Remix auth

.dockerignore

@@ -0,0 +1,4 @@
+/postgres-data
+/node_modules
+/public/build
+.git

.env.example

@@ -0,0 +1,3 @@
+DATABASE_URL="postgresql://postgres:postgres@localhost:5433/postgres"
+SESSION_SECRET=<please replace with a better secret>
+# For social login see docs/auth.md

.eslintrc.js

@@ -1,4 +1,4 @@
-/** @type {import('@types/eslint').Linter.BaseConfig} */
+/** @type {import('eslint').Linter.Config} */
 module.exports = {
   root: true,
   extends: [

.github/workflows/ci.yml

@@ -27,6 +27,11 @@ jobs:
           cache: "npm"
       - run: npm ci
       - run: npm run build --if-present
+      - name: Generate RSA key pair
+        run: |
+          openssl genpkey -algorithm RSA -out private_key.pem \
+            -pkeyopt rsa_keygen_bits:2048
+          openssl rsa -pubout -in private_key.pem -out public_key.pem
       - run: npm test -- --coverage
       - run: npm run typecheck
       - run: npx prettier --check .

.gitignore

@@ -11,3 +11,12 @@ node_modules
 
 /sessions
 /coverage
+
+/prisma/dev.db
+
+/private_key.pem
+/public_key.pem
+
+Caddyfile
+
+postgres-data

Dockerfile

@@ -9,7 +9,7 @@ FROM base as deps
 
 WORKDIR /myapp
 
-ADD package.json ./
+ADD package.json package-lock.json tsconfig.json ./
 RUN npm install --production=false
 
 # Setup production node_modules
@@ -18,8 +18,8 @@ FROM base as production-deps
 WORKDIR /myapp
 
 COPY --from=deps /myapp/node_modules /myapp/node_modules
-ADD package.json ./
-RUN npm prune --production
+ADD package.json package-lock.json ./
+RUN npm prune --production 
 
 # Build the app
 FROM base as build
@@ -29,6 +29,7 @@ WORKDIR /myapp
 COPY --from=deps /myapp/node_modules /myapp/node_modules
 
 ADD . .
+RUN npx prisma generate
 RUN npm run build
 
 # Finally, build the production image with minimal footprint
@@ -43,6 +44,7 @@ WORKDIR /myapp
 
 COPY --from=production-deps /myapp/node_modules /myapp/node_modules
 
+COPY --from=build /myapp/node_modules/.prisma /myapp/node_modules/.prisma
 COPY --from=build /myapp/build /myapp/build
 COPY --from=build /myapp/public /myapp/public
 COPY --from=build /myapp/package.json /myapp/package.json

README.md

@@ -6,13 +6,13 @@
 
 Uses
 
-- [bartender](https://github.com/i-VRESSE/bartender) for user and job management.
+- [bartender](https://github.com/i-VRESSE/bartender) for job execution.
 - [workflow-builder](https://github.com/i-VRESSE/workflow-builder) to construct a Haddock3 workflow config file.
 - [haddock3](https://github.com/haddocking/haddock3) to compute
 
 ```mermaid
 sequenceDiagram
-    Web app->>+Bartender: Login
+    Web app->>+Web app: Login
     Web app->>+Builder: Construct workflow config
     Builder->>+Bartender: Submit job
     Bartender->>+haddock3: Run
@@ -22,8 +22,34 @@ sequenceDiagram
 
 - [Remix Docs](https://remix.run/docs)
 
+## Setup
+
+```shell
+npm install
+cp .env.example .env
+# Create rsa key pair for signing & verifying JWT tokens for bartender web service
+openssl genpkey -algorithm RSA -out private_key.pem \
+    -pkeyopt rsa_keygen_bits:2048
+openssl rsa -pubout -in private_key.pem -out public_key.pem
+```
+
 ## Development
 
+You need to have a Postgres database running. The easiest way is to use Docker:
+
+```sh
+npm run docker:dev
+```
+
+(Stores data in `./postgres-data`)
+(You can get a psql shell with `npm run psql:dev`)
+
+The database can be initialized with
+
+```sh
+npm run setup
+```
+
 From your terminal:
 
 ```sh
@@ -88,13 +114,16 @@ Make sure to deploy the output of `remix build`
 
 ### Docker
 
-The web application can be run inside a Docker container.
+The web application can be run inside a Docker container together with all its dependent containers.
 
 Requirements:
 
-1. [bartender repo](https://github.com/i-VRESSE/bartender) to be cloned in `../bartender` directory.
-2. bartender repo should have [.env file](https://github.com/i-VRESSE/bartender/blob/main/docs/configuration.md#environment-variables)
-3. bartender repo should have a [config.yaml file](https://github.com/i-VRESSE/bartender/blob/main/docs/configuration.md#configuration-file)
+1. Private key `./private_key.pem` and public key `./public_key.pem`.
+2. `./.env` file for haddock3 web application.
+3. [bartender repo](https://github.com/i-VRESSE/bartender) to be cloned in `../bartender` directory.
+4. bartender repo should have [.env file](https://github.com/i-VRESSE/bartender/blob/main/docs/configuration.md#environment-variables)
+5. bartender repo should have a [config.yaml file](https://github.com/i-VRESSE/bartender/blob/main/docs/configuration.md#configuration-file)
+   1. The `job_root_dir` key should be set to `/tmp/jobs`
 
 Build with
 
@@ -110,20 +139,9 @@ docker compose up
 
 Web application running at http://localhost:8080 .
 
-Create super user with
+## Authentication & authorization
 
-```sh
-# First register user in web application
-docker compose exec bartender bartender super <email>
-```
-
-## Sessions
-
-Making the login session secure requires a session secret.
-The session secret can be configured by setting the `SESSION_SECRET` environment variable.
-If not set, a hardcoded secret is used, which should not be used in production.
-
-The data of the login sessions in stored in the `./sessions` directory.
+See [docs/auth.md](docs/auth.md).
 
 ## Bartender web service client
 
@@ -139,28 +157,27 @@ npm run generate-client
 
 ## Bartender web service configuration
 
-### Bartender
-
-The web application needs to know where the [Bartender web service](https://github.com/i-VRESSE/bartender) is running.
+The haddock3 web application needs to know where the [Bartender web service](https://github.com/i-VRESSE/bartender) is running.
 Configure bartender location with `BARTENDER_API_URL` environment variable.
 
 ```sh
-export BARTENDER_API_URL='http://127.0.0.1:8000'
-npm start
+BARTENDER_API_URL=http://localhost:8000
 ```
 
-### Social login
-
-To enable GitHub or Orcid or EGI Check-in login the bartender web service needs following environment variables.
+The haddock3 web application must be trusted by the bartender web service using a JWT token.
+An RSA private key is used by the haddock3 web application to sign the JWT token.
+To tell the haddock3 web application where to find the private key, use the `BARTENDER_PRIVATE_KEY` environment variable.
 
-```shell
-BARTENDER_GITHUB_REDIRECT_URL="http://localhost:3000/auth/github/callback"
-BARTENDER_ORCIDSANDBOX_REDIRECT_URL="http://localhost:3000/auth/orcidsandbox/callback"
-BARTENDER_ORCID_REDIRECT_URL="http://localhost:3000/auth/orcid/callback"
-BARTENDER_EGI_REDIRECT_URL="http://localhost:3000/auth/egi/callback"
+```sh
+BARTENDER_PRIVATE_KEY=private_key.pem
 ```
 
-Where `http://localhost:3000` is the URL where the Remix run app is running.
+An RSA public key is used by the bartender web service to verify the JWT token.
+To tell the bartender web service where to find the public key, use the `BARTENDER_PUBLIC_KEY` environment variable.
+
+```sh
+BARTENDER_PUBLIC_KEY=public_key.pem
+```
 
 ## Haddock3 application
 
@@ -171,18 +188,10 @@ applications:
   haddock3:
     command: haddock3 $config
     config: workflow.cfg
-    allowed_roles:
-      - easy
-      - expert
-      - guru
 ```
 
 This allows the archive generated with the workflow builder to be submitted.
 
-The user can only submit jobs when he/she has any of these allowed roles.
-A super user should assign a role to the user at http://localhost:3000/admin/users.
-A super user can be made through the admin page or by running `bartender super <email>` on the server
-
 ## Catalogs
 
 This repo has a copy (`./app/catalogs/*.yaml`) of the [haddock3 workflow build catalogs](https://github.com/i-VRESSE/workflow-builder/tree/main/packages/haddock3_catalog/public/catalog).
@@ -192,3 +201,7 @@ To fetch the latest catalogs run
 ```shell
 npm run catalogs
 ```
+
+## Stack
+
+The tech stack is explained in [docs/stack.md](docs/stack.md).