diff --git a/README.md b/README.md index d9e93f6..6e0ac84 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,47 @@ walnut ====== -Small, light, and secure iot application framework. +An opinionated, constrained, secure application framework with a hard shell - like iOS, but for a home server. + +Security Features + +* JSON-only APIs +* JWT (not cookie*) authentication +* no server-rendered html +* disallows urlencoded forms, except for secured webhooks +* disallows cookies, except for protected static assets +* api.* subdomain for apis +* assets.* subdomain for protected assets +* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js) +* HTTPS-only (checks for X-Forwarded-For) +* AES, RSA, and ECDSA encryption and signing +* Safe against CSRF, XSS, and SQL injection +* Safe against Compression attacks + +\*Cookies are used only for GETs and only where using a token would be less secure - +such as images which would otherwise require the token to be passed into the img src. +They are also scoped such that CSRF attacks are not possible. + +Application Features + +* JSON-only expressjs APIs +* Capability-based permissions system for (oauth3-discoverable) packages such as + * large file access (files@daplie.com) + * database access (data@daplie.com) + * scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com) + * payments (credit card) (payments@daplie.com) + * email (email@daplie.com) + * SMS (texting) (tel@daplie.com) + * voice (calls and answering machine) (tel@daplie.com) + * lamba-style functions (functions@daplie.com) +* Per-app, per-site, and per-user configurations +* Multi-Tentated Application Management +* Built-in OAuth2 & OAuth3 support ```bash curl https://daplie.me/install-scripts | bash -daplie-install-cloud -``` - -If the pretty url isn't working, for whatever reason, you also try the direct one - -```bash -# curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash -# daplie-install-cloud +daplie-install-walnut ``` You could also, of course, try installing from the repository directly @@ -25,36 +53,17 @@ git clone git@git.daplie.com:Daplie/walnut.js.git /srv/walnut/core pushd /srv/walnut/core git checkout v1 popd -bash /srv/walnut/core/install.sh +bash /srv/walnut/core/install-helper.sh ``` -Features ------- +Initial Configuration +------------- -* Works with Goldilocks for secure, Let's Encrypt maneged, https-only serving +Once installed and started you can visit . -* IOT Application server written in [Node.js](https://nodejs.org) -* Small memory footprint (for a node app) -* Secure - * Uses JWT, not Cookies\* - * HTTPS-only (checks for X-Forwarded-For) - * AES, RSA, and ECDSA encryption and signing - * Safe against CSRF, XSS, and SQL injection - * Safe against Compression attacks -* Multi-Tentated Application Management -* Built-in OAuth2 & OAuth3 support - -\*Cookies are used only for GETs and only where using a token would be less secure -such as images which would otherwise require the token to be passed into the img src. -They are also scoped such that CSRF attacks are not possible. - -In Progress ------------ - -* HTTPS Key Pinning -* Heroku (pending completion of PostgreSQL support) -* [GunDB](https://gundb.io) Support -* OpenID support +``` +curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https' +``` API --- @@ -258,3 +267,11 @@ API ``` req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg ``` + +TODO +---- + +* HTTPS Key Pinning +* Heroku (pending completion of PostgreSQL support) +* [GunDB](https://gundb.io) Support +* OpenID support