Add new security config + restrict register route

Added ENABLE_MAILBOX_ROUTE, MAILBOX_USER and MAILBOX_PASSWORD environment variables to enable/disable route to local mailbox (/dev/mailbox) and basic auth (optional) Restricted /users/register route if ENABLE_ACCOUNT_CREATION is false
2025-12-16 03:47:56 +01:00 · 2022-09-05 21:27:02 +02:00
parent e6f524ba3f
commit aafda15b86
9 changed files with 69 additions and 29 deletions
--- a/.env.sample
+++ b/.env.sample
@@ -15,4 +15,7 @@ MAIL_TRANSPORT=local
 MAIL_FROM=noreply@claper.co
 MAIL_FROM_NAME=Claper

-ENABLE_ACCOUNT_CREATION=true
+ENABLE_ACCOUNT_CREATION=true
+ENABLE_MAILBOX_ROUTE=false
+MAILBOX_USER=admin
+MAILBOX_PASSWORD=admin
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,10 +2,17 @@

 This is the first version of the open-source project. Feel free to contribute!

-## v.1.1.0
+## v1.1.0

 - Added password authentication
- Remove passwordless authentication
+- Removed passwordless authentication
 - Disabled email verification
 - Added new `ENABLE_ACCOUNT_CREATION` environment variable to enable or disable user registration
- Improved french localization
+- Improved french localization
+
+## v1.1.1
+
+_Security updates_
+
+- Added `ENABLE_MAILBOX_ROUTE`, `MAILBOX_USER` and `MAILBOX_PASSWORD` environment variables to enable/disable route to local mailbox (`/dev/mailbox`) and basic auth (optional)
+- Restricted `/users/register` route if `ENABLE_ACCOUNT_CREATION` is false
--- a/README.md
+++ b/README.md
@@ -113,21 +113,11 @@ docker build -t claper .
 docker run -p 4000:4000 -d claper
 ```

-<!-- USAGE EXAMPLES -->
-## Usage
-
-### Login/Signup
-Claper is passwordless, so you don't have to create an account. Just login with your email, check your mailbox ([localhost:4000/dev/mailbox](http://localhost:4000/dev/mailbox) if you have configured mail to be in local) and click on the link to get connected.
-
-<!-- ROADMAP -->
-## Roadmap
-
- [x] Add Changelog
- [ ] Add additional tests for better coverage
- [ ] Add more docs
-
-See the [open issues](https://github.com/ClaperCo/Claper/issues) for a full list of proposed features (and known issues).
+or you can use the official Docker image:

+```sh
+docker run -p 4000:4000 ghcr.io/claperco/claper:main
+```

 <!-- CONTRIBUTING -->
 ## Contributing
--- a/guides/introduction/configuration.md
+++ b/guides/introduction/configuration.md
@@ -4,6 +4,8 @@

 All configuration used by the app is stored in the `.env` file. You can find an example file in `.env.sample`, but you should copy it to `.env` and fill it with your own values (described below).

+### Storage
+
 Variable | Values | Default | Required | Description
 --- | --- | --- | --- | ---
 PRESENTATION_STORAGE | local, s3 | local | - |  Define where the presentation files will be stored
@@ -11,16 +13,30 @@ AWS_ACCESS_KEY_ID | - | - | _only for s3_ | Your AWS Access Key ID
 AWS_SECRET_ACCESS_KEY | - | - | _only for s3_ | Your AWS Secret Access Key
 AWS_S3_BUCKET | - | - | _only for s3_ | The name of the bucket where the presentation files will be stored
 AWS_S3_REGION | - | - | _only for s3_ | The region where the bucket is located
+
+
+### Mail
+
+Variable | Values | Default | Required | Description
+--- | --- | --- | --- | ---
 MAIL_TRANSPORT | local, smtp | local | - | Define how the emails will be sent
 MAIL_FROM | - | Claper | - | Email address used to send emails
 MAIL_FROM_NAME | - | noreply@claper.co | - | Name used to send emails
-SMTP_RELAY | - | - |  ✓ | SMTP relay server
-SMTP_USERNAME | - | - | ✓ |  SMTP username
-SMTP_PASSWORD | - | - |  ✓ | SMTP password
+SMTP_RELAY | - | - |  _only for smtp_ | SMTP relay server
+SMTP_USERNAME | - | - | _only for smtp_  |  SMTP username
+SMTP_PASSWORD | - | - |  _only for smtp_  | SMTP password
 SMTP_PORT | - | 25 | - | SMTP port
 SMTP_TLS | always, never, if_available | always | - | SMTP TLS
 SMTP_AUTH | always, never, if_available | always | - | SMTP Auth
 SMTP_SSL | true, false | true | - | SMTP SSL
+ENABLE_MAILBOX_ROUTE | true, false | false | - | Enable/disable route to local mailbox (`/dev/mailbox`)
+MAILBOX_USER | - | - | - | Basic auth user for mailbox route
+MAILBOX_PASSWORD | - | - | - | Basic auth password for mailbox route
+
+### Application
+
+Variable | Values | Default | Required | Description
+--- | --- | --- | --- | ---
 ENABLE_ACCOUNT_CREATION | true, false | true | - | Enable/disable user registration

 ## Production / Docker
--- a/guides/introduction/installation.md
+++ b/guides/introduction/installation.md
@@ -51,5 +51,11 @@ If you have configured `MAIL` to `local`, you can access to the mailbox at [`loc
 You can build the app with Docker:
 ```sh
 docker build -t claper .
-docker run -p 4000:4000 -d claper
+docker run -p 4000:4000 claper
+```
+
+or you can use the official Docker image:
+
+```sh
+docker run -p 4000:4000 ghcr.io/claperco/claper:main
 ```
--- a/guides/usage/features.md
+++ b/guides/usage/features.md
--- a/lib/claper_web/router.ex
+++ b/lib/claper_web/router.ex
@@ -14,6 +14,10 @@ defmodule ClaperWeb.Router do
    plug(ClaperWeb.Plugs.Locale)
  end

+  pipeline :protect_with_basic_auth do
+    plug :basic_auth
+  end
+
  pipeline :api do
    plug(:accepts, ["json"])
  end
@@ -82,21 +86,28 @@ defmodule ClaperWeb.Router do
  #
  # Note that preview only shows emails that were sent by the same
  # node running the Phoenix server.
-  if Mix.env() == :dev || System.get_env("MAIL_TRANSPORT", "local") == "local" do
+  if Mix.env() == :dev || System.get_env("ENABLE_MAILBOX_ROUTE", "false") == "true" do
    scope "/dev" do
-      pipe_through(:browser)
+
+      if System.get_env("MAILBOX_USER") && System.get_env("MAILBOX_PASSWORD") && System.get_env("ENABLE_MAILBOX_ROUTE", "false") == "true" do
+        pipe_through [:browser, :protect_with_basic_auth]
+      else
+        pipe_through [:browser]
+      end

      forward("/mailbox", Plug.Swoosh.MailboxPreview)
    end
  end

  ## Authentication routes
-
  scope "/", ClaperWeb do
    pipe_through([:browser, :redirect_if_user_is_authenticated])

-    get("/users/register", UserRegistrationController, :new)
-    post("/users/register", UserRegistrationController, :create)
+    if System.get_env("ENABLE_ACCOUNT_CREATION", "true") == "true" do
+      get("/users/register", UserRegistrationController, :new)
+      post("/users/register", UserRegistrationController, :create)
+    end
+
    get("/users/register/confirm", UserRegistrationController, :confirm)
    get("/users/log_in", UserSessionController, :new)
    post("/users/log_in", UserSessionController, :create)
@@ -125,4 +136,11 @@ defmodule ClaperWeb.Router do
    get("/users/confirm/:token", UserConfirmationController, :edit)
    post("/users/confirm/:token", UserConfirmationController, :update)
  end
+
+  defp basic_auth(conn, _opts) do
+    username = System.fetch_env!("MAILBOX_USER")
+    password = System.fetch_env!("MAILBOX_PASSWORD")
+    Plug.BasicAuth.basic_auth(conn, username: username, password: password)
+  end
+
 end
--- a/lib/claper_web/templates/user_session/new.html.heex
+++ b/lib/claper_web/templates/user_session/new.html.heex
@@ -42,7 +42,7 @@
            </.form>

            <div class="mt-4 text-center">
-              <%= if System.get_env("ENABLE_ACCOUNT_CREATION") == "true" do %>
+              <%= if System.get_env("ENABLE_ACCOUNT_CREATION", "true") == "true" do %>
                <%= link gettext("Create account"), to: Routes.user_registration_path(@conn, :new), class: "text-white text-sm text-center" %>
              <% end %>
            </div>
--- a/mix.exs
+++ b/mix.exs
@@ -1,7 +1,7 @@
 defmodule Claper.MixProject do
  use Mix.Project

-  @version "1.1.0"
+  @version "1.1.1"

  def project do
    [