references/plane
1
0
Fork 0
mirror of https://github.com/makeplane/plane.git synced 2026-06-14 03:30:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
components_refactor
plane/deployments/aio/community
T
History
sriram veeraghanta b1c78fe4c8 fix(api): rate-limit magic-code verify, bound per-token attempts (GHSA-9pvm-fcf6-9234) (#9130) 
* fix(api): rate-limit magic-code verification and bound per-token attempts

The magic-link sign-in / sign-up endpoints accept a 6-digit numeric code
(900k-value space, 600s TTL) but never increment a failure counter on a
wrong-code verify and extend django.views.View rather than DRF APIView,
so DRF's AuthenticationThrottle never runs against them. The space-side
generate endpoint also lacked throttle_classes. Combined, this allowed
an unauthenticated attacker who knew a victim's email to brute-force
the code within the TTL window and log in as the victim.

- Add MAX_VERIFY_ATTEMPTS=5 in MagicCodeProvider.set_user_data: failed
  comparisons now persist verify_attempts in Redis under the remaining
  TTL and, on hitting the limit, delete the key and raise
  EMAIL_CODE_ATTEMPT_EXHAUSTED. This is the load-bearing fix - it caps
  total attempts per issued token regardless of request rate.
- Add authentication_throttle_allows() so plain Django Views can apply
  AuthenticationThrottle without converting to APIView (would change
  CSRF + request-parsing semantics for the redirect-flow endpoints).
- Apply the throttle to MagicSignIn/UpEndpoint and the space variants;
  add throttle_classes to MagicGenerateSpaceEndpoint to match its app
  sibling.

Refs GHSA-9pvm-fcf6-9234.

* fix(api): make verify-attempt increment atomic, expose throttle rate via env

Address PR review feedback:

- Replace the JSON read-modify-write of verify_attempts with a Lua
  EVAL script that INCRs a dedicated counter key and EXPIREs it only
  on the first increment. The previous round-trip was racy: parallel
  wrong-code requests could read the same value and both write the
  same incremented count, letting an attacker exceed MAX_VERIFY_ATTEMPTS
  under concurrency. Counter is now reset on each new token issuance
  and cleared on successful verify / exhaustion.
- Make AuthenticationThrottle.rate configurable via the
  AUTHENTICATION_RATE_LIMIT env var (default 10/minute, down from 30
  to tighten the budget on unauth auth-adjacent endpoints). Document
  it in deployments/aio and deployments/cli variables.env.

* test(api): cover magic-code attempt cap, counter reset, and auth throttle

Add the contract tests called out in the PR test plan:

- TestMagicSignInVerifyAttempts:
  - test_exhausted_after_max_wrong_attempts: after MAX_VERIFY_ATTEMPTS
    wrong codes the next verify redirects with EMAIL_CODE_ATTEMPT_
    EXHAUSTED_SIGN_IN and both Redis keys are deleted; a follow-up
    verify reports EXPIRED.
  - test_counter_increments_on_each_wrong_attempt: the dedicated
    verify_attempts counter advances by exactly one per wrong POST,
    matching the atomic Lua INCR.
  - test_counter_resets_on_token_regeneration: regenerating the
    magic-link clears the counter so the user isn't pre-locked-out by
    a prior session's wrong attempts.
- TestMagicSignUpVerifyAttempts.test_signup_exhausted_after_max_wrong_attempts:
  the sign-up endpoint returns EMAIL_CODE_ATTEMPT_EXHAUSTED_SIGN_UP on
  the exhausting attempt.
- TestAuthenticationThrottle: exercises authentication_throttle_allows
  on the plain-View redirect-flow endpoints by patching the rate down
  and asserting RATE_LIMIT_EXCEEDED is appended to the redirect URL
  once the per-IP budget is exceeded, for both magic-sign-in and
  magic-sign-up.

Each new class clears Django cache (DRF throttle storage) and the
per-email Redis keys around every test so runs are independent.

* fix(api): clamp remaining_ttl to >=1 for verify-attempt counter EXPIRE

ri.ttl() returns 0 when the token has less than one second remaining
(Redis floors to whole seconds). The previous clamp only caught
None and < 0, so a sub-second TTL would pass through and the Lua
script's EXPIRE counter 0 would immediately delete the key — letting
an attacker bypass MAX_VERIFY_ATTEMPTS during the final second of the
token's life. Switch the comparison to <= 0.

Narrow real-world impact (sub-second window, throttle still bounds
the rate) but the cap should hold regardless of timing.
2026-06-01 18:44:57 +05:30
..
build.sh
[INFRA-287] Fix: AIO Docker Image build failure (#8311)
2025-12-11 18:06:27 +05:30
Dockerfile
fix(aio): use JSON array double quotes in VOLUME instruction (#9099)
2026-05-21 16:54:57 +05:30
README.md
[INFRA-346] chore: remove artifacts.plane.so references from community deployments (#8836)
2026-03-31 17:56:32 +05:30
start.sh
[INFRA-208] Reorganize deployment structure and update build workflows (#7391)
2025-07-14 14:38:43 +05:30
supervisor.conf
[INFRA-351] fix: correct directory and command for space program in supervisor.conf #8838
2026-03-31 18:53:51 +05:30
variables.env
fix(api): rate-limit magic-code verify, bound per-token attempts (GHSA-9pvm-fcf6-9234) (#9130)
2026-06-01 18:44:57 +05:30

README.md

Plane Community All-In-One (AIO) Docker Image

The Plane Community All-In-One Docker image packages all Plane services into a single container for easy deployment and testing. This image includes web interface, API server, background workers, live server, and more.

What's Included

The AIO image contains the following services:

  • Web App (Port 3001): Main Plane web interface
  • Space (Port 3002): Public project spaces
  • Admin (Port 3003): Administrative interface
  • API Server (Port 3004): Backend API
  • Live Server (Port 3005): Real-time collaboration
  • Proxy (Port 80, 443): Caddy reverse proxy
  • Worker & Beat: Background task processing

Prerequisites

Required External Services

The AIO image requires these external services to be running:

  • PostgreSQL Database: For data storage
  • Redis: For caching and session management
  • RabbitMQ: For message queuing
  • S3-Compatible Storage: For file uploads (AWS S3 or MinIO)

Required Environment Variables

You must provide these environment variables:

Core Configuration

  • DOMAIN_NAME: Your domain name or IP address
  • DATABASE_URL: PostgreSQL connection string
  • REDIS_URL: Redis connection string
  • AMQP_URL: RabbitMQ connection string

Storage Configuration

  • AWS_REGION: AWS region (e.g., us-east-1)
  • AWS_ACCESS_KEY_ID: S3 access key
  • AWS_SECRET_ACCESS_KEY: S3 secret key
  • AWS_S3_BUCKET_NAME: S3 bucket name
  • AWS_S3_ENDPOINT_URL: S3 endpoint (optional, defaults to AWS)

Quick Start

Basic Usage

docker run --name plane-aio --rm -it \
    -p 80:80 \
    -e DOMAIN_NAME=your-domain.com \
    -e DATABASE_URL=postgresql://user:pass@host:port/database \
    -e REDIS_URL=redis://host:port \
    -e AMQP_URL=amqp://user:pass@host:port/vhost \
    -e AWS_REGION=us-east-1 \
    -e AWS_ACCESS_KEY_ID=your-access-key \
    -e AWS_SECRET_ACCESS_KEY=your-secret-key \
    -e AWS_S3_BUCKET_NAME=your-bucket \
    makeplane/plane-aio-community:latest

Example with IP Address

MYIP=192.168.68.169
docker run --name myaio --rm -it \
    -p 80:80 \
    -e DOMAIN_NAME=${MYIP} \
    -e DATABASE_URL=postgresql://plane:plane@${MYIP}:15432/plane \
    -e REDIS_URL=redis://${MYIP}:16379 \
    -e AMQP_URL=amqp://plane:plane@${MYIP}:15673/plane \
    -e AWS_REGION=us-east-1 \
    -e AWS_ACCESS_KEY_ID=5MV45J9NF5TEFZWYCRAX \
    -e AWS_SECRET_ACCESS_KEY=7xMqAiAHsf2UUjMH+EwICXlyJL9TO30m8leEaDsL \
    -e AWS_S3_BUCKET_NAME=plane-app \
    -e AWS_S3_ENDPOINT_URL=http://${MYIP}:19000 \
    -e FILE_SIZE_LIMIT=10485760 \
    makeplane/plane-aio-community:latest

Configuration Options

Optional Environment Variables

Network & Protocol

  • SITE_ADDRESS: Server bind address (default: :80)

Security & Secrets

  • SECRET_KEY: Django secret key (default provided)
  • LIVE_SERVER_SECRET_KEY: Live server secret (default provided)

File Handling

  • FILE_SIZE_LIMIT: Maximum file upload size in bytes (default: 5242880 = 5MB)

API Configuration

  • API_KEY_RATE_LIMIT: API key rate limit (default: 60/minute)

Port Mapping

The following ports are exposed:

  • 80: Main web interface (HTTP)
  • 443: HTTPS (if SSL configured)

Volume Mounts

Recommended Persistent Volumes

-v /path/to/logs:/app/logs \
-v /path/to/data:/app/data

Building the Image

To build the AIO image yourself:

cd deployments/aio/community
IMAGE_NAME=myplane-aio ./build.sh --release=v0.27.1 [--platform=linux/amd64]

Available build options:

  • --release: Plane version to build (required)
  • --image-name: Custom image name (default: plane-aio-community)

Troubleshooting

Logs

All service logs are available in /app/logs/:

  • Access logs: /app/logs/access/
  • Error logs: /app/logs/error/

Health Checks

The container runs multiple services managed by Supervisor. Check service status:

docker exec -it <container-name> supervisorctl status

Common Issues

  1. Database Connection Failed: Ensure PostgreSQL is accessible and credentials are correct
  2. Redis Connection Failed: Verify Redis server is running and URL is correct
  3. File Upload Issues: Check S3 credentials and bucket permissions

Environment Validation

The container will validate required environment variables on startup and display helpful error messages if any are missing.

Production Considerations

  • Use proper SSL certificates for HTTPS
  • Configure proper backup strategies for data
  • Monitor resource usage and scale accordingly
  • Use external load balancer for high availability
  • Regularly update to latest versions
  • Secure your environment variables and secrets

Support

For issues and support, please refer to the official Plane documentation.

Reference in New Issue View Git Blame Copy Permalink