Remove JWT references from requirements docs

2026-01-13 20:42:52 +00:00
parent 2435f0e331
commit 99536bea56
4 changed files with 17 additions and 26 deletions

@@ -34,7 +34,6 @@ The frontend will be available at http://localhost:3000 and the backend API at h
cd backend
pip install -r requirements.txt
export DATA_DIR=/tmp/data
export JWT_SECRET=your-secret-key
python app.py
```
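Review bot: dropping `export JWT_SECRET=your-secret-key` from the quickstart leaves no instruction at all for configuring the token signing secret, while the roadmap changes in this same commit still list "Rotate auth secret and user management (admin-only)" and "Auth secret management; rotation procedure", so a secret evidently still exists, and the removed troubleshooting line noted it has no default value. Either show the replacement variable here under whatever name the backend now reads, or state that the secret is generated and persisted automatically on first run; as written, a reader following these five lines has no way to know the backend needs one.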
@@ -123,12 +122,12 @@ Images are automatically built and pushed to GitHub Container Registry (GHCR) on
- **Backend**: Flask-based Python API implementing the schema.json specification
- **Frontend**: Next.js/React application with custom Material Design SCSS
- **Storage**: SQLite for user auth, filesystem for blobs, in-memory for metadata
- **Authentication**: JWT-based with bcrypt password hashing
- **Authentication**: Admin login with bcrypt password hashing
## API Endpoints
### Authentication
- `POST /auth/login` - Login and get JWT token
- `POST /auth/login` - Login and get an auth token
- `POST /auth/change-password` - Change password
- `GET /auth/me` - Get current user info
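Review bot: "Login and get an auth token" no longer says how the token is presented to the other endpoints; the deployment docs in this commit still show `Authorization: Bearer YOUR_TOKEN`, so say here that `/auth/login` returns a bearer token for the `Authorization` header, otherwise a README reader cannot tell how to call `/auth/me` or `/auth/change-password`.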
@@ -154,7 +153,7 @@ The repository behavior is defined by `schema.json`, which includes:
- **Entities**: Data models with validation rules
- **Storage**: Blob stores, KV stores, document schemas
- **Indexes**: Optimized package lookup
- **Auth**: JWT authentication with scope-based permissions
- **Auth**: Scope-based authentication and permissions
- **API Routes**: Declarative pipeline-based endpoints
- **Caching**: Response and blob caching policies
- **Replication**: Event sourcing for multi-region sync
@@ -167,4 +166,3 @@ See LICENSE file for details.
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.

@@ -8,17 +8,17 @@ This roadmap outlines near-term hardening, medium-term feature work, and longer-
- Seed data ingestion and sample packages for demo/test scenarios
- Reusable templates for entities, routes, pipelines, blob stores, auth scopes, and upstreams
- Operation vocabulary executor with auth, parsing, validation, transactions, KV, blob, index, cache, proxy placeholder, responses, and events
- SQLAlchemy-backed configuration and auth data models with session-based auth and JWT issuing
- SQLAlchemy-backed configuration and auth data models with session-based auth and token issuing
- Validation/test coverage for operation semantics and schema compliance
- Documentation for operations, templates, and seed data usage
### 🔧 Still Needed
- Production-grade storage backends (RocksDB/Redis) and index persistence
- Full proxy.fetch upstream implementation with retries and timeouts
- Admin user management (rotate JWT secret, manage users/scopes)
- Admin user management (manage users/scopes)
- Robust upload UX (progress, retry, digest verification feedback)
- Observability hardening (structured logging, protected admin endpoints, tracing)
- Security hardening (rate limiting, JWT validation options, password policy)
- Security hardening (rate limiting, token validation options, password policy)
## 0. Immediate Hardening (Security, Correctness, UX)
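Review bot: "Admin user management (manage users/scopes)" drops secret rotation from the Still Needed list, but the later hunks in this same file keep "Rotate auth secret and user management (admin-only)" and "Auth secret management; rotation procedure" as open items. Keep the three places consistent: either "Admin user management (rotate auth secret, manage users/scopes)" here, or remove rotation from the other two entries.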
@@ -26,9 +26,9 @@ This roadmap outlines near-term hardening, medium-term feature work, and longer-
- [x] Enforce login gating across all privileged actions (Publish, Account, Admin)
- [x] Consistent token storage and refresh strategy; clear errors for 401/403
- Backend auth defaults
- [x] Require JWT for read and write by default; allow opt-in anonymous read via ALLOW_ANON_READ
- [x] Require authentication for read and write by default; allow opt-in anonymous read via ALLOW_ANON_READ
- [ ] Add rate-limiting to /auth/login and basic password policy requirements
- [ ] Validate JWT iss/aud (optional), shorter expiry, clock skew handling
- [ ] Harden token validation (issuer/audience checks, shorter expiry, clock skew handling)
- Data integrity
- [ ] Use atomic CAS for artifact metadata creation to avoid publish races
- [x] Respect DB-configured BlobStore.root and path_template
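Review bot: "Harden token validation (issuer/audience checks, shorter expiry, clock skew handling)" is still a description of JWT claim validation (iss/aud, exp/nbf and skew tolerance), so the rename does not change the work item, only hides the format. If the backend still issues JWTs, say so and leave the item as it was; if it has moved to opaque session tokens, issuer/audience checks and clock skew no longer apply and the item should instead describe server-side token lookup, expiry and revocation.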
@@ -81,7 +81,7 @@ This roadmap outlines near-term hardening, medium-term feature work, and longer-
- [ ] Robust upload UI: progress, retry, digest verification feedback
- Admin console (MVP)
- [x] View config/entities/routes/blob stores
- [ ] Rotate JWT secret and user management (admin-only)
- [ ] Rotate auth secret and user management (admin-only)
## 5. Testing & Quality
@@ -108,7 +108,7 @@ This roadmap outlines near-term hardening, medium-term feature work, and longer-
- Security model
- [x] Anonymous vs authenticated access; ALLOW_ANON_READ guidance
- [ ] JWT secret management; rotation procedure
- [ ] Auth secret management; rotation procedure
- Deployment
- [x] Production-ready compose/k8s examples; CapRover instructions
- API reference

@@ -72,16 +72,10 @@ You'll deploy these as two separate CapRover apps that communicate with each oth
3. Scroll down to **"Environmental Variables"** and add:
```
JWT_SECRET=your-very-secure-random-secret-key-change-this
DATA_DIR=/data
FLASK_ENV=production
```
**Important**: Generate a strong random string for `JWT_SECRET`. You can use:
```bash
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
```
4. Click **"Add Persistent Directory"**:
- Path in App: `/data`
- Label: `backend-data`
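Review bot: removing both the `JWT_SECRET` variable and the `secrets.token_urlsafe(32)` generation snippet leaves the CapRover steps with no secret to set at all, yet the Best Practices hunk further down still says "Use strong application secrets (32+ characters)" and the roadmap still plans secret rotation. If the backend reads the secret under a new name, keep the variable and the one-line generator under that name (the advice to generate it randomly is the most valuable part of this section); if the backend now generates and stores the secret itself, say so and say where it is persisted, since the persistent directory added in step 4 is the only state that survives a redeploy and a regenerated secret would invalidate every issued token.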
@@ -201,7 +195,7 @@ On first deployment, the system uses default credentials:
2. Go to user settings or use the API:
```bash
curl -X POST https://goodrepo-backend.your-domain.com/auth/change-password \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"old_password": "admin", "new_password": "your-new-secure-password"}'
```
@@ -303,7 +297,7 @@ curl -X PUT "https://goodrepo-frontend.your-domain.com/v1/test/package/1.0.0/def
2. Verify all environment variables are set correctly
3. Ensure `DATA_DIR` is set to `/data`
4. Verify persistent directory is mounted at `/data`
5. Check that `JWT_SECRET` is set (no default value)
5. Check that required environment variables are set
### Frontend Can't Connect to Backend
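Review bot: "Check that required environment variables are set" is too vague for a troubleshooting step, since the reader is here precisely because they do not know which variable is missing, and steps 2 and 3 of the same list already cover environment variables and `DATA_DIR`, so step 5 is now redundant. Either name the variables the backend refuses to start without, or drop the step. The same applies to step 2 of the "Frontend Can't Connect to Backend" solutions in the next hunk, which received identical wording.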
@@ -364,7 +358,7 @@ curl -X PUT "https://goodrepo-frontend.your-domain.com/v1/test/package/1.0.0/def
**Solutions**:
1. Verify backend is running and accessible
2. Check that `JWT_SECRET` environment variable is set
2. Check that required environment variables are set
3. Try using default credentials: `admin` / `admin`
4. Check backend logs for authentication errors
5. Verify the backend data directory has proper permissions
@@ -401,7 +395,7 @@ If something goes wrong:
1. **Security**:
- Change default passwords immediately
- Use strong JWT secrets (32+ characters)
- Use strong application secrets (32+ characters)
- Enable HTTPS and force HTTPS redirects
- Regularly update dependencies

@@ -74,7 +74,6 @@ docker-compose up -d
<p>In the "App Configs" tab, add these environment variables:</p>
<ul>
<li><code>DATA_DIR</code> = <code>/data</code></li>
<li><code>JWT_SECRET</code> = (generate a random secret)</li>
</ul>
<h3>Step 4: Create Frontend App</h3>
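Review bot: after removing the `JWT_SECRET` bullet, the in-app deployment guide lists `DATA_DIR` as the only environment variable, so anyone following it instead of the CapRover markdown will configure no secret. If the backend still requires one under a new name, this list needs it, including the "generate a random secret" guidance the removed bullet carried; if it no longer does, a short sentence saying the secret is managed by the backend would stop readers from hunting for the setting.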
@@ -101,9 +100,9 @@ docker-compose up -d
<h3>Authentication</h3>
<p>
Most endpoints require a JWT token for authentication. Include it in the Authorization header:
Most endpoints require an auth token for authentication. Include it in the Authorization header:
</p>
<pre><code>{`Authorization: Bearer YOUR_JWT_TOKEN`}</code></pre>
<pre><code>{`Authorization: Bearer YOUR_TOKEN`}</code></pre>
<h3>Publishing a Package</h3>
<pre><code>{`curl -X PUT \\
@@ -140,7 +139,7 @@ docker-compose up -d
<li><strong>Entities</strong>: Data models with validation and normalization rules</li>
<li><strong>Storage</strong>: Blob stores, KV stores, and document schemas</li>
<li><strong>Indexes</strong>: Optimized queries for package lookup</li>
<li><strong>Auth</strong>: JWT-based authentication with scope-based permissions</li>
<li><strong>Auth</strong>: Scope-based authentication and permissions</li>
<li><strong>API Routes</strong>: Declarative pipeline-based endpoints</li>
<li><strong>Caching</strong>: Response and blob caching policies</li>
<li><strong>Replication</strong>: Event sourcing for multi-region sync</li>