Serve on docs.restate.dev

.gitignore

@@ -6,6 +6,7 @@
 
 # Generated files
 .docusaurus
+.netlify
 .cache-loader
 
 # Misc

docker/Dockerfile

@@ -16,6 +16,6 @@ RUN yarn build
 FROM nginx:stable-alpine as deploy
 WORKDIR /restate-documentation
 # Copy what we've built from production
-COPY --from=builder /restate-documentation/build /usr/share/nginx/html/docs
+COPY --from=builder /restate-documentation/build /usr/share/nginx/html/
 # Update nginx configuration
 COPY --from=builder /restate-documentation/docker/nginx.conf /etc/nginx/

docker/nginx.conf

@@ -36,9 +36,12 @@ http {
         # keep request port
         absolute_redirect off;
 
-        # redirect to /docs path which is the base url of the documentation
-        location = / {
-            return 301 /docs;
+        # redirect /docs/ to / as some browsers may have the old /docs/ redirect cached
+        location = /docs/ {
+            return 301 /;
+        }
+        location = /docs {
+           return 301 /;
         }
     }
 }

docs/deployment-operations/errors.md

@@ -72,7 +72,7 @@ Make sure, when updating a service endpoint, to assign it a new uri.
 
 You can force the override using the `"force": true` field in the discover request, but beware that this can lead in-flight invocations to an unrecoverable error state.  
 
-See the [versioning documentation](http://restate.dev/docs/deployment-operations/versioning) for more information.
+See the [versioning documentation](./versioning) for more information.
 
 ## META0005 {#META0005}
 
@@ -89,7 +89,7 @@ When implementing a new service revision, make sure that:
 * The service instance type and the key definition, if any, is exactly the same as of the previous revisions.
 * The Protobuf contract and message definitions are backward compatible.
 
-See the [versioning documentation](http://restate.dev/docs/deployment-operations/versioning) for more information.
+See the [versioning documentation](./versioning) for more information.
 
 ## RT0001 {#RT0001}
 
@@ -105,7 +105,7 @@ Suggestions:
 
 Cannot start Restate because the configuration cannot be parsed. Check the configuration file and the environment variables provided.
 
-For a complete list of configuration options, and a sample configuration, check http://restate.dev/docs/deployment-operations/configuration
+For a complete list of configuration options, and a sample configuration, check http://docs.restate.dev/deployment-operations/configuration
 
 ## RT0003 {#RT0003}
 

docusaurus.config.js

@@ -25,10 +25,10 @@ const config = {
   favicon: 'img/favicon.ico',
 
   // Set the production url of your site here
-  url: 'https://restate.dev',
+  url: 'https://docs.restate.dev',
   // Set the /<baseUrl>/ pathname under which your site is served
   // For GitHub pages deployment, it is often '/<projectName>/'
-  baseUrl: '/docs',
+  baseUrl: '/',
 
   // GitHub pages deployment config.
   // If you aren't using GitHub pages, you don't need these.

netlify.toml

@@ -0,0 +1,4 @@
+[[edge_functions]]
+function = "auth"
+path = "/*"
+excludedPath = "/oauth"

netlify/edge-functions/auth.ts

@@ -0,0 +1,108 @@
+import type {Context} from "https://edge.netlify.com";
+import {create, verify} from "https://deno.land/x/[email protected]/mod.ts";
+import {getCookies, setCookie} from "https://deno.land/[email protected]/http/cookie.ts";
+
+const deploy_context = Deno.env.get("DEPLOY_CONTEXT");
+const client_id = Deno.env.get("GITHUB_CLIENT_ID");
+const client_secret = Deno.env.get("GITHUB_CLIENT_SECRET");
+const allowlist = new Set((Deno.env.get("GITHUB_ALLOWLIST") || "").split(","));
+const jwt_secret = Deno.env.get("JWT_SECRET")
+
+const login = async (context: Context, code: string, key: CryptoKey) => {
+  const token_response = await fetch(
+    "https://github.com/login/oauth/access_token",
+    {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "user-agent": "cloudflare-worker-github-oauth-login-demo",
+        accept: "application/json",
+      },
+      body: JSON.stringify({client_id, client_secret, code}),
+    }
+  );
+  const token_result = await token_response.json();
+  const headers = {
+    "Access-Control-Allow-Origin": "*",
+  };
+
+  if (token_result.error) {
+    return new Response(JSON.stringify(token_result), {status: 401, headers});
+  }
+
+  const user_response = await fetch(
+    "https://api.github.com/user",
+    {
+      method: "GET",
+      headers: {
+        "user-agent": "cloudflare-worker-github-oauth-login-demo",
+        accept: "application/vnd.github+json",
+      },
+    }
+  );
+
+  const user_result = await user_response.json();
+
+  if (!user_result.login) {
+    return new Response("No login found in user response from GitHub", {status: 500, headers});
+  }
+
+  // issue a jwt to avoid having to do a github api call on every request
+  const jwt = await create({alg: "HS512", typ: "JWT"}, {aud: user_result.login}, key)
+
+  const next = await context.next();
+  setCookie(next.headers, {name: "RESTATE_DOCS", value: jwt})
+
+  return next
+}
+
+const redirect = Response.redirect(`https://github.com/login/oauth/authorize?client_id=${client_id}`, 302)
+
+export default async (request: Request, context: Context) => {
+  if (!(deploy_context === "PRODUCTION" || deploy_context === "LOCAL")) {
+    // there's no way to do oauth on branch or preview builds as url is unpredictable; we use passwords there instead
+    // for local we use a different github oauth app that redirects to localhost:8888
+    return context.next()
+  }
+
+  const key = await crypto.subtle.importKey("jwk", {
+      alg: "HS512", ext: true,
+      k: jwt_secret,
+      key_ops: [
+        "sign",
+        "verify"
+      ],
+      kty: "oct"
+    },
+    {name: "HMAC", hash: "SHA-512"},
+    true,
+    ["sign", "verify"],
+  )
+
+  const code = new URL(request.url).searchParams.get("code");
+
+  if (code) {
+    // this is a redirect from github auth; process the code
+    return login(context, code, key);
+  }
+
+  // no code, check for jwt
+
+  const cookies = getCookies(request.headers);
+  if (!cookies.RESTATE_DOCS) {
+    // no code or cookie, login flow
+    return redirect
+  }
+
+  const payload = await verify(cookies.RESTATE_DOCS, key)
+  if (!payload.login) {
+    // weird payload, get them to oauth
+    return redirect
+  }
+  if (!payload.aud || !(typeof payload.aud == "string") || !allowlist.has(payload.aud)) {
+    return new Response("GitHub user not allowlisted.", {status: 403})
+  }
+
+  // load page
+  return context.next()
+}