Forem: whchi The latest articles on Forem by whchi (@whchi). https://forem.com/whchi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F898116%2F7bd554c0-b828-4bd7-9bdb-c457501bbf1a.jpeg Forem: whchi https://forem.com/whchi en Managing Object Ownership in PostgreSQL Migrations whchi Sun, 03 Aug 2025 13:27:46 +0000 https://forem.com/whchi/managing-object-ownership-in-postgresql-migrations-2d0o https://forem.com/whchi/managing-object-ownership-in-postgresql-migrations-2d0o <p>Migrating a PostgreSQL database involves more than just copying data and schema—it also requires careful handling of ownership and privileges. Failure to properly manage these aspects can lead to permission errors, particularly when roles need to <code>ALTER</code>, <code>TRUNCATE</code>, or <code>DROP</code> objects. This guide outlines solutions to ensure a smooth migration process with proper object ownership.</p> <h2> "Owner" in PostgreSQL </h2> <p>In PostgreSQL, every database object—such as <strong>tables</strong>, <strong>views</strong>, <strong>sequences</strong>, <strong>functions</strong>, and even <strong>schemas</strong>—is owned by a role. The <strong>owner</strong> is the only role that can perform certain high-level operations on the object unless privileges are explicitly reassigned.</p> <p>PostgreSQL roles are essentially accounts, and they can either be:</p> <ul> <li> <strong>Superusers</strong>: These are roles with unrestricted access. They can bypass ownership rules but should be used cautiously.</li> <li> <strong>Non-superuser roles</strong>: These require explicit ownership or privileges to modify objects.</li> </ul> <p>For production environments, it’s a best practice to <strong>delegate ownership to a specific application role</strong> and avoid using the default superuser for schema management or migrations.</p> <h2> Why Ownership Matters in Migration </h2> <p>When you dump and restore a database (e.g., using <code>pg_dump</code> and <code>pg_restore</code>), all objects retain their original ownership unless explicitly changed. If the original owner doesn't exist or isn't appropriate in the target environment, you'll encounter permission issues.</p> <p>Common symptoms of incorrect ownership:</p> <ul> <li><code>ERROR: must be owner of table</code></li> <li>Inability to run schema-altering migrations (e.g., <code>ALTER TABLE</code>, <code>DROP</code>, etc.)</li> <li>Unexpected behavior in CI/CD pipelines or database initialization scripts</li> </ul> <h2> Solutions For Handling Ownership in Migration </h2> <h3> 1. use <code>pg_dump</code> &amp; <code>pg_restore</code> correctly </h3> <p>Recommended when migrating to a different environment or when role structures differ between source and target databases.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Export the database without OWNER and GRANT statements</span> pg_dump <span class="nt">--no-owner</span> <span class="nt">--no-privileges</span> <span class="nt">-Fc</span> <span class="nt">-f</span> db.dump your_db <span class="c"># Restore into a new database as the desired application role</span> pg_restore <span class="nt">--role</span><span class="o">=</span>your_app_role <span class="nt">-d</span> your_new_db db.dump </code></pre> </div> <p>This ensures that all objects are created under your_app_role without retaining the original roles or grants from the source database.</p> <h3> 2. Set Owner During Database Creation </h3> <p>When provisioning a new database, you can set the owner from the beginning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">your_new_db</span> <span class="k">OWNER</span> <span class="n">your_owner</span><span class="p">;</span> <span class="err">\</span><span class="k">c</span> <span class="n">your_new_db</span> <span class="k">SET</span> <span class="k">ROLE</span> <span class="n">your_owner</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">SCHEMA</span> <span class="n">my_schema</span><span class="p">;</span> </code></pre> </div> <p>This ensures all subsequently created objects inherit the correct owner.</p> <h3> 3. Use a One-Time Ownership Migration Script </h3> <p>If ownership needs to be updated after initialization, use a PL/pgSQL block to update all object types in one go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- The following script automates ownership reassignment for all tables in a database, ensuring consistency across schemas."</span> <span class="k">DO</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">rec</span> <span class="n">RECORD</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="c1">-- Alter tables</span> <span class="k">FOR</span> <span class="n">rec</span> <span class="k">IN</span> <span class="k">SELECT</span> <span class="n">n</span><span class="p">.</span><span class="n">nspname</span><span class="p">,</span> <span class="k">c</span><span class="p">.</span><span class="n">relname</span> <span class="k">FROM</span> <span class="n">pg_class</span> <span class="k">c</span> <span class="k">JOIN</span> <span class="n">pg_namespace</span> <span class="n">n</span> <span class="k">ON</span> <span class="k">c</span><span class="p">.</span><span class="n">relnamespace</span> <span class="o">=</span> <span class="n">n</span><span class="p">.</span><span class="n">oid</span> <span class="k">WHERE</span> <span class="k">c</span><span class="p">.</span><span class="n">relkind</span> <span class="o">=</span> <span class="s1">'r'</span> <span class="k">AND</span> <span class="n">n</span><span class="p">.</span><span class="n">nspname</span> <span class="k">NOT</span> <span class="k">LIKE</span> <span class="s1">'pg_%'</span> <span class="k">AND</span> <span class="n">n</span><span class="p">.</span><span class="n">nspname</span> <span class="o">!=</span> <span class="s1">'information_schema'</span> <span class="n">LOOP</span> <span class="k">EXECUTE</span> <span class="s1">'ALTER TABLE '</span> <span class="o">||</span> <span class="n">quote_ident</span><span class="p">(</span><span class="n">rec</span><span class="p">.</span><span class="n">nspname</span><span class="p">)</span> <span class="o">||</span> <span class="s1">'.'</span> <span class="o">||</span> <span class="n">quote_ident</span><span class="p">(</span><span class="n">rec</span><span class="p">.</span><span class="n">relname</span><span class="p">)</span> <span class="o">||</span> <span class="s1">' OWNER TO your_new_owner'</span><span class="p">;</span> <span class="n">RAISE</span> <span class="n">NOTICE</span> <span class="s1">'Changed owner of table %.% to your_new_owner'</span><span class="p">,</span> <span class="n">rec</span><span class="p">.</span><span class="n">nspname</span><span class="p">,</span> <span class="n">rec</span><span class="p">.</span><span class="n">relname</span><span class="p">;</span> <span class="k">END</span> <span class="n">LOOP</span><span class="p">;</span> <span class="c1">-- Repeat for sequences, views, enums, domains, functions, schemas, and other objects you want</span> <span class="k">END</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>This approach ensures all relevant objects are properly reassigned to the desired role, preventing future permission issues.</p> <h3> 4. Use <code>GRANT</code> When Ownership Change Isn't Required </h3> <p>You can delegate permissions via <code>GRANT</code>, but this does not allow operations like <code>DROP</code>, <code>ALTER</code>, or <code>TRUNCATE</code>. It’s a more limited but safer approach for read/write access<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- schema</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">SCHEMA</span> <span class="n">my_schema</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="c1">-- table</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">TABLE</span> <span class="n">my_schema</span><span class="p">.</span><span class="n">my_table</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="n">TABLES</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="n">my_schema</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="c1">-- sequence</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="n">SEQUENCE</span> <span class="n">my_schema</span><span class="p">.</span><span class="n">my_sequence</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="n">SEQUENCES</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="n">my_schema</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="c1">-- view</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="n">my_schema</span><span class="p">.</span><span class="n">my_view</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="c1">-- enum</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">TYPE</span> <span class="n">my_schema</span><span class="p">.</span><span class="n">my_enum</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="c1">-- function</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">FUNCTION</span> <span class="n">my_schema</span><span class="p">.</span><span class="n">my_function</span><span class="p">()</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="n">FUNCTIONS</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="n">my_schema</span> <span class="k">TO</span> <span class="n">new_role</span><span class="p">;</span> </code></pre> </div> <p>Use <code>GRANT</code> when you want multiple roles to collaborate without transferring ownership.</p> <h2> Final Advice </h2> <ul> <li><p>Plan ownership early: It’s easier to assign correct owners during initialization than to fix them later.</p></li> <li><p>Avoid superuser for app logic: Delegate to application-specific roles with scoped permissions.</p></li> <li><p>Automate ownership reassignment: Use PL/pgSQL to enforce consistency in your CI/CD pipeline or database bootstrap scripts.</p></li> <li><p>Audit before migration: Run queries to list current owners and identify mismatches before migrating.</p></li> </ul> <p>By handling ownership carefully, you ensure your PostgreSQL migrations remain predictable, secure, and maintainable.</p> postgres programming devops cicd Introduction to access control model: ACL, RBAC, ABAC whchi Tue, 06 May 2025 02:43:00 +0000 https://forem.com/whchi/introduction-to-access-control-model-acl-rbac-abac-4m1k https://forem.com/whchi/introduction-to-access-control-model-acl-rbac-abac-4m1k <p>In system design, access control is a critical mechanism to ensure data security and correct authorization of functionalities. Depending on the complexity of the system, the variety of user roles, and the flexibility needed in resource management, there are three common access control models: ACL (Access Control List), RBAC (Role-Based Access Control), and ABAC (Attribute-Based Access Control). Below is a brief comparison of these three models, outlining their design logic, characteristics, and application scenarios to help clarify the selection and implementation considerations.</p> <h3> ACL </h3> <p>Direct authorization, fine-grained, but difficult to manage</p> <ul> <li> <strong>Design Logic</strong>: User → Resource + Operation</li> </ul> <blockquote> <p>If a user has read and update permissions for the development department's file list, they can view all the data under that department and make changes to it.</p> </blockquote> <h3> RBAC </h3> <p>Simplified management, clear structure, but limited flexibility</p> <ul> <li> <strong>Design Logic</strong>: Role → Resource + Operation; User is assigned to a role</li> </ul> <blockquote> <p>If a user’s role is a department manager, they can perform CRUD operations on all resources within that department.</p> </blockquote> <h3> ABAC </h3> <p>Highest flexibility, dynamic condition evaluation based on the user's, resource's, and environment's attributes to determine authorization.<br> Some variants include ReBAC (Relationship-Based Access Control), LBAC (Label-Based Access Control).</p> <ul> <li> <strong>Design Logic</strong>: Access is determined based on attributes.</li> </ul> <blockquote> <p>If a user’s department attribute is "HR Department," the resource's attribute is "personnel data," and the current time is within working hours, access is granted.</p> </blockquote> <h2> Comparison Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>ACL (Access Control List)</th> <th>RBAC (Role-Based Access Control)</th> <th>ABAC (Attribute-Based Access Control)</th> </tr> </thead> <tbody> <tr> <td>📘 Authorization Target</td> <td>User → Resource</td> <td>Role → Resource</td> <td>User attributes, resource attributes, environment attributes</td> </tr> <tr> <td>👤 User Binding Method</td> <td>User is directly granted access</td> <td>User is assigned a role</td> <td>User attributes are used to check access</td> </tr> <tr> <td>🔄 Authorization Method</td> <td>Static (each rule is defined clearly)</td> <td>Static (role-based)</td> <td>Dynamic condition-based (using multiple attributes)</td> </tr> <tr> <td>🧱 Database Design Simplicity</td> <td>Simple (but hard to scale)</td> <td>Moderate</td> <td>Complex (requires extra logic for attributes and rules)</td> </tr> <tr> <td>⚙️ Flexibility / Detail Control</td> <td>High (per user and resource)</td> <td>Medium (role-level)</td> <td>Very high (can use any attribute condition)</td> </tr> <tr> <td>📈 Maintenance Cost (Large Systems)</td> <td>High (hard to manage when users grow)</td> <td>Low to medium (if roles are well designed)</td> <td>High (complex rules and attributes need engine support)</td> </tr> <tr> <td>🔐 Permission Sharing / Inheritance</td> <td>Low (granted per user)</td> <td>High (shared roles, hierarchical roles)</td> <td>High (attributes are reusable)</td> </tr> <tr> <td>🛡️ Suitable Resource Scale</td> <td>Small (few users and resources)</td> <td>Medium to large (with stable role structure)</td> <td>Large and complex (many rules, multi-tenant)</td> </tr> <tr> <td>🧠 Learning / Implementation Difficulty</td> <td>Low</td> <td>Low to medium</td> <td>High (requires abstract thinking, policy language like XACML or engines like OPA)</td> </tr> <tr> <td>🧭 Suitable Use Cases</td> <td>Personal systems, sensitive data with fine control</td> <td>Enterprise backends, SaaS, shared platforms</td> <td>Banks, government, insurance, dynamic access control, zero-trust</td> </tr> <tr> <td>🧩 Typical Examples</td> <td>Dropbox, Google Drive “share with someone”</td> <td>Internal company systems (e.g., Admin, Manager)</td> <td>Data classification access, policy-driven API Gateway</td> </tr> <tr> <td>👮🏻‍♂️ Security</td> <td>High (fine control, but human error risk)</td> <td>Medium (depends on good role design)</td> <td>High (granular control, but needs accurate rules/attributes)</td> </tr> <tr> <td>🏎️ Performance</td> <td>Decreases with scale (each access is checked)</td> <td>High (simple role lookup)</td> <td>Low (many attributes and rules to evaluate)</td> </tr> <tr> <td>🎲 Standard Support</td> <td>None</td> <td>NIST RBAC Model</td> <td>XACML</td> </tr> </tbody> </table></div> security basic Setting up TLS connection for containerized PostgreSQL database whchi Mon, 24 Feb 2025 06:52:40 +0000 https://forem.com/whchi/setting-up-tls-connection-for-containerized-postgresql-database-1kmh https://forem.com/whchi/setting-up-tls-connection-for-containerized-postgresql-database-1kmh <p>When connecting your database to external services, especially SaaS platforms, you often can't restrict access by IP address or domain. In these cases, enabling TLS (Transport Layer Security) encryption helps keep your data safe.</p> <p><strong>PostgreSQL version: 16</strong></p> <h2> Understanding PostgreSQL Client Connection Types </h2> <p>PostgreSQL clients can connect in six different ways</p> <ol> <li> <code>disabled</code>: No encryption at all. Only safe for local networks.</li> <li> <code>allow</code>: Prefers unencrypted connections but will use encryption if the server requires it.</li> <li> <code>prefer</code>: (Default for most clients) Tries to use encryption first but accepts unencrypted connections if necessary.</li> <li> <code>require</code>: Must use encryption. Won't connect without it but doesn't verify certificates.</li> <li> <code>verify_ca</code>: Uses encryption and checks if the server's certificate is signed by a trusted authority.</li> <li> <code>verify_full</code>: The most secure option. Checks encryption, certificates, and ensures the server name matches the certificate.</li> </ol> <p>The most secure options are <code>verify_ca</code> and <code>verify_full</code>, but they require more setup in development:</p> <ul> <li>one-way verification: You need the root CA certificate</li> <li>two-way(mTLS) verification: You need both the client certificate and key in your connection string, <strong>the certificate/key MUST signed by root CA and key.</strong> </li> </ul> <h2> Setting Up the Server(One-Way Verification) </h2> <h3> 1. Create Certificate and Key </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set to 100 years for development use</span> openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-sha256</span> <span class="nt">-nodes</span> <span class="nt">-keyout</span> key.pem <span class="nt">-out</span> cert.pem <span class="nt">-days</span> 36500 </code></pre> </div> <h3> 2. Configure PostgreSQL </h3> <p>Add these lines to <code>postgresql.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">ssl</span> = <span class="n">on</span> <span class="n">ssl_cert_file</span> = <span class="s1">'/var/lib/postgresql/cert.pem'</span> <span class="n">ssl_key_file</span> = <span class="s1">'/var/lib/postgresql/key.pem'</span> </code></pre> </div> <h3> 3. Update Access Rules </h3> <p>Add these lines to <code>pg_hba.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">hostssl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">scram</span>-<span class="n">sha</span>-<span class="m">256</span> <span class="n">hostnossl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">reject</span> </code></pre> </div> <h3> 4. Set Up Docker Compose </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16.3</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">5432:5432'</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=postgres</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=postgres</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=postgres</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/pg_hba.conf:/etc/postgresql/pg_hba.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/postgresql.conf:/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/cert.pem:/var/lib/postgresql/cert.pem:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/key.pem:/var/lib/postgresql/key.pem:ro</span> <span class="pi">-</span> <span class="s">postgres:/var/lib/postgresql/data</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">config_file=/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">hba_file=/etc/postgresql/pg_hba.conf</span> </code></pre> </div> <h3> Connecting to Your Database </h3> <p>After setting everything up, just add <code>sslmode=require</code> to your connection string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres:postgres@postgres:5432/database?sslmode=require"</span> </code></pre> </div> <p>That's all you need to establish an encrypted connection to your PostgreSQL database.</p> <h2> Setting Up the Server(mTLS) </h2> <p>For mTLS (mutual TLS), both the server and client need valid certificates signed by a trusted Certificate Authority (CA). Here's how to set it up</p> <h3> 1. Create certifications for server and client </h3> <p>Your server.csr <code>CN</code> MUST be your postgreSQL hostname<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Create Root CA</span> openssl genrsa <span class="nt">-out</span> root.key 4096 openssl req <span class="nt">-x509</span> <span class="nt">-new</span> <span class="nt">-nodes</span> <span class="nt">-key</span> root.key <span class="nt">-sha256</span> <span class="nt">-days</span> 36500 <span class="nt">-out</span> root.crt <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=IT/CN=PostgreSQL Root CA"</span> <span class="c"># 2. create server cert</span> openssl genrsa <span class="nt">-out</span> server.key 4096 openssl req <span class="nt">-new</span> <span class="nt">-key</span> server.key <span class="nt">-out</span> server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Database/CN=postgres"</span> <span class="c"># This is important that SAN MUST contains all your possible DNS/IP </span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> server.csr <span class="nt">-CA</span> root.crt <span class="nt">-CAkey</span> root.key <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> server.crt <span class="nt">-days</span> 36500 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">printf</span> <span class="s2">"subjectAltName=DNS:localhost,DNS:postgres,IP:127.0.0.1,IP:192.168.0.23"</span><span class="o">)</span> <span class="c"># 3. create client cert - CN here MUST same as the postgres user you want</span> openssl genrsa <span class="nt">-out</span> client.key 4096 openssl req <span class="nt">-new</span> <span class="nt">-key</span> client.key <span class="nt">-out</span> client.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Developers/CN=postgres"</span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> client.csr <span class="nt">-CA</span> root.crt <span class="nt">-CAkey</span> root.key <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> client.crt <span class="nt">-days</span> 36500 <span class="nt">-sha256</span> </code></pre> </div> <p>If you want your client CN using custom map, you should use <code>pg_ident.conf</code> and adjust setting in <code>pg_hba.conf</code> to archive that<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># pg_hba.conf hostssl all all 0.0.0.0/0 cert map=my_map # pg_ident.conf my_map /CN=client postgres </code></pre> </div> <h3> 2. Configure PostgreSQL </h3> <p>Add these lines to <code>postgresql.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">ssl</span> = <span class="n">on</span> <span class="n">ssl_cert_file</span> = <span class="s1">'/var/lib/postgresql/server.crt'</span> <span class="n">ssl_key_file</span> = <span class="s1">'/var/lib/postgresql/server.key'</span> <span class="n">ssl_ca_file</span> = <span class="s1">'/var/lib/postgresql/root.crt'</span> </code></pre> </div> <h3> 3. Update Access Rules </h3> <p>Add these lines to <code>pg_hba.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">hostssl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">cert</span> <span class="n">clientcert</span>=<span class="n">verify</span>-<span class="n">full</span> <span class="n">hostnossl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">reject</span> </code></pre> </div> <h3> 4. Update docker-compose.yml </h3> <p>Update volume bindings<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/pg_hba.conf:/etc/postgresql/pg_hba.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/postgresql.conf:/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/server.crt:/var/lib/postgresql/server.crt:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/server.key:/var/lib/postgresql/server.key:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/root.crt:/var/lib/postgresql/root.crt:ro</span> <span class="nn">...</span> </code></pre> </div> <h3> Connecting to Your Database </h3> <p>After setting everything up, add the following options to your connection string</p> <ul> <li><code>sslmode=verify-full</code></li> <li><code>sslcert=client.crt</code></li> <li><code>sslkey=client.key</code></li> <li> <code>sslrootcert=root.crt</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres:postgres@postgres:5432/database?sslmode=verify-full&amp;sslcert=client.crt&amp;sslkey=client.key&amp;sslrootcert=root.crt"</span> </code></pre> </div> postgres database security tutorial Setting up TLS connection for containerized PostgreSQL database whchi Sat, 22 Feb 2025 08:27:43 +0000 https://forem.com/whchi/setting-up-encrypted-postgresql-connection-on-aws-ec2-4m3g https://forem.com/whchi/setting-up-encrypted-postgresql-connection-on-aws-ec2-4m3g <p>When you need to allow external connections to your database while keeping costs low, encrypting the connection is essential. This guide shows you the simplest way to set up encrypted connections for your development environment.</p> <h2> Why Do We Need Encryption? </h2> <p>When connecting your database to external services, especially SaaS platforms, you often can't restrict access by IP address or domain. In these cases, enabling TLS (Transport Layer Security) encryption helps keep your data safe.</p> <p><strong>PostgreSQL version: 16</strong></p> <h2> Understanding PostgreSQL Client Connection Types </h2> <p>PostgreSQL clients can connect in six different ways</p> <ol> <li> <code>disabled</code>: No encryption at all. Only safe for local networks.</li> <li> <code>allow</code>: Prefers unencrypted connections but will use encryption if the server requires it.</li> <li> <code>prefer</code>: (Default for most clients) Tries to use encryption first but accepts unencrypted connections if necessary.</li> <li> <code>require</code>: Must use encryption. Won't connect without it but doesn't verify certificates.</li> <li> <code>verify_ca</code>: Uses encryption and checks if the server's certificate is signed by a trusted authority.</li> <li> <code>verify_full</code>: The most secure option. Checks encryption, certificates, and ensures the server name matches the certificate.</li> </ol> <p>The most secure options are <code>verify_ca</code> and <code>verify_full</code>, but they require more setup in development:</p> <ul> <li>one-way verification: You need the root CA certificate</li> <li>two-way(mTLS) verification: You need both the client certificate and key in your connection string, <strong>the certificate/key MUST signed by root CA and key.</strong> </li> </ul> <p>This guide focuses on setting up one-way verification for development environments since it's simpler while still providing good security.</p> <h2> Setting Up the Server(One-Way Verification) </h2> <h3> 1. Create Certificate and Key </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set to 100 years for development use</span> openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-sha256</span> <span class="nt">-nodes</span> <span class="nt">-keyout</span> key.pem <span class="nt">-out</span> cert.pem <span class="nt">-days</span> 36500 </code></pre> </div> <h3> 2. Configure PostgreSQL </h3> <p>Add these lines to <code>postgresql.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">ssl</span> = <span class="n">on</span> <span class="n">ssl_cert_file</span> = <span class="s1">'/var/lib/postgresql/cert.pem'</span> <span class="n">ssl_key_file</span> = <span class="s1">'/var/lib/postgresql/key.pem'</span> </code></pre> </div> <h3> 3. Update Access Rules </h3> <p>Add these lines to <code>pg_hba.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">hostssl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">scram</span>-<span class="n">sha</span>-<span class="m">256</span> <span class="n">hostnossl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">reject</span> </code></pre> </div> <h3> 4. Set Up Docker Compose </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16.3</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">5432:5432'</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=postgres</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=postgres</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=postgres</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/pg_hba.conf:/etc/postgresql/pg_hba.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/postgresql.conf:/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/cert.pem:/var/lib/postgresql/cert.pem:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/key.pem:/var/lib/postgresql/key.pem:ro</span> <span class="pi">-</span> <span class="s">postgres:/var/lib/postgresql/data</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">config_file=/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">hba_file=/etc/postgresql/pg_hba.conf</span> </code></pre> </div> <h3> Connecting to Your Database </h3> <p>After setting everything up, just add <code>sslmode=require</code> to your connection string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres:postgres@postgres:5432/database?sslmode=require"</span> </code></pre> </div> <p>That's all you need to establish an encrypted connection to your PostgreSQL database.</p> <h2> Setting Up the Server(mTLS) </h2> <p>For mTLS (mutual TLS), both the server and client need valid certificates signed by a trusted Certificate Authority (CA). Here's how to set it up</p> <h3> 1. Create certifications for server and client </h3> <p>Your server.csr <code>CN</code> MUST be your postgreSQL hostname<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Create Root CA</span> openssl genrsa <span class="nt">-out</span> root.key 4096 openssl req <span class="nt">-x509</span> <span class="nt">-new</span> <span class="nt">-nodes</span> <span class="nt">-key</span> root.key <span class="nt">-sha256</span> <span class="nt">-days</span> 36500 <span class="nt">-out</span> root.crt <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=IT/CN=PostgreSQL Root CA"</span> <span class="c"># 2. create server cert</span> openssl genrsa <span class="nt">-out</span> server.key 4096 openssl req <span class="nt">-new</span> <span class="nt">-key</span> server.key <span class="nt">-out</span> server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Database/CN=postgres"</span> <span class="c"># This is important that SAN MUST contains all your possible DNS/IP </span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> server.csr <span class="nt">-CA</span> root.crt <span class="nt">-CAkey</span> root.key <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> server.crt <span class="nt">-days</span> 36500 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">printf</span> <span class="s2">"subjectAltName=DNS:localhost,DNS:postgres,IP:127.0.0.1,IP:192.168.0.23"</span><span class="o">)</span> <span class="c"># 3. create client cert - CN here MUST same as the postgres user you want</span> openssl genrsa <span class="nt">-out</span> client.key 4096 openssl req <span class="nt">-new</span> <span class="nt">-key</span> client.key <span class="nt">-out</span> client.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Developers/CN=postgres"</span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> client.csr <span class="nt">-CA</span> root.crt <span class="nt">-CAkey</span> root.key <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> client.crt <span class="nt">-days</span> 36500 <span class="nt">-sha256</span> </code></pre> </div> <p>If you want your client CN using custom map, you should use <code>pg_ident.conf</code> and adjust setting in <code>pg_hba.conf</code> to archive that<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># pg_hba.conf hostssl all all 0.0.0.0/0 cert map=my_map # pg_ident.conf my_map /CN=client postgres </code></pre> </div> <h3> 2. Configure PostgreSQL </h3> <p>Add these lines to <code>postgresql.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">ssl</span> = <span class="n">on</span> <span class="n">ssl_cert_file</span> = <span class="s1">'/var/lib/postgresql/server.crt'</span> <span class="n">ssl_key_file</span> = <span class="s1">'/var/lib/postgresql/server.key'</span> <span class="n">ssl_ca_file</span> = <span class="s1">'/var/lib/postgresql/root.crt'</span> </code></pre> </div> <h3> 3. Update Access Rules </h3> <p>Add these lines to <code>pg_hba.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">hostssl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">cert</span> <span class="n">clientcert</span>=<span class="n">verify</span>-<span class="n">full</span> <span class="n">hostnossl</span> <span class="n">all</span> <span class="n">all</span> <span class="n">all</span> <span class="n">reject</span> </code></pre> </div> <h3> 4. Update docker-compose.yml </h3> <p>Update volume bindings<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/pg_hba.conf:/etc/postgresql/pg_hba.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/config/postgresql.conf:/etc/postgresql/postgresql.conf</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/server.crt:/var/lib/postgresql/server.crt:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/server.key:/var/lib/postgresql/server.key:ro</span> <span class="pi">-</span> <span class="s">./.docker/postgres/certs/root.crt:/var/lib/postgresql/root.crt:ro</span> <span class="nn">...</span> </code></pre> </div> <h3> Connecting to Your Database </h3> <p>After setting everything up, add the following options to your connection string</p> <ul> <li><code>sslmode=verify-full</code></li> <li><code>sslcert=client.crt</code></li> <li><code>sslkey=client.key</code></li> <li> <code>sslrootcert=root.crt</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres:postgres@postgres:5432/database?sslmode=verify-full&amp;sslcert=client.crt&amp;sslkey=client.key&amp;sslrootcert=root.crt"</span> </code></pre> </div> postgres security database tutorial Integrate Self-host Infisical into your NestJS project whchi Wed, 11 Sep 2024 15:26:34 +0000 https://forem.com/whchi/integrate-self-host-infisical-into-your-nestjs-project-552h https://forem.com/whchi/integrate-self-host-infisical-into-your-nestjs-project-552h <h2> Why centralized secret management is necessary </h2> <p>In modern software development, especially in containerized and collaborative environments, centralized secret management has become increasingly important. Here are</p> <h3> Flexibility in containerized deployment </h3> <ul> <li>Real-time environment variable updates: In containerized deployments, centralized secret management allows us to easily update environment variables without rebuilding or redeploying containers. This greatly improves system flexibility and security.</li> <li>Environment consistency: It ensures all container instances use the same up-to-date secrets, reducing problems caused by environment inconsistencies.</li> </ul> <h3> Convenience in multi-developer scenarios </h3> <ul> <li>Avoiding <code>.env</code> file transfers: Traditionally, developers might need to send <code>.env</code> files via email or messaging apps, which is not only insecure but can also lead to version confusion.</li> <li>Permission management: Centralized management allows us to set different access permissions for different team members, enhancing security.</li> <li>Version control: You can track the change history of secrets, making audits and rollbacks easier. two main reasons:</li> </ul> <h2> A little about Infisical </h2> <p>Infisical is a secret management service similar to HashiCorp Vault, but it focuses more on the developer experience.</p> <h3> Advantages of Infisical </h3> <ul> <li>User-friendly: Offers an intuitive web interface and CLI tools, making secret management simple.</li> <li>Integration with development workflows: Provides SDKs in multiple languages, making it easy to integrate into existing projects.</li> <li>Team collaboration: Supports secure sharing and management of secrets among team members.</li> </ul> <h3> Paid features </h3> <ul> <li>Advanced audit logs</li> <li>Custom roles and more granular permission controls</li> <li>SAML single sign-on</li> <li>Advanced key rotation strategies</li> </ul> <h2> Writing a NestJS Module to integrate Infisical </h2> <p>First, install the necessary dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @infisical/sdk </code></pre> </div> <p>Then, create a new <code>infisical.module.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">DynamicModule</span><span class="p">,</span> <span class="nx">Global</span><span class="p">,</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InfisicalClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@infisical/sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InfisicalService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./infisical.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InfisicalModuleOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./infisical-module-options.type</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigModule</span><span class="p">,</span> <span class="nx">ConfigService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Global</span><span class="p">()</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">InfisicalModule</span> <span class="p">{</span> <span class="k">static</span> <span class="nf">forRoot</span><span class="p">(</span><span class="nx">options</span><span class="p">:</span> <span class="nx">InfisicalModuleOptions</span><span class="p">):</span> <span class="nx">DynamicModule</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// fallback to dotenv</span> <span class="nx">ConfigModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">envFilePath</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">fallbackFile</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="na">module</span><span class="p">:</span> <span class="nx">InfisicalModule</span><span class="p">,</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INFISICAL_OPTIONS</span><span class="dl">'</span><span class="p">,</span> <span class="na">useValue</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span> <span class="p">},</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">InfisicalClient</span><span class="p">,</span> <span class="na">useFactory</span><span class="p">:</span> <span class="p">(</span><span class="na">config</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">InfisicalClient</span><span class="p">({</span> <span class="na">siteUrl</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_SITE_URL</span><span class="dl">'</span><span class="p">),</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">universalAuth</span><span class="p">:</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_CLIENT_ID</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">),</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_CLIENT_SECRET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">),</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="na">inject</span><span class="p">:</span> <span class="p">[</span><span class="nx">ConfigService</span><span class="p">],</span> <span class="p">},</span> <span class="nx">InfisicalService</span><span class="p">,</span> <span class="p">],</span> <span class="na">exports</span><span class="p">:</span> <span class="p">[</span><span class="nx">InfisicalService</span><span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>infisical.service.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Inject</span><span class="p">,</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">Logger</span><span class="p">,</span> <span class="nx">OnModuleInit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InfisicalClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@infisical/sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InfisicalModuleOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./infisical-module-options.type</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">InfisicalService</span> <span class="k">implements</span> <span class="nx">OnModuleInit</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">(</span><span class="nx">InfisicalService</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">private</span> <span class="nx">fallbackToConfig</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">private</span> <span class="nx">secrets</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span> <span class="o">|</span> <span class="nx">boolean</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">initializationPromise</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">PROCESS_ENVS</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">DATABASE_URL</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GOOGLE_APPLICATION_CREDENTIALS</span><span class="dl">'</span><span class="p">,</span> <span class="p">];</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">config</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">,</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">InfisicalClient</span><span class="p">,</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_OPTIONS</span><span class="dl">'</span><span class="p">)</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">InfisicalModuleOptions</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">initializationPromise</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">init</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">onModuleInit</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">initializationPromise</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_SITE_URL</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Use config from ConfigService</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">fallbackToConfig</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">listSecrets</span><span class="p">({</span> <span class="na">environment</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_ENV</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">),</span> <span class="na">projectId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">INFISICAL_PROJECT_ID</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">),</span> <span class="na">path</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">options</span><span class="p">.</span><span class="nx">path</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// path to infisical project's path</span> <span class="na">includeImports</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="nx">secrets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">secret</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">secrets</span><span class="p">[</span><span class="nx">secret</span><span class="p">.</span><span class="nx">secretKey</span><span class="p">]</span> <span class="o">=</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">secretValue</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">PROCESS_ENVS</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">secret</span><span class="p">.</span><span class="nx">secretKey</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// ENVs where should load directly into process</span> <span class="c1">// like prisma's DATABASE_URL &amp; google cloud credential</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">secret</span><span class="p">.</span><span class="nx">secretKey</span><span class="p">]</span> <span class="o">=</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">secretValue</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Secrets loaded from Infisical</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Failed to fetch secrets from Infisical, falling back to ConfigService</span><span class="dl">'</span><span class="p">,</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">fallbackToConfig</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">T</span> <span class="o">=</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">T</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">fallbackToConfig</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="k">as</span> <span class="nx">T</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">secrets</span><span class="p">).</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">secrets</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="k">as</span> <span class="nx">T</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">value</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">secrets</span><span class="p">[</span><span class="nx">key</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span> <span class="o">===</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="k">as</span> <span class="nx">T</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">value</span> <span class="k">as</span> <span class="nx">T</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>infisical-module-options.type</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">type</span> <span class="nx">InfisicalModuleOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">path</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">fallbackFile</span><span class="p">?:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">};</span> </code></pre> </div> <h2> Use it </h2> <p>Write env in your dotenv<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INFISICAL_ENV=dev # the slot of environments INFISICAL_PROJECT_ID=&lt;your-infisical-project-id&gt; INFISICAL_SITE_URL=&lt;your-infisical-site-url&gt; INFISICAL_CLIENT_ID=&lt;your-infisical-client-id&gt; INFISICAL_CLIENT_SECRET=&lt;your-infisical-client-secret&gt; </code></pre> </div> <ul> <li><p>INFISICAL_ENV<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgefx88cm51unw26q13z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgefx88cm51unw26q13z.png" alt="INFISICAL_ENV" width="800" height="410"></a></p></li> <li><p>INFISICAL_PROJECT_ID<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcx4e3u6153jwrxv8abrx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcx4e3u6153jwrxv8abrx.png" alt="INFISICAL_PROJECT_ID" width="800" height="206"></a></p></li> <li><p>INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm23zablo8vskomys0qph.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm23zablo8vskomys0qph.png" alt="id and secret" width="800" height="426"></a></p></li> </ul> <p>And import it into your <code>app.module.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">InfisicalModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span><span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">})]</span> <span class="p">})</span> </code></pre> </div> <p>Then, you can use it as <code>ConfigService</code> of nestjs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">infisicalService</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">YOUR_ENV_SETUP_IN_INFISICAL</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>That is</p> infisical nestjs security dx Enhance your python code security using bandit whchi Thu, 29 Feb 2024 03:11:38 +0000 https://forem.com/whchi/enhance-your-python-code-security-using-bandit-14gb https://forem.com/whchi/enhance-your-python-code-security-using-bandit-14gb <p>In the constantly evolving realm of technology, ensuring the security of your code is also an important part of software development.</p> <p>Here, I am using Bandit, a tool designed to find common security issues in Python code, to improve my project's security.</p> <h2> Severity vs Confidence </h2> <p>In the context of Information Security, severity and confidence are two important metrics. Both of them are leveled into Low, Medium and High.</p> <p><strong>Severity</strong>, it measures the seriousness of the consequences that may arise if the security issue is exploited or left unaddressed.</p> <p><strong>Confidence</strong>, it reflects how well the information is validated, verified, or understood.</p> <h2> Call to action </h2> <p>The result of a Bandit scan is a detailed report that outlines potential security issues in the code. This report includes the severity and confidence of each issue, as well as the part of the code where the issue was detected. The report can be <br> output in several formats, including CSV, HTML, JSON, text, XML, and YAML. This allows developers to easily parse and analyze the results and take appropriate action to improve the security of their code.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5u2qddo1hlfrjf3dtiwu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5u2qddo1hlfrjf3dtiwu.png" alt="Bandit scanning result" width="800" height="364"></a></p> <p>The following are some simple judgment criteria after scan.</p> <ul> <li><p><strong>High Severity, High Confidence</strong>: Immediate action is typically taken due to a well-understood and verified security threat with potentially severe consequences.</p></li> <li><p><strong>High Severity, Low Confidence</strong>: Caution is exercised, and further investigation is needed to increase confidence in the assessment before taking decisive action.</p></li> <li><p><strong>Low Severity, High Confidence</strong>: Proactive measures may be taken even for low-severity issues if there is high confidence in the assessment.</p></li> <li><p><strong>Low Severity, Low Confidence</strong>: Ongoing monitoring and investigation are required to either confirm the low risk or gather additional information.</p></li> </ul> <h2> Setup </h2> <p>With <code>pre-commit</code> you can integrate bandit into your python project very easily</p> <ol> <li>pyproject.toml: skip folders you don't want to be scanned </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[tool.bandit]</span> <span class="py">exclude_dirs</span> <span class="p">=</span> <span class="p">[</span> <span class="s">".venv"</span><span class="p">,</span> <span class="s">".git"</span><span class="p">,</span> <span class="s">"__pycache__"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>2 .pre-commit-config.yml: add pre-commit hook<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/PyCQA/bandit</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">1.7.7</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">bandit</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pyproject.toml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-r"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">."</span><span class="pi">]</span> <span class="na">additional_dependencies</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">bandit[toml]"</span><span class="pi">]</span> </code></pre> </div> <p>That is.</p> webdev python security tutorial Speed up your pull request review with CodiumAI PR agent whchi Tue, 12 Dec 2023 16:03:33 +0000 https://forem.com/whchi/speed-up-your-pull-request-review-with-codiumai-pr-agent-1n90 https://forem.com/whchi/speed-up-your-pull-request-review-with-codiumai-pr-agent-1n90 <p>Pull Request (PR) is an essential process in software development that ensures code quality and collaboration among developers. PRs are also a way to learn from others and get better at coding, a good PR process helps people work together better and keeps the code easy to use and understand.</p> <h2> Problems with PR </h2> <p>However, PRs can be a bottleneck in software development lifecycle. Developers often face challenges such as large codebases, time constraints, and the need for thorough code analysis.</p> <p>Here are some common problems of PR:</p> <ol> <li> <strong>Time Consumption(No time to review)</strong>: Reviewers who are familiar with the codebase often do not have enough time to conduct a thorough review in a short period.</li> <li> <strong>Context Switching</strong>: Reviewers may have to switch contexts frequently, especially if they are reviewing multiple PRs from different parts of the codebase.</li> <li> <strong>Feedback Fatigue</strong>: Reviewers may experience fatigue, especially when dealing with a high volume of PRs, which can lead to less thorough reviews.</li> <li> <strong>Technical Debt and Bugs</strong>: Identifying deeper issues like technical debt or potential bugs can be challenging, especially under time constraints.</li> <li> <strong>Unclear Descriptions</strong>: If the PR descriptions are not clear or detailed enough, it becomes difficult for reviewers to understand the purpose and scope of the changes, leading to inefficient reviews.</li> <li> <strong>Coding style</strong>: Inconsistencies in coding style and lack of adherence to best practices can lead to future maintenance issues.</li> <li> <strong>Large PRs</strong>: ****Very large PRs can be overwhelming to review, often resulting in missed issues or superficial reviews.</li> </ol> <p>There are several tools available to address these issues, such as <strong>linters</strong>, <strong>automated tests</strong>, and <strong>contribution guidelines</strong>. Additionally, <strong>training sessions</strong> can be beneficial if you are part of a well-resourced company (although they might not be as common in open-source projects)</p> <h2> How AI Can Help </h2> <p>In November 2022, OpenAI launched ChatGPT, showcasing how AI, particularly through Large Language Model (LLM) APIs, can empower individuals and enhance the PR review experience.</p> <p>Subsequently, numerous AI tools based on Large Language Models (LLMs) were developed to address the aforementioned issues. These tools have been created by both large enterprises, such as <em>GitHub</em>, <em>AWS</em>, and <em>Microsoft</em>, and startups, including <em>CodiumAI</em>, <em>BLACKBOX AI</em>, and <em>Tabnine</em>.</p> <p>In this section, I will provide an extensive comparison of some of the most notable tools designed to facilitate PR reviews. This comparison will focus specifically on two key examples:</p> <ul> <li>From an enterprise perspective: <strong>GitHub Copilot</strong> </li> <li>From a startup perspective: <strong>CodiumAI PR Agent</strong> </li> </ul> <h3> Comparison of CodiumAI PR agent and Github Copilot </h3> <p>I’m still in the waiting list of Github Copilot, so the Github part in this comparison table might change</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>CodiumAI PR Agent</th> <th>Github Copilot</th> </tr> </thead> <tbody> <tr> <td>pricing</td> <td>free</td> <td>paid</td> </tr> <tr> <td>opensource</td> <td>✅</td> <td></td> </tr> <tr> <td>PR review</td> <td><code>/review</code></td> <td><code>copilot:summary</code></td> </tr> <tr> <td>PR description</td> <td><code>/describe</code></td> <td><code>copilot:walkthrough</code></td> </tr> <tr> <td>code suggestion</td> <td><code>/improve</code></td> <td>✅</td> </tr> <tr> <td>interestring tricks</td> <td><code>/ask "your-question"</code></td> <td><code>copilot:poem</code></td> </tr> <tr> <td>support code hosting platforms</td> <td>github, gitlab, bitbucket, AWS CodeCommit, azure devops, gerrit</td> <td>github</td> </tr> <tr> <td>Granularity</td> <td>focus in PR</td> <td>more general</td> </tr> <tr> <td>website</td> <td><a href="https://github.com/Codium-ai/pr-agent" rel="noopener noreferrer">https://github.com/Codium-ai/pr-agent</a></td> <td><a href="https://githubnext.com/projects/copilot-for-pull-requests" rel="noopener noreferrer">https://githubnext.com/projects/copilot-for-pull-requests</a></td> </tr> </tbody> </table></div> <p>CodiumAI PR Agent also includes commands such as <code>/update_changelog</code> for writing release logs, <code>/similiar_issue</code> to find identical issues in large codebases, <code>/add_docs</code> for more detailed descriptions, and <code>/generate_labels</code> to enhance documentation clarity.</p> <h3> Real world example using CodiumAI PR Agent </h3> <p>Here's an example of package development, focusing only on the tools listed in the comparison table.</p> <ul> <li><p><code>/review</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqy63rjck5dn81757321.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqy63rjck5dn81757321.png" alt="review command" width="800" height="739"></a></p></li> <li><p><code>/describe</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7l45a1f9blbc4lzqie4u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7l45a1f9blbc4lzqie4u.png" alt="describe command" width="800" height="714"></a></p></li> <li><p><code>/improve</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq8umvg8otkmzl0ru6ek8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq8umvg8otkmzl0ru6ek8.png" alt="improve command" width="800" height="556"></a></p></li> <li><p><code>/ask "what is the biggest changes? what is the latest commit doing?"</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcq0gz3xtajrjk5kos1ac.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcq0gz3xtajrjk5kos1ac.png" alt="ask command" width="800" height="661"></a></p></li> </ul> <p>I've tested all the commands of CodiumAI PR Agent except for <strong><code>/similar_issue</code></strong>. That's a total of <strong>7 features</strong>, which cost me <strong>$0.86</strong> for using the OpenAI API, and it takes me only <strong>5</strong> minutes to review <strong>17</strong> files. </p> <p>That’s a huge improvement.</p> <h2> Conclusion </h2> <p>AI is revolutionizing individual performance across various fields. I currently use tools like ChatGPT, Bard, and claude.ai for scripting codes, solving math problems, and creating tests. These tools often generate an initial proof of concept (POC) or even a minimum viable product (MVP) in under a minute, significantly boosting my overall productivity.</p> <p>I'm also exploring the use of PR agents in my work. So far, I find them suitable for open-source projects, and as AI technology advances, I anticipate their integration into enterprise environments in the near future.</p> ai productivity programming Mocking Async API Calls in FastAPI Tests whchi Sat, 02 Dec 2023 08:48:13 +0000 https://forem.com/whchi/testing-fastapi-async-function-and-httpx-asyncclient-1glc https://forem.com/whchi/testing-fastapi-async-function-and-httpx-asyncclient-1glc <p>When engaging in software development, there is often a need to send SMS, emails, or make API calls to other systems. When testing such programs, it is common to mock these interactions to ensure that the testing process does not fail due to an unavailable network connection.</p> <p>In FastAPI, there are two ways to define functions: using <code>def</code> and <code>async def</code>. According to the official documentation, testing these functions requires the use of <code>TestClient</code> for <code>def</code> and <code>httpx.AsyncClient</code> for <code>async def</code>. </p> <p>This article provides a practical method for mocking the API caller within <code>async def</code> functions.</p> <h2> code </h2> <p>Here the API endpoint makes an API call to 3rd party<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># example_router.py </span> <span class="kn">import</span> <span class="n">httpx</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">'</span><span class="s">/examples</span><span class="sh">'</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_example</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">'</span><span class="s">https://3rd-party-api.example.com</span><span class="sh">'</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="o">**</span><span class="n">payload</span><span class="p">.</span><span class="nf">dict</span><span class="p">()})</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="p">{})</span> </code></pre> </div> <p>We should mock the <code>httpx.AsyncClient</code> inside <code>add_example</code>.</p> <p>First, make a fixture<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># conftest.py </span> <span class="nd">@pytest.fixture</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">async_client</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">AsyncClient</span><span class="p">:</span> <span class="k">return</span> <span class="nc">AsyncClient</span><span class="p">(</span><span class="n">app</span><span class="o">=</span><span class="n">app</span><span class="p">,</span> <span class="n">base_url</span><span class="o">=</span><span class="sh">'</span><span class="s">http://localhost:1234</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>Then write the test with mock, the key points are:</p> <ol> <li>Uses the <code>with patch</code> to mock the <code>httpx.AsyncClient</code>.</li> <li>Mock your calling method, here is <code>post</code> </li> </ol> <p>You cannot patch the whole <code>httpx.AsyncClient</code> using <code>@patch</code> decorator because it will mock all <code>httpx.AsyncClient</code> including the one declared in your test.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># test_example_router.py </span> <span class="kn">from</span> <span class="n">unittest.mock</span> <span class="kn">import</span> <span class="n">AsyncMock</span><span class="p">,</span> <span class="n">patch</span> <span class="kn">from</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">AsyncClient</span> <span class="kn">import</span> <span class="n">pytest</span> <span class="nd">@pytest.mark.asyncio</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_contact_us</span><span class="p">(</span><span class="n">async_client</span><span class="p">:</span> <span class="n">AsyncClient</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">with</span> <span class="nf">patch</span><span class="p">(</span><span class="sh">'</span><span class="s">httpx.AsyncClient</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">mock_client</span><span class="p">:</span> <span class="n">mock_post</span> <span class="o">=</span> <span class="nc">AsyncMock</span><span class="p">()</span> <span class="n">mock_client</span><span class="p">.</span><span class="n">return_value</span><span class="p">.</span><span class="n">__aenter__</span><span class="p">.</span><span class="n">return_value</span><span class="p">.</span><span class="n">post</span> <span class="o">=</span> <span class="n">mock_post</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">async_client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="sh">'</span><span class="s">/api/examples</span><span class="sh">'</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">desc</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">desc</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Brid Pett</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">phone</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">123456789</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">test@cc.cc</span><span class="sh">'</span><span class="p">,</span> <span class="p">})</span> <span class="n">mock_post</span><span class="p">.</span><span class="nf">assert_called_once</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="n">status_code</span> </code></pre> </div> <p>That's all.</p> fastapi python testing webdev Reading notes | Software Engineer-The Soft Part whchi Fri, 20 Oct 2023 02:46:37 +0000 https://forem.com/whchi/reading-notes-software-engineer-the-soft-part-bkm https://forem.com/whchi/reading-notes-software-engineer-the-soft-part-bkm <p>This is a very pragmatic book, and it is also quite thin. The author is Addy Osmani, the person in charge of the Google Chrome project. The content is a compilation of his past experiences and soft skills guidance.</p> <p>I will note down some parts of the book that I personally found impactful, there are 33 points.</p> <h1> notes </h1> <ol> <li><p>Mastery of technology means delivering high value per hour worked. This means you can identify which tasks bring value and help the team focus on those tasks. It also means knowing how to avoid work that does not add value. The best engineers can even guide the entire team to avoid work that does not add value.</p></li> <li><p>Critical thinking is thinking purposefully to form your own conclusions. It allows you to focus more on root causes and avoid potential future problems.<br> Avoid falling into the trap of assuming correlation implies causation. Someone with critical thinking may question such assumptions and ask why we believe it to be true.</p></li> <li><p>The long-term value of learning fundamentals is their transferability, while the short-term value is helping you make better decisions. Transferable skills have macro and micro aspects. Macroscopically, the basic principles of programming languages are mostly the same, and frequently applying the basic principles can generate tremendous value. </p></li> <li><p>Microscopically, syntax may be familiar but the skills are not transferable. You should also not overfocus on fundamentals, the key is to learn for application.</p></li> <li><p>Having a solid foundation of knowledge allows you to make better decisions and go further, such as considering frameworks or avoiding choosing the wrong technologies.</p></li> <li><p>"You haven't mastered a tool until you understand when it<br> should not be used." - @kelseyhightower</p></li> <li><p>Focus on the user/developer experience, don't make decisions based on specific solutions (e.g. just using Laravel because it's good).</p></li> <li><p>Use boring (proven) technologies, then consciously choose the tools most suited to solving the problem. FOMO may not be an effective approach in tech - understanding how to use things is important, but the focus should still be on delivering value, unless those technologies can increase the value you produce.</p></li> <li><p>The best time to learn new technologies is by using new projects - use the Feynman learning technique to accelerate learning.</p></li> <li><p>To enable a project to evolve, become its caretaker rather than its owner - document it well so it can continue when you're gone.</p></li> <li><p>The value of software lies in the accumulated knowledge of its producers, not the code itself - don't rewrite code for no reason, you're discarding collective knowledge.</p></li> <li><p>YAGNI (You aren't gonna need it) means don't add features until needed, focus on what really delivers value. But maintain appropriate abstraction - avoid premature abstraction (AHA). Decoupling solutions for specific problems while trying to extract reusability is better.</p></li> <li><p>The best modules are those with maximum benefit and minimum cost. Interfaces should be narrow, functionality deep.</p></li> <li><p>A good mindset for legacy code is to not assume every line is relevant - understand it then remove unnecessary parts.</p></li> <li><p>Defining "done" is important when tackling problems - avoids unnecessary future revisions. This could include meeting acceptance criteria, passing tests, documentation, etc.</p></li> <li><p>Debug messages show the truth, don't keep making small changes trying to fix issues.</p></li> <li><p>Design docs are part of software engineering, not an afterthought. Coordinate reviews of design docs, compare to original as it evolves to validate addressing issues.</p></li> <li><p>Focus communication on kindness - may take more time but makes others more willing to communicate for effective outcomes. Avoid jargon, match vocabulary to audience.</p></li> <li><p>Saying no is better than over promising.</p></li> <li><p>A senior engineer should be skilled at designing software systems and human/team systems. You can lead a diverse engineering team, delegate tasks, guide them to focus on code quality, performance and simplicity. Provide feedback when needed, defend them when necessary. You should also be able to market yourself, your work, and problem-solving abilities for exposure in the organization. Overall, manage relationships well internally and with management.</p></li> <li><p>Guide junior engineers to ask the right questions in a way that lets them know you're glad they asked.</p></li> <li><p>Strongly defend your views but re-examine assumptions when new evidence arrives.</p></li> <li><p>Teach the team to fish - coordinate internally and externally, aim to increase team output. More senior means focusing more on managing relationships with management and the team.</p></li> <li><p>Team efficiency is efficiency - accept imposter syndrome, it can motivate you to learn.</p></li> <li><p>Understand the business model, your code hugely impacts business logic. Insight into commercial software is key to influencing, as you're closer to the market so naturally do impactful things.</p></li> <li><p>Start from the user experience and work backwards to required tech.</p></li> <li><p>Mentoring is guiding - suggest ideas for mentees to try. If they can't solve a problem, show your approach and thinking for reference e.g. debugging steps rather than the answer directly.</p></li> <li><p>Don't try to do too much at once, focused deep work time is very important.</p></li> <li><p>Estimates can be updated anytime, software estimates are inherently complex until requirements are deeply understood, then they become more accurate. A better way is rough estimate, detailed estimate, staged rollout.</p></li> <li><p>A leader confidently admitting not knowing something is powerful. This confidence reduces expectations for senior engineers to know everything. You absolutely don't need all the answers, but admitting you're human and committed to solving problems together is most important.</p></li> <li><p>Tech debt repayment should be regular time allocated by tech leads for cleanup - prevention over cure.</p></li> <li><p>Focus on the problem - issues in other projects may also be issues in yours.</p></li> <li><p>"Surround yourself by excellence and work with people who are<br> the best as what they do" - Brian Staufenbiel</p></li> </ol> <h1> source </h1> <p><a href="https://addyosmani.com/blog/software-engineering-soft-parts/" rel="noopener noreferrer">https://addyosmani.com/blog/software-engineering-soft-parts/</a></p> programming beginners productivity career Localize your FastAPI validation message whchi Thu, 17 Aug 2023 06:14:04 +0000 https://forem.com/whchi/localize-your-fastapi-validation-message-38h4 https://forem.com/whchi/localize-your-fastapi-validation-message-38h4 <p>When working on website frontend development, a significant amount of time is spent on handling form validation. If your service caters to a global audience (not only within your country), it's advisable to incorporate internationalization (i18n) error messages into it.</p> <p>If the situation involves frontend-backend separation, managing the validation i18n message communication becomes a troublesome task. </p> <p>The question arises: should the validation messages be managed on the backend or the frontend?</p> <p>Generally, messages should be managed closer to the rendering (frontend mostly) interface for better organization. A common approach is to use error codes paired with corresponding messages.</p> <p>However, there are numerous validation methods for forms, and if error codes were applied to forms, maintenance would become quite challenging. Therefore, it's best to centrally manage form-type validation by either the frontend or the backend.</p> <p><strong>FastAPI</strong> employs <strong>Pydantic</strong> to encapsulate most scenarios of form validation and provides corresponding error messages. This works well in a purely English environment, but if we require i18n, it's clear that this approach falls short.</p> <p>This article will work through the whole concept of how to integrate i18n into FastAPI's request validation error messages with pseudo code.</p> <h2> middleware </h2> <p>Firstly we need to know what locale it is, we can archive this using middleware<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">LocaleMiddleware</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">dispatch</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="n">req</span><span class="p">.</span><span class="n">locale</span> <span class="o">=</span> <span class="n">incoming_locale</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">LocaleMiddleware</span><span class="p">)</span> </code></pre> </div> <h2> exception handler </h2> <p>Then we register our own exception handler to handle <code>RequestValidationError</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">i18n_exception_handler</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">exc</span><span class="p">):</span> <span class="n">msg</span> <span class="o">=</span> <span class="nf">make_i18n_msg</span><span class="p">(</span><span class="n">exc</span><span class="p">,</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">locale</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">errors</span><span class="sh">"</span><span class="p">:</span> <span class="n">exc</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">422</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_exception_handler</span><span class="p">(</span><span class="n">RequestValidationError</span><span class="p">,</span> <span class="n">i18n_exception_handler</span><span class="p">)</span> </code></pre> </div> <h2> translate </h2> <p>Finally, we make translate action, the exc of FastAPI is object of object, so we need to extract the message recursively<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">make_i18n_msg</span><span class="p">(</span><span class="n">exc</span><span class="p">,</span> <span class="n">locale</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstanceof</span><span class="p">(</span><span class="n">exc</span><span class="p">,</span> <span class="n">wrapper</span><span class="p">):</span> <span class="k">return</span> <span class="nf">make_i18n_msg</span><span class="p">(</span><span class="n">exc</span><span class="p">,</span> <span class="n">locale</span><span class="p">)</span> <span class="k">return</span> <span class="nc">Translator</span><span class="p">(</span><span class="n">locale</span><span class="p">).</span><span class="nf">t</span><span class="p">(</span><span class="sh">'</span><span class="s">trans.file.key</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>And we need a translation file looks like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">zh-TW.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field required"</span><span class="p">:</span><span class="w"> </span><span class="s2">"欄位必填"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extra fields not permitted"</span><span class="p">:</span><span class="w"> </span><span class="s2">"不允許額外的欄位"</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">ja-JP.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field required"</span><span class="p">:</span><span class="w"> </span><span class="s2">"フィールドは必須です"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extra fields not permitted"</span><span class="p">:</span><span class="w"> </span><span class="s2">"余分なフィールドは許可されていません"</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then when you send with locale to your API pydantic validation, you will get something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "errors": [ { "loc": [ "body", "string" ], "msg": "フィールドは必須です", "type": "value_missing.field_required" }, { "loc": [ "body", "string" ], "msg": "余分なフィールドは許可されていません", "type": "value_error.extra_fields_are_not_permitted" } } </code></pre> </div> <p>That's the essence of it, and I've written a package for it.</p> <blockquote> <p><a href="https://pypi.org/project/fastapi-validation-i18n/" rel="noopener noreferrer"><strong>fastapi-validation-i18n</strong></a></p> </blockquote> <p>You can accomplish this by adhering to the documentation, contributions are also encouraged and welcome.</p> fastapi webdev python Nginx setup for Next.js subdomain routing whchi Sat, 12 Aug 2023 07:01:13 +0000 https://forem.com/whchi/nginx-setup-for-nextjs-subdomain-routing-5934 https://forem.com/whchi/nginx-setup-for-nextjs-subdomain-routing-5934 <blockquote> <p><strong>Don't do it unless you can 100% control your nginx</strong></p> </blockquote> <p>In this article, I will guide you through the process of setting up Nginx(<em>only</em>) for subdomain routing to a Next.js router. To illustrate this, I'll use a page router as an example.</p> <p>Here's a sample page router structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pages/ ├──subdomain-1/ │ ├──index.tsx │ └──blogs/ └──subdomain-2/ ├──index.tsx └──orders/ </code></pre> </div> <p>The expect behavior is </p> <ol> <li>subdomain-1.com -&gt; /pages/subdomain-1/index.tsx</li> <li>subdomain-1.com/blogs -&gt; /pages/subdomain-1/blogs/index.tsx</li> <li>subdomain-2.com/orders -&gt; /pages/subdomain-2/orders/index.tsx</li> </ol> <h2> nginx.conf </h2> <p>The idea is simple, use <code>server_name</code> to setup 2 virtual hosts and <code>proxy_pass</code> proxy to the backend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http { upstream nextjs { http://localhost:3000; } server { listen 80; server_name subdomain-1.com; location / { # for i18n set $locale_prefix '/subdomain-1'; set $rest $request_uri; if ($request_uri ~ ^/(en|ja|zh-TW)(.*)$) { set $locale_prefix '/$1/subdomain-1'; set $rest $2; } proxy_pass http://nextjs$locale_prefix$rest; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 80; server_name subdomain-2; location / { set $locale_prefix '/subdomain-2'; set $rest $request_uri; if ($request_uri ~ ^/(en|ja|zh-TW)(.*)$) { set $locale_prefix '/$1/subdomain-2'; set $rest $2; } proxy_pass http://nextjs$locale_prefix$rest; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } } </code></pre> </div> <h2> next.js </h2> <p>you need to replace your paths in code, use <code>router.push('/blogs')</code> instead of <code>router.push('/domain-2/blogs')</code> and separate the local and production environment's behavior.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// @ts-nocheck</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">setPath</span> <span class="o">=</span> <span class="p">(</span><span class="nx">path</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">PATH_PREFIXES</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/subdomain-1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/subdomain-2</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">prefix</span> <span class="k">of</span> <span class="nx">PATH_PREFIXES</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">prefix</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">path</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">prefix</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">path</span><span class="p">;</span> <span class="p">};</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">setPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">/subdomain-1/blogs</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <h2> pros and cons </h2> <ul> <li>pros <ul> <li>microservices alignment</li> <li>deployment specific subdomain won't affect your application</li> <li>tls are managed by nginx, you can support different level of subdomain</li> <li>cleaner code structure, each folder points to a subdomain</li> </ul> </li> <li>cons <ul> <li>development and deployment are more complex</li> <li>difficult to maintain, next.js folder will be constrained by nginx config</li> <li>initial setup is difficult, frontends need to know about nginx config</li> </ul> </li> </ul> <p>Typically, in Next.js, you should use <strong><a href="https://nextjs.org/docs/pages/building-your-application/routing/middleware" rel="noopener noreferrer">middleware</a></strong> for subdomain routing.</p> <blockquote> <p><strong>Don't do it unless you can 100% control your nginx</strong></p> </blockquote> nextjs nginx Protect your FastAPI document with HTTP basic authN whchi Wed, 09 Aug 2023 02:32:03 +0000 https://forem.com/whchi/protect-your-fastapi-document-with-http-basic-authn-45c7 https://forem.com/whchi/protect-your-fastapi-document-with-http-basic-authn-45c7 <p>When working in enterprise with frontends as a backend engineer, it common to deploy a staging(test) environment to expedite development. </p> <p>One of the advantages of using FastAPI is it built-in API documentation. However, we don't want to expose it in the staging environment to the public, unless you can control the networking aspect.</p> <p>In this article, I'll demonstrate how to secure it using HTTP basic authentication.</p> <h2> Code </h2> <ol> <li>disable doc url by env </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">app_env</span> <span class="o">==</span> <span class="sh">'</span><span class="s">staging</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">docs_url</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">openapi_url</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">redoc_url</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> </code></pre> </div> <ol> <li>create a middleware for http basic authN </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="kn">from</span> <span class="n">starlette.middleware.base</span> <span class="kn">import</span> <span class="n">BaseHTTPMiddleware</span><span class="p">,</span> <span class="n">RequestResponseEndpoint</span> <span class="kn">from</span> <span class="n">starlette.requests</span> <span class="kn">import</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">starlette.responses</span> <span class="kn">import</span> <span class="n">Response</span> <span class="k">class</span> <span class="nc">ApidocBasicAuthMiddleware</span><span class="p">(</span><span class="n">BaseHTTPMiddleware</span><span class="p">):</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">dispatch</span><span class="p">(</span> <span class="c1"># type: ignore </span> <span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">:</span> <span class="n">RequestResponseEndpoint</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">'</span><span class="s">/docs</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/redoc</span><span class="sh">'</span><span class="p">]:</span> <span class="n">auth_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">auth_header</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">scheme</span><span class="p">,</span> <span class="n">credentials</span> <span class="o">=</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">split</span><span class="p">()</span> <span class="k">if</span> <span class="n">scheme</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">'</span><span class="s">basic</span><span class="sh">'</span><span class="p">:</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">credentials</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">ascii</span><span class="sh">'</span><span class="p">)</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span> <span class="o">=</span> <span class="n">decoded</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)</span> <span class="n">correct_username</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span> <span class="n">username</span><span class="p">,</span> <span class="sh">'</span><span class="s">YOUR_USERNAME</span><span class="sh">'</span><span class="p">)</span> <span class="n">correct_password</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">compare_digest</span><span class="p">(</span> <span class="n">password</span><span class="p">,</span> <span class="sh">'</span><span class="s">YOUR_PASSWORD</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">correct_username</span> <span class="ow">and</span> <span class="n">correct_password</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="bp">...</span> <span class="n">response</span> <span class="o">=</span> <span class="nc">Response</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="sh">'</span><span class="s">Unauthorized</span><span class="sh">'</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">'</span><span class="s">WWW-Authenticate</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">Basic</span><span class="sh">'</span> <span class="k">return</span> <span class="n">response</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">ApidocBasicAuthMiddleware</span><span class="p">)</span> </code></pre> </div> <p>replace <strong>YOUR_USERNAME</strong> and <strong>YOUR_PASSWORD</strong></p> <ol> <li>enable document paths and document html </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Dict</span> <span class="kn">from</span> <span class="n">fastapi.openapi.docs</span> <span class="kn">import</span> <span class="n">get_redoc_html</span><span class="p">,</span> <span class="n">get_swagger_ui_html</span> <span class="kn">from</span> <span class="n">fastapi.openapi.utils</span> <span class="kn">import</span> <span class="n">get_openapi</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/docs</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_swagger_documentation</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">HTMLResponse</span><span class="p">:</span> <span class="k">return</span> <span class="nf">get_swagger_ui_html</span><span class="p">(</span><span class="n">openapi_url</span><span class="o">=</span><span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">docs</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">openapi</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="k">return</span> <span class="nf">get_openapi</span><span class="p">(</span><span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">FastAPI</span><span class="sh">'</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">'</span><span class="s">0.1.0</span><span class="sh">'</span><span class="p">,</span> <span class="n">routes</span><span class="o">=</span><span class="n">app</span><span class="p">.</span><span class="n">routes</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/redoc</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_redoc</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">HTMLResponse</span><span class="p">:</span> <span class="k">return</span> <span class="nf">get_redoc_html</span><span class="p">(</span><span class="n">openapi_url</span><span class="o">=</span><span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">docs</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>That is, you will see the login modal when entering doc path</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hspuantobkn6qn82fvm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hspuantobkn6qn82fvm.png" alt="Image description" width="800" height="182"></a></p> <h2> Put it all together </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="kn">from</span> <span class="n">starlette.middleware.base</span> <span class="kn">import</span> <span class="n">BaseHTTPMiddleware</span><span class="p">,</span> <span class="n">RequestResponseEndpoint</span> <span class="kn">from</span> <span class="n">starlette.requests</span> <span class="kn">import</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">starlette.responses</span> <span class="kn">import</span> <span class="n">Response</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Dict</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.openapi.docs</span> <span class="kn">import</span> <span class="n">get_redoc_html</span><span class="p">,</span> <span class="n">get_swagger_ui_html</span> <span class="kn">from</span> <span class="n">fastapi.openapi.utils</span> <span class="kn">import</span> <span class="n">get_openapi</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">docs_url</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">openapi_url</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">redoc_url</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">ApidocBasicAuthMiddleware</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/docs</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_swagger_documentation</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">HTMLResponse</span><span class="p">:</span> <span class="k">return</span> <span class="nf">get_swagger_ui_html</span><span class="p">(</span><span class="n">openapi_url</span><span class="o">=</span><span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">docs</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">openapi</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="k">return</span> <span class="nf">get_openapi</span><span class="p">(</span><span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">FastAPI</span><span class="sh">'</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">'</span><span class="s">0.1.0</span><span class="sh">'</span><span class="p">,</span> <span class="n">routes</span><span class="o">=</span><span class="n">app</span><span class="p">.</span><span class="n">routes</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span> <span class="sh">'</span><span class="s">/redoc</span><span class="sh">'</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">documentation</span><span class="sh">'</span><span class="p">],</span> <span class="n">include_in_schema</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_redoc</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">HTMLResponse</span><span class="p">:</span> <span class="k">return</span> <span class="nf">get_redoc_html</span><span class="p">(</span><span class="n">openapi_url</span><span class="o">=</span><span class="sh">'</span><span class="s">/openapi.json</span><span class="sh">'</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">docs</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> fastapi webdev