
Securing TiddlyWiki on Node.js

This guide covers using Pomerium to add authentication and authorization to an instance of TiddlyWiki on Node.js.

What is TiddlyWiki on Node.js

TiddlyWiki is a personal wiki and a non-linear notebook for organizing and sharing complex information. It is available in two forms:

We are using the Node.js application in this guide.

Where Pomerium fits

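TiddlyWiki allows a simple form of authentication through the authenticated-user-header parameter of its listen command: it takes the username from the named request header and trusts whatever value arrives there. Pomerium provides the ability to log in with well-known identity providers.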

Pre-requisites

This guide assumes you have already completed one of the quick start guides and have a working instance of Pomerium up and running. For the purposes of this guide, we will use docker-compose, though any other deployment method would work equally well.

Configure

Pomerium Config

config.yaml
jwt_claims_headers: email
routes:
  - from: https://wiki.example.local
    to: http://tiddlywiki:8080
    policy:
      - allow:
          or:
            - email:
                is: reader1@example.com
            - email:
                is: writer1@example.com

Docker-compose

docker-compose.yaml
version: "3"

services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      # Mount the Pomerium configuration read-only
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  tiddlywiki_init:
    image: elasticdog/tiddlywiki:latest
    volumes:
      - ./wiki:/tiddlywiki
    command: ['mywiki', '--init', 'server']

  tiddlywiki:
    image: elasticdog/tiddlywiki:latest
    # Publishing 8080 on the host makes TiddlyWiki reachable without going
    # through Pomerium, and TiddlyWiki trusts the user header as sent.
    ports:
      - 8080:8080
    volumes:
      - ./wiki:/tiddlywiki
    command:
      - mywiki
      - --listen
      - host=0.0.0.0
      - authenticated-user-header=x-pomerium-claim-email
      - readers=reader1@example.com
      - writers=writer1@example.com
    depends_on:
      - tiddlywiki_init

That's it

Navigate to your TiddlyWiki instance (e.g. https://wiki.example.local) and log in:

  • as reader1@example.com: the user can read the wiki, but no create new tiddler button shows up.

  • as writer1@example.com: the user can read the wiki and create new tiddlers.

  • as another email: Pomerium displays a permission denied error.
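
The behaviour above depends on both files agreeing on the header name and the user lists, and on TiddlyWiki not being reachable around Pomerium. The check below is an added example, not code from the Pomerium or TiddlyWiki projects: `audit` and the two dictionaries are hypothetical names, the dictionaries are this guide's files as `yaml.safe_load` would return them, and `jwt_claims_headers` is assumed to be in the comma-separated string form used here.

```python
# Constructed input: the guide's config.yaml and docker-compose.yaml, parsed.
POMERIUM = {
    "jwt_claims_headers": "email",
    "routes": [{
        "from": "https://wiki.example.local",
        "to": "http://tiddlywiki:8080",
        "policy": [{"allow": {"or": [
            {"email": {"is": "reader1@example.com"}},
            {"email": {"is": "writer1@example.com"}}]}}],
    }],
}
COMPOSE = {"services": {"tiddlywiki": {
    "ports": ["8080:8080"],
    "command": ["mywiki", "--listen", "host=0.0.0.0",
                "authenticated-user-header=x-pomerium-claim-email",
                "readers=reader1@example.com", "writers=writer1@example.com"],
}}}


def audit(pomerium, compose, backend="tiddlywiki"):
    """Return findings about the trust boundary between Pomerium and the wiki."""
    findings = []
    svc = compose["services"][backend]
    # key=value parameters of the TiddlyWiki listen command
    params = dict(a.split("=", 1) for a in svc.get("command", []) if "=" in a)
    header = params.get("authenticated-user-header", "").lower()
    claims = str(pomerium.get("jwt_claims_headers", "")).split(",")
    if header not in {f"x-pomerium-claim-{c.strip()}" for c in claims if c.strip()}:
        findings.append(f"header {header!r} is not one Pomerium sets")
    allowed = set()  # emails Pomerium admits on routes pointing at this backend
    for route in pomerium.get("routes", []):
        if f"//{backend}:" not in route.get("to", ""):
            continue
        for rule in route.get("policy", []):
            for crit in rule.get("allow", {}).get("or", []):
                allowed.add(crit.get("email", {}).get("is"))
    allowed.discard(None)
    wiki = {u for k in ("readers", "writers")
            for u in params.get(k, "").split(",") if u}
    findings += [f"{u}: in TiddlyWiki lists, blocked by Pomerium"
                 for u in sorted(wiki - allowed)]
    findings += [f"{u}: passes Pomerium, no TiddlyWiki role"
                 for u in sorted(allowed - wiki)]
    # A published port lets a client skip the proxy and send the header itself.
    findings += [f"{backend} publishes {p}: reachable without Pomerium"
                 for p in svc.get("ports", [])]
    return findings
```

Run against this guide's configuration, the only finding is the published port 8080 on the tiddlywiki service.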