doorman's Introduction

DOORMAN

Doorman is an HTTP proxy that authenticates via OAuth.

Your organization probably has some internal services that need to be password-protected. You likely also already manage users with an external service (Github, Google Apps, etc.). Wouldn't it be nice if you could delegate your internal app's authentication and authorization to that service?

Requirements

  • node.js >= 0.8.x

Installation

  • npm install
  • copy conf.example.js to conf.js and modify
  • npm start

Strategies

Doorman uses everyauth for authentication, so it supports a wide variety of providers. Authorization is a separate step: we need to determine which authenticated users to let in (see lib/modules). So far only the Github and Google modules are complete, but others are fairly easy to add.

Acknowledgements

Doorman is pretty much just everyauth (https://github.com/bnoguchi/everyauth) and node-http-proxy (https://github.com/nodejitsu/node-http-proxy) grafted together, and those two projects do most of the heavy lifting.

Changelog

0.4.1

  • bump http-proxy version to fix #32 (AlexRRR)

0.4.0

  • breaking: simplify session cookie config. (see conf.example.js) (kcrayon)
  • pass config file as a second argument (kcrayon)
  • google auth only prompts user when necessary (kuahyeow)
  • reduce github permissions to minimum necessary (dwradcliffe)
  • https support (AndrewJo)
  • conf.environment.js config for using environment variables (pataquets)
  • replace winston logging with stdout/stderr

0.3.0

  • requiredEmail option for github and google modules
  • requiredDomain and requiredOrganization options can be arrays
  • /_doorman/logout route
  • Upgrade everyauth to 0.4.9 (#18)

License

Licensed under the MIT License. See LICENSE.

doorman's People

Contributors

andrewcohen, andrewjo, bittrance, coryking, deigote, dwradcliffe, kcrayon, kuahyeow, mnutt, pataquets, pauloconnor

doorman's Issues

Deployment HOWTO?

This sounds like it does exactly what I need, but... how do I deploy it? Can you put out an example please? My current configuration is https -> nginx -> foo. I'd like to do https -> nginx -> doorman -> foo.

Replacing Nginx Basic Auth

You mention in this comment that you built this to replace nginx basic auth. Is that possible, and if so, how would I go about it?

Multiple backends

It would be great if doorman could manage different backends after login.

Thank you in advance!

Cannot start doorman

Hello,

Ever since yesterday's commits, I cannot start doorman. I get the error below. When I revert to 3efbe2d everything works.

/srv/doorman/lib/modules/google.js:5
var requiredDomain = conf.modules.google.requiredDomain;
                                        ^
TypeError: Cannot read property 'requiredDomain' of undefined
    at Object.<anonymous> (/srv/doorman/lib/modules/google.js:5:41)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/srv/doorman/app.js:16:14)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)

This is my config file:

module.exports = {
  // port to listen on.  Can't be < 1024 cause this never runs as root
  port: 8080,
  hostname: 'https://a.domain.com',

  proxyTo: {
    host: 'localhost',
    port: 5601
  },

  sessionSecret: 'secret',
  sessionCookieMaxAge: false,

  modules: {
    // Register a new oauth app on Github at
    // https://github.com/account/applications/new
    github: {
      appId: 'stuff',
      appSecret: 'stuff',
      entryPath: '/oauth/github',
      callbackPath: '/oauth/github/callback',
      requiredOrganization: 'stuff' // short organization name
    }

    // Register a new oauth app on Google Apps at
    // https://code.google.com/apis/console
    //google: {
    //  appId: 'YOUR-GOOGLE-CLIENT-ID',
    //  appSecret: 'YOUR-GOOGLE-CLIENT-SECRET',
    //  requiredDomain: 'yourdomain.com'
    //}
  }
};
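
The trace above shows lib/modules/google.js reading conf.modules.google while this config only defines the github block. As an added example (not doorman's own code), a loader that registers only the modules present in the config and normalizes their restriction options; `loadModules`, `toList` and the fail-closed policy are assumptions for illustration.

```javascript
// Added example: a hypothetical loader, not doorman's own code.
// Restriction keys per module, as named in the README and changelog above.
const RESTRICTIONS = new Map([
  ['github', ['requiredOrganization', 'requiredEmail']],
  ['google', ['requiredDomain', 'requiredEmail']],
]);

// Accept a string or an array; return trimmed, non-empty strings.
function toList(value) {
  if (value === undefined || value === null) return [];
  return (Array.isArray(value) ? value : [value])
    .filter((v) => typeof v === 'string' && v.trim() !== '')
    .map((v) => v.trim());
}

// Register only the modules present in conf.modules, so a commented-out
// block is skipped instead of dereferenced.
function loadModules(conf) {
  const configured = (conf && conf.modules) || {};
  const enabled = {};
  for (const name of Object.keys(configured)) {
    const keys = RESTRICTIONS.get(name);
    if (!keys) throw new Error('unknown auth module: ' + name);
    const section = configured[name] || {};
    const restrictions = {};
    for (const key of keys) {
      const list = toList(section[key]);
      if (list.length > 0) restrictions[key] = list;
    }
    // Assumed policy: fail closed rather than start a module that has no
    // organization, domain or email restriction at all.
    if (Object.keys(restrictions).length === 0) {
      throw new Error(name + ': set one of ' + keys.join(', '));
    }
    enabled[name] = restrictions;
  }
  if (Object.keys(enabled).length === 0) throw new Error('no auth modules configured');
  return enabled;
}

// Constructed sample mirroring the report: github configured, google commented out.
const sampleConf = {
  modules: {
    github: { appId: 'stuff', appSecret: 'stuff', requiredOrganization: 'stuff' },
    // google: { appId: '...', appSecret: '...', requiredDomain: 'yourdomain.com' }
  },
};
console.log(loadModules(sampleConf));
```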

How do I configure multiple vhosts?

Thanks for the software, it's really easy to set up. Going a bit beyond the basics, can you give me an example of:

  1. How do I set up multiple vhosts in conf.js? Should I just have multiple conf files and a different URL for each of the hosts I want to get to? Should I edit the jade entry to have a list of different hosts?
  2. Setting up SSL: I have the hostname set to https but where do I specify the certs etc?

Thanks again.

Need some help setting this up

Hi,

I cloned the repo and made a copy of the config file, starting the app.
I am getting this error message.
2015-07-01T21:39:17.048Z Registered Github authentication for members of organizations: yourorginization
2015-07-01T21:39:17.052Z Registered Google authentication for members of domains: yourdomain.com
2015-07-01T21:39:17.146Z Doorman on duty, listening on port 8085 and proxying to localhost:8080.
2015-07-01T21:39:19.901Z GET 192.168.44.150:8085 /
2015-07-01T21:39:19.904Z User rejected because they haven't authenticated.
2015-07-01T21:39:20.432Z GET 192.168.44.150:8085 /_doorman/css/main.css
2015-07-01T21:39:20.443Z GET 192.168.44.150:8085 /_doorman/icons/github.ico.png
2015-07-01T21:39:20.453Z GET 192.168.44.150:8085 /_doorman/icons/google.ico.png
2015-07-01T21:39:20.455Z GET 192.168.44.150:8085 /_doorman/images/logo.jpg
2015-07-01T21:39:23.028Z GET 192.168.44.150:8085 /oauth/github
2015-07-01T21:39:23.029Z User rejected because they haven't authenticated.

Can someone please help me with this, and also how do I put this on nginx, authenticate and then allow access to my app?

Thanks,

Proper release tags would help packaging

It would help greatly e.g. creating docker images if there were git release tags. As it is now, referencing 0.4.1 has to be done by explicit ref in order to get a known state. E.g.

git tag 0.4.1 dbd151e5dbafd2ce345b3384f77c414dd21650a3

Create official 'movableink/doorman' Docker image on Docker Hub

Create an 'official' automated build, based on your repo, at Docker Hub for the image: https://docs.docker.com/docker-hub/builds/ . It just requires a free Docker Hub account and following a quick 'Create automated build' process where you link your Github repo to the Docker Hub.

An Automated Build provides a trustable, verifiable from source, public image on Docker Hub which can be used right away by just docker run-ing the image (movableink/doorman). It will add another packaging/distribution/installation method, which will be triggered automatically on each commit.

Ping me if I can be of any help.

not getting github callback url right

Hello and thanks for the useful software. I have other apps working (like jenkins and gerrit) via github oauth but I'm trying to use doorman in front of cgit (nginx) running on port 80 and can't seem to get a valid callback URL set in the github app settings no matter what I try. Do you have any advice on that?

Custom redirects - what were the issues ?

Hi, we would like to resurrect the code and submit a PR based on 66b485f to enable redirects back to the URL before auth was required.

However, it seems that code was removed due to "some issues". Are you able to share a bit more?

Startup failure

pete@dashboard1:~$ node -v
v0.10.26
pete@dashboard1:~$ git clone https://github.com/movableink/doorman
Cloning into 'doorman'...
remote: Counting objects: 484, done.
remote: Total 484 (delta 0), reused 0 (delta 0), pack-reused 484
Receiving objects: 100% (484/484), 148.20 KiB | 0 bytes/s, done.
Resolving deltas: 100% (223/223), done.
Checking connectivity... done.
pete@dashboard1:~$ cd doorman/
pete@dashboard1:~/doorman$ npm install
<100s of lines>
pete@dashboard1:~/doorman$ wget https://gist.githubusercontent.com/pdehlke/68f6303e73da26c168a1/raw/8b04cd00ba191c1b3b1e59a7e2523eecb38cac79/gistfile1.js -O conf.js -q
pete@dashboard1:~/doorman$ node app.js

util.js:555
ctor.prototype = Object.create(superCtor.prototype, {
^
TypeError: Cannot read property 'prototype' of undefined
    at Object.exports.inherits (util.js:555:43)
    at Object.<anonymous> (/home/pete/doorman/node_modules/http-proxy/lib/http-proxy/index.js:108:17)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/home/pete/doorman/node_modules/http-proxy/lib/http-proxy.js:4:17)
    at Module._compile (module.js:456:26)
pete@dashboard1:~/doorman$

Same result with node 0.12.0

There are no files named util.js on this machine that have more than 319 lines, and no files named util.js contain the string 'superCtor'.

Admittedly, I know nearly nothing of node. Any help with this?

Add Doorman config file initialized from environment vars

As I'm working on dockerizing Doorman, being able to start it loading config from env vars is the easiest and simplest solution and the most flexible.
My proposal does not involve changing code, but adding a conf.environment.js file to copy as conf.js for scenarios where it is needed.
Most of the config params are covered. It works successfully for me for GitHub auth by running Doorman like this:

$ DOORMAN_SECRET=AeV8Thaieel0Oor6shainu6OUfoh3ohwZaemohC0Ahn3guowieth2eiCkohhohG4 \
DOORMAN_LISTEN_PORT=8085 \
DOORMAN_GITHUB_APPID=my_gh_appid DOORMAN_GITHUB_APPSECRET=my_gh_appsecret \
DOORMAN_GITHUB_REQUIRED_ORGANIZATION=MyOrganization \
DOORMAN_GOOGLE_REQUIRED_DOMAIN=mydomain.com \
DOORMAN_PROXY_HOST=example.com DOORMAN_PROXY_PORT=80 \
npm start

Is username or email available to backend?

If username is (or can be) made available to the backend server, for example via an added HTTP header, backend apps would benefit a lot. I didn't find anything in the docs.

Would like to see ability to specify a small set of path prefixes to just deliver static content

Would be nice to be able to have the proxy deliver a small number of files directly.

The particular use case is to be able to easily enable support for LetsEncrypt directly against doorman without having to do it in the backend service - which may not be customizable.

i.e. something like

staticPaths: {
'/.well-known/acme-challenge/' : '/path/to/letsencrypt.sh/.acme-challenges/',
'/static/' : '/path/to/static/html/'
},
staticPathsPublic: {
'/robots.txt' : '/path/to/my/robots.txt'
},
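
A mapping like this turns URL prefixes into filesystem reads, so the lookup has to keep every resolved file inside its configured directory. As an added example (not doorman's code), one way to resolve a request path against the two proposed tables; `resolveStatic`, the directory values and the choice to report only which table matched are assumptions, and the input is taken to be the URL path without its query string.

```javascript
const path = require('path');

// Constructed config using the keys proposed above; directories are placeholders.
const proposedConf = {
  staticPaths: {
    '/.well-known/acme-challenge/': '/srv/acme-challenges/',
    '/static/': '/srv/static/html/',
  },
  staticPathsPublic: { '/robots.txt': '/srv/robots.txt' },
};

// Returns { file, table } for a static request, or null so the caller
// falls through to the normal authenticate-then-proxy path.
function resolveStatic(conf, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // decode once, so %2e%2e is seen as ..
  } catch (e) {
    return null;                           // malformed percent-encoding
  }
  if (decoded.includes('\0') || decoded.includes('\\')) return null;

  for (const table of ['staticPathsPublic', 'staticPaths']) {
    for (const [prefix, target] of Object.entries(conf[table] || {})) {
      if (!prefix.endsWith('/')) {
        // Single-file mapping: exact match only.
        if (decoded === prefix) return { file: target, table };
        continue;
      }
      if (!decoded.startsWith(prefix)) continue;
      const root = path.posix.resolve(target);
      const file = path.posix.resolve(root, decoded.slice(prefix.length));
      // Containment check: the resolved file must sit strictly below root.
      // This rejects ../ sequences, absolute remainders and sibling
      // directories that merely share the root's name as a prefix.
      if (!file.startsWith(root + '/')) return null;
      return { file, table };
    }
  }
  return null;
}

console.log(resolveStatic(proposedConf, '/.well-known/acme-challenge/token123'));
console.log(resolveStatic(proposedConf, '/static/%2e%2e/%2e%2e/etc/passwd')); // null
```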
