8192bce301
- Implement full OAuth 2.0 with PKCE using haileyok/atproto-oauth-golang - Backend For Frontend (BFF) pattern: tokens stored server-side only - AES-256-GCM encrypted session cookies - Auto token refresh when near expiry - Restrict access to allowed handles (1440.news, wehrv.bsky.social) - Add genkey utility for generating OAuth configuration - Generic error messages to prevent handle enumeration - Server-side logging of failed login attempts for security monitoring New files: - oauth.go: OAuth client wrapper and DID/handle resolution - oauth_session.go: Session management with encrypted cookies - oauth_middleware.go: RequireAuth middleware for route protection - oauth_handlers.go: Login, callback, logout, metadata endpoints - cmd/genkey/main.go: Generate OAuth secrets and JWK keypair - oauth.env.example: Configuration template Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
64 lines
2.7 KiB
YAML
64 lines
2.7 KiB
YAML
services:
|
|
app-1440-news:
|
|
build: .
|
|
container_name: app-1440-news
|
|
restart: unless-stopped
|
|
stop_grace_period: 30s
|
|
env_file:
|
|
- pds.env
|
|
- oauth.env
|
|
environment:
|
|
DB_HOST: atproto-postgres
|
|
DB_PORT: 5432
|
|
DB_USER: news_1440
|
|
DB_PASSWORD_FILE: /run/secrets/db_password
|
|
DB_NAME: news_1440
|
|
secrets:
|
|
- db_password
|
|
volumes:
|
|
- ./vertices.txt.gz:/app/vertices.txt.gz:ro
|
|
networks:
|
|
- proxy
|
|
- atproto
|
|
labels:
|
|
- "traefik.enable=true"
|
|
# Production: HTTPS with Let's Encrypt for app.1440.news
|
|
- "traefik.http.routers.app-1440-news.rule=Host(`app.1440.news`)"
|
|
- "traefik.http.routers.app-1440-news.entrypoints=https"
|
|
- "traefik.http.routers.app-1440-news.tls.certresolver=letsencrypt-dns"
|
|
# Production: HTTPS for 1440.news root (accounts directory) - lower priority than PDS API paths
|
|
- "traefik.http.routers.root-1440-news.rule=Host(`1440.news`)"
|
|
- "traefik.http.routers.root-1440-news.entrypoints=https"
|
|
- "traefik.http.routers.root-1440-news.tls.certresolver=letsencrypt-dns"
|
|
- "traefik.http.routers.root-1440-news.priority=10"
|
|
# Production: HTTPS for url.1440.news (URL shortener)
|
|
- "traefik.http.routers.url-1440-news.rule=Host(`url.1440.news`)"
|
|
- "traefik.http.routers.url-1440-news.entrypoints=https"
|
|
- "traefik.http.routers.url-1440-news.tls.certresolver=letsencrypt-dns"
|
|
# Production: HTTP to HTTPS redirect for app and url subdomains
|
|
- "traefik.http.routers.app-1440-news-redirect.rule=Host(`app.1440.news`) || Host(`url.1440.news`)"
|
|
- "traefik.http.routers.app-1440-news-redirect.entrypoints=http"
|
|
- "traefik.http.routers.app-1440-news-redirect.middlewares=https-redirect"
|
|
# Production: HTTP to HTTPS redirect for 1440.news root
|
|
- "traefik.http.routers.root-1440-news-redirect.rule=Host(`1440.news`)"
|
|
- "traefik.http.routers.root-1440-news-redirect.entrypoints=http"
|
|
- "traefik.http.routers.root-1440-news-redirect.middlewares=https-redirect"
|
|
- "traefik.http.routers.root-1440-news-redirect.priority=10"
|
|
- "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
|
|
- "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
|
|
# Local development: HTTP only
|
|
- "traefik.http.routers.app-1440-news-local.rule=Host(`app.1440.localhost`) || Host(`url.1440.localhost`)"
|
|
- "traefik.http.routers.app-1440-news-local.entrypoints=http"
|
|
# Shared service
|
|
- "traefik.http.services.app-1440-news.loadbalancer.server.port=4321"
|
|
|
|
secrets:
|
|
db_password:
|
|
file: ../postgres/secrets/news_1440_password.txt
|
|
|
|
networks:
|
|
proxy:
|
|
external: true
|
|
atproto:
|
|
external: true
|