User Authentication in Martin

[orttak]

How do you manage user authentication in martin? I want only certain users to see some data. does anyone have any suggestions what kind of middlaware would be good on martin?

I want to build web application with vue-3, postgis and martin. If I check user and token info with function like below(I create user table in same database), Do you think it is good practice? or Should I put Martin behind fastapi or express to check user authentication?
Thanks

CREATE OR REPLACE FUNCTION function_zxy_query(z integer, x integer, y integer, user_id integer, token text) RETURNS bytea AS $$
DECLARE
  mvt bytea;
  is_valid_token boolean;
BEGIN
  -- Token validation
  SELECT EXISTS (
    SELECT 1
    FROM token_table
    WHERE user_id = user_id AND token = token
  ) INTO is_valid_token;
  
  IF is_valid_token THEN
    SELECT INTO mvt ST_AsMVT(tile, 'function_zxy_query', 4096, 'geom') FROM (
      SELECT
        ST_AsMVTGeom(ST_Transform(ST_CurveToLine(geom), 3857), ST_TileEnvelope(z, x, y), 4096, 64, true) AS geom
      FROM table_source ts
      WHERE ts.geom && ST_Transform(ST_TileEnvelope(z, x, y), 4326)
    ) as tile WHERE geom IS NOT NULL;
  ELSE
    -- 
    RAISE EXCEPTION 'Invalid token';
  END IF;

  RETURN mvt;
END
$$ LANGUAGE plpgsql IMMUTABLE STRICT PARALLEL SAFE;

[nyurik]

I can think of two ways to do this - either introduce a new authentication proxy around Martin, and once the user is authenticated, pass validated value to the database as you describe, or, Martin can be used as a library, and you can introduce your own endpoint that simply uses Martin's internal logic.

[IncidGeo]

I've dockerize an nginx/geodjango/gunicorn/postgis/martin solution.
I'm really interested in the subject because I don't want to expose my data to unauthorized users.
Is there a solution whereby nginx can communicate with my django application to block access to Martin content if the user is not authenticated in the django app?
Any documentation/resources are welcome and thank you again for all the good work.

[nyurik]

Glad you got something working! TBH, I am not certain how nginx can communicate with some backend -- I haven't used nginx extensively beyond the trivial routing usage.

[IncidGeo]

I think there is something to do with this function :
http://nginx.org/r/auth_request
I'm gonna search a bit and I'll come back if I find a solution

[IncidGeo]

Here is an example of application :
https://github.com/cedadev/django-auth-service

[IncidGeo]

Here's a functional example of a Docker-based solution integrating PostgreSQL/Django/Nginx/Certbot.

• Martin streams from Postgres or Mbtiles are only accessible to authenticated Django users
• Certbot is utilized for SSL certificate management
• Macvlan ensures network isolation.

Note Macvlan allows Nginx container to have a different IP and MAC Address from the host on the same machine, while the other containers have addresses within the container and communicate using a separate bridge network. Additionally, port 80 traffic is redirected to port 443 in Nginx for secure communication. Port 5442 is expose on host to access the db.
Macvlan is use in this situation because host already serve 80, 443. 5442 is exposed on the machine host because 5432 is already in use. Macvlan is not necessary if those ports are not already in use. Cerbot is use to manage SSL independantly from the host but could also be managed by the host if same ip is use.

Security Note: Just to be clear, I'm not a security expert, and this is just the way I've approached it.

NGINX configuration :

# Define upstream server for Django application
upstream my_project_server {
    server djangoapp:8000; # Django application server running on port 8000
}

# Define upstream server for Martin application
upstream martin_server {
    server martin:3000; # Martin application server running on port 3000
}

# Server block for HTTP traffic (port 80)
server {
    listen 80; # Listen for incoming HTTP requests
    server_name my-domain.com; # Server name

    location / {
        return 301 https://$host$request_uri; # Redirect HTTP traffic to HTTPS
    }
}

# Server block for HTTPS traffic (port 443)
server {
    listen 443 ssl http2; # Listen for incoming HTTPS requests with HTTP/2 support
    listen [::]:443 ssl; # Listen for incoming HTTPS requests on IPv6

    http2 on; # Enable HTTP/2 protocol
    
    server_name my-domain.com; # Server name

    ssl_certificate /etc/letsencrypt/live/my-domain.com/fullchain.pem; # SSL certificate path
    ssl_certificate_key /etc/letsencrypt/live/my-domain.com/privkey.pem; # SSL certificate key path

    # Configuration for requests to the root URL "/"
    location / {
        proxy_no_cache 1; # Do not cache response
        proxy_cache_bypass 1; # Bypass cache
        proxy_pass http://my_project_server; # Forward requests to the Django application
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Set the X-Forwarded-For header
        proxy_set_header Host $host; # Set the Host header
        proxy_redirect off; # Disable automatic redirect
    }
 
    # Configuration for serving static files
    location /static/ {
        alias /opt/services/djangoapp/static/; # Alias for static files directory
    }
 
    # Configuration for serving media files
    location /media/ {
        alias /opt/services/djangoapp/media/; # Alias for media files directory
    }

    # Configuration for requests to the Martin application
    location /martin/ {
        auth_request /auth/; # Authenticate requests
        proxy_pass http://martin_server/; # Forward requests to the Martin application
        proxy_set_header X-Forwarded-Proto "https"; # Set X-Forwarded-Proto header to https
        proxy_set_header X-Rewrite-URL $uri; # Set X-Rewrite-URL header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Set the X-Forwarded-For header
        proxy_set_header Host $host; # Set the Host header
        proxy_redirect off; # Disable automatic redirect
    }

    # Configuration for handling authentication requests
    location = /auth {
        proxy_pass http://my_project_server/auth; # Forward authentication requests to the Django application
        proxy_pass_request_body off; # Do not pass request body
        proxy_set_header Content-Length ""; # Set Content-Length header
        proxy_set_header X-Original-URI $request_uri; # Set X-Original-URI header
        proxy_set_header Host $host; # Set the Host header
    }

    # Configuration for Certbot ACME challenge
    location /.well-known/acme-challenge/ {
        root /var/www/certbot; # Root directory for Certbot challenges
    }
}

The important part is :

    location /martin/ {
        # Authenticate requests
        auth_request /auth/;  
...
}

and

location = /auth {
        proxy_pass http://my_project_server/auth; # Forward authentication requests to the Django application
        ....
    }

DAJNGO URL :

from django.urls import path
from . import views
from .views import Index,NginxAuthEndpointView

urlpatterns = [
    path("", Index.as_view()),
    path("auth/",  NginxAuthEndpointView.as_view(), name="auth"),
]

DJANGO VIEW :

from django.views.generic import View
from django.http import JsonResponse


class NginxAuthEndpointView(View):
    def get(self, request):
        if request.user.is_authenticated:
            return JsonResponse({'status': 'authenticated'}, status=200)  # Return HTTP 200 if authenticated
        else:
            return JsonResponse({'status': 'unauthenticated'}, status=401)  # Return HTTP 401 if not authenticated
  

DOCKER-COMPOSE yaml

version: '3'

services:

  nginx: 
    restart : unless-stopped
    build:
        context: .
        dockerfile: config/dockerfiles/Dockerfile_nginx # Build Nginx service using Dockerfile_nginx
        
    volumes:
      - ./config/nginx/conf.d:/etc/nginx/conf.d # Mount Nginx configuration
      - static_volume:/opt/services/djangoapp/static # Mount static files directory
      - media_volume:/opt/services/djangoapp/media   # Mount media files directory
      - certbot_data:/etc/letsencrypt  # Mount Certbot data directory
      - certbot_webroot:/var/www/certbot  # Mount Certbot webroot directory

    depends_on: 
      - djangoapp
      - martin

    networks:
      macvlan_network:
        ipv4_address: 192.168.30.xx # Assign static IP address within the Macvlan network

      docker_internal:
        aliases:
          - nginx
    mac_address: XX:XX:XX:XX:XX:XX # Assign MAC address for the Nginx container

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - certbot_data:/etc/letsencrypt # Mount Certbot data directory
      - certbot_webroot:/var/www/certbot # Mount Certbot webroot directory

    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" # Auto-renew SSL certificates every 12 hours
    command: "certonly --webroot --webroot-path=/var/www/certbot -d my-domain.com"  # Issue SSL certificates for specified domain
    environment:
      - CERTBOT_EMAIL=usery@my-domain.com # Set Certbot email
      - CERTBOT_AGREE_TOS=true # Agree to Certbot's terms of service
      - CERTBOT_NO_EFF_EMAIL=true # Prevent EFF (Electronic Frontier Foundation) from sending emails

    depends_on:
      - nginx

    networks:
      - docker_internal

  djangoapp: 
    restart : unless-stopped
    build:
        context: .
        dockerfile: config/dockerfiles/Dockerfile_GeoDjango_python # Build Django application using Dockerfile_GeoDjango_python



    volumes:
      - .:/opt/services/djangoapp/src  # Mount Django source code directory
      - static_volume:/opt/services/djangoapp/static # Mount static files directory
      - media_volume:/opt/services/djangoapp/media  # Mount media files directory

    env_file:
      - config/django/django_env.env  # Load environment variables for Django application

    depends_on:
      - db 
      - martin

    networks:
      - docker_internal 


  db: 
    restart: unless-stopped
    build:
        context: .
        dockerfile: config/dockerfiles/Dockerfile_postgres # Build PostgreSQL service using Dockerfile_postgres
    ports:
      - 5442:5432 # Expose PostgreSQL port on the machine host

    volumes:  
      - ./db_data:/var/lib/postgresql/data # Mount PostgreSQL data directory
    env_file:
      - config/db/db_env.env  # Load environment variables for PostgreSQL

    networks:
      - docker_internal
       

  martin:  
    restart: unless-stopped
    build:
        context: .
        dockerfile: config/dockerfiles/Dockerfile_Martin # Build Martin service using Dockerfile_Martin
    volumes:
      - ./config/nginx/conf.d:/etc/nginx/conf.d  # Mount Nginx configuration directory
      - ./config/martin/settings:/settings  # Mount Martin settings directory
      - ./mbtiles:/mbtiles  # Mount mbtiles directory
      - ./svg_sprites:/svg_sprites  # Mount SVG sprites directory
    
    env_file:
      - config/martin/martin_env  # Load environment variables for Martin

    depends_on:
      - db

    networks:
      - docker_internal

networks:
  macvlan_network:
    driver: macvlan  # Use Macvlan network driver
    driver_opts:
      parent: eth4  # Specify parent interface for Macvlan network (you need to determine that)
    ipam:
      config:
        - subnet: 192.168.30.0/24  # Specify IP subnet for Macvlan network
  
  docker_internal:
    driver: bridge  # Use Bridge network driver


volumes: 
  static_volume:  # Define static files volume
  media_volume:  # Define media files volume
  certbot_data:  # Define Certbot data volume
  certbot_webroot:  # Define Certbot webroot volume

The access to martin in the json style file is not on :3000 port anymore but in /martin

	"my_example_source": {
		"type": "vector",
		"url": "https://my-domain.com/martin/my_example_martin_source",
		"minzoom": 0,
		"maxzoom": 19
	}

[nyurik]

@IncidGeo this is great! Could you perhaps submit it as a PR to the book? The markdown is in the /docs/src dir. Thx!

[IncidGeo]

Okay, I'll figure out how to do it.