From e5142af66063293845fc8de412e326e466130dcf Mon Sep 17 00:00:00 2001
From: John Grubba
Date: Fri, 26 Jul 2024 10:34:01 +0200
Subject: [PATCH] SSL / HTTPS Support
---
docs/advanced/ssl.md | 31 ++++++++++++++++++++++++++++++
mkdocs.yml | 4 ++++
src/Dockerfile | 6 +++++-
src/start.sh | 7 +++++++
src/tools/conf/EmailConfig.py | 2 +-
src/tools/conf/testing_config.json | 2 +-
6 files changed, 49 insertions(+), 3 deletions(-)
create mode 100644 docs/advanced/ssl.md
create mode 100644 src/start.sh
diff --git a/docs/advanced/ssl.md b/docs/advanced/ssl.md
new file mode 100644
index 0000000..38f3704
--- /dev/null
+++ b/docs/advanced/ssl.md
@@ -0,0 +1,31 @@
+If you want to deploy EZAuth you may want to run it via `HTTPS` instead of `HTTP`. This can be easily achieved with EZAuth, by putting certificates in the `config/ssl` directory. The certificates have to be named **`cert.pem` and `key.pem`**. The `cert.pem` file should contain the certificate and the intermediate certificate, while the `key.pem` file should contain the private key.
+
+EZAuth will automatically detect the certificates and run on `HTTPS` instead of `HTTP`. If you want to run EZAuth on `HTTP` again, just remove the certificates from the `config/ssl` directory.
+
+## Self Signing with [MKCert](https://github.com/FiloSottile/mkcert)
+
+If you want to test EZAuth with self-signed certificates, you can use [MKCert](https://github.com/FiloSottile/mkcert).
+
+!!! warning "SSL Certificates"
+ Make sure that the certificates are valid and not self-signed. Browsers will not accept self-signed certificates and will show a warning to the user. Use [Let's Encrypt](https://letsencrypt.org/) or a similar service to get valid certificates.
+
+To generate a self-signed certificate with MKCert, [install MKCert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) and follow the instructions below.
+
+=== "Debian/Ubuntu"
+ Run the following commands to generate a Certificate with MKCert
+
+ ```bash
+ cd config
+ mkdir -p ssl
+ cd ssl
+ mkcert yourdomain.com localhost 127.0.0.1
+ ```
+
+=== "Windows"
+ Create a new folder in the `config` directory called `ssl`. Open a command prompt and navigate to the `config/ssl` directory. Run the following command to generate a Certificate with MKCert
+
+ ```sh
+ mkcert yourdomain.com localhost 127.0.0.1
+ ```
+
+After running the command, you will see two files in the `config/ssl` directory: `yourdomain.com.pem` and `yourdomain.com-key.pem`. Rename the files to `cert.pem` and `key.pem` respectively. Then restart the EZAuth service to apply the changes.
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index 75073b4..36511fe 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -15,6 +15,7 @@ nav:
 - Advanced E-Mail Templating: advanced/email_templates.md
 - Further Customization: advanced/further_custom.md
 - OAuth: advanced/oauth.md
+ - SSL / HTTPS: advanced/ssl.md
 theme:
 name: material
 logo: "ezauth_logo.png"
@@ -54,3 +55,6 @@ markdown_extensions:
 - pymdownx.inlinehilite
 - pymdownx.snippets
 - pymdownx.superfences
+ - pymdownx.tabbed:
+ alternate_style: true
+ - pymdownx.tilde
\ No newline at end of file
diff --git a/src/Dockerfile b/src/Dockerfile
index 925ada7..4455e10 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -13,4 +13,8 @@ RUN pip install --no-cache-dir --upgrade -r /src/app/requirements.txt
 COPY . /src/app
-CMD ["uvicorn", "api.main:app", "--host", "0.0.0.0", "--port", "80", "--log-level", "critical"]
+# Add a startup script
+COPY start.sh /src/app/start.sh
+RUN chmod +x /src/app/start.sh
+
+CMD ["/src/app/start.sh"]
diff --git a/src/start.sh b/src/start.sh
new file mode 100644
index 0000000..547de02
--- /dev/null
+++ b/src/start.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -f "/src/app/config/ssl/key.pem" ] && [ -f "/src/app/config/ssl/cert.pem" ]; then
+ uvicorn api.main:app --host 0.0.0.0 --port 80 --log-level critical --ssl-keyfile /src/app/config/ssl/key.pem --ssl-certfile /src/app/config/ssl/cert.pem
+else
+ uvicorn api.main:app --host 0.0.0.0 --port 80 --log-level critical
+fi
\ No newline at end of file
diff --git a/src/tools/conf/EmailConfig.py b/src/tools/conf/EmailConfig.py
index f5dd795..128f012 100644
--- a/src/tools/conf/EmailConfig.py
+++ b/src/tools/conf/EmailConfig.py
@@ -50,7 +50,7 @@ def validate_values(self) -> None:
 self.sender_email
 )
 )
- if "http" in self.smtp_host or "smtp" in self.smtp_host:
+ if self.smtp_host.startswith("http"):
 raise ValueError(
 "email.smtp_host must not contain `http` or `https` or `smtp` (got {})".format(
 self.smtp_host
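Review bot: The added `COPY start.sh /src/app/start.sh` appears redundant with the `COPY . /src/app` context line directly above it, which already copies the whole build context (and therefore start.sh, unless a .dockerignore excludes it); only the `RUN chmod +x /src/app/start.sh` is needed, or the executable bit can be recorded in git so neither added line is required. A comment on the new CMD such as `# start.sh selects HTTPS when config/ssl/key.pem and cert.pem exist, plain HTTP otherwise` would make the image's runtime behaviour visible from the Dockerfile instead of requiring the reader to open the script.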
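Review bot: Both `uvicorn` invocations run as a child of the `/bin/sh` that becomes PID 1 under the exec-form CMD, so the SIGTERM from `docker stop` is delivered to the shell rather than to uvicorn and the container is only ended by the kill timeout; prefix each branch with `exec` (`exec uvicorn api.main:app --host 0.0.0.0 --port 80 --log-level critical ...`) so uvicorn replaces the shell and handles the signal itself. The `-f` tests only check that the two files exist, not that the process can read them, so an unreadable key.pem still selects the TLS branch and uvicorn then fails at startup; `-r` would surface that before the branch is taken. A header comment such as `# Serve HTTPS when config/ssl/key.pem and cert.pem are present, otherwise plain HTTP` would document the switch, and it is worth noting there that the listener stays on port 80 in both branches, so the externally visible HTTPS port depends entirely on the container's port mapping.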
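Review bot: The error message on the following context line still states that smtp_host must not contain http, https or smtp, but the new condition only rejects values that start with `http`, so the message now contradicts the check this commit deliberately relaxed (a host such as smtp.gmail.com is accepted yet the message says it is forbidden); change it to something like `"email.smtp_host must be a bare hostname, not a URL (got {})"`. `startswith("http")` also rejects any legitimate hostname that merely begins with those letters, so if the intent is to catch URLs, `if self.smtp_host.startswith(("http://", "https://")):` is the more precise test. validate_values begins before this hunk, so any earlier normalisation of smtp_host is not visible here.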
diff --git a/src/tools/conf/testing_config.json b/src/tools/conf/testing_config.json
index f5a4dfe..0819e39 100644
--- a/src/tools/conf/testing_config.json
+++ b/src/tools/conf/testing_config.json
@@ -15,7 +15,7 @@
 "login_usr": "",
 "login_pwd": "",
 "sender_email": "",
- "smtp_host": "",
+ "smtp_host": "smtp.gmail.com",
 "smtp_port": 465
 },
 "session": {
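Review bot: The test fixture now points `smtp_host` at a real third-party mail server, `smtp.gmail.com`, while the surrounding empty `login_usr`, `login_pwd` and `sender_email` suggest the block only needs to pass configuration validation; a reserved name such as `"smtp_host": "smtp.example.com"` satisfies the same check without any test ever resolving or connecting to a production host should one of them open a connection. I am inferring the value was chosen so the fixture passes the relaxed host check in EmailConfig.py; since JSON has no comments, that intent is best recorded in the testing docs next to this file.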