OrchestrateUI - an API automation tool with a clean UI

JavaScript 83.8%
CSS 14.6%
Dockerfile 1%
HTML 0.6%

Find a file

SluberskiHomeLab 43a072e47e Merge pull request #2 from SluberskiHomeLab/copilot/add-authentication-options Add authentication/authorization with username/password, OIDC/Auth0, and LDAP options		2025-10-28 07:27:32 -05:00
.github	Add Copilot instructions for repository	2025-10-27 17:11:32 +00:00
backend	Add backend authentication infrastructure with username/password, OIDC, and LDAP support	2025-10-27 17:16:37 +00:00
frontend	Add frontend authentication UI with login, admin panel, and user management	2025-10-27 17:21:00 +00:00
.env.example	Address code review feedback: improve security warnings and fix configuration consistency	2025-10-27 17:32:29 +00:00
.gitignore	Add complete OrchestrateUI application with backend, frontend, and Docker support	2025-10-27 15:45:48 +00:00
docker-compose.yml	Address code review feedback: improve security warnings and fix configuration consistency	2025-10-27 17:32:29 +00:00
EXAMPLES.md	Fix Dockerfiles and add examples documentation	2025-10-27 16:06:01 +00:00
README.md	Add security considerations documentation based on CodeQL analysis	2025-10-27 17:34:46 +00:00

README.md

🎯 OrchestrateUI

A powerful, Docker-runnable API automation tool with a clean, modern UI and fast backend. Schedule API calls, trigger them manually, and get notifications through webhooks.

✨ Features

Clean Modern UI: Intuitive React-based interface for managing API automation tasks
Fast Backend: Built with Node.js and Express for high-performance API execution
Scheduled Tasks: Use cron expressions to schedule recurring API calls
Manual Execution: Trigger any task on-demand with a single click
Webhook Notifications: Get notified about task execution results via webhooks
RESTful API Support: Full support for GET, POST, PUT, PATCH, and DELETE methods
Execution History: Track all task executions with detailed logs
Docker Support: Easy deployment with Docker and Docker Compose

🚀 Quick Start

Using Docker Compose (Recommended)

Clone the repository:

git clone https://github.com/SluberskiHomeLab/orchestrateui.git
cd orchestrateui

Start the application:

docker-compose up -d

Open your browser and navigate to:

http://localhost

The backend API will be available at http://localhost:3001/api

Manual Setup

Backend

cd backend
npm install
npm start

Backend runs on port 3001 by default.

Frontend

cd frontend
npm install
npm start

Frontend development server runs on port 3000 by default.

📖 Usage

Creating a Task

Click the "+ New Task" button
Fill in the task details:
- Name: A descriptive name for your task
- Description: Optional description
- Method: HTTP method (GET, POST, PUT, PATCH, DELETE)
- URL: The API endpoint to call
- Headers: JSON object with request headers
- Body: Request body (for POST, PUT, PATCH)
- Schedule: Cron expression for automated execution
- Webhook URL: URL to receive execution notifications
Click "Create Task"

Schedule Examples

*/5 * * * * - Every 5 minutes
0 * * * * - Every hour
0 9 * * * - Every day at 9:00 AM
0 0 * * 0 - Every Sunday at midnight
*/30 * * * * - Every 30 minutes

Manual Execution

Click the "▶ Execute Now" button on any task card to run it immediately.

Webhook Notifications

Tasks can send execution results to a webhook URL. The webhook receives:

{
  "taskId": "uuid",
  "taskName": "Task Name",
  "execution": {
    "id": "uuid",
    "status": "success",
    "statusCode": 200,
    "duration": 150,
    "startTime": "2024-01-01T00:00:00.000Z",
    "endTime": "2024-01-01T00:00:00.150Z"
  },
  "timestamp": "2024-01-01T00:00:00.000Z"
}

🔌 API Endpoints

Tasks

GET /api/tasks - Get all tasks
GET /api/tasks/:id - Get specific task
POST /api/tasks - Create new task
PUT /api/tasks/:id - Update task
DELETE /api/tasks/:id - Delete task
POST /api/tasks/:id/execute - Execute task manually

History

GET /api/history - Get execution history (limit: 50)
GET /api/tasks/:id/history - Get history for specific task

Health

GET /api/health - Health check endpoint

🏗️ Architecture

orchestrateui/
├── backend/
│   ├── server.js           # Express server with task management
│   ├── package.json
│   └── Dockerfile
├── frontend/
│   ├── src/
│   │   ├── App.js          # Main React component
│   │   ├── App.css         # Styles
│   │   └── index.js
│   ├── public/
│   ├── package.json
│   ├── Dockerfile
│   └── nginx.conf          # Nginx configuration
└── docker-compose.yml      # Docker Compose configuration

🛠️ Technologies

Backend

Node.js - Runtime environment
Express - Web framework
node-cron - Task scheduling
Axios - HTTP client for API calls
CORS - Cross-origin resource sharing

Frontend

React - UI framework
Axios - API communication
CSS3 - Modern styling

DevOps

Docker - Containerization
Docker Compose - Multi-container orchestration
Nginx - Web server and reverse proxy

🔐 Authentication & Authorization

OrchestrateUI now supports optional authentication with multiple authentication methods:

Authentication Methods

Username/Password (Local Authentication)
- Traditional username and password authentication
- Passwords are securely hashed using bcrypt
- First registered user becomes an administrator
OIDC/OAuth2 (Auth0, Okta, etc.)
- Single Sign-On (SSO) with your organization's identity provider
- Supports Auth0, Okta, Azure AD, and other OIDC-compliant providers
LDAP Authentication
- Integration with Active Directory or LDAP servers
- Users can authenticate with their corporate credentials
API Keys
- Generate API keys for programmatic access
- Perfect for CI/CD pipelines and automation
- Keys can have optional expiration dates

Enabling Authentication

Authentication is disabled by default for backwards compatibility. To enable it:

Copy .env.example to .env:
```
cp .env.example .env
```
Set AUTH_ENABLED=true in your .env file
IMPORTANT: Set a strong, random JWT_SECRET in your .env file:
```
JWT_SECRET=$(openssl rand -hex 32)
```
Never use the default secret in production!
Configure your preferred authentication methods
Start the application:
```
docker-compose up -d
```
Register the first user (will automatically become an admin)

Admin Features

Administrators have access to an Admin panel with the following capabilities:

User Management: Create, edit, and delete user accounts
Role Assignment: Assign admin or user roles
API Key Management: Generate and manage API keys for users
Access Control: Tasks are automatically scoped to their creators

Configuration

See .env.example for all available authentication configuration options:

JWT Settings: Secret key and token expiration
OIDC/OAuth2: Provider URLs and credentials
LDAP: Server connection and search parameters

🔒 Security Notes

Important Security Considerations:

This is designed as a development/home lab tool for trusted environments
The application makes HTTP requests to user-provided URLs - this is intentional core functionality
Request Forgery Risk: Users can configure tasks to call any URL. In production environments, consider:
- Adding URL allowlisting/denylisting
- Network-level restrictions (firewall rules, network policies)
- Running in an isolated network segment
- Enabling authentication/authorization (now available!)

For production use, we recommend:

✅ Authentication/Authorization - Now available with multiple methods!
HTTPS/TLS - Encrypt traffic between client and server
Rate Limiting - Add rate limiting to prevent brute force attacks on login endpoints
CORS Configuration - Restrict CORS to specific domains (set CORS_ORIGIN in .env)
Input Validation - Additional validation for URLs, headers, and body content
Database Persistence - Replace in-memory storage with a database
URL Filtering - Allowlist/blocklist for target URLs
Network Isolation - Run in a restricted network environment
Audit Logging - Track all task executions and modifications

Known Security Considerations:

JWT tokens are used for authentication (not session cookies), reducing CSRF risk
Rate limiting is not implemented - consider adding a reverse proxy with rate limiting (e.g., nginx)
CORS is permissive by default - restrict in production via CORS_ORIGIN environment variable

Recommended Deployment:

Use in private/internal networks only
Enable authentication for production environments
Use strong JWT secrets (change default in .env)
Configure CORS to allow only your frontend domain
Add rate limiting via reverse proxy (nginx, Cloudflare, etc.)
Regular security audits
Keep dependencies updated

📝 Environment Variables

Docker Compose (using .env file)

See .env.example for all available configuration options including:

AUTH_ENABLED - Enable/disable authentication (default: false)
JWT_SECRET - Secret key for JWT tokens
JWT_EXPIRY - Token expiration time (default: 24h)
OIDC_* - OIDC/OAuth2 provider settings
LDAP_* - LDAP server configuration

Backend (direct node execution)

PORT - Server port (default: 3001)
See backend/.env.example for authentication settings

Frontend (build time)

REACT_APP_API_URL - Backend API URL (default: http://localhost:3001/api)

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

📄 License

MIT License - feel free to use this project for personal or commercial purposes.

🐛 Troubleshooting

Docker Issues

If containers fail to start:

docker-compose down
docker-compose up --build

Port Conflicts

If port 80 or 3001 is already in use, modify the docker-compose.yml:

ports:
  - "8080:80"  # Frontend
  - "3002:3001"  # Backend

API Connection Issues

Make sure the backend is running and accessible. Check Docker logs:

docker-compose logs backend
docker-compose logs frontend

📧 Support

For issues, questions, or suggestions, please open an issue on GitHub.