planka/server/config/custom.js

/**
 * Custom configuration
 * (sails.config.custom)
 *
 * One-off settings specific to your application.
 *
 * For more information on custom configuration, visit:
 * https://sailsjs.com/config/custom
 */

const { URL } = require('url');
const sails = require('sails');

const version = require('../version');

const envToNumber = (value) => {
  const number = parseInt(value, 10);
  return Number.isNaN(number) ? null : number;
};

const envToArray = (value) => (value ? value.split(',') : []);

const parsedBasedUrl = new URL(process.env.BASE_URL);

module.exports.custom = {
  /**
   *
   * Any other custom config this Sails app should use during development.
   *
   */

  version,

  baseUrl: process.env.BASE_URL,
  baseUrlPath: parsedBasedUrl.pathname,
  baseUrlSecure: parsedBasedUrl.protocol === 'https:',

  tokenExpiresIn: parseInt(process.env.TOKEN_EXPIRES_IN, 10) || 365,

  // Location to receive uploaded files in. Default (non-string value) is a Sails-specific location.
  uploadsTempPath: null,
  uploadsBasePath: sails.config.appPath,

  preloadedFaviconsPathSegment: 'public/preloaded-favicons',
  faviconsPathSegment: 'public/favicons',
  userAvatarsPathSegment: 'public/user-avatars',
  backgroundImagesPathSegment: 'public/background-images',
  attachmentsPathSegment: 'private/attachments',

  defaultAdminEmail:
    process.env.DEFAULT_ADMIN_EMAIL && process.env.DEFAULT_ADMIN_EMAIL.toLowerCase(),

  internalAccessToken: process.env.INTERNAL_ACCESS_TOKEN,
  activeUsersLimit: envToNumber(process.env.ACTIVE_USERS_LIMIT),
  showDetailedAuthErrors: process.env.SHOW_DETAILED_AUTH_ERRORS === 'true',

  s3Endpoint: process.env.S3_ENDPOINT,
  s3Region: process.env.S3_REGION,
  s3AccessKeyId: process.env.S3_ACCESS_KEY_ID,
  s3SecretAccessKey: process.env.S3_SECRET_ACCESS_KEY,
  s3Bucket: process.env.S3_BUCKET,
  s3ForcePathStyle: process.env.S3_FORCE_PATH_STYLE === 'true',

  oidcIssuer: process.env.OIDC_ISSUER,
  oidcClientId: process.env.OIDC_CLIENT_ID,
  oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
  oidcIdTokenSignedResponseAlg: process.env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG,
  oidcUserinfoSignedResponseAlg: process.env.OIDC_USERINFO_SIGNED_RESPONSE_ALG,
  oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
  oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
  oidcUseDefaultResponseMode: process.env.OIDC_USE_DEFAULT_RESPONSE_MODE === 'true',
  oidcAdminRoles: envToArray(process.env.OIDC_ADMIN_ROLES),
  oidcProjectOwnerRoles: envToArray(process.env.OIDC_PROJECT_OWNER_ROLES),
  oidcBoardUserRoles: envToArray(process.env.OIDC_BOARD_USER_ROLES),
  oidcClaimsSource: process.env.OIDC_CLAIMS_SOURCE || 'userinfo',
  oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email',
  oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name',
  oidcUsernameAttribute: process.env.OIDC_USERNAME_ATTRIBUTE || 'preferred_username',
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',
  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
  oidcEnforced: process.env.OIDC_ENFORCED === 'true',

  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${
    sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
  }/oidc-callback`,

  smtpHost: process.env.SMTP_HOST,
  smtpPort: process.env.SMTP_PORT || 587,
  smtpName: process.env.SMTP_NAME,
  smtpSecure: process.env.SMTP_SECURE === 'true',
  smtpUser: process.env.SMTP_USER,
  smtpPassword: process.env.SMTP_PASSWORD,
  smtpFrom: process.env.SMTP_FROM,
  smtpTlsRejectUnauthorized: process.env.SMTP_TLS_REJECT_UNAUTHORIZED !== 'false',
};
Initial commit 2019-08-31 04:07:25 +05:00			`/**`
			`* Custom configuration`
			`* (sails.config.custom)`
			`*`
			`* One-off settings specific to your application.`
			`*`
			`* For more information on custom configuration, visit:`
			`* https://sailsjs.com/config/custom`
			`*/`

fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`const { URL } = require('url');`
Initial commit 2019-08-31 04:07:25 +05:00			`const sails = require('sails');`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const version = require('../version');`

			`const envToNumber = (value) => {`
			`const number = parseInt(value, 10);`
			`return Number.isNaN(number) ? null : number;`
			`};`

			`const envToArray = (value) => (value ? value.split(',') : []);`

fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`const parsedBasedUrl = new URL(process.env.BASE_URL);`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00
Initial commit 2019-08-31 04:07:25 +05:00			`module.exports.custom = {`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`/**`
			`*`
			`* Any other custom config this Sails app should use during development.`
			`*`
			`*/`
Initial commit 2019-08-31 04:07:25 +05:00
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`version,`

Initial commit 2019-08-31 04:07:25 +05:00			`baseUrl: process.env.BASE_URL,`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`baseUrlPath: parsedBasedUrl.pathname,`
			`baseUrlSecure: parsedBasedUrl.protocol === 'https:',`
Initial commit 2019-08-31 04:07:25 +05:00
fix: Provide default value for token expiration 2022-08-09 19:09:07 +02:00			`tokenExpiresIn: parseInt(process.env.TOKEN_EXPIRES_IN, 10) \|\| 365,`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00
feat: Configurable file storage locations (#886) * feat: Make logfile location customizable It may be desirable to log to a more standard location (e.g. in /var/log/), or in some cases to turn logging to file off. To support these, use a custom config property to determine the location of the output log file, and default to the previous location if it is unset. * feat: Support alternate storage locations for uploaded files This involves a couple primary changes: 1) to make Sails' temporary file-upload directory a configurable location by using a common file-upload-receiving helper; 2) to create custom static routes for the file-upload locations, so they can be outside the application's public directory; and 3) to use the file-uploading handler everywhere that receives files, so config for the helper is applied to all file uploads consistently. This is sufficient to allow the application directory to be deployed read- only, with writable storage used for file uploads. The new config property for Sails' temporary upload directory, combined with the existing settings for user-avatar and background-image locations are sufficient to handle uploads; the new custom routes handle serving those files from external locations. The default behavior of the application should be unchanged, with files uploaded to, and served from, the public directory if the relevant config properties aren't set to other values. 2024-09-20 14:29:11 -04:00			`// Location to receive uploaded files in. Default (non-string value) is a Sails-specific location.`
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`uploadsTempPath: null,`
			`uploadsBasePath: sails.config.appPath,`
feat: Configurable file storage locations (#886) * feat: Make logfile location customizable It may be desirable to log to a more standard location (e.g. in /var/log/), or in some cases to turn logging to file off. To support these, use a custom config property to determine the location of the output log file, and default to the previous location if it is unset. * feat: Support alternate storage locations for uploaded files This involves a couple primary changes: 1) to make Sails' temporary file-upload directory a configurable location by using a common file-upload-receiving helper; 2) to create custom static routes for the file-upload locations, so they can be outside the application's public directory; and 3) to use the file-uploading handler everywhere that receives files, so config for the helper is applied to all file uploads consistently. This is sufficient to allow the application directory to be deployed read- only, with writable storage used for file uploads. The new config property for Sails' temporary upload directory, combined with the existing settings for user-avatar and background-image locations are sufficient to handle uploads; the new custom routes handle serving those files from external locations. The default behavior of the application should be unchanged, with files uploaded to, and served from, the public directory if the relevant config properties aren't set to other values. 2024-09-20 14:29:11 -04:00
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`preloadedFaviconsPathSegment: 'public/preloaded-favicons',`
			`faviconsPathSegment: 'public/favicons',`
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`userAvatarsPathSegment: 'public/user-avatars',`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`backgroundImagesPathSegment: 'public/background-images',`
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`attachmentsPathSegment: 'private/attachments',`
feat: Add S3 support for uploads (#938) 2024-11-11 20:59:18 +07:00
fix: Fix case sensitivity of default admin environment variables 2024-03-12 20:40:46 +01:00			`defaultAdminEmail:`
			`process.env.DEFAULT_ADMIN_EMAIL && process.env.DEFAULT_ADMIN_EMAIL.toLowerCase(),`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00
feat: Add `INTERNAL_ACCESS_TOKEN` to support internal user configuration 2025-07-07 21:35:37 +02:00			`internalAccessToken: process.env.INTERNAL_ACCESS_TOKEN,`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`activeUsersLimit: envToNumber(process.env.ACTIVE_USERS_LIMIT),`
feat: Ability to show detailed auth errors, set to false by default (#860) 2024-08-30 11:47:29 +02:00			`showDetailedAuthErrors: process.env.SHOW_DETAILED_AUTH_ERRORS === 'true',`
feat: Ability to allow everyone to create projects (#787) 2024-06-14 16:38:06 +02:00
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`s3Endpoint: process.env.S3_ENDPOINT,`
			`s3Region: process.env.S3_REGION,`
			`s3AccessKeyId: process.env.S3_ACCESS_KEY_ID,`
			`s3SecretAccessKey: process.env.S3_SECRET_ACCESS_KEY,`
			`s3Bucket: process.env.S3_BUCKET,`
			`s3ForcePathStyle: process.env.S3_FORCE_PATH_STYLE === 'true',`

feat: OIDC with PKCE flow (#491) 2023-09-04 10:06:59 -05:00			`oidcIssuer: process.env.OIDC_ISSUER,`
			`oidcClientId: process.env.OIDC_CLIENT_ID,`
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1 2023-10-19 14:39:21 +02:00			`oidcClientSecret: process.env.OIDC_CLIENT_SECRET,`
feat: Improve OIDC support for strict providers (#824) 2024-07-16 12:19:27 +02:00			`oidcIdTokenSignedResponseAlg: process.env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG,`
			`oidcUserinfoSignedResponseAlg: process.env.OIDC_USERINFO_SIGNED_RESPONSE_ALG,`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`oidcScopes: process.env.OIDC_SCOPES \|\| 'openid email profile',`
feat: Improve OIDC support for strict providers (#824) 2024-07-16 12:19:27 +02:00			`oidcResponseMode: process.env.OIDC_RESPONSE_MODE \|\| 'fragment',`
ref: Refactoring, fix linting 2024-07-16 12:33:38 +02:00			`oidcUseDefaultResponseMode: process.env.OIDC_USE_DEFAULT_RESPONSE_MODE === 'true',`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`oidcAdminRoles: envToArray(process.env.OIDC_ADMIN_ROLES),`
			`oidcProjectOwnerRoles: envToArray(process.env.OIDC_PROJECT_OWNER_ROLES),`
			`oidcBoardUserRoles: envToArray(process.env.OIDC_BOARD_USER_ROLES),`
feat: Ability to configure OIDC claims source (#888) Closes #884 2024-09-20 16:19:54 +02:00			`oidcClaimsSource: process.env.OIDC_CLAIMS_SOURCE \|\| 'userinfo',`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE \|\| 'email',`
			`oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE \|\| 'name',`
			`oidcUsernameAttribute: process.env.OIDC_USERNAME_ATTRIBUTE \|\| 'preferred_username',`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE \|\| 'groups',`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',`
fix: Disable role change when OIDC roles are not ignored 2023-10-25 23:39:34 +02:00			`oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',`
feat: Add ability to enforce SSO Closes #543, closes #545 2024-02-01 00:31:15 +01:00			`oidcEnforced: process.env.OIDC_ENFORCED === 'true',`
ref: Refactoring 2023-10-19 16:05:34 +02:00
			`// TODO: move client base url to environment variable?`
			oidcRedirectUri: `${
			`sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'`
			}/oidc-callback`,
feat: Slack bot notifications (#676) 2024-04-08 00:33:29 +02:00
			`smtpHost: process.env.SMTP_HOST,`
			`smtpPort: process.env.SMTP_PORT \|\| 587,`
feat: Add SMTP_NAME environment variable (#761) Closes #758 2024-05-18 14:02:21 +01:00			`smtpName: process.env.SMTP_NAME,`
feat: Slack bot notifications (#676) 2024-04-08 00:33:29 +02:00			`smtpSecure: process.env.SMTP_SECURE === 'true',`
			`smtpUser: process.env.SMTP_USER,`
			`smtpPassword: process.env.SMTP_PASSWORD,`
			`smtpFrom: process.env.SMTP_FROM,`
feat: Ability to disable SMTP certificate verification Closes #744 2024-10-02 14:10:31 +02:00			`smtpTlsRejectUnauthorized: process.env.SMTP_TLS_REJECT_UNAUTHORIZED !== 'false',`
Initial commit 2019-08-31 04:07:25 +05:00			`};`