chenkins · chenkins · May 11, 2023 · Jun 28, 2023
diff --git a/backend/README.md b/backend/README.md
@@ -13,6 +13,15 @@ mvn clean quarkus:dev
 
 > **_NOTE:_**  Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/.
 
+To use proxyman for debgging, add the following lines to `/etc/hosts`:
+```
+127.0.0.1 proxyman.local
+::1 proxyman.local
+```
+Some browsers do not forward any requests to `localhost`, see [Proxyman Documentation](https://docs.proxyman.io/troubleshooting/couldnt-see-any-request-from-localhost-server) for more information.
+Caveat: `Proxyman` seems to modify some requests and invalidate JWT signatures. To be confirmed.
+
+
 ### Accessing Keycloak (Port 8180)
 
 During development, Keycloak is started as a Quarkus Dev Service using port 8180. When using alternative ports, you can also find it via [http://localhost:8080/q/dev](http://localhost:8080/q/dev).

diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -11,16 +11,28 @@ hub.public-root-path=${quarkus.http.root-path}
 
 # Connection Params for Keycloak Public Client (quarkus.oidc.auth-server-url may use network-private hostname)
 # `public-url` is used in the frontend (js), `local-url` in the backend. Maybe the same URL, but does not have to be.
+
+# If using proxyman.local for use with proxyman, start keycloak separately, see docker-compose.yml
+# uncomment to use proxyman.local setup
 hub.keycloak.public-url=http://localhost:8180
 hub.keycloak.local-url=http://localhost:8180
+
+#hub.keycloak.public-url=http://proxyman.local:8180
+#hub.keycloak.local-url=http://proxyman.local:8180
+#quarkus.oidc.auth-server-url=http://proxyman.local:8180/realms/cryptomator
 hub.keycloak.realm=cryptomator
 
 hub.managed-instance=false
 
 quarkus.resteasy-reactive.path=/api
 %test.quarkus.resteasy-reactive.path=/
 
+# uncomment to use proxyman.local setup
+# quarkus.http.host=proxyman.local
 quarkus.http.port=8080
+quarkus.http.access-log.enabled=true
+%dev.quarkus.log.level=INFO
+#%dev.quarkus.log.level=TRACE
 
 quarkus.oidc.application-type=service
 quarkus.oidc.client-id=cryptomatorhub
@@ -70,15 +82,15 @@ quarkus.flyway.locations=classpath:org/cryptomator/hub/flyway
 
 # Allow cross-origin requests in DEV profile
 %dev.quarkus.http.cors=true
-%dev.quarkus.http.cors.origins=http://localhost:3000,http//localhost:8080
+%dev.quarkus.http.cors.origins=http://localhost:3000,http//localhost:8080,http://proxyman.local:3000,http//proxyman.local:8080
 
 %test.quarkus.application.version=TEST_VERSION_3000
 
 # HTTP Security Headers see e.g. https://owasp.org/www-project-secure-headers/#div-bestpractices
 quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
-%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org localhost:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
+%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org localhost:8180 proxyman.local:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
 # dev-ui needs very permissive CSP:
-# %dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org localhost:8180;
+# %dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org localhost:8180 proxyman.local:8180;
 quarkus.http.header."Referrer-Policy".value=no-referrer
 quarkus.http.header."Strict-Transport-Security".value=max-age=31536000; includeSubDomains
 quarkus.http.header."X-Content-Type-Options".value=nosniff

diff --git a/backend/src/main/resources/dev-realm.json b/backend/src/main/resources/dev-realm.json
@@ -79,6 +79,23 @@
       "realmRoles": [
         "syncer"
       ]
+    },
+    {
+      "username": "user001",
+      "email": "user001@localhost",
+      "enabled": true,
+      "attributes": {
+        "picture": "https://cryptomator.org/img/logo.svg"
+      },
+      "credentials": [
+        {
+          "type": "password",
+          "value": "1234"
+        }
+      ],
+      "realmRoles": [
+        "user"
+      ]
     }
   ],
   "scopeMappings": [
@@ -99,7 +116,9 @@
       "enabled": true,
       "redirectUris": [
         "http://localhost:8080/*",
-        "http://localhost:3000/*"
+        "http://localhost:3000/*",
+        "http://proxyman.local:3000/*",
+        "http://proxyman.local:8080/*"
       ],
       "webOrigins": [
         "+"
@@ -145,7 +164,8 @@
       "name": "Cryptomator App",
       "enabled": true,
       "redirectUris": [
-        "http://127.0.0.1/*"
+        "http://127.0.0.1/*",
+        "http://proxyman.local:8080/*"
       ],
       "webOrigins": [
         "+"
@@ -155,7 +175,35 @@
       "protocol": "openid-connect",
       "attributes": {
         "pkce.code.challenge.method": "S256"
-      }
+      },
+      "directAccessGrantsEnabled": true,
+      "protocolMappers": [
+        {
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true",
+            "usermodel.clientRoleMapping.clientId": "cryptomatorhub"
+          }
+        }
+      ]
     }
   ],
   "browserSecurityHeaders": {

diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
@@ -33,6 +33,8 @@ export default defineConfig({
     port: 3000,
     strictPort: true,
     proxy: {
+      // uncomment to use proxyman.local setup:
+      //'/api/': 'http://proxyman.local:8080'
       '/api/': 'http://127.0.0.1:8080'
     }
   }