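# Compose overlay that switches on authentication/authorization for the
# broker (EMQX), the REST API (PostgREST) and the JWT issuer service.
# All three share one HMAC secret, PONTOS_JWT_SECRET, taken from the
# environment. The `${VAR:?msg}` form makes `docker compose` abort with a
# clear message when the variable is unset or empty instead of silently
# expanding it to "" and starting the stack with an empty signing key.
version: "3.8"
services:
  # Broker
  emqx:
    environment:
      # Applying authn/authz only to the websocket listener as that is the only one publicly exposed
      - EMQX_LISTENERS__WS__DEFAULT__ENABLE_AUTHN=true
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__ENABLE=true
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__MECHANISM=jwt
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__ALGORITHM=hmac-based
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__USE_JWKS=false
      # The surrounding double quotes are part of the value on purpose: EMQX
      # parses env overrides as HOCON, so a secret containing characters such
      # as ':' or '#' is only safe when quoted. Compose does not strip them.
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__SECRET="${PONTOS_JWT_SECRET:?PONTOS_JWT_SECRET must be set}"
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__SECRET_BASE64_ENCODED=false
      # '$$' is the Compose escape for a literal '$', so EMQX receives the
      # placeholder ${username} and binds the JWT 'sub' claim to the MQTT username.
      - EMQX_LISTENERS__WS__DEFAULT__AUTHENTICATION__1__VERIFY_CLAIMS={sub:"$${username}"}
      # Authorization must be global
      # Default-deny, and drop the connection on a denied action rather than
      # silently ignoring the publish/subscribe.
      - EMQX_AUTHORIZATION__NO_MATCH=deny
      - EMQX_AUTHORIZATION__DENY_ACTION=disconnect
    volumes:
      - ./broker/acl.conf:/opt/emqx/etc/acl.conf
  # REST api
  api:
    environment:
      - PGRST_DB_ANON_ROLE=web_anon # Does NOT have read permissions!
      - PGRST_OPENAPI_MODE=ignore-privileges # But we anyway show docs for the full API
      - PGRST_OPENAPI_SECURITY_ACTIVE=true # And allow to manually input a JWT
      # Same HMAC key as the broker and the issuer. PostgREST rejects HS256
      # secrets shorter than 32 characters, so keep PONTOS_JWT_SECRET long.
      - PGRST_JWT_SECRET=${PONTOS_JWT_SECRET:?PONTOS_JWT_SECRET must be set}
      - PGRST_JWT_SECRET_IS_BASE64=false
  # JWT issuer
  jwt:
    build:
      context: ./auth
    restart: unless-stopped
    environment:
      # NOTE(review): with the list form of `environment`, Compose passes the
      # double quotes through literally, so the service sees `"pontos-hub"`
      # including the quotes — confirm the ./auth image strips them, or drop them.
      - JWT_ISSUER="pontos-hub"
      # Tokens stay valid for a month after issue; nothing in this file
      # shortens or revokes them, so rotating PONTOS_JWT_SECRET is the only
      # way to invalidate issued tokens early.
      - JWT_EXPIRY=1M # 1 month
      - JWT_SECRET=${PONTOS_JWT_SECRET:?PONTOS_JWT_SECRET must be set}
      # Claims baked into every issued token; 'role' is what PostgREST
      # switches to, 'sub' is what the broker matches against the username.
      - JWT_CLAIM_role=web_user
      - JWT_CLAIM_sub=__token__
      # Empty value to make sure we overwrite anything that comes through shell2http
      - JWT_CLAIM_acl=
    labels:
      - "pontos.expose=true"
      - "traefik.http.routers.jwt.rule=PathPrefix(`/token`)"
      - "traefik.http.routers.jwt.entryPoints=web"
      - "traefik.http.middlewares.jwt-stripprefix.stripprefix.prefixes=/token"
      - "traefik.http.routers.jwt.middlewares=jwt-stripprefix@docker"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"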