keystonejs / keystone-classic

Node.js CMS and web app framework
http://v4.keystonejs.com
MIT License

Trying to add authentication to the mongodb #4922

Open Greg1992 opened 5 years ago

Greg1992 commented 5 years ago

So I have a droplet on DigitalOcean using Ubuntu 16.04. On the droplet I have 3 databases: an admin, test and 'my site', which is the database Keystone is apparently adding collections to. Now, in order to make the database on the droplet secure, I've had to change the following to be auth=true.

# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

By doing so I'm getting the following error

'not authorized for query on my-site.app_updates'

So I went ahead and created an admin user in the admin database of the droplet. I'm using the following connection string, which is above the keystone.init:

keystone.set("mongo","mongodb://:admingreg:"+password+"@127.0.0.1:27217/my-site?authSource=admin")

In my head this should connect to the keystone database, but go to the admin database and check there is a user that matches the credentials. This does not work, nor does changing the connection string to match a keystone user's credentials.

I'm finding adding authentication to Keystone a real pain, so if anyone could point me in the right direction that would be fab, because I would hate to have to stop using the technology.

laurenskling commented 5 years ago

I don't know if I understand correctly, but it seems you are mixing auth to Mongo and auth to Keystone.

The mongo connection string needs a user to log into the database, which makes sense, right? When Keystone can access the database with that user, it will set up all models. But they will be empty. There will not be a Keystone User unless you make one. For example:

https://github.com/JedWatson/sydjs-site/blob/master/updates/0.0.1-admins.js

or easier code like this (in the updates folder, like the link above):

exports.create = {
    User: [
        {
            'name.first': 'Admin',
            'name.last': 'User',
            'email': 'test@example.com',
            'password': 'admin',
            'isAdmin': true,
        },
    ],
};

Does this answer your question?

Greg1992 commented 5 years ago

So my understanding is this: normally on a droplet you have the app code and the database as separate things, both of which require authentication to keep them secure. My 'probably misguided' understanding is that adding a Keystone user as you described above protects the app from people/bots being able to log onto the admin portal, but it does nothing to the database installed on the droplet, containing the keystone database.

So, off the back of your great response, in order for there to be authentication with the mongo db, it needs to include the admin details of the actual Keystone user.

Am I thinking about it in the incorrect way?

laurenskling commented 5 years ago

As you mentioned, you've created a Database User, correct? And with this line keystone.set("mongo","mongodb://:admingreg:"+password+"@127.0.0.1:27217/my-site?authSource=admin") you are connecting to that database through that user. You log into that database with these credentials.

Looking at your code and your response, I think you might be bothered by having to use password as a variable in your code? The keystone.set('mongo', ...) is only one way to set the database. The preferred way is to use env variables. If you have MONGODB_URL=... with the connection string in your env, Keystone will use that. So it's separate from your code and can be different per instance.

Does that answer your question?

These are the ways to set the mongo connection string: https://github.com/keystonejs/keystone/blob/d34f45662eb359e2cb18b397f2ffea21f9883141/lib/core/initDatabaseConfig.js
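Added example, not part of this thread and not KeystoneJS code: a small Node.js helper that builds the mongodb:// connection string from environment variables (the approach recommended above), percent-encodes the username and password so characters like ':' or '@' in a password cannot corrupt the URI, and parses the result back with Node's built-in WHATWG URL parser to catch the kind of mistake the original string shows (a stray ':' before the user name, which makes the username empty). The environment variable names (MONGO_USER, MONGO_PASSWORD, MONGO_HOST, MONGO_PORT, MONGO_DB, MONGO_AUTH_SOURCE) and the sample values are constructed for the example; the check only inspects the string and does not contact a server.

```javascript
'use strict';
// Added example (not KeystoneJS project code): build and sanity-check a MongoDB
// connection string before passing it to keystone.set('mongo', uri) or MONGODB_URL.

// Assemble "mongodb://user:pass@host:port/db?authSource=..." from its parts.
// encodeURIComponent escapes ':', '@', '/', '?' and '%' in credentials.
function buildMongoUri({ user, password, host = '127.0.0.1', port = 27017, db, authSource = 'admin' }) {
  if (!user || !password || !db) {
    throw new Error('user, password and db are required');
  }
  const auth = `${encodeURIComponent(user)}:${encodeURIComponent(password)}`;
  return `mongodb://${auth}@${host}:${port}/${db}?authSource=${encodeURIComponent(authSource)}`;
}

// Split a URI back into parts (credentials decoded) using the WHATWG URL parser,
// so what the driver will actually send can be compared with the mongod setup.
function parseMongoUri(uri) {
  const u = new URL(uri);
  return {
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.hostname,
    port: u.port,
    db: u.pathname.replace(/^\//, ''),
    authSource: u.searchParams.get('authSource'),
  };
}

// Return a list of problems found in the URI; an empty list means it looks sane.
function checkMongoUri(uri) {
  let parts;
  try {
    parts = parseMongoUri(uri);
  } catch (e) {
    return [`not a valid URI: ${e.message}`];
  }
  const problems = [];
  if (parts.username === '') problems.push('empty username (stray ":" before the user name?)');
  if (parts.password === '') problems.push('empty password');
  if (parts.db === '') problems.push('no database name in the path');
  if (!parts.authSource) problems.push('no authSource: mongod will look for the user in the target db');
  return problems;
}

// Read the parts from the environment; variable names are an assumption of this example.
function uriFromEnv(env = process.env) {
  return buildMongoUri({
    user: env.MONGO_USER,
    password: env.MONGO_PASSWORD,
    host: env.MONGO_HOST || '127.0.0.1',
    port: env.MONGO_PORT || 27017,
    db: env.MONGO_DB,
    authSource: env.MONGO_AUTH_SOURCE || 'admin',
  });
}

// Dry run with constructed values (no server is contacted).
const sampleEnv = { MONGO_USER: 'admingreg', MONGO_PASSWORD: 'p@ss:w/rd', MONGO_DB: 'my-site' };
const goodUri = uriFromEnv(sampleEnv);
console.log(goodUri, checkMongoUri(goodUri));
const badUri = 'mongodb://:admingreg:secret@127.0.0.1:27017/my-site?authSource=admin';
console.log(badUri, checkMongoUri(badUri));
```

The check runs before any connection attempt, so a malformed string fails at startup with a readable message instead of a "not authorized" error from the server; keeping the credentials in the environment rather than in source also means the same code can run against a different database per instance.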