feat: set app parameter forceGlobalSecureRequests = true forcing requests to go through https

docs: update INSTALL.md to include SSL certificate requirement + update install instructions

feat: set app parameter forceGlobalSecureRequests = true forcing requests to go through https
d9dff1b8 · Yassine Doghri · fad06e69 · d9dff1b8 · d9dff1b8 · d9dff1b8
Unverified Commit d9dff1b8 authored 3 years ago by Yassine Doghri
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -6,7 +6,9 @@ or shared hosting, you can install it on most PHP-MySQL compatible web servers.
 ## Table of contents <!-- omit in toc -->

 - [Install instructions](#install-instructions)
-  - [(optional) Manual configuration](#optional-manual-configuration)
+  - [0. Pre-requisites](#0-pre-requisites)
+  - [1. Install Wizard](#1-install-wizard)
+  - [1-alt Manual configuration](#1-alt-manual-configuration)
 - [Web Server Requirements](#web-server-requirements)
  - [PHP v7.3 or higher](#php-v73-or-higher)
  - [MySQL compatible database](#mysql-compatible-database)
@@ -16,34 +18,44 @@ or shared hosting, you can install it on most PHP-MySQL compatible web servers.

 ## Install instructions

-0. Create a MySQL database for Castopod Host with a user having access and
+### 0. Pre-requisites
+
+0. Get a Web Server with requirements installed
+1. Create a MySQL database for Castopod Host with a user having access and
   modification privileges (for more info, see
   [Web Server Requirements](#web-server-requirements)).
-1. Download and unzip the latest
+2. Activate HTTPS on your domain with an _SSL certificate_.
+3. Download and unzip the latest
   [Castopod Host Package](https://code.podlibre.org/podlibre/castopod-host/-/releases)
   onto the web server if you haven’t already.
   - ⚠️ Set the web server document root to the `public/` sub-folder.
-2. For broadcasting social activities to the fediverse, add a cron task on your
-   web server to run every minute (replace the paths accordingly):
+4. Add a cron task on your web server to run every minute (replace the paths
+   accordingly):

   ```php
      * * * * * /path/to/php /path/to/castopod-host/public/index.php scheduled-activities
   ```

-3. Run the Castopod Host install script by going to the install wizard page
-   (`https://your_domain_name.com/cp-install`) in your favorite web browser.
-4. Follow the instructions on your screen.
+   > ⚠️ Social features will not work properly if you do not set the task. It is
+   > used to broadcast social activities to the fediverse.

-All done, start podcasting!
+### 1. Install Wizard

-### (optional) Manual configuration
+1. Run the Castopod Host install script by going to the install wizard page
+   (`https://your_domain_name.com/cp-install`) in your favorite web browser.
+2. Follow the instructions on your screen.
+3. Start podcasting!

-Before uploading Castopod Host files to your web server:
+### 1-alt Manual configuration
+
+The install script writes a `.env` file in the package root. If you cannot go
+through the install wizard, you can create and update the `.env` file yourself:

 1. Rename the `.env.example` file to `.env` and update the default values with
   your own.
-2. Upload the Castopod Host files with `.env`
+2. Upload the `.env` file to the Castopod Host Package root on your server.
 3. Go to `/cp-install` to finish the install process.
+4. Start podcasting!

 ## Web Server Requirements

@@ -64,12 +76,16 @@ Additionally, make sure that the following extensions are enabled in your PHP:

 ### MySQL compatible database

-> We recommend using [MariaDB](https://mariadb.org)
+> We recommend using [MariaDB](https://mariadb.org).

 You will need the server hostname, database name, username and password to
 complete the installation process. If you do not have these, please contact your
 server administrator.

+> NB. Castopod Host only works with supported MySQL compatible databases. It
+> will break with MySQL v5.6 for example as its end of life was on February
+> 5, 2021.
+
 #### Privileges

 User must have at least these privileges on the database for Castopod Host to
@@ -78,7 +94,7 @@ work: `ALTER`, `DELETE`, `EXECUTE`, `INDEX`, `INSERT`, `SELECT`, `UPDATE`.
 ### (Optional) Other recommendations

 - Redis for better cache performances.
- CDN for better performances.
+- CDN for static files caching and better performances.
 - e-mail gateway for lost passwords.

 ## Security concerns

--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -148,7 +148,7 @@ class App extends BaseConfig
     *
     * @var boolean
     */
-    public $forceGlobalSecureRequests = false;
+    public $forceGlobalSecureRequests = true;

    /**
     * --------------------------------------------------------------------------

--- a/docs/setup-development.md
+++ b/docs/setup-development.md
@@ -25,7 +25,7 @@ to help you kickstart your contribution.
 > Know that you don't need any prior knowledge of Docker to follow the next
 > steps. However, if you wish to use your own environment, feel free to do so!

-## Prerequisites
+## Pre-requisites

 0. Install [docker desktop](https://www.docker.com/products/docker-desktop).

@@ -41,6 +41,11 @@ git clone https://code.podlibre.org/podlibre/castopod.git
 ```ini
 CI_ENVIRONMENT="development"

+# By default, this is set to true in the app config.
+# For development, this must be set to false as it is
+# on a local environment
+app.forceGlobalSecureRequests=false
+
 app.baseURL="http://localhost:8080/"
 app.mediaBaseURL="http://localhost:8080/"