docat
Host a demo somewhere
Host a demo site, where you can see what docat is able to do live! If we want to do this we may also have to implement some very simple authentication (maybe with a token or something like that).
How about hosting a demo on Heroku?
@dinakar29 any ideas how we can prevent this from getting abused? That is the main blocker right now for me. Because we allow arbitrary user upload which we make available, and I would hate to distribute illegal or offensive things.
A few things I can think of:

- Add a Demo Mode feature, wherein we'd allow a user to claim a token, create docs, and have docat let the docs and the token expire in a given amount of time using an auxiliary deletion job (JanitorService or some such thing). For the sake of Demo Mode and to prevent potential abuse, and to best leverage free hosting services, I'd recommend keeping the token expiry and docs expiry to something in the order of minutes (15 mins or so). Here's a simple example of what I am envisioning.

  ```mermaid
  sequenceDiagram
      actor User
      User-->>docat: Requests publishing token
      docat-->>TinyDB: Generates and stores token with request date
      docat-->>User: Returns token
      User-->>docat: Publishes docs with token, or without token via the GUI
      docat-->>TinyDB: Stores docs location, version, and publishing date
      loop JanitorService
          docat-->>TinyDB: Perpetually queries TinyDB for expired docs and tokens and deletes them
      end
  ```

- Integrating reCAPTCHA v3 to prevent incessant spamming from a GUI standpoint.
- Leveraging an OIDC integration so that only authenticated users can access both the API and the GUI. Auth0 and Okta both offer free-tier ID management services. This will also enable trust-based adoption of docat by larger organizations.
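The demo-mode token and JanitorService flow sketched in the comment above, as an added example that is not docat's own code. It stands in a plain dict for the TinyDB tables, takes the current time as a parameter so expiry is deterministic, and uses the 15-minute lifetime suggested in the thread for both tokens and docs (the equal TTLs are an assumption).

```python
"""Added example (not docat's code): demo-mode publishing tokens with expiry
and a janitor pass that removes expired tokens and docs."""
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # 15 minutes, as proposed in the thread
DOCS_TTL_SECONDS = 15 * 60   # assumption: docs live as long as tokens


@dataclass
class DemoStore:
    """Stand-in for the TinyDB tables: token -> issue time, (project, version) -> publish time."""
    tokens: dict = field(default_factory=dict)
    docs: dict = field(default_factory=dict)


def request_token(store: DemoStore, now: float) -> str:
    """Generate an unguessable publishing token and record when it was issued."""
    token = secrets.token_urlsafe(32)
    store.tokens[token] = now
    return token


def publish(store: DemoStore, token: str, project: str, version: str, now: float) -> bool:
    """Accept an upload only for a known, unexpired token; record the publish time."""
    issued = store.tokens.get(token)
    if issued is None or now - issued > TOKEN_TTL_SECONDS:
        return False  # unknown or expired token: reject before touching the docs table
    store.docs[(project, version)] = now
    return True


def janitor(store: DemoStore, now: float) -> tuple[int, int]:
    """One JanitorService pass: delete expired tokens and docs, return counts removed."""
    expired_tokens = [t for t, issued in store.tokens.items()
                      if now - issued > TOKEN_TTL_SECONDS]
    expired_docs = [k for k, published in store.docs.items()
                    if now - published > DOCS_TTL_SECONDS]
    for t in expired_tokens:
        del store.tokens[t]
    for k in expired_docs:
        del store.docs[k]  # a real deployment would also remove the files on disk
    return len(expired_tokens), len(expired_docs)
```

In a deployment the janitor would run on a schedule (a thread or cron job) against the real store and the upload directory.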
We could just add an nginx with basic auth on all post requests, that would be pretty simple: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
Basic authentication would not enable other users (on the hosted website) to be able to upload their files and be able to see their own documentation for the short timespan that their documentation is alive, as in the example of @dinakar29.
But that depends totally on what type of hosting we want to do. If, for example, the Docat documentation would be hosted in a Docat server on Heroku, that would also showcase Docat. Adding the possibility for other users to host their own documentation would bring much more security and thus complexity.
But I'd be happy to work on an OAuth system that would need a username and password for claiming, uploading and deleting a project (and possibly limiting the number of projects of a user).
Otherwise, Nginx basic authentication is also something I could do, because I would need to do that anyway for my own use case.
For this as a demo, it could be docat + keycloak + gatekeeper.
Using gatekeeper as a sidecar inside a k8s env is good to have as well, to connect to an external keycloak in a production env.
And it would be good to support it natively in the docat code with OAuth2; to be more specific, I am interested in connecting it with keycloak (OAuth2).
@randombenj I think basic auth in nginx might not be enough because we still need to clean up old files created by visitors of the demo.
I could imagine a cleanup job like @cicdguy mentioned. Maybe even a simple cronjob that deletes the documents every 10 minutes would be enough. I've seen similar things in other demos.
Another idea: What about preventing users from uploading documents at all and we only show them a set of demo documents?