From a16ab00ce6a3fbc4f55dbca94ddb2d9b8a3005b3 Mon Sep 17 00:00:00 2001
From: "K. Andrew Parker"
Date: Sat, 21 Aug 2021 17:33:19 -0700
Subject: [PATCH 1/3] support strict-mode requiring JWT on render req
---
 lib/RenderApp.pm | 2 +-
 lib/RenderApp/Controller/Render.pm | 2 +-
 render_app.conf.dist | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/RenderApp.pm b/lib/RenderApp.pm
index ee8d5942c..d96b9259a 100644
--- a/lib/RenderApp.pm
+++ b/lib/RenderApp.pm
@@ -43,7 +43,7 @@ sub startup {
 $self->plugin('Config');
 $self->plugin('TagHelpers');
 $self->secrets($self->config('secrets'));
- for ( qw(problemJWTsecret webworkJWTsecret baseURL formURL SITE_HOST MOJO_MODE) ) {
+ for ( qw(problemJWTsecret webworkJWTsecret baseURL formURL SITE_HOST MOJO_MODE STRICT_JWT) ) {
 $ENV{$_} //= $self->config($_);
 };
diff --git a/lib/RenderApp/Controller/Render.pm b/lib/RenderApp/Controller/Render.pm
index a5bfbaba9..33f4b900a 100644
--- a/lib/RenderApp/Controller/Render.pm
+++ b/lib/RenderApp/Controller/Render.pm
@@ -8,7 +8,7 @@ use WeBWorK::Form;
 sub parseRequest {
 my $c = shift;
 my %params = WeBWorK::Form->new_from_paramable($c->req)->Vars;
- if ($c->app->mode eq 'production' && !( defined $params{problemJWT} || defined $params{sessionJWT} )) {
+ if ($ENV{STRICT_JWT} && !( defined $params{problemJWT} || defined $params{sessionJWT} )) {
 $c->exception('Not allowed to request problems with raw data.', 403);
 return undef;
 }
diff --git a/render_app.conf.dist b/render_app.conf.dist
index 8d1855a1d..c199a4876 100644
--- a/render_app.conf.dist
+++ b/render_app.conf.dist
@@ -7,6 +7,7 @@
 SITE_HOST => 'http://localhost:3000',
 CORS_ORIGIN => '*',
 MOJO_MODE => 'development',
+ STRICT_JWT => 0,
 hypnotoad => {
 listen => ['http://*:3000'],
 accepts => 400,
From d8ab36839918b9cebe05eb56c9a69a5b10c5b963 Mon Sep 17 00:00:00 2001
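Review bot: The new `STRICT_JWT` entry in the `qw()` list is copied with `$ENV{$_} //= $self->config($_)`, so a deployment still running an older render_app.conf that has no STRICT_JWT key gets undef, which means strict mode is silently off — and, combined with the Render.pm hunk below, such a deployment loses the JWT requirement that production mode used to imply. The value is also read as a plain Perl truth value: an operator who sets `STRICT_JWT=false` or `STRICT_JWT=no` in the container environment turns strict mode on, while only `0` or an empty string turns it off. I would add a comment above the loop, `# STRICT_JWT is tested for Perl truth in Render.pm: use 1/0, since the string 'false' is true`, and document the accepted values in render_app.conf.dist as well. The enclosing `sub startup` begins and ends outside this hunk.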
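Review bot: The rewritten condition in parseRequest turns the JWT requirement from an automatic property of production mode into an opt-in flag whose shipped default is `STRICT_JWT => 0`, so an existing production deployment that upgrades without editing its config stops returning the 403 for raw problem-source requests. If allowing production without JWTs is intended, that loosening should be stated in the commit message and README so operators know to set the flag; otherwise the safer default is `STRICT_JWT => 1` in render_app.conf.dist, with the `0` reserved for explicit opt-out. Either way a one-line comment above the check, `# STRICT_JWT (env or config) must be true to reject requests that carry no problemJWT/sessionJWT`, would make the new gate self-explanatory. parseRequest's body continues past the end of this hunk.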
From: "K. Andrew Parker"
Date: Sat, 21 Aug 2021 17:52:09 -0700
Subject: [PATCH 2/3] update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3cf52a060..fe51a4216 100644
--- a/README.md
+++ b/README.md
@@ -31,10 +31,10 @@ If you have non-OPL content, it can be mounted as a volume at `/usr/app/private`
 --mount type=bind,source=/pathToYourLocalContentRoot,target=/usr/app/private \
 ```
-A default configuration file is included in the container, but it can be overridden by mounting a replacement at the application root.
+A default configuration file is included in the container, but it can be overridden by mounting a replacement at the application root. This is necessary if, for example, you want to run the container in `production` mode.
 ```
- --mount type=bind,source=/pathToYour/configuration_file.conf,target=/usr/app/render_app.conf \
+ --mount type=bind,source=/pathToYour/render_app.conf,target=/usr/app/render_app.conf \
 ```
 ## LOCAL INSTALL
 ###
From 3b7138e3c71c19bfef4e657f0facf2ca5dac8305 Mon Sep 17 00:00:00 2001
From: "K. Andrew Parker"
Date: Sun, 22 Aug 2021 13:56:36 -0700
Subject: [PATCH 3/3] remove ineffective MOJO_MODE settings
---
 lib/RenderApp.pm | 2 +-
 render_app.conf.dist | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/RenderApp.pm b/lib/RenderApp.pm
index d96b9259a..a5eb1365e 100644
--- a/lib/RenderApp.pm
+++ b/lib/RenderApp.pm
@@ -43,7 +43,7 @@ sub startup {
 $self->plugin('Config');
 $self->plugin('TagHelpers');
 $self->secrets($self->config('secrets'));
- for ( qw(problemJWTsecret webworkJWTsecret baseURL formURL SITE_HOST MOJO_MODE STRICT_JWT) ) {
+ for ( qw(problemJWTsecret webworkJWTsecret baseURL formURL SITE_HOST STRICT_JWT) ) {
 $ENV{$_} //= $self->config($_);
 };
diff --git a/render_app.conf.dist b/render_app.conf.dist
index c199a4876..a7c538308 100644
--- a/render_app.conf.dist
+++ b/render_app.conf.dist
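Review bot: Dropping MOJO_MODE from the `qw()` list leaves the README sentence added in PATCH 2/3 ("This is necessary if, for example, you want to run the container in `production` mode") describing a path that no longer works, since a mounted render_app.conf can no longer set the mode. The subject line's "ineffective" is presumably because Mojolicious fixes the mode from the MOJO_MODE environment variable before `startup` runs, so copying it from config here came too late — worth recording, e.g. `# MOJO_MODE is deliberately not copied from config: Mojolicious reads it before startup(), so set it in the environment`. The README sentence should then point operators at setting MOJO_MODE in the container environment instead of in the mounted config. `sub startup` begins and ends outside this hunk.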
@@ -6,7 +6,6 @@
 webworkJWTsecret => 'private',
 SITE_HOST => 'http://localhost:3000',
 CORS_ORIGIN => '*',
- MOJO_MODE => 'development',
 STRICT_JWT => 0,
 hypnotoad => {
 listen => ['http://*:3000'],