Merge branch 'master' into v1
commit
3b67f2d22e
92
README.md
|
@ -1,19 +1,52 @@
|
||||||
walnut
|
walnut
|
||||||
======
|
======
|
||||||
|
|
||||||
Small, light, and secure iot application framework.
|
An opinionated, constrained, secure application framework with a hard shell - like iOS, but for a home server.
|
||||||
|
|
||||||
|
Security Features
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
* JSON-only APIs
|
||||||
|
* JWT (not cookie*) authentication
|
||||||
|
* no server-rendered html
|
||||||
|
* disallows urlencoded forms, except for secured webhooks
|
||||||
|
* disallows cookies, except for protected static assets
|
||||||
|
* api.* subdomain for apis
|
||||||
|
* assets.* subdomain for protected assets
|
||||||
|
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js)
|
||||||
|
* HTTPS-only (checks for X-Forwarded-For)
|
||||||
|
* AES, RSA, and ECDSA encryption and signing
|
||||||
|
* Safe against CSRF, XSS, and SQL injection
|
||||||
|
* Safe against Compression attacks
|
||||||
|
|
||||||
|
\*Cookies are used only for GETs and only where using a token would be less secure -
|
||||||
|
such as images which would otherwise require the token to be passed into the img src.
|
||||||
|
They are also scoped such that CSRF attacks are not possible.
|
||||||
|
|
||||||
|
Application Features
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
* JSON-only expressjs APIs
|
||||||
|
* Capability-based permissions system for (oauth3-discoverable) packages such as
|
||||||
|
* large file access (files@daplie.com)
|
||||||
|
* database access (data@daplie.com)
|
||||||
|
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
|
||||||
|
* payments (credit card) (payments@daplie.com)
|
||||||
|
* email (email@daplie.com)
|
||||||
|
* SMS (texting) (tel@daplie.com)
|
||||||
|
* voice (calls and answering machine) (tel@daplie.com)
|
||||||
|
* lamba-style functions (functions@daplie.com)
|
||||||
|
* Per-app, per-site, and per-user configurations
|
||||||
|
* Multi-Tentated Application Management
|
||||||
|
* Built-in OAuth2 & OAuth3 support
|
||||||
|
|
||||||
|
Install
|
||||||
|
-------
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
curl https://daplie.me/install-scripts | bash
|
curl https://daplie.me/install-scripts | bash
|
||||||
|
|
||||||
daplie-install-cloud
|
daplie-install-walnut
|
||||||
```
|
|
||||||
|
|
||||||
If the pretty url isn't working, for whatever reason, you also try the direct one
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash
|
|
||||||
# daplie-install-cloud
|
|
||||||
```
|
```
|
||||||
|
|
||||||
You could also, of course, try installing from the repository directly
|
You could also, of course, try installing from the repository directly
|
||||||
|
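Review bot: The "HTTPS-only (checks for X-Forwarded-For)" bullet names the wrong header: X-Forwarded-For carries the client IP chain, while the scheme a TLS-terminating proxy reports is X-Forwarded-Proto, which is also the header the curl example added later in this same commit sends. Change it to `* HTTPS-only (checks for X-Forwarded-Proto)` and, next to the "*must* sit behind a trusted https proxy" bullet, say that the proxy has to overwrite any client-supplied X-Forwarded-* headers and that the app port must not be reachable except through that proxy, because the check is only as trustworthy as whoever sets the header. Smaller fixes in the same hunk: the Goldilocks link is missing its closing parenthesis (`(such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js))`), "lamba-style" should be "lambda-style", "Multi-Tentated" should be "Multi-Tenanted", "you also try the direct one" should be "you can also try the direct one", and the "Safe against CSRF, XSS, and SQL injection" and "Safe against Compression attacks" bullets should each carry the one-line mechanism that backs the claim (JSON-only bodies, no server-rendered HTML and the scoped GET-only cookies cover the first; nothing in the text says what addresses the compression case).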
@ -25,36 +58,17 @@ git clone git@git.daplie.com:Daplie/walnut.js.git /srv/walnut/core
|
||||||
pushd /srv/walnut/core
|
pushd /srv/walnut/core
|
||||||
git checkout v1
|
git checkout v1
|
||||||
popd
|
popd
|
||||||
bash /srv/walnut/core/install.sh
|
bash /srv/walnut/core/install-helper.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Features
|
Initial Configuration
|
||||||
------
|
-------------
|
||||||
|
|
||||||
* Works with Goldilocks for secure, Let's Encrypt maneged, https-only serving
|
Once installed and started you can visit <https://localhost.daplie.me:3000>.
|
||||||
|
|
||||||
* IOT Application server written in [Node.js](https://nodejs.org)
|
```
|
||||||
* Small memory footprint (for a node app)
|
curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https'
|
||||||
* Secure
|
```
|
||||||
* Uses JWT, not Cookies\*
|
|
||||||
* HTTPS-only (checks for X-Forwarded-For)
|
|
||||||
* AES, RSA, and ECDSA encryption and signing
|
|
||||||
* Safe against CSRF, XSS, and SQL injection
|
|
||||||
* Safe against Compression attacks
|
|
||||||
* Multi-Tentated Application Management
|
|
||||||
* Built-in OAuth2 & OAuth3 support
|
|
||||||
|
|
||||||
\*Cookies are used only for GETs and only where using a token would be less secure
|
|
||||||
such as images which would otherwise require the token to be passed into the img src.
|
|
||||||
They are also scoped such that CSRF attacks are not possible.
|
|
||||||
|
|
||||||
In Progress
|
|
||||||
-----------
|
|
||||||
|
|
||||||
* HTTPS Key Pinning
|
|
||||||
* Heroku (pending completion of PostgreSQL support)
|
|
||||||
* [GunDB](https://gundb.io) Support
|
|
||||||
* OpenID support
|
|
||||||
|
|
||||||
API
|
API
|
||||||
---
|
---
|
||||||
|
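Review bot: The new Initial Configuration block contradicts itself and the section above it: it tells the reader to visit https://localhost.daplie.me:3000, then shows `curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https'`, a plain-http request that passes the HTTPS-only check only because the client sets the proxy header itself. Say that port 3000 speaks plain HTTP and is meant to be reached only through the trusted proxy, that the curl line is a local smoke test of the forwarded-header check and not the way to use the service, and tag the fence with `bash` as the install blocks are. The removed "Works with Goldilocks for secure, Let's Encrypt managed, https-only serving" bullet survives only as the proxy bullet in the new Security Features list; keep the Let's Encrypt detail somewhere. The last install step now runs `install-helper.sh` instead of `install.sh`; the install section should state what that helper does, since it and the `curl ... | bash` path are both executed without any verification of what was fetched.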
@ -258,3 +272,11 @@ API
|
||||||
```
|
```
|
||||||
req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg
|
req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg
|
||||||
```
|
```
|
||||||
|
|
||||||
|
TODO
|
||||||
|
----
|
||||||
|
|
||||||
|
* HTTPS Key Pinning
|
||||||
|
* Heroku (pending completion of PostgreSQL support)
|
||||||
|
* [GunDB](https://gundb.io) Support
|
||||||
|
* OpenID support
|
||||||
|
|
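Review bot: The "HTTPS Key Pinning" item in the new TODO list should say what would be pinned. This application is required to sit behind a TLS-terminating proxy (Goldilocks with Let's Encrypt, per the sections above), so the certificates clients see belong to the proxy, and Let's Encrypt leaf certificates rotate every 90 days; pinning leaf keys from the app would break on renewal. Either scope the item to the proxy (pin the intermediate or a SPKI the proxy controls across renewals) or drop it. Otherwise this hunk only moves the four "In Progress" items removed in the previous hunk under a "TODO" heading, which is fine.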