Host a demo somewhere

[randombenj]

Host a demo site, where you can see what docat is able to do live!
If we want to do this we may also have to implement some very simple authentication
(maybe with a token or something like that).

[cicdguy]

How about hosting a demo on Heroku?

[fliiiix]

@dinakar29 any ideas how we can prevent this from getting abused? That is the main blocker right now for me.
Because we allow arbitrary user upload which we make available and i would hate to distribute illegal or offensive things

[cicdguy]

A few things I can think of:

1. Add a Demo Mode feature, wherein we'd allow a user to claim a token, create docs, and have docat let the docs and the token expire in a given amount of time using an auxiliary deletion job (JanitorService or some such thing). For the sake of Demo Mode and to prevent potential abuse, and to best leverage free hosting services, I'd recommend keeping the token expiry and docs expiry to something in the order of minutes (15 mins or so). Here's a simple example of what I am envisioning.

   sequenceDiagram
       actor User
       User-->>docat: Requests publishing token
       docat-->>TinyDB: Generates and stores token with request date
       docat-->>User: Returns token
       User-->>docat: Publishes docs with token, or without token via the GUI
       docat-->>TinyDB: Stores docs location, version, and publishing date
       loop JanitorService
     	  docat-->>TinyDB: Perpetually queries TinyDB for expired docs and tokens and deletes them
       end
   

   Loading

2. Integrating reCAPTCHA v3 to prevent incessant spamming from a GUI standpoint.

3. Leveraging an OIDC integration so that only authenticated users can access both the API and the GUI. Auth0 and Okta both offer free-tier ID management services. This will also enable trust-based adoption of docat by larger organizations.

[randombenj]

We could just add an nginx with basic auth on all post requests, that would be pretty simple:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

[feefladder]

Basic authenyification would not enable other users (on the hosted website) to be able to upload their files and be able to see their own documentation for the short timespan that their documentation is alive as in the example of @dinakar29.

But that depends totally on what type of hosting we want to do. If, for example, the Docat documentation would be hosted in a Docat server on Heroku, that would also showcase Docat. Adding the possibility for other users to host their own documentation would bring much more security and thus complexity.

But I'd be happy to work on an OAuth system that would need a username and password for claiming, uploading and deleting a project (and possibly limiting the number of projects of a user).

Otherwise, Nginx basic authentification is also something I could do, because I would need to do that anyways for my own usecase.

[larrycai]

For this as demo, could be docat + keycloak + gatekeeper

Using gatekeeper as sidecar inside k8s env is good to have as well to connect to external keycloak in production env.

And it will be good to support natively in docat code with oauth2, to be more specific, i am interesting to connect it with keycloak (oauth2)

[veitenti]

@randombenj I think basic auth in nginx might not be enough because we still need to clean up old files created by visitors of the demo.

I could image a cleanup job like @cicdguy mentioned. Maybe even a simple cronjob that deletes the documents every 10 minutes would be enough. I've seen similar things in other demos.

Another idea: What about preventing users from uploading documents at all and we only show them a set of demo documents?