twproxy 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d76c0ff8f096bc96a9a2bb037879a31fd08f958f
+  data.tar.gz: e56c25cac077859244f4e062af7edcc59df27b4c
+SHA512:
+  metadata.gz: fe6b63a884f567df715720db6b1ee556b91ae947e0e22def49b3911c70a2dee0851054a73478e8392a45fc3785ac8e5db466968101bb09afb3f8c48c7276c08e
+  data.tar.gz: ba4b836a56c8316719a53a456e6bf59c3f468e681337e7289e4aae42fec1254a950def4d3d1b7dbb65ccacf10950ecc35b50778e59336be47ab37607a9f38a4e

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+gem "sinatra"
+gem "haml"
+gem "rotp"
+

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+Copyright (c) 2016 Steve Gattuso
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,117 @@
+# TiddlyWiki Proxy
+*An authenticated proxy for protecting your wiki.*
+
+![Screencast](http://i.imgur.com/NmGf4iE.gif)
+
+This gem provides an easy way to secure a TiddlyWiki installation so you can
+expose it to the internet without having to worry about others gaining access.
+The proxy provides you with a username, password and optionally a 2-factor auth
+code (based on TOTP, which is compatible with [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en)).
+
+Although this proxy can be used as a server in itself, it's highly recommended
+that you run it behind a proper webserver (such as nginx's reverse proxy) that
+is secured with SSL.
+
+## Usage reference
+Installation:
+```
+$ gem install twproxy
+```
+
+Argument reference:
+```
+$ twproxy --help
+Usage: twproxy [options]
+    -p, --port PORT                  Specify port to run the proxy on. Defaults to 8888.
+    -b, --bind HOSTNAME              Specify hostname to bind to. Defaults to 127.0.0.1.
+    -s, --enable-ssl                 Ensures cookies are marked as secure.
+    -d, --destination URL            Specify the url of the TiddlyWiki server. Defaults to http://localhost:8080.
+    -g CLEARTEXT,                    Generates a SHA1 hashed password
+        --generate-password
+    -u, --username USER              Sets the username. Defaults to user.
+    -P, --password HASHED            Sets the user's password. Use a SHA1 hash or -g. Defaults to test.
+    -a, --auth KEY                   Sets a TOTP key for use with Google Authenticator.
+    -h, --help                       Displays this help
+```
+
+## Basic Usage
+Let's say we have a 
+[tiddlywiki server](http://tiddlywiki.com/static/Using%2520TiddlyWiki%2520on%2520Node.js.html) 
+running on `http://localhost:8080` that we'd like to protect with twproxy.
+Fistly we'll want to generate a hashed version of the password we'd like to use:
+
+```
+$ twproxy -g helloWorld
+5395ebfd174b0a5617e6f409dfbb3e064e3fdf0a
+```
+
+Great! Now let's spin up twproxy so we can start working on our wiki,
+protecting it with a username of `stevenleeg` and a password of `helloWorld`:
+
+```
+$ twproxy -u stevenleeg -P 5395ebfd174b0a5617e6f409dfbb3e064e3fdf0a -d http://localhost:8080/
+```
+
+If all goes well you can now navigate to `http://localhost:8888` and see a
+prompt for your username and password.
+
+That's all there is to it! Twproxy is set up and ready to go for basic usage,
+however if you're paranoid I'd recommend further securing your wiki with SSL
+(using an nginx reverse proxy) and 2FA.
+
+## Enabling 2FA
+Sometimes a username and password isn't enough for paranoid minds. Not to
+worry! Twproxy lets you add another layer of security onto your wiki by
+supporting time-based one-time password authentication. This allows you to also
+require a unique one-time code from Google Authenticator (or any other TOTP app)
+in order to sign in.
+
+Setting up 2FA requires acquiring a secret key that is used to generate one-time
+passwords. [This online generator](http://www.xanxys.net/totp/) will do the job,
+but if you're serious about security you should know never to trust an online
+generator of secret keys.
+
+For this example use case I used the online generator to get a key (note, I
+copied the base32 version of the secret key):
+`o76swdmjl74izl7bihmziod333cwnje3`.
+
+I can then add 2FA to our previous example by adding the `-a` flag:
+```
+$ twproxy -u stevenleeg -P 5395ebfd174b0a5617e6f409dfbb3e064e3fdf0a -d http://localhost:8080/ -a o76swdmjl74izl7bihmziod333cwnje3
+```
+
+To test it, scan the QR code on the secret key generator's site into your
+favorite TOTP app and try logging in (the authentication screen will now show a
+third box for an auth code).
+
+If all goes well you should only be able to sign in after entering the correct
+auth code generated on your phone.
+
+## Enabling SSL
+If you plan on exposing your wiki to the internet, it's a smart idea to protect
+it by running it over an encrypted HTTPS connection. The easiest way to do this
+is by using an [nginx reverse proxy](https://www.nginx.com/resources/admin-guide/reverse-proxy/) 
+paired with an SSL certificate from [Let's Encrypt](https://letsencrypt.org/).
+
+Getting those two set up is out of scope of this readme, however it may be
+helpful to check out DigitalOcean's [SSL installation guide](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04) if you're lost.
+
+An important note for those attempting to run twproxy over an SSL connection:
+you must add the `--enable-ssl` flag when starting the proxy! Without this flag twproxy
+won't mark cookies as secure, leaving you confused each time you log in
+correctly only to see yet another authentication prompt.
+
+## Using with Docker
+**Note:** More documentation on this to come. This is still a WIP.
+
+## Issues
+If you're having trouble with twproxy please don't hesitate to open an issue to
+let me know. I'm actively maintaining this project for my own use, so it's in
+my best interest to make sure it is secure and functional.
+
+If you are filing a bug report please make sure you describe all steps
+necessary to reproduce the issue. This will make my job much easier and make
+sure your bug gets fixed faster.
+
+Happy wiki-ing!
+

data/bin/twproxy

@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+require "twproxy"
+require "sinatra"
+require "optparse"
+require "digest/sha1"
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: twproxy [options]"
+
+  opts.on("-p", "--port PORT", "Specify port to run the proxy on. Defaults to 8888.") do |port|
+    options[:port] = port
+  end
+  opts.on("-b", "--bind HOSTNAME", "Specify hostname to bind to. Defaults to 127.0.0.1.") do |hostname|
+    options[:bind] = hostname
+  end
+  opts.on("-s", "--enable-ssl", "Ensures cookies are marked as secure.") do |ssl|
+    options[:enable_ssl] = ssl
+  end
+  opts.on("-d", "--destination URL", "Specify the url of the TiddlyWiki server. Defaults to http://localhost:8080.") do |url|
+    options[:url] = url
+  end
+  opts.on("-g", "--generate-password CLEARTEXT", "Generates a SHA1 hashed password") do |pass|
+    puts Digest::SHA1.hexdigest(pass)
+    exit
+  end
+  opts.on("-u", "--username USER", "Sets the username. Defaults to user.") do |user|
+    options[:username] = user
+  end
+  opts.on("-P", "--password HASHED", "Sets the user's password. Use a SHA1 hash or -g. Defaults to test.") do |hash|
+    options[:password] = hash
+  end
+  opts.on("-a", "--auth KEY", "Sets a TOTP key for use with Google Authenticator.") do |key|
+    options[:auth] = key
+  end
+  opts.on("-h", "--help", "Displays this help") do
+    puts opts
+    exit
+  end
+end.parse!
+
+TWProxy.set :bind, options[:bind] || "127.0.0.1"
+
+TWProxy.set :port, options[:port] || 8888
+TWProxy.set :enable_ssl, options[:enable_ssl] || false
+TWProxy.set :url, options[:url] || "http://localhost:8080" || ENV['WIKI_URL']
+TWProxy.set :username, options[:username] || ENV['WIKI_USER'] || "user"
+# Default password is test
+TWProxy.set :password, 
+  options[:password] || ENV['WIKI_PASS'] || "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
+TWProxy.set :auth, options[:auth] || ENV['WIKI_AUTH']
+
+TWProxy.run!
+

data/lib/twproxy/proxy.rb

@@ -0,0 +1,115 @@
+require "sinatra"
+require "net/http"
+require "uri"
+require "digest/sha1"
+require "rotp"
+
+class TWProxy < Sinatra::Base
+  ##
+  # Authenticate each request before permitting it to access the wiki
+  #
+  before do
+    @accepted_token = Digest::SHA1.hexdigest(
+      "#{settings.username}#{settings.password}#{settings.auth}"
+    )
+
+    token = request.cookies["auth"]
+
+    if token == @accepted_token
+      @authenticated = true
+    elsif request.path != "/login"
+      redirect "/login"
+    end
+  end
+
+  ##
+  # Authentication handlers
+  #
+  get "/login" do
+    redirect "/" if @authenticated
+    haml :login
+  end
+
+  post "/login" do
+    hashed_pass = Digest::SHA1.hexdigest(params["pass"])
+    user = params["user"] == settings.username
+    pass = hashed_pass == settings.password
+
+    if settings.auth
+      totp = ROTP::TOTP.new(settings.auth)
+      auth = totp.verify(params["auth"])
+    else
+      auth = true
+    end
+
+    if !auth
+      @error = "Auth code is incorrect"
+      haml :login
+    elsif user && pass && auth
+      token = Digest::SHA1.hexdigest(
+        "#{params["user"]}#{hashed_pass}#{settings.auth}"
+      )
+      response.set_cookie("auth", value: token, 
+                                  secure: settings.enable_ssl, 
+                                  expires: (Date.today >> 1).to_time,
+                                  httponly: true)
+
+      redirect "/"
+    else
+      @error = "Invalid username/password"
+      haml :login
+    end
+  end
+
+  get "/logout" do
+    response.set_cookie("auth", nil)
+    redirect "/login"
+  end
+
+  ##
+  # Wiki proxy
+  #
+  def get_uri
+    capture = URI::decode(params[:captures][0])
+    base = settings.url
+    if settings.url[-1] != '/'
+      base += '/'
+    end
+
+    uri = URI.parse("#{base}#{URI::encode(capture)}")
+  end
+
+  put /\/(.*)/ do
+    uri = get_uri
+    http = Net::HTTP.new(uri.host, uri.port)
+
+    req = Net::HTTP::Put.new(uri.request_uri, initheader = { "Content-Type" => "application/json"})
+    request.body.rewind
+    req.body = request.body.read
+
+    resp = http.request(req)
+
+    status resp.code
+    headers({"Etag" => resp["Etag"]})
+    resp.body
+  end
+
+  delete /\/(.*)/ do
+    uri = get_uri
+    http = Net::HTTP.new(uri.host, uri.port)
+
+    req = Net::HTTP::Delete.new(uri.request_uri)
+    resp = http.request(req)
+
+    status resp.code
+    resp.body
+  end
+
+  get /\/(.*)/ do
+    uri = get_uri
+    http = Net::HTTP.new(uri.host, uri.port)
+    req = Net::HTTP::Get.new(uri.request_uri)
+
+    http.request(req).body
+  end
+end

data/lib/twproxy/views/login.haml

@@ -0,0 +1,56 @@
+!!!
+%html
+  %head
+    %title wiki - login
+    :css
+      body { 
+        font-family: 'Helvetica'; 
+        color: #111; 
+        font-weight: 300; 
+      }
+      .box {
+        width: 400px;
+        position: fixed;
+        top: 50%;
+        left: 50%;
+        transform: translate(-50%, -80%);
+        background: #EEE;
+        padding: 15px;
+        box-sizing: border-box;
+      }
+      h1 {
+        margin: 0px 0px 10px 0px;
+        font-weight: 300;
+        font-size: 24px;
+      }
+      input {
+        display: block;
+        width: 100%;
+        margin-bottom: 5px;
+        font-family: 'Helvetica'; 
+        font-weight: 300; 
+        font-size: 18px;
+        padding: 5px;
+        box-sizing: border-box;
+        outline: none;
+      }
+
+      input[type=submit] {
+        background: #00B4FF;
+        border: 0px;
+        color: #FFF;
+        margin-bottom: 0px;
+      }
+
+  %body
+    .box
+      %h1 Login
+      - if @error
+        %p= @error
+
+      %form{action:'/login', method: 'POST'}
+        %input{type: 'text', placeholder: 'Username', name: 'user'}
+        %input{type: 'password', placeholder: 'Password', name: 'pass'}
+        - if settings.auth
+          %input{type: 'number', placeholder: 'Auth code', name: 'auth'}
+        %input{type: 'submit', value: 'Login'}

data/lib/twproxy.rb

@@ -0,0 +1 @@
+require 'twproxy/proxy'

data/twproxy.gemspec

@@ -0,0 +1,18 @@
+Gem::Specification.new do |s|
+  s.name = "twproxy"
+  s.version = "0.0.1"
+  s.date = "2016-04-09"
+  s.summary = "TiddlyWiki Proxy"
+  s.description = "An authenticated proxy for TiddlyWiki"
+  s.authors = ["Steve Gattuso"]
+  s.email = "steve@stevegattuso.me"
+  s.files = ["lib/twproxy.rb"]
+  s.files = %w(Gemfile LICENSE README.md twproxy.gemspec) + Dir['lib/**/*', 'bin/*']
+  s.license = "MIT"
+  s.executables << 'twproxy'
+
+  s.add_dependency 'sinatra', '~> 1.4'
+  s.add_dependency 'haml', '~> 4.0'
+  s.add_dependency 'rotp', '~> 2.1'
+end
+

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: twproxy
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Steve Gattuso
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-04-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+description: An authenticated proxy for TiddlyWiki
+email: steve@stevegattuso.me
+executables:
+- twproxy
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE
+- README.md
+- bin/twproxy
+- lib/twproxy.rb
+- lib/twproxy/proxy.rb
+- lib/twproxy/views/login.haml
+- twproxy.gemspec
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.3
+signing_key: 
+specification_version: 4
+summary: TiddlyWiki Proxy
+test_files: []