
TiddlyWiki

Learn how to add authentication and authorization to an instance of TiddlyWiki on NodeJS with Pomerium.

What is TiddlyWiki on Node.js

TiddlyWiki is a personal wiki and a non-linear notebook for organizing and sharing complex information. It is available in two forms:

You will use the Node.js application in this guide.

Authentication with Pomerium

TiddlyWiki allows you to authenticate users with the authenticated-user-header parameter of the listen command. Pomerium provides the ability to log in with well-known identity providers (IdPs).

Pomerium can forward specific user session data to upstream applications. In the case of this guide, Pomerium will forward the email associated with your IdP to TiddlyWiki.

Set up your environment

To complete this guide, you need:

Refer to the quick-start guide for more information on how to run Pomerium Core with Docker and Docker Compose.

Configure Pomerium

Add the following code in your config.yaml file:

config.yaml
jwt_claims_headers: email
routes:
  - from: https://wiki.example.local
    to: http://tiddlywiki:8080
    policy:
      - allow:
          or:
            - email:
                is: reader@example.com
            - email:
                is: writer@example.com

The jwt_claims_headers setting forwards the email associated with your IdP session to TiddlyWiki in an HTTP request header (x-pomerium-claim-email).

The policy above allows only the two emails specified (reader@example.com and writer@example.com); for those users, Pomerium forwards the email to TiddlyWiki.

Configure Docker-Compose

Add the following code in your docker-compose.yaml file:

docker-compose.yaml
version: "3"

services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      # Mount the Pomerium configuration read-only
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  tiddlywiki_init:
    image: elasticdog/tiddlywiki:latest
    volumes:
      - ./wiki:/tiddlywiki
    command: ['mywiki', '--init', 'server']

  tiddlywiki:
    image: elasticdog/tiddlywiki:latest
    ports:
      # Pomerium reaches this service as tiddlywiki:8080 on the compose network,
      # so publishing the port is not required. Anything that can reach 8080
      # directly can set x-pomerium-claim-email itself, so keep this mapping
      # local-only or remove it once you have finished testing.
      - 8080:8080
    volumes:
      - ./wiki:/tiddlywiki
    command:
      - mywiki
      - --listen
      - host=0.0.0.0
      - authenticated-user-header=x-pomerium-claim-email
      - readers=reader@example.com
      - writers=writer@example.com
      - username=<reader/writer@example.com>
      - password=password
    depends_on:
      - tiddlywiki_init

Here is what the code is doing:

  • mywiki --listen host=0.0.0.0 starts the TiddlyWiki server bound to all interfaces (0.0.0.0) on port 8080
  • authenticated-user-header=x-pomerium-claim-email tells TiddlyWiki which request header carries the user's email address from Pomerium
  • readers and writers authorize the listed users to read and/or write to the TiddlyWiki server
  • username and password specify which user can access TiddlyWiki in a session; excluding these variables will result in a 401 error

Run docker-compose up.

Test your routes

Navigate to your TiddlyWiki instance (e.g. https://wiki.example.local) and log in using the following usernames:

  • If you log in as reader@example.com, you can only read tiddlers
  • If you log in as writer@example.com, you can read and write tiddlers
  • If you log in as user@example.com, you will receive a 401 error
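The two authorization hops above (Pomerium's policy and header forwarding, then TiddlyWiki's readers/writers check on the forwarded header) can be checked offline with the following model. It is an added example, not Pomerium's or TiddlyWiki's own code; it assumes Pomerium overwrites any client-supplied claim header before forwarding, and it uses the guide's reported 401 for a policy denial.

```javascript
// Added example (not Pomerium's or TiddlyWiki's code): models the guide's
// two authorization hops so the outcomes under "Test your routes" can be checked.
const POLICY_ALLOWED = new Set(['reader@example.com', 'writer@example.com']);
const LISTEN = {
  authenticatedUserHeader: 'x-pomerium-claim-email',
  readers: ['reader@example.com'],
  writers: ['writer@example.com'],
};

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Hop 1: Pomerium. `sessionEmail` is the email claim from the IdP session
// (null when not logged in); `clientHeaders` are the raw request headers.
function pomerium(sessionEmail, clientHeaders) {
  if (!sessionEmail) return { status: 302, access: 'none' }; // redirect to IdP login
  if (!POLICY_ALLOWED.has(sessionEmail)) return { status: 401, access: 'none' }; // guide reports 401
  // Assumption: any client-supplied x-pomerium-* header is dropped, then the
  // claim is set from the verified session, so the header cannot be forged here.
  const upstream = {};
  for (const [k, v] of Object.entries(lowerKeys(clientHeaders))) {
    if (!k.startsWith('x-pomerium-')) upstream[k] = v;
  }
  upstream[LISTEN.authenticatedUserHeader] = sessionEmail;
  return { status: 200, upstreamHeaders: upstream };
}

// Hop 2: TiddlyWiki with the --listen parameters from the guide. It trusts the
// header unconditionally, which is why port 8080 must only be reachable by Pomerium.
function tiddlywiki(headers) {
  const user = headers[LISTEN.authenticatedUserHeader];
  if (!user) return { status: 401, access: 'none' };
  if (LISTEN.writers.includes(user)) return { status: 200, access: 'read-write' };
  if (LISTEN.readers.includes(user)) return { status: 200, access: 'read-only' };
  return { status: 401, access: 'none' };
}

// A request through the public route: https://wiki.example.local -> Pomerium -> TiddlyWiki.
function viaPomerium(sessionEmail, clientHeaders = {}) {
  const edge = pomerium(sessionEmail, clientHeaders);
  return edge.status === 200 ? tiddlywiki(edge.upstreamHeaders) : edge;
}

// A request that reaches port 8080 directly, bypassing Pomerium entirely.
function direct(clientHeaders = {}) {
  return tiddlywiki(lowerKeys(clientHeaders));
}
```

Running `direct({ 'X-Pomerium-Claim-Email': 'writer@example.com' })` returns read-write access with no login at all, which is the concrete reason not to expose port 8080 beyond the compose network.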