first commit

Author: Bacto

.env-example

@@ -0,0 +1,3 @@
+MOSQUITTO_SERVER=XXXXX.stackhero-network.com
+MOSQUITTO_USERNAME=xxxxxxxxx
+MOSQUITTO_PASSWORD=xxxxxxxxx

.gitignore

@@ -0,0 +1,7 @@
+.DS_Store
+node_modules/
+git-crypt.key
+yarn.lock
+package-lock.json
+*.log
+.env

README.md

@@ -0,0 +1,67 @@
+# Getting started with Mosquitto
+
+You'll find in this repository two applications.
+
+The `client.js` is a MQTT client that will show you how to connect, publish and subscribe to a MQTT server.
+
+The `authenticationServer.js` is an API written with Express that will allow you to handle MQTT users authentication in a simple and powerful way.
+You'll get more informations about the API authentication on [Stackhero's documentation](https://www.stackhero.io/documentations/).
+
+## The client
+
+To use the client, you have to fill the file `.env-example` and then rename the file `.env`.
+Then simply run `node client.js` (or `npm run client`).
+
+
+## The authentication server
+
+The authentication server has to be accessible from your Mosquitto instance. It means that you can't run it directly on your computer.
+The simplest way to run it is to create a Node.js service on Stackhero and push the example to it.
+
+Here are the detailed procedure to do that in only 5 minutes.
+
+### 1. Create a Node.js service
+
+In stackhero, create a Node.js service. You can select LTS or CURRENT version, both will work, but we recommend the LTS one.
+Add your SSH public key in configuration and validate the configuration.
+
+
+### 2. Clone the app
+
+On your computer, clone this project:
+
+```
+git clone https://github.com/stackhero-io/mosquittoApiAuthentication.git
+cd mosquittoApiAuthentication
+```
+
+It's a good idea to check the `app.js` file content and change the default passwords, to avoid that someone connects to your Mosquitto server.
+
+
+### 3. Deploy the app
+
+From your Node.js service, in Stackhero's console, copy the `git remote command` and paste it to the cloned app directory (you'll have to do that only the first time).
+
+Then, deploy the app: `git push -u stackhero`
+
+If you want to change the `app.js` content, you'll have to commit the changes (`git add -A . && git commit`) then redeploy your app with `git push -u stackhero`.
+
+
+### 4. Configure your Mosquitto service
+
+In your Mosquitto's service configuration, enable `API authentication` and copy this configuration:
+  - Host: put your Node.js endpoint domain (XXXXXX.stackhero-network.com)
+  - Protocol: `HTTPS`
+  - Port: `443`
+  - User route: `/user`
+  - Super user route: `/superUser`
+  - ACLs route: `/acls`
+
+Validate the configuration and voila! Your Mosquitto is now using this Node.js API to validate devices authentication and ACLs!
+Note that if you defined users in your Mosquitto's service configuration, those users are still authorized too (but without ACLs rules).
+
+
+You now have a way to handle devices authentication directly with an app.
+You can now modify this code to check permissions, for example, in a database, letting you handle tons of devices in a dynamic way!
+
+Enjoy your code!

authenticationServer.js

@@ -0,0 +1,159 @@
+const express = require('express');
+const bodyParser = require('body-parser');
+const mqttWildcard = require('mqtt-wildcard');
+const app = express();
+app.use(bodyParser());
+const port = 8080;
+
+const users = [
+  {
+    login: 'testUser',
+    password: 'testPassword',
+    isSuper: false,
+    acls: [
+      {
+        topic: 'users/testUser/#',
+        permissions: [ 'read', 'write', 'subscribe' ] // Can be "read", "write" or "subscribe"
+      },
+      {
+        topic: 'global',
+        permissions: [ 'write', 'read', 'subscribe' ]
+      }
+    ]
+  },
+  {
+    login: 'testUser2',
+    password: 'testPassword2',
+    isSuper: false,
+    acls: [
+      {
+        topic: 'users/testUser2/#',
+        permissions: [ 'read', 'write', 'subscribe' ] // Can be "read", "write" or "subscribe"
+      },
+      {
+        topic: 'global',
+        permissions: [ 'write', 'read', 'subscribe' ]
+      }
+    ]
+  }
+];
+
+
+// Define POST route "/user"
+// This route will be used to check the user login and password
+app.post(
+  '/user',
+  (req, res) => {
+    // Mosquitto sends us the username and the password
+    const { username, password } = req.body;
+
+    // We try to find the user
+    const userFound = users.find(user => user.login === username && user.password === password);
+
+    // We send a 200 if the authentication succeed or 401 else
+    if (userFound) {
+      return res.status(200).send();
+    }
+    else {
+      console.warn(`⛔️ User ${username} doesn't exist or password is incorrect`);
+      return res.status(401).send();
+    }
+  }
+);
+
+
+// Define POST route "/superUser"
+// This route will be used to check if the user is a super user or not
+app.post(
+  '/superUser',
+  (req, res) => {
+    // Mosquitto sends us the username
+    const { username } = req.body;
+
+    // We try to find the user and check if he's a super user
+    const userFound = users.find(user => user.login === username);
+
+    // We send a 200 if he is a super user or 401 else
+    if (userFound && userFound.isSuper) {
+      return res.status(200).send();
+    }
+    else {
+      return res.status(401).send();
+    }
+  }
+);
+
+
+// Define POST route "/acls"
+// This route will be used to check the topic ACL
+app.post(
+  '/acls',
+  (req, res) => {
+    const { username, topic, clientId, acc } = req.body;
+
+    // "acc" represents the type of access required by the client to this topic
+    // - 1: read
+    // - 2: write
+    // - 3: read and write
+    // - 4: subscribe
+
+    const accToPermissions = {
+      1: [ 'read' ],
+      2: [ 'write' ],
+      3: [ 'read', 'write' ],
+      4: [ 'subscribe' ]
+    }
+
+    const allowed = users.find(user => {
+      if (user.login !== username) {
+        return false;
+      }
+
+      const aclValidated = user.acls.find(
+        acl => mqttWildcard(topic, acl.topic) !== null
+        && accToPermissions[acc].every(v => acl.permissions.includes(v))
+      );
+      return aclValidated;
+    });
+
+    if (allowed) {
+      return res.status(200).send();
+    }
+    else {
+      console.warn(`⛔️ Error when checking ACL for user ${username} on topic ${topic} with permission "${acc}"`);
+      return res.status(401).send();
+    }
+  }
+);
+
+
+
+// Start Express server
+const server = app.listen(port);
+
+// You'll see this log directly on your Stackhero's console
+console.log('🎉 The app has just start!');
+
+// Handle termination signal
+// When you'll push your code to Stackhero, we'll send a termination signal (SIGTERM).
+// The goal is to let you close cleanly connections from Express, connections to databases etc...
+process.on('SIGTERM', () => {
+  // You'll see this log directly on your Stackhero's console
+  console.info('😯 SIGTERM signal received.');
+
+  // Close the server and all connections
+  server.close(
+    err => {
+      if (err) {
+        // You'll see this log directly on your Stackhero's console
+        console.error(err);
+        process.exit(1);
+      }
+      else {
+        // You'll see this log directly on your Stackhero's console
+        console.log('👋 Exit the app with status code 0');
+        process.exit(0);
+      }
+    }
+  );
+});

client.js

@@ -0,0 +1,51 @@
+require('dotenv').config()
+const mqtt = require('mqtt');
+
+if (!process.env.MOSQUITTO_SERVER) {
+  throw Error('You should first fill the .env-example file and rename it to .env');
+}
+
+// Connection to MQTT server
+const client = mqtt.connect(
+  'mqtts://' + process.env.MOSQUITTO_SERVER,
+  {
+    username: process.env.MOSQUITTO_USERNAME,
+    password: process.env.MOSQUITTO_PASSWORD,
+    clean: true
+  }
+);
+
+
+// This callback will be executed when a message is received on topics you subscribed (see client.subscribe below)
+client.on('message', (topic, message) => {
+  // message is Buffer
+  console.log(`[${topic}]: ${message.toString()}`);
+})
+
+
+// Fired when connection to MQTT is done
+client.on('connect', () => {
+
+  // We subscribe to the topic "global"
+  client.subscribe('global', (err, granted) => {
+    if (err) { throw err; }
+
+    if (granted.find(({ qos }) => qos === 128)) {
+      throw Error(`Permission error when subscribing: ${JSON.stringify(granted)}`);
+    }
+  });
+
+
+  // We publish to the topic "global"
+  client.publish('global', 'Hello everyone!', { qos: 2 }, err => {
+    if (err) { throw err; }
+  });
+
+
+  // We publish to as user topic
+  client.publish('users/testUser/sensor1', '123', { qos: 2 }, err => {
+    if (err) { throw err; }
+  });
+
+  // Note: we can publish to a topic without "write" rights. MQTT will ignore the message without informing us.
+})

package.json

@@ -0,0 +1,15 @@
+{
+  "name": "mosquitto-api-authentication",
+  "version": "1.0.0",
+  "main": "app.js",
+  "license": "MIT",
+  "scripts": {
+    "start": "node authenticationServer.js",
+    "client": "node client.js"
+  },
+  "dependencies": {
+    "body-parser": "^1.18.3",
+    "express": "^4.16.4",
+    "mqtt-wildcard": "^3.0.9"
+  }
+}