suitenumerique · AntoLC · Dec 11, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/.github/workflows/impress-frontend.yml b/.github/workflows/impress-frontend.yml
@@ -19,7 +19,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "18.x"
+          node-version: "20.x"
 
       - name: Restore the frontend cache
         uses: actions/cache@v4
@@ -46,6 +46,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+
       - name: Restore the frontend cache
         uses: actions/cache@v4
         id: front-node_modules
@@ -54,7 +59,7 @@ jobs:
           key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
 
       - name: Test App
-        run: cd src/frontend/ && yarn app:test
+        run: cd src/frontend/ && yarn test
 
   lint-front:
     runs-on: ubuntu-latest

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to
 
 ## Changed
 
+- 🔒️(collaboration) increase collaboration access security #472
 - 🔨(frontend) encapsulated title to its own component #474
 - 🐛(frontend) Fix hidden menu on Firefox #468
 - ⚡️(backend) optimize number of queries on document list view #411

diff --git a/Makefile b/Makefile
@@ -122,8 +122,8 @@ logs: ## display app-dev logs (follow mode)
 
 run: ## start the wsgi (production) and development server
 	@$(COMPOSE) up --force-recreate -d celery-dev
-	@$(COMPOSE) up --force-recreate -d nginx
 	@$(COMPOSE) up --force-recreate -d y-provider
+	@$(COMPOSE) up --force-recreate -d nginx
 	@echo "Wait for postgresql to be up..."
 	@$(WAIT_DB)
 .PHONY: run

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -118,6 +118,7 @@ services:
     depends_on:
       - keycloak
       - app-dev
+      - y-provider
 
   frontend-dev:
     user: "${DOCKER_USER:-1000}"
@@ -161,6 +162,8 @@ services:
       dockerfile: ./src/frontend/Dockerfile
       target: y-provider
     restart: unless-stopped
+    env_file:
+      - env.d/development/common
     ports:
       - "4444:4444"
     volumes:

diff --git a/docker/files/etc/nginx/conf.d/default.conf b/docker/files/etc/nginx/conf.d/default.conf
@@ -4,9 +4,58 @@ server {
     server_name localhost;
     charset utf-8;
 
+    # Proxy auth for collaboration server
+    location /collaboration/ws/ {
+        # Collaboration Auth request configuration
+        auth_request /collaboration-auth;
+        auth_request_set $authHeader $upstream_http_authorization;
+        auth_request_set $canEdit $upstream_http_x_can_edit;
+        auth_request_set $userId $upstream_http_x_user_id;
+
+        # Pass specific headers from the auth response
+        proxy_set_header Authorization $authHeader;
+        proxy_set_header X-Can-Edit $canEdit;
+        proxy_set_header X-User-Id $userId;
+
+        # Ensure WebSocket upgrade
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+
+        # Collaboration server
+        proxy_pass http://y-provider:4444;
+
+        # Set appropriate timeout for WebSocket
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+
+        # Preserve original host and additional headers
+        proxy_set_header Host $host;
+    }
+
+    location /collaboration-auth {
+        proxy_pass http://app-dev:8000/api/v1.0/documents/collaboration-auth/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Original-URL $request_uri;
+
+        # Prevent the body from being passed
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Original-Method $request_method;
+    }
+
+    location  /collaboration/api/ {
+        # Collaboration server
+        proxy_pass http://y-provider:4444;
+        proxy_set_header Host $host;
+    }
+
+    # Proxy auth for media
     location /media/ {
         # Auth request configuration
-        auth_request /auth;
+        auth_request /media-auth;
         auth_request_set $authHeader $upstream_http_authorization;
         auth_request_set $authDate $upstream_http_x_amz_date;
         auth_request_set $authContentSha256 $upstream_http_x_amz_content_sha256;
@@ -21,8 +70,8 @@ server {
         proxy_set_header Host minio:9000;
     }
 
-    location /auth {
-        proxy_pass http://app-dev:8000/api/v1.0/documents/retrieve-auth/;
+    location /media-auth {
+        proxy_pass http://app-dev:8000/api/v1.0/documents/media-auth/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

diff --git a/env.d/development/common.dist b/env.d/development/common.dist
@@ -53,7 +53,10 @@ AI_API_KEY=password
 AI_MODEL=llama
 
 # Collaboration
-COLLABORATION_WS_URL=ws://localhost:4444
+COLLABORATION_API_URL=http://nginx:8083/collaboration/api/
+COLLABORATION_SERVER_ORIGIN=http://localhost:3000
+COLLABORATION_SERVER_SECRET=my-secret
+COLLABORATION_WS_URL=ws://localhost:8083/collaboration/ws/
 
 # Frontend
 FRONTEND_THEME=dsfr