      ui_url: http://localhost:4010/auth/login
+      lifespan: 10m
+
+    registration:
+      enabled: false
+
+log:
+  level: debug
+  format: json
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+session:
+  lifespan: 1h
+  cookie:
+    persistent: false
+    same_site: Strict
+    path: /