Merge branch 'master' into v1

AJ ONeal 2017-07-28 17:25:18 -06:00
commit 3b67f2d22e
1 changed files with 57 additions and 35 deletions


@ -1,19 +1,52 @@
walnut walnut
====== ======
Small, light, and secure iot application framework. An opinionated, constrained, secure application framework with a hard shell - like iOS, but for a home server.
Security Features
-----------------
* JSON-only APIs
* JWT (not cookie*) authentication
* no server-rendered html
* disallows urlencoded forms, except for secured webhooks
* disallows cookies, except for protected static assets
* api.* subdomain for apis
* assets.* subdomain for protected assets
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js)
* HTTPS-only (checks for X-Forwarded-For)
* AES, RSA, and ECDSA encryption and signing
* Safe against CSRF, XSS, and SQL injection
* Safe against Compression attacks
\*Cookies are used only for GETs and only where using a token would be less secure -
such as images which would otherwise require the token to be passed into the img src.
They are also scoped such that CSRF attacks are not possible.
Application Features
--------------------
* JSON-only expressjs APIs
* Capability-based permissions system for (oauth3-discoverable) packages such as
* large file access (files@daplie.com)
* database access (data@daplie.com)
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
* payments (credit card) (payments@daplie.com)
* email (email@daplie.com)
* SMS (texting) (tel@daplie.com)
* voice (calls and answering machine) (tel@daplie.com)
* lamba-style functions (functions@daplie.com)
* Per-app, per-site, and per-user configurations
* Multi-Tentated Application Management
* Built-in OAuth2 & OAuth3 support
Install
-------
```bash ```bash
curl https://daplie.me/install-scripts | bash curl https://daplie.me/install-scripts | bash
daplie-install-cloud daplie-install-walnut
```
If the pretty url isn't working, for whatever reason, you also try the direct one
```bash
# curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash
# daplie-install-cloud
``` ```
You could also, of course, try installing from the repository directly You could also, of course, try installing from the repository directly
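Review bot: the new "HTTPS-only (checks for X-Forwarded-For)" bullet names the wrong header; X-Forwarded-For carries the client address, while the scheme the proxy terminated is conveyed in X-Forwarded-Proto, which is also the header the curl example further down in this commit sends, so the bullet should read "checks X-Forwarded-Proto" and state that the check is only meaningful when the trusted proxy overwrites any client-supplied value. In the same hunk the install fallback is now inconsistent: the pretty-URL block runs `daplie-install-walnut` but the direct-URL block still says `# daplie-install-cloud`, so one of the two will install the wrong package. Smaller fixes: the Goldilocks link is missing its closing parenthesis after `goldilocks.js)`, "lamba-style" should be "lambda-style", and "Multi-Tentated" should be "Multi-Tenanted".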
@ -25,36 +58,17 @@ git clone git@git.daplie.com:Daplie/walnut.js.git /srv/walnut/core
pushd /srv/walnut/core pushd /srv/walnut/core
git checkout v1 git checkout v1
popd popd
bash /srv/walnut/core/install.sh bash /srv/walnut/core/install-helper.sh
``` ```
Features Initial Configuration
------ -------------
* Works with Goldilocks for secure, Let's Encrypt maneged, https-only serving Once installed and started you can visit <https://localhost.daplie.me:3000>.
* IOT Application server written in [Node.js](https://nodejs.org) ```
* Small memory footprint (for a node app) curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https'
* Secure ```
* Uses JWT, not Cookies\*
* HTTPS-only (checks for X-Forwarded-For)
* AES, RSA, and ECDSA encryption and signing
* Safe against CSRF, XSS, and SQL injection
* Safe against Compression attacks
* Multi-Tentated Application Management
* Built-in OAuth2 & OAuth3 support
\*Cookies are used only for GETs and only where using a token would be less secure
such as images which would otherwise require the token to be passed into the img src.
They are also scoped such that CSRF attacks are not possible.
In Progress
-----------
* HTTPS Key Pinning
* Heroku (pending completion of PostgreSQL support)
* [GunDB](https://gundb.io) Support
* OpenID support
API API
--- ---
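Review bot: the new "Initial Configuration" section tells the reader to visit `https://localhost.daplie.me:3000` but then shows `curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https'`, which contradicts the https URL and shows that the server accepts a caller-supplied X-Forwarded-Proto as proof of HTTPS. Please say explicitly that walnut listens on plain HTTP on port 3000, that the https URL only works through the required proxy, and that the header in the curl example is a local testing shortcut that must never be reachable from untrusted clients, otherwise the "HTTPS-only" guarantee in the Security Features list is bypassable by anyone who can reach port 3000 directly. The removed "Features" list repeated the same X-Forwarded-For wording as the surviving Security Features bullet, so that bullet needs the X-Forwarded-Proto correction too.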
@ -258,3 +272,11 @@ API
``` ```
req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg
``` ```
TODO
----
* HTTPS Key Pinning
* Heroku (pending completion of PostgreSQL support)
* [GunDB](https://gundb.io) Support
* OpenID support
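Review bot: the four TODO items are the same entries removed from the "In Progress" list in the previous hunk, so this is a pure relocation; since the README now requires walnut to sit behind a trusted HTTPS proxy, the "HTTPS Key Pinning" item should say whether pinning is meant to be configured in that proxy or in walnut's own outbound clients, because walnut itself does not terminate TLS according to the rest of this change.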