Ha! Got it! And version bump

TODO: Still no access to routes on staging... hmmm...

.drone.yml

@@ -3,7 +3,7 @@ type: docker
 name: Test Pipeline
 
 workspace:
-  path: /drone/grow
+  path: /drone/auth
 
 steps:
 - name: yarn install
@@ -60,18 +60,17 @@ steps:
 trigger:
   branch:
   - main
+  - develop
   event:
-  # - pull_request
+  - pull_request
-  - push
 
 ---
 kind: pipeline
 type: docker
 name: Publish Pipeline
-group: publish
 
 workspace:
-  path: /drone/grow
+  path: /drone/auth
 
 steps:
 - name: Build Package
@@ -80,19 +79,13 @@ steps:
     - yarn install
     - yarn build
 - name: Publish NPM
-  image: plugins/npm
+  image: node:20-alpine
   failure: ignore
-  settings:
+  commands:
-    username:
+    - yarn publish -t ${DRONE_TAG}
-      from_secret: registry_username
-    password:
-      from_secret: registry_password
-    registry: https://git.mifi.dev/api/packages/mifi/npm
-    token:
-    - from_secret: gitea_token
   volumes:
   - name: npmrc
-    path: /drone/grow/.npmrc
+    path: /drone/auth/.npmrc
 - name: Report NPM Publish Status
   image: plugins/webhook
   settings:
@@ -109,40 +102,18 @@ steps:
       - success
       - failure
 - name: Publish Image
-  image: docker
+  image: plugins/docker
-  environment:
+  settings:
-    USERNAME:
+    auto_tag: true
-      from_secret: registry_username
+    repo: git.mifi.dev/mifi/mifi/auth
-    PASSWORD:
+    registry: git.mifi.dev
-      from_secret: registry_password
+    debug: true
-  commands:
+    ssh-agent-key:
-    - docker login -u ${USERNAME} -p {PASSWORD} git.mifi.dev
+      from_secret: reg_token    
-    - docker build -t git.mifi.dev/mifi/mifi/auth:latest -t git.mifi.dev/mifi/mifi/auth:${DRONE_TAG} .
+    username: <token>
-    - docker push git.mifi.dev/mifi/mifi/auth:latest
+    password:
-  volumes:
+      from_secret: reg_token
-  - name: dockersock
+  secrets: [reg_token]
-    path: /var/run/docker.sock
-  - name: dockerconfig
-    path: /drone/grow/.docker/config.json
-# - name: Publish Image
-#   image: plugins/docker
-#   settings:
-#     auto_tag: true
-#     squash: true
-#     repo: git.mifi.dev/mifi/auth
-#     context: mifi
-#     registry: git.mifi.dev
-#     username:
-#       from_secret: registry_username
-#     password:
-#       from_secret: registry_password
-#     ssh-agent-key:
-#       from_secret: gitea_token
-  volumes:
-  - name: dockersock
-    path: /var/run/docker.sock
-  - name: dockerconfig
-    path: /drone/grow/.docker/config.json
 - name: Report Image Publish Status
   image: plugins/webhook
   settings:
@@ -174,36 +145,36 @@ depends_on:
   - Test Pipeline
 
 trigger:
-  # branch:
-  # - main
   event:
-  # - push
   - tag
 
 ---
 kind: pipeline
 type: docker
-name: Deploy Pipeline
+name: Staging Deploy Pipeline
 
 workspace:
-  path: /drone/grow
+  path: /drone/auth
 
 steps:
 - name: Deploy Container
   image: docker
   privileged: true
+  environment:
+    CONTAINER_PREFIX: staging
+    HOST: area51.mifi.dev
+    ROUTE_PREFIX: /auth
+    PORT: 9001
   commands:
-    - docker compose -f docker-compose.staging.yml pull
+    - docker compose -f docker-compose.staging-build.yml build --pull --no-cache
-    - docker compose -f docker-compose.staging.yml build --no-cache
+    - docker compose -f docker-compose.staging-build.yml up --remove-orphans --force-recreate --wait
-    - docker compose -f docker-compose.staging.yml rm --stop
-    - docker compose -f docker-compose.staging.yml up --wait
   volumes:
   - name: env-secrets
-    path: /drone/grow/staging.secrets.env
+    path: /drone/auth/staging.env
   - name: dockersock
     path: /var/run/docker.sock
   - name: dockerconfig
-    path: /drone/grow/.docker/config.json
+    path: /drone/auth/.docker/config.json
 - name: Send Status Notifications
   image: plugins/webhook
   privileged: true
@@ -230,14 +201,82 @@ volumes:
     path: /var/run/docker.sock
 - name: env-secrets
   host:
-    path: /volume1/docker/beethoven/labs-auth/staging.secrets.env
+    path: /volume1/docker/beethoven/labs-auth/staging.env
 
 depends_on:
   - Test Pipeline
 
 trigger:
-  # branch:
+  branch:
-  # - main
+  - develop
   event:
-  # - push
+  - push
-  - tag
+
+---
+kind: pipeline
+type: docker
+name: Production Deploy Pipeline
+
+workspace:
+  path: /drone/auth
+
+clone:
+  disable: true
+
+steps:
+- name: Deploy Container
+  image: docker
+  privileged: true
+  environment:
+    CONTAINER_PREFIX: staging
+    HOST: area51.mifi.dev
+    ROUTE_PREFIX: /auth
+    PORT: 9001
+  commands:
+    - docker compose -f docker-compose.production-build.yml pull
+    - docker compose -f docker-compose.production-build.yml build --no-cache
+    - docker compose -f docker-compose.production-build.yml rm --stop
+    - docker compose -f docker-compose.production-build.yml up --wait
+  volumes:
+  - name: env-secrets
+    path: /drone/auth/production.env
+  - name: dockersock
+    path: /var/run/docker.sock
+  - name: dockerconfig
+    path: /drone/auth/.docker/config.json
+- name: Send Status Notifications
+  image: plugins/webhook
+  privileged: true
+  settings:
+    urls: https://lab.mifi.dev/hooks/ccw34hdf7tgbjmzp96nptn938r
+    content_type: application/json
+    template: |
+      {
+        "icon_url":"https://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/120/apple/198/freezing-face_1f976.png",
+        "text": "[{{ repo.name }} - Build # {{ build.number }}] Deploy {{ build.status }} {{#success build.status}}:tada:{{else}}:poop:{{/success}}",
+        "username":"DroneBot"
+      }
+  when:
+    status:
+      - success
+      - failure
+
+volumes:
+- name: dockerconfig
+  host:
+    path: /volume1/docker/dockerconfig.json
+- name: dockersock
+  host:
+    path: /var/run/docker.sock
+- name: env-secrets
+  host:
+    path: /volume1/docker/beethoven/labs-auth/staging.env
+
+depends_on:
+  - Test Pipeline
+
+trigger:
+  event:
+  - promote
+  target:
+  - production

.env.dev

@@ -6,14 +6,14 @@ ROUTE_PREFIX=/auth
 LOGIN_ROUTE=/login
 RESET_ROUTE=/reset
 
-DB_ADMIN_USERNAME=root
+# DB_ADMIN_USERNAME=root
-DB_ADMIN_PASSWORD=password
+# DB_ADMIN_PASSWORD=password
 DB_USERNAME=user
 DB_PASSWORD=password
 DB_NAME=auth
 
-MONGO_INITDB_ROOT_USERNAME=$DB_ADMIN_USERNAME
+MONGO_INITDB_ROOT_USERNAME=$DB_USERNAME
-MONGO_INITDB_ROOT_PASSWORD=$DB_ADMIN_PASSWORD
+MONGO_INITDB_ROOT_PASSWORD=$DB_PASSWORD
 MONGO_INITDB_DATABASE=$DB_NAME
 
 SESSION_KEY=shjhakjfhfjdshjksdhfdshfhfduyeyb73te4
@@ -27,3 +27,5 @@ RESET_VALID_MINUTES=15
 DEFAULT_TOKEN_DAYS=1
 
 CONTAINER_PREFIX=dev
+SERVICE_NAME=auth-service
+ENV=development

.env.staging

@@ -1,6 +0,0 @@
-HOST=area51.mifi.dev
-PORT=9001
-
-ROUTE_PREFIX=/auth
-
-CONTAINER_PREFIX=mifi

Dockerfile

@@ -1,18 +1,28 @@
+ARG ENV=production
+ARG MONGO_VERSION=latest
+ARG PORT=9001
+
+## mongo build stage
+FROM mongo:$MONGO_VERSION AS database
+COPY mongo-init.sh /docker-entrypoint-initdb.d
+
+## stage one, build the service
 FROM node:20-alpine AS build
+ENV NODE_ENV development
 WORKDIR /home/node/app
 COPY package*.json ./
 COPY tsconfig.json ./
 COPY lib ./lib
 RUN ls -a
 RUN yarn install
-RUN yarn build:production
+RUN yarn build
 
 ## this is stage two , where the app actually runs
 FROM node:20-alpine AS containerize
+ENV NODE_ENV $ENV
 WORKDIR /home/node/app
 COPY package*.json ./
 RUN yarn install --frozen-lockfile --production
-COPY --from=0 /home/node/app/dist .
+COPY --from=build /home/node/app/dist .
-EXPOSE 9001
+EXPOSE $PORT
-EXPOSE 27017
 CMD ["node","server/index.js"]

README.md

@@ -1,2 +1,2 @@
-# grow-api
+# @mifi/auth
 

docker-compose.dev.yml

@@ -3,26 +3,31 @@ version: '3.8'
 services:
     auth-service_mongo:
         env_file: .env.dev
-        container_name: ${CONTAINER_PREFIX:-dev}-auth-service_mongo
+        container_name: ${CONTAINER_PREFIX}-auth-service_mongo
         ports:
             - 27017:27017
         networks:
-            - labs-net
+            - backend
         volumes:
-            - /var/tmp/labs:/data/db
+            - auth-db:/data/db
-            - ./mongo-init.js:/docker-entrypoint-initdb.d/mongo-init.js:ro
+            - auth-db:/data/configdb
         restart: unless-stopped
         image: mongo:latest
     auth-service:
         env_file: .env.dev
-        build: .
+        build:
-        container_name: ${CONTAINER_PREFIX:-dev}-auth-service
+            context: .
+            args:
+              - PORT
+              - ENV
+        container_name: ${CONTAINER_PREFIX}-auth-service
         ports:
             - 9001:9001
         environment:
-            - DB_HOST=${CONTAINER_PREFIX:-dev}-auth-service_mongo
+            - DB_HOST=${CONTAINER_PREFIX}-auth-service_mongo
         networks:
             - labs-net
+            - backend
         restart: unless-stopped
         image: node:20-alpine
         depends_on:
@@ -30,3 +35,7 @@ services:
 networks:
     labs-net:
         name: labs-net
+
+volumes:
+    auth-db:
+        external: true

docker-compose.staging-build.yml

@@ -0,0 +1,58 @@
+version: '3.8'
+
+services:
+    auth-service_mongo:
+        container_name: ${CONTAINER_PREFIX}-auth-service_mongo
+        env_file:
+            - staging.env
+        build:
+            context: .
+            target: database
+            args:
+              MONGO_VERSION: 4.4
+        networks:
+            - auth-backend
+        volumes:
+            - 'auth-db:/data/db'
+            - 'auth-db:/data/configdb'
+        restart: unless-stopped
+        image: mongo:4.4
+    auth-service:
+        container_name: ${CONTAINER_PREFIX}-auth-service
+        env_file:
+            - staging.env
+        build:
+            context: .
+            target: containerize
+            args:
+              - PORT
+              - ENV
+        environment:
+            - DB_HOST=${CONTAINER_PREFIX}-auth-service_mongo
+        labels:
+            - 'traefik.enable=true'
+            - 'traefik.docker.network=docknet'
+            - 'traefik.http.routers.labs-auth.rule=Host(`${HOST}`) && PathPrefix(`${ROUTE_PREFIX}`)'
+            - 'traefik.http.routers.labs-auth.entrypoints=websecure'
+            - 'traefik.http.routers.labs-auth.tls=true'
+            - 'traefik.http.routers.labs-auth.tls.certresolver=letsencrypt'
+            - 'traefik.http.routers.labs-auth.service=labs-auth-service'
+            - 'traefik.http.services.labs-auth-service.loadbalancer.server.port=${PORT}'
+        networks:
+            - auth-backend
+            - docknet
+        restart: unless-stopped
+        image: node:20-alpine
+        depends_on:
+            - auth-service_mongo
+networks:
+    auth-backend:
+        driver: bridge
+        external: false
+    docknet:
+        name: docknet
+        external: true
+
+volumes:
+    auth-db:
+        external: false

docker-compose.staging-image.yml

@@ -2,39 +2,42 @@ version: '3.8'
 
 services:
     auth-service_mongo:
-        container_name: $${CONTAINER_PREFIX:-mifi}-auth-service_mongo
+        container_name: ${CONTAINER_PREFIX}-auth-service_mongo
         env_file:
-            - .env.staging
+            - staging.env
-            - staging.secrets.env
         networks:
             - docknet
         volumes:
-            - '/volume1/docker/labs/auth/mongo:/data/db'
+            - auth-db:/data
+            - ./mongo-init.js:/docker-entrypoint-initdb.d/mongo-init.js:ro
         restart: unless-stopped
-        image: mongo:latest
+        image: mongo:4.4
     auth-service:
         env_file:
-            - .env.staging
+            - staging.env
-            - staging.secrets.env
+        container_name: ${CONTAINER_PREFIX}-auth-service
-        build: .
-        container_name: $${CONTAINER_PREFIX:-mifi}-auth-service
         environment:
-            - DB_HOST=$${CONTAINER_PREFIX:-mifi}-auth-service_mongo
+            - DB_HOST=${CONTAINER_PREFIX}-auth-service_mongo
         labels:
             - 'traefik.enable=true'
-            - 'traefik.http.routers.grow.rule=Host(`$${HOST}`) && Path(`$${ROUTE_PREFIX}`)'
+            - 'traefik.http.routers.grow.rule=Host(`${HOST}`) && Path(`${ROUTE_PREFIX}`)'
             - 'traefik.http.routers.grow.entrypoints=websecure'
             - 'traefik.http.routers.grow.tls=true'
             - 'traefik.http.routers.grow.tls.certresolver=letsencrypt'
             - 'traefik.http.routers.grow.service=grow-service'
-            - 'traefik.http.services.grow-service.loadbalancer.server.port=$${PORT}'
+            - 'traefik.http.services.grow-service.loadbalancer.server.port=${PORT}'
         networks:
             - docknet
         restart: unless-stopped
-        image: node:20-alpine
         depends_on:
             - auth-service_mongo
+        image: git.mifi.dev/mifi/mifi/auth:latest
+
 networks:
     docknet:
         name: docknet
-        external: true
+        external: true
+
+volumes:
+    auth-db:
+        external: false

lib/constants/db.ts

@@ -1,5 +1,5 @@
-export const DB_HOST = process.env.DB_HOST || 'not_set';
+export const DB_HOST = process.env.DB_HOST;
 export const DB_PORT = process.env.DB_PORT || 27017;
-export const DB_USERNAME = process.env.DB_USERNAME || 'not_set';
+export const DB_USERNAME = process.env.DB_USERNAME;
-export const DB_PASSWORD = process.env.DB_PASSWORD || 'not_set';
+export const DB_PASSWORD = process.env.DB_PASSWORD;
-export const DB_NAME = process.env.DB_NAME || 'not_set';
+export const DB_NAME = process.env.DB_NAME;

lib/server/controllers/auth.ts

@@ -7,6 +7,7 @@ import Auth from '../../db/model/auth';
 import { sign } from '../../utils/jwt';
 import passport from '../passport';
 import { ErrorCodes, getErrorBody } from '../../constants/errors';
+import { authenticated } from '../middleware/authenication';
 
 const routerOpts: Router.IRouterOptions = { prefix };
 const router: Router = new Router(routerOpts);
@@ -43,7 +44,10 @@ router.post(process.env.RESET_ROUTE || RESET_ROUTE, async (ctx, next) => {
     ctx.body = { success: false, ...getErrorBody(ErrorCodes.RESET_REQUEST_DATA) };
 });
 
-router.patch('/:record', (ctx: Koa.Context) => {
+router.patch('/:record', authenticated(), (ctx: Koa.Context) => {
+    if (ctx.user !== ctx.param.record) {
+        ctx.throw(StatusCodes.UNAUTHORIZED);
+    }
     const data = Auth.findOneAndUpdate({ record: ctx.params.record });
     if (!data) {
         ctx.throw(StatusCodes.NOT_FOUND);

lib/server/index.ts

@@ -5,7 +5,7 @@ import { PORT } from '../constants/env';
 connection.then(
     () => {
         app.listen(PORT);
-        console.log('LISTENING', process.env);
+        console.debug('Server up and listening', { env: process.env });
     },
-    (err) => console.error('SERVER ERROR!', { err, env: process.env }),
+    (err) => console.error('Could not reach database', { err, env: process.env }),
 );

mongo-init.js

@@ -1,12 +0,0 @@
-/* eslint-disable no-undef */
-db = db.getSiblingDB(process.env.DB_NAME);
-db.createUser({
-    user: process.env.DB_USERNAME,
-    pwd: process.env.DB_PASSWORD,
-    roles: [
-        {
-            role: 'readWrite',
-            db: process.env.DB_NAME,
-        },
-    ],
-});

mongo-init.sh

@@ -0,0 +1,14 @@
+set -e
+
+mongo <<EOF
+use $MONGO_INITDB_DATABASE
+
+db.createUser({
+  user: '$DB_USERNAME',
+  pwd: '$DB_PASSWORD',
+  roles: [{
+    role: 'readWrite',
+    db: '$MONGO_INITDB_DATABASE'
+  }]
+})
+EOF

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mifi/auth",
-  "version": "0.0.33",
+  "version": "0.0.39",
   "author": "mifi (Mike Fitzpatrick)",
   "license": "MIT",
   "scripts": {