1
0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2024-11-16 06:44:50 +00:00
TiddlyWiki5/editions/tw5.com/tiddlers/webserver/WebServer.tid

67 lines
3.3 KiB
Plaintext
Raw Normal View History

Module-ize server routes, add static file support and other enhancements(#2679) * Module-ize server routes and add static file support (#2510) * Refactor server routes to modules New module type: serverroute Caveats: Loading order is not deterministic but this would only matter if two route modules attempted to use the same path regexp (that would be silly). * Add static assets plugin This plugin allows the node server to fetch static assets in the /assets directory. I felt that this was a feature that goes above the core functionality. That is why I added it as a plugin. with the modular route extensions this was a breeze. * Add serverroute description to ModuleTypes * Coding standards tweaks * Fix filename typo * Move support for attachments from a plugin into the core * Missing "else" * Refactor server handling * Introduce a new named parameter scheme for commands * Move the SimpleServer class into it's own module * Deprecate the --server command because of the unwieldy syntax * Add a new --listen command using the new syntax For example: tiddlywiki mywiki --listen host:0.0.0.0 port:8090 * Add check for unknown parameters * Add support for multiple basic authentication credentials in a CSV file Beware: Passwords are stored in plain text. If that's a problem, use an authenticating proxy and the trusted header authentication approach. * Refactor module locations * Rename "serverroute" module type to "route" * Remove support for verifying optional named command parameters The idea was to be able to flag unknown parameter names, but requiring a command to pre-specify all the parameter names makes it harder for (say) the listen command to be extensible so that plugins can add new optional parameters that they handle. (This is particularly in the context of work in progress to encapsulate authenticators into their own modules). * Refactor the two authenticators into separate modules and add support for authorization * Correct mistaken path.join vs. path.resolve See https://stackoverflow.com/a/39836259 * Docs for the named command parameters I'd be grateful if anyone with sufficient Windows experience could confirm that the note about double quotes in "NamedCommandParameters" is correct. * Be consistent about lower case parameter names * Do the right thing when we have a username but no password With a username parameter but no password parameter we'll attribute edits to that username, but not require authentication. * Remove obsolete code * Add support for requiring authentication without restricting the username * Refactor authorization checks * Return read_only status in /status response * Fix two code typos * Add basic support for detecting readonly status and avoiding write errors We now have syncadaptors returning readonly status and avoid attempting to write to the server if it's going to fail * Add readonly-styles We hide editing-related buttons in read only mode I've made this part of the tiddlyweb plugin but I think a case could be made for putting it into the core. * Add custom request header as CSRF mitigation By default we require the header X-Requested-With to be set to TiddlyWiki. Can be overriden by setting csrfdisable to "yes" See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers * Add support for HTTPS * First pass at a route for serving rendered tiddlers cc @Drakor * Tweaks to the single tiddler static view Adding a simple sidebar * Switch to "dash" separated parameter names * Typo * Docs: Update ServerCommand and ListenCommand * First pass at docs for the new web server stuff Writing the docs is turning out to be quite an undertaking, much harder than writing the code! * Get rid of extraneous paragraphs in static renderings * Rejig anonymous user handling Now we can support wikis that are read-only for anonymous access, but allow a user to login for read/write access. * More docs Slowly getting there... * Static tiddler rendering: Fix HTML content in page title * Docs updates * Fix server command parameter names Missed off 30ce7ea * Docs: Missing quotes * Avoid inadvertent dependency on Node.js > v9.6.0 The listenOptions parameter of the plain HTTP version of CreateServer was only introduced in v9.6.0 cc @Drakor @pmario * Typo
2018-07-18 15:54:43 +00:00
created: 20180626150526207
modified: 20240413043741157
Module-ize server routes, add static file support and other enhancements(#2679) * Module-ize server routes and add static file support (#2510) * Refactor server routes to modules New module type: serverroute Caveats: Loading order is not deterministic but this would only matter if two route modules attempted to use the same path regexp (that would be silly). * Add static assets plugin This plugin allows the node server to fetch static assets in the /assets directory. I felt that this was a feature that goes above the core functionality. That is why I added it as a plugin. with the modular route extensions this was a breeze. * Add serverroute description to ModuleTypes * Coding standards tweaks * Fix filename typo * Move support for attachments from a plugin into the core * Missing "else" * Refactor server handling * Introduce a new named parameter scheme for commands * Move the SimpleServer class into it's own module * Deprecate the --server command because of the unwieldy syntax * Add a new --listen command using the new syntax For example: tiddlywiki mywiki --listen host:0.0.0.0 port:8090 * Add check for unknown parameters * Add support for multiple basic authentication credentials in a CSV file Beware: Passwords are stored in plain text. If that's a problem, use an authenticating proxy and the trusted header authentication approach. * Refactor module locations * Rename "serverroute" module type to "route" * Remove support for verifying optional named command parameters The idea was to be able to flag unknown parameter names, but requiring a command to pre-specify all the parameter names makes it harder for (say) the listen command to be extensible so that plugins can add new optional parameters that they handle. (This is particularly in the context of work in progress to encapsulate authenticators into their own modules). * Refactor the two authenticators into separate modules and add support for authorization * Correct mistaken path.join vs. path.resolve See https://stackoverflow.com/a/39836259 * Docs for the named command parameters I'd be grateful if anyone with sufficient Windows experience could confirm that the note about double quotes in "NamedCommandParameters" is correct. * Be consistent about lower case parameter names * Do the right thing when we have a username but no password With a username parameter but no password parameter we'll attribute edits to that username, but not require authentication. * Remove obsolete code * Add support for requiring authentication without restricting the username * Refactor authorization checks * Return read_only status in /status response * Fix two code typos * Add basic support for detecting readonly status and avoiding write errors We now have syncadaptors returning readonly status and avoid attempting to write to the server if it's going to fail * Add readonly-styles We hide editing-related buttons in read only mode I've made this part of the tiddlyweb plugin but I think a case could be made for putting it into the core. * Add custom request header as CSRF mitigation By default we require the header X-Requested-With to be set to TiddlyWiki. Can be overriden by setting csrfdisable to "yes" See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers * Add support for HTTPS * First pass at a route for serving rendered tiddlers cc @Drakor * Tweaks to the single tiddler static view Adding a simple sidebar * Switch to "dash" separated parameter names * Typo * Docs: Update ServerCommand and ListenCommand * First pass at docs for the new web server stuff Writing the docs is turning out to be quite an undertaking, much harder than writing the code! * Get rid of extraneous paragraphs in static renderings * Rejig anonymous user handling Now we can support wikis that are read-only for anonymous access, but allow a user to login for read/write access. * More docs Slowly getting there... * Static tiddler rendering: Fix HTML content in page title * Docs updates * Fix server command parameter names Missed off 30ce7ea * Docs: Missing quotes * Avoid inadvertent dependency on Node.js > v9.6.0 The listenOptions parameter of the plain HTTP version of CreateServer was only introduced in v9.6.0 cc @Drakor @pmario * Typo
2018-07-18 15:54:43 +00:00
tags: ListenCommand ServerCommand Features
title: WebServer
type: text/vnd.tiddlywiki
When [[running under Node.js|TiddlyWiki on Node.js]], TiddlyWiki includes a simple HTTP/HTTPS web server that allows you to use it from any browser running on the same machine or over a network.
<<.tip """The web server includes a very simple mechanism allowing multiple users to log in with different credentials. The implementation is designed to be simple and easy to use, and would not generally be considered robust enough for use on the open internet. It is intended for use by individuals or small groups on a trusted network. It is recommended to use an external proxy before exposing it on the Internet.""">>
! How It Works
The web server listens for requests coming over the network, and performs the following actions in turn:
* [[Authentication|WebServer Authentication]] is the process of identifying the current user. TiddlyWiki supports three types of authentication: [[Anonymous|WebServer Anonymous Access]], [[Basic|WebServer Basic Authentication]] and [[Header|WebServer Header Authentication]]
* [[Authorization|WebServer Authorization]] is the process of determining which resources may be accessed by a particular user. TiddlyWiki implements a simple scheme whereby read and write access to the wiki can be independently controlled.
2018-10-02 13:16:58 +00:00
* Routing is the process of dispatching the request to the [[API handler|WebServer API]], and returning any required data.
Module-ize server routes, add static file support and other enhancements(#2679) * Module-ize server routes and add static file support (#2510) * Refactor server routes to modules New module type: serverroute Caveats: Loading order is not deterministic but this would only matter if two route modules attempted to use the same path regexp (that would be silly). * Add static assets plugin This plugin allows the node server to fetch static assets in the /assets directory. I felt that this was a feature that goes above the core functionality. That is why I added it as a plugin. with the modular route extensions this was a breeze. * Add serverroute description to ModuleTypes * Coding standards tweaks * Fix filename typo * Move support for attachments from a plugin into the core * Missing "else" * Refactor server handling * Introduce a new named parameter scheme for commands * Move the SimpleServer class into it's own module * Deprecate the --server command because of the unwieldy syntax * Add a new --listen command using the new syntax For example: tiddlywiki mywiki --listen host:0.0.0.0 port:8090 * Add check for unknown parameters * Add support for multiple basic authentication credentials in a CSV file Beware: Passwords are stored in plain text. If that's a problem, use an authenticating proxy and the trusted header authentication approach. * Refactor module locations * Rename "serverroute" module type to "route" * Remove support for verifying optional named command parameters The idea was to be able to flag unknown parameter names, but requiring a command to pre-specify all the parameter names makes it harder for (say) the listen command to be extensible so that plugins can add new optional parameters that they handle. (This is particularly in the context of work in progress to encapsulate authenticators into their own modules). * Refactor the two authenticators into separate modules and add support for authorization * Correct mistaken path.join vs. path.resolve See https://stackoverflow.com/a/39836259 * Docs for the named command parameters I'd be grateful if anyone with sufficient Windows experience could confirm that the note about double quotes in "NamedCommandParameters" is correct. * Be consistent about lower case parameter names * Do the right thing when we have a username but no password With a username parameter but no password parameter we'll attribute edits to that username, but not require authentication. * Remove obsolete code * Add support for requiring authentication without restricting the username * Refactor authorization checks * Return read_only status in /status response * Fix two code typos * Add basic support for detecting readonly status and avoiding write errors We now have syncadaptors returning readonly status and avoid attempting to write to the server if it's going to fail * Add readonly-styles We hide editing-related buttons in read only mode I've made this part of the tiddlyweb plugin but I think a case could be made for putting it into the core. * Add custom request header as CSRF mitigation By default we require the header X-Requested-With to be set to TiddlyWiki. Can be overriden by setting csrfdisable to "yes" See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers * Add support for HTTPS * First pass at a route for serving rendered tiddlers cc @Drakor * Tweaks to the single tiddler static view Adding a simple sidebar * Switch to "dash" separated parameter names * Typo * Docs: Update ServerCommand and ListenCommand * First pass at docs for the new web server stuff Writing the docs is turning out to be quite an undertaking, much harder than writing the code! * Get rid of extraneous paragraphs in static renderings * Rejig anonymous user handling Now we can support wikis that are read-only for anonymous access, but allow a user to login for read/write access. * More docs Slowly getting there... * Static tiddler rendering: Fix HTML content in page title * Docs updates * Fix server command parameter names Missed off 30ce7ea * Docs: Missing quotes * Avoid inadvertent dependency on Node.js > v9.6.0 The listenOptions parameter of the plain HTTP version of CreateServer was only introduced in v9.6.0 cc @Drakor @pmario * Typo
2018-07-18 15:54:43 +00:00
! Usage
!! Anonymous Access
The web server is started with the ListenCommand (which supersedes the older ServerCommand). All
the NamedCommandParameters are optional, so the simplest form is:
```
tiddlywiki mywikifolder --listen
```
Visit http://127.0.0.1:8080/ to access the wiki. Access is anonymous, so anyone can read or write to the wiki.
This will typically be available only to users on the local machine. For information on how to open the instance to the local network see the Web Server [[host|WebServer Parameter: host]] parameter entry.
Module-ize server routes, add static file support and other enhancements(#2679) * Module-ize server routes and add static file support (#2510) * Refactor server routes to modules New module type: serverroute Caveats: Loading order is not deterministic but this would only matter if two route modules attempted to use the same path regexp (that would be silly). * Add static assets plugin This plugin allows the node server to fetch static assets in the /assets directory. I felt that this was a feature that goes above the core functionality. That is why I added it as a plugin. with the modular route extensions this was a breeze. * Add serverroute description to ModuleTypes * Coding standards tweaks * Fix filename typo * Move support for attachments from a plugin into the core * Missing "else" * Refactor server handling * Introduce a new named parameter scheme for commands * Move the SimpleServer class into it's own module * Deprecate the --server command because of the unwieldy syntax * Add a new --listen command using the new syntax For example: tiddlywiki mywiki --listen host:0.0.0.0 port:8090 * Add check for unknown parameters * Add support for multiple basic authentication credentials in a CSV file Beware: Passwords are stored in plain text. If that's a problem, use an authenticating proxy and the trusted header authentication approach. * Refactor module locations * Rename "serverroute" module type to "route" * Remove support for verifying optional named command parameters The idea was to be able to flag unknown parameter names, but requiring a command to pre-specify all the parameter names makes it harder for (say) the listen command to be extensible so that plugins can add new optional parameters that they handle. (This is particularly in the context of work in progress to encapsulate authenticators into their own modules). * Refactor the two authenticators into separate modules and add support for authorization * Correct mistaken path.join vs. path.resolve See https://stackoverflow.com/a/39836259 * Docs for the named command parameters I'd be grateful if anyone with sufficient Windows experience could confirm that the note about double quotes in "NamedCommandParameters" is correct. * Be consistent about lower case parameter names * Do the right thing when we have a username but no password With a username parameter but no password parameter we'll attribute edits to that username, but not require authentication. * Remove obsolete code * Add support for requiring authentication without restricting the username * Refactor authorization checks * Return read_only status in /status response * Fix two code typos * Add basic support for detecting readonly status and avoiding write errors We now have syncadaptors returning readonly status and avoid attempting to write to the server if it's going to fail * Add readonly-styles We hide editing-related buttons in read only mode I've made this part of the tiddlyweb plugin but I think a case could be made for putting it into the core. * Add custom request header as CSRF mitigation By default we require the header X-Requested-With to be set to TiddlyWiki. Can be overriden by setting csrfdisable to "yes" See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers * Add support for HTTPS * First pass at a route for serving rendered tiddlers cc @Drakor * Tweaks to the single tiddler static view Adding a simple sidebar * Switch to "dash" separated parameter names * Typo * Docs: Update ServerCommand and ListenCommand * First pass at docs for the new web server stuff Writing the docs is turning out to be quite an undertaking, much harder than writing the code! * Get rid of extraneous paragraphs in static renderings * Rejig anonymous user handling Now we can support wikis that are read-only for anonymous access, but allow a user to login for read/write access. * More docs Slowly getting there... * Static tiddler rendering: Fix HTML content in page title * Docs updates * Fix server command parameter names Missed off 30ce7ea * Docs: Missing quotes * Avoid inadvertent dependency on Node.js > v9.6.0 The listenOptions parameter of the plain HTTP version of CreateServer was only introduced in v9.6.0 cc @Drakor @pmario * Typo
2018-07-18 15:54:43 +00:00
!! Authenticated Access
Adding [[username|WebServer Parameter: username]] and [[password|WebServer Parameter: password]] parameters enforces basic authentication for both reading and writing:
```
tiddlywiki mywikifolder --listen username=test password=tset
```
Visiting the wiki will prompt for a username and password, and access is denied if they do not match the provided credentials.
!! Anonymous Read, Authenticated Write
This example adds the [[authorization|WebServer Authorization]] parameters [[readers|WebServer Parameter: readers]] and [[writers|WebServer Parameter: writers]] to grant read access to anonymous users, but require authentication as "joe" in order to gain write access.
> Note that anonymous users can trigger a username/password prompt by visiting the route `\login-basic` (eg http://127.0.0.1:8080/login-basic).
Module-ize server routes, add static file support and other enhancements(#2679) * Module-ize server routes and add static file support (#2510) * Refactor server routes to modules New module type: serverroute Caveats: Loading order is not deterministic but this would only matter if two route modules attempted to use the same path regexp (that would be silly). * Add static assets plugin This plugin allows the node server to fetch static assets in the /assets directory. I felt that this was a feature that goes above the core functionality. That is why I added it as a plugin. with the modular route extensions this was a breeze. * Add serverroute description to ModuleTypes * Coding standards tweaks * Fix filename typo * Move support for attachments from a plugin into the core * Missing "else" * Refactor server handling * Introduce a new named parameter scheme for commands * Move the SimpleServer class into it's own module * Deprecate the --server command because of the unwieldy syntax * Add a new --listen command using the new syntax For example: tiddlywiki mywiki --listen host:0.0.0.0 port:8090 * Add check for unknown parameters * Add support for multiple basic authentication credentials in a CSV file Beware: Passwords are stored in plain text. If that's a problem, use an authenticating proxy and the trusted header authentication approach. * Refactor module locations * Rename "serverroute" module type to "route" * Remove support for verifying optional named command parameters The idea was to be able to flag unknown parameter names, but requiring a command to pre-specify all the parameter names makes it harder for (say) the listen command to be extensible so that plugins can add new optional parameters that they handle. (This is particularly in the context of work in progress to encapsulate authenticators into their own modules). * Refactor the two authenticators into separate modules and add support for authorization * Correct mistaken path.join vs. path.resolve See https://stackoverflow.com/a/39836259 * Docs for the named command parameters I'd be grateful if anyone with sufficient Windows experience could confirm that the note about double quotes in "NamedCommandParameters" is correct. * Be consistent about lower case parameter names * Do the right thing when we have a username but no password With a username parameter but no password parameter we'll attribute edits to that username, but not require authentication. * Remove obsolete code * Add support for requiring authentication without restricting the username * Refactor authorization checks * Return read_only status in /status response * Fix two code typos * Add basic support for detecting readonly status and avoiding write errors We now have syncadaptors returning readonly status and avoid attempting to write to the server if it's going to fail * Add readonly-styles We hide editing-related buttons in read only mode I've made this part of the tiddlyweb plugin but I think a case could be made for putting it into the core. * Add custom request header as CSRF mitigation By default we require the header X-Requested-With to be set to TiddlyWiki. Can be overriden by setting csrfdisable to "yes" See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers * Add support for HTTPS * First pass at a route for serving rendered tiddlers cc @Drakor * Tweaks to the single tiddler static view Adding a simple sidebar * Switch to "dash" separated parameter names * Typo * Docs: Update ServerCommand and ListenCommand * First pass at docs for the new web server stuff Writing the docs is turning out to be quite an undertaking, much harder than writing the code! * Get rid of extraneous paragraphs in static renderings * Rejig anonymous user handling Now we can support wikis that are read-only for anonymous access, but allow a user to login for read/write access. * More docs Slowly getting there... * Static tiddler rendering: Fix HTML content in page title * Docs updates * Fix server command parameter names Missed off 30ce7ea * Docs: Missing quotes * Avoid inadvertent dependency on Node.js > v9.6.0 The listenOptions parameter of the plain HTTP version of CreateServer was only introduced in v9.6.0 cc @Drakor @pmario * Typo
2018-07-18 15:54:43 +00:00
```
tiddlywiki mywikifolder --listen "readers=(anon)" writers=joe username=joe password=bloggs
```
Note the double quotes that are required for parameters containing special characters.
! Arguments
The full list of available optional parameters is:
<<list-links filter:"[tag[WebServer Parameters]]">>
! Guides
Further information on usage of the integrated [[WebServer]]:
<<list-links filter:"[tag[WebServer Guides]]">>