# Securing TiddlyWiki on Node.js
This guide covers using Pomerium to add authentication and authorization to an instance of TiddlyWiki on Node.js.
# What is TiddlyWiki on Node.js
TiddlyWiki is a personal wiki and a non-linear notebook for organizing and sharing complex information. It is available in two forms:
- a single HTML page
- a Node.js application
We are using the Node.js application in this guide.
# Where Pomerium fits
TiddlyWiki supports a simple form of authentication through the authenticated-user-header parameter of the listen command: the parameter names a request header whose value TiddlyWiki takes as the name of the authenticated user. Pomerium provides the ability to log in with well-known identity providers and sets that header from the verified identity.
# Pre-requisites
This guide assumes you have already completed one of the quick start guides and have a working instance of Pomerium up and running. For the purposes of this guide, we will use docker-compose, though any other deployment method would work equally well.
# Configure
## Pomerium Config

```yaml
jwt_claims_headers: email
policy:
  - from: https://wiki.example.local
    to: http://tiddlywiki:8080
    policy:
      - allow:
          or:
            - email:
                is: reader1@example.com
            - email:
                is: writer1@example.com
```
## Docker-compose

```yaml
version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      # Mount the Pomerium configuration read-only
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443
  tiddlywiki_init:
    image: elasticdog/tiddlywiki:latest
    volumes:
      - ./wiki:/tiddlywiki
    command: ['mywiki', '--init', 'server']
  tiddlywiki:
    image: elasticdog/tiddlywiki:latest
    ports:
      - 8080:8080
    volumes:
      - ./wiki:/tiddlywiki
    command:
      - mywiki
      - --listen
      - host=0.0.0.0
      - authenticated-user-header=x-pomerium-claim-email
      - readers=reader1@example.com
      - writers=writer1@example.com
    depends_on:
      - tiddlywiki_init
```
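The two files above have to agree with each other: the header TiddlyWiki trusts must be one Pomerium actually sets (`x-pomerium-claim-<claim>` for each claim in `jwt_claims_headers`), and the readers and writers TiddlyWiki knows about should be the same people the Pomerium route allows. The following script is an added example, not code from Pomerium or TiddlyWiki, that checks those relationships. Both configurations are embedded as already-parsed Python dicts mirroring the YAML on this page so that it runs without a YAML library; the function names are this example's own.

```python
"""Consistency checks between a Pomerium route policy and TiddlyWiki's
--listen options (added example; not Pomerium's or TiddlyWiki's own code)."""

# Parsed form of the Pomerium config shown on this page.
POMERIUM_CONFIG = {
    "jwt_claims_headers": "email",
    "policy": [
        {
            "from": "https://wiki.example.local",
            "to": "http://tiddlywiki:8080",
            "policy": [
                {"allow": {"or": [
                    {"email": {"is": "reader1@example.com"}},
                    {"email": {"is": "writer1@example.com"}},
                ]}}
            ],
        }
    ],
}

# Parsed form of the tiddlywiki service from the docker-compose file.
TIDDLYWIKI_SERVICE = {
    "ports": ["8080:8080"],
    "command": [
        "mywiki", "--listen", "host=0.0.0.0",
        "authenticated-user-header=x-pomerium-claim-email",
        "readers=reader1@example.com",
        "writers=writer1@example.com",
    ],
}


def claim_headers(config):
    """Return the x-pomerium-claim-* header names Pomerium will add.

    jwt_claims_headers is given here as a comma-separated string or a list
    of claim names; each claim <c> is forwarded as x-pomerium-claim-<c>.
    """
    claims = config.get("jwt_claims_headers", [])
    if isinstance(claims, str):
        claims = [c.strip() for c in claims.split(",") if c.strip()]
    return {f"x-pomerium-claim-{c}" for c in claims}


def allowed_emails(route):
    """Collect the emails matched by `email: {is: ...}` allow rules.

    Only the flat `allow: {or: [...]}` shape used on this page is handled.
    """
    emails = set()
    for rule in route.get("policy", []):
        for cond in rule.get("allow", {}).get("or", []):
            email = cond.get("email", {}).get("is")
            if email:
                emails.add(email)
    return emails


def listen_options(command):
    """Turn the key=value arguments after --listen into a dict."""
    opts = {}
    for arg in command[command.index("--listen") + 1:]:
        key, _, value = arg.partition("=")
        opts[key] = value
    return opts


def check(config, service):
    """Return a list of findings; an empty list means the configs agree."""
    findings = []
    route = config["policy"][0]
    opts = listen_options(service["command"])

    header = opts.get("authenticated-user-header", "")
    if header not in claim_headers(config):
        findings.append(f"TiddlyWiki trusts header {header!r} but Pomerium does not set it")

    tw_users = set()
    for role in ("readers", "writers"):
        tw_users |= {u for u in opts.get(role, "").split(",") if u}
    pom_users = allowed_emails(route)
    for user in sorted(tw_users - pom_users):
        findings.append(f"{user} has a TiddlyWiki role but Pomerium would deny them")
    for user in sorted(pom_users - tw_users):
        findings.append(f"{user} passes Pomerium but TiddlyWiki gives them no role")

    # TiddlyWiki believes whatever the header says, so it should be reachable
    # only through Pomerium; a published port exposes it on the Docker host too.
    if service.get("ports"):
        findings.append("tiddlywiki publishes ports; reach it only via Pomerium")
    return findings


if __name__ == "__main__":
    for finding in check(POMERIUM_CONFIG, TIDDLYWIKI_SERVICE) or ["configs agree"]:
        print(finding)
```

Run against the page's own configuration the only finding is the published `8080:8080` port on the tiddlywiki service; dropping that `ports` entry (Pomerium reaches the container over the compose network by service name) leaves the check clean.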
# That's it
Navigate to your TiddlyWiki instance (e.g. https://wiki.example.local) and log in:
- as reader1@example.com: the user can read the wiki, but no "create new tiddler" button is shown.
- as writer1@example.com: the user can read the wiki and create new tiddlers.
- as any other email: Pomerium displays a permission denied error.