Static Assets, Partials, and TLS

[zoe-1]

Static Assets, Partials, and TLS

Configure the application to use TLS/SSL

• Generate your own TLS/SSL certificate
• Make "certs" directory in ./lib.
• Place the certificates you generate into "certs" directory.

  Configure two server connections

• One labelled ['web'] on port 8000 with no TLS configured.
• The other labelled ['web-tls'] on port 8001 will use TLS.
  Configure this connection to use the ssl certificates you just generated
  and placed in ./lib/certs
  • Example server certificate configuration at npm newww

    Use TLS everywhere

Configure the application to always use TLS Transport Layer Security.
Every http request should be redirected to https. Two references:

• @hueniverse on the issue
• related StackOverflow post

  Configure the home plugin.

• Make a new point in the home plugin called: "login"
  • Make login route display view template named login.html.
• Use partials to display the login form
  • make a directory inside of the ./views called partials
  • configure the home plugin to use the ./views/partials directory to load partials from.
  • In ./views/partials/ directory make a file named form.html.
    • form should have two inputs one type="text" named "username" and the second type="password" named "password".
    • form should have one submission button with text value "Login".
  • Inside login.html template load the partial file named "form.html"

    Use Static Assets

• Make directory in root of project called "assets".
• Inside the assets directory, make three directories:
  "styles" for css, "scripts" for JS scripts,
  "images" for project images.
  • Place Hapi University logo into the images directory
    and display it on the home page (home.html). (image is in the repo ./images/logo.png)
  • Place a CSS file in the stylesheets directory (styles).
    Name css file styles.css:
  • Make one simple style:
    h3 { font-size: 24px; font-weight: bold; }
  • Use the stylesheet in home.html. Make a title inside h3 tags.
  • Make a script named login.js and put in ./assets/scripts
  • Make this script print a console message to the browser when the form button is clicked.
  • In the home plugin configure the application to serve these static assets.
  • Make a login link in home.html that links to the login route.

    100% test coverage required

    Exended Due Date is June 12, 2015

Original due date was June 6, 2015.

Next After This Assignment

• Make POST request from our form.
• Validate the post request with Joi.
• Use hapi-auth-cookie to start session.
• Successful login goes to restricted access page.
• Error handling of login failure

[zoe-1]

Promote hapijs / university on Twitter

Make tweets promoting hapijs / university with the @hapijs tag in the tweet.
Then, @hueniverse can retweet them and get the word out. I will promote too, my twitter account is jswenson74.

Cheers!

[ghost]

One question : on the home page , do we still have to display the path ?

[zoe-1]

@roelof1967 The path in the home page should be removed. Forgot to mention that. Thanks.

[zoe-1]

Tips for Assignment6

/*
 * Redirect everything to tls
 */
server.ext('onRequest', function (request, reply) {

    if (request.connection.info.protocol === 'http') {
        return reply.redirect('https://localhost:8001' + request.url.path).code(301);
    }

    return reply.continue();
});

var Config = require('./config/config.js');
/*
 *  Important part of manifest JSON declaration for web-tls
 */
 "connections": [
      {
          port: 8000,
          labels: ['web']
      },
      {
          host: 'localhost',
          port: 8001,
          labels: ['web-tls'],
          tls: Config.tls
      }
  ],

//
//  config.js  Used above in the manifest. 
//
var fs = require('fs');
var config = module.exports = {};

//  tls Trasport Layer Security (tls)
config.tls = {
    key: fs.readFileSync('./lib/config/certs/server.key'),     // Path to key
    cert: fs.readFileSync('./lib/config/certs/server.crt'),      // Path to Certificate

    // This is necessary only if using the client certificate authentication.
    requestCert: true,

    // This is necessary only if the client uses the self-signed certificate.
    ca: []
};

In assignment, forgot to mention that you can make a config.js file to use for loading tis certs

Above is to illustrate this.

//
//  How to test on tls connection
//
it('GET request should respond properly.', function(done){

        University.init(0, function(err, server){

            expect(server.info.port).to.be.above(0);

            // IMPORTANT   this is how to inject into tis connection avoiding the redirect.
            var tlserver = server.select('web-tls');

            tlserver.inject({url: '/home', method: 'GET' }, function (response) {

                expect(response.statusCode).to.equal(200);
                server.stop(done);
            });
        });
});

[ghost]

I get a error message cannot call method of "replace" on udefined on the above test. Anyone who knows a good tutorial for making the certificates. I only get a perm file instead of the key and crt file

[zoe-1]

@roelof1967 links to tutorials below: openssl-essentials Heroku Tutorial Generate Self Signed Cert Another Tutorial Ubuntu http://en.wikipedia.org/wiki/Self-signed_certificate

[hussainanjar]

@zoe-1 you said moving manifest in an external file is a good idea, why didn't we do it then ?

[hussainanjar]

@zoe-1 in the assignment you have asked to keep certs under lib/certs while in the example above shared, it is pointing to lib/config/certs which path is the requirement of this assignment, I think the first one makes more sense.

[hussainanjar]

One more problem after pulling in the laster master its not running getting following error when I run node start

module.js:338
    throw err;
          ^
Error: Cannot find module '/Users/hussainanjar/workspace/personal/university/start'
    at Function.Module._resolveFilename (module.js:336:15)
    at Function.Module._load (module.js:278:25)
    at Function.Module.runMain (module.js:501:10)
    at startup (node.js:129:16)
    at node.js:814:3

[zoe-1]

@hussainanjar

• In respect to making a manifest file, it was not in the assignment because the assignment already had a lot of other things going on in it. So, decided not to make it yet. We will make one later though. It is not too hard to do.
• In respect to lib/config/certs etc, the assignment required us to use lib/certs. I put the above examples there to be a guide to think about the code and assumed people would adjust the paths. The above examples are from: my glued project. There is an example of an external manifest file there if you want to look at it.
• try npm start

[hussainanjar]

@zoe-1 thanks :)

[AdriVanHoudt]

another tutorial to make the certificates http://www.akadia.com/services/ssh_test_certificate.html

[zoe-1]

In order to give people more time to submit PRs, extending assignment6 due date until: June 12, 2015. Received two requests to slow things down a bit. Hopefully, this extension will give others space to complete the assignments.

Please share feed back on the pace of assignments, difficulty, etc...

[zoe-1]

Critique of Assignment6 PRs.

I want to close this assignment and merge in a PR, however, all the PRs have some issues to fix before any can be merged. See comments below and the comments made in your projects. I reviewed all of them.

• Several projects had linting issues. These need to be fixed.
• When enforcing the use of tls on the server, use the below code logic. The goal is to avoid redundant checks of the tls connection ensuring that it uses tls.

server.select('web').ext('onRequest', function (request, reply) {

    return reply.redirect('https://localhost:8001' + request.url.path).permanent();
});

• Some of you did not have tests ensuring the redirect of http requests forwarding to https. There are two options when testing the enforcement of tls:
  • Make one test checking if the "web" connection is forced to redirect to https.
    One of you did this. We do not want to use this option.
  • Test all routes proving http requests are forced to tls connection.
    Let's use this option, I would rather be over defensive rather than to lax when testing security related issues.
• Every route on the application should have at least two tests on it.
  • One, a test proving that is works correctly on the tls connection.
  • Two, a test proving that http requests get redirected to use tls connection.
• Let's give more peer review of each others code.
  • @hueniverse from the start said this project is horizontal learning not just vertical learning. If everyone contributes and provides review of others code it will cause everyone to improve.
  • Make comments and questions but please think about comments or questions before you make them.

Tip: Write out your question and comments relating to problems you are trying to solve before posting them. As you type the comment, question, or problem to post it will cause you to define the problem and find the vocabulary to articulate it. This will create clarity and often results in you finding the solution before you post anything.

[AdriVanHoudt]

Nice feedback, although it might be more usefull to test soms random urls to see if they redirect to https, that wat you can be even more sure that all URLs are forwarded and not just the ones we have now, doing this for every route seems redundant, the point of being more protective I fully support though

[zoe-1]

@AdriVanHoudt Good to have you back making comments again :-)

• Testing random urls will come in Assignment7. We are going to add a server.ext() to handle route does not exist errors.
• Yeah, I see your point about route tests being redundant.
  But, considering it is security related, my personal preference is to be more defensive.

[AdriVanHoudt]

I only have time for some comments I'm afraid ^^