[STALE] Enforce signup and login only via campus network

SUBSCRIPTION_INSTRUCTION.md

@@ -4,7 +4,7 @@ Narada (Sanskrit: नारद, IAST: Nārada), or Narada Muni, is a sage-divini
 
 ## User Registration
 
-1. Visit [Naarad Signup](https://naarad.metakgp.org/signup) page
+1. Visit [Naarad Signup](https://naarad-signup.metakgp.org/) page
 2. You will be prompted to enter your institute email
 3. Once email is entered, you will receive a verification OTP on the provided email
 4. Enter the OTP in the available field and click the `Verify` button
@@ -123,3 +123,45 @@ If the [automatic](#automatic) method doesn't work, then you can do it manually
 <div align="center">
   <img src="https://github.com/metakgp/naarad/assets/86282911/647f290d-51e8-4340-8033-61e47e326f74">
 </div>
+
+## Enforced Campus Login
+
+Since, CDC period (for internships) starts during the summer vacation and majority of the students are not on campus during that time, [login](#user-login) is open from any network. One day after the **CDC travel window** is over, following changes are implemented:
+- User database is deleted
+- __User Signup & Login__ are restricted only to campus network
+- Once logged in, via campus network, the app is functional on all networks
+
+> [!Warning]
+> Make sure you are connected to campus network, before following ahead in the documentation.
+
+Users have to initiate the registration process again and receive new credentials. This time, just visit [https://naarad.metakgp.org/signup](https://naarad-signup.metakgp.org). You will receive the new credentials on your institute email within a few seconds. 
+
+It's now time to re-login with your new credentials, in-order to do that first remove the previous sessions from your webapp and app.
+
+### Webapp
+
+1. Click on the account icon on top right corner
+2. Logout the current user
+3. Visit [Naarad Login](https://naarad.metakgp.org/login)
+
+<div align="center">
+  <img src="https://github.com/metakgp/naarad/assets/86282911/d20e5684-4831-439e-a81c-28a7f23aff9c">
+</div>
+
+### Mobile
+
+1. Press the _three-dots_ on top-right corner
+2. Choose `Settings` option from the context-menu
+3. Select `Manage Users` in the _General_ section below
+4. Press on the user corresponding to your institute email (auto-generated username, which you received on your email)
+5. A dialogue will appear, select `Delete User` there
+6. Now go back to the home screen, select the `kgp-mftp` topic and press the _three-dots_ there on top-right corner
+7. Choose `Unsubscribe` option from the context-menu
+8. A dialogue will appear, select `Delete Permanently` there
+9. Now that the user has been removed properly, follow the [Subscribing to MFTP](#subscribing-to-mftp) section once again while being connected on campus network
+
+| ![](https://github.com/metakgp/naarad/assets/86282911/34a7e162-68b0-454e-98a5-b61bac62e898) | ![](https://github.com/metakgp/naarad/assets/86282911/4beb8bf5-bc28-4164-a4a4-f05f04644fe9) |
+| ---------------------------------- | -------------------------------- |
+| ![](https://github.com/metakgp/naarad/assets/86282911/6606ee7e-030f-48ec-b886-fe143bcbcbb7) | ![](https://github.com/metakgp/naarad/assets/86282911/3ed6ec9a-b57d-441c-8933-3365ebeba287) |
+| ![](https://github.com/metakgp/naarad/assets/86282911/0829d4d6-fc88-4d24-8dbb-75810e800c40) | ![](https://github.com/metakgp/naarad/assets/86282911/cfb77e27-0e93-4897-9480-1530eaa67e38) |
+| ![](https://github.com/metakgp/naarad/assets/86282911/8f366eb4-0cfb-4ee5-a272-8c0efe362d59) | ![](https://github.com/metakgp/naarad/assets/86282911/461f550d-9148-43a1-bc24-c29f1b47b271) |

metaploy/naarad.metaploy.conf

@@ -16,12 +16,8 @@ server {
         proxy_pass http://naarad;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
-    ## Allows the app to be functional 
+    ## Allows the app to be functional
     ## as it doesn't have Heimdall Session Auth
-    ### Allowing login
-    location ~ ^/[^/]+/auth$ {
-        proxy_pass http://naarad;
-    }
     ### Allowing polling via websocket
     location ~ ^/[^/]+/ws$ {
         proxy_pass http://naarad;
@@ -33,7 +29,7 @@ server {
         proxy_pass http://naarad;
         add_header Content-Type application/json;
     }
-    
+
     # Restricting user account registration only via
     # naarad-signup service (our custom registration layer)
     ## BACKEND
@@ -60,20 +56,42 @@ server {
         return 301 https://naarad-signup.metakgp.org;
     }
 
-    # All the endpoints except (signup, healthcheck and 
-    # mobile application related) 
+    # Protecting User Login via Campus Network
+    ## /login: frontend route
+    ## /<topic>/auth: topic specific auth route
+    ## /v1/account/token: account sign in route
+    location ~ ^/(v1/account/token|login|[^/]+/auth)$ {
+        auth_request /campus-auth;
+        error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_campus_auth;
+
+        proxy_pass http://naarad;
+    }
+
+    # Internal authorisation endpoint via Campus Network
+    location = /campus-auth {
+        internal;
+        proxy_pass http://heimdall_server/;
+    }
+
+    # Handle case when auth fails in /campus-auth sub request
+    location @handle_campus_auth {
+        return 403;
+    }
+
+    # All the endpoints except (signup, healthcheck and
+    # mobile application related)
     # described above are protected via Heimdall Session
     location / {
-        auth_request /auth;
-        error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_auth;
+        auth_request /kgpian-auth;
+        error_page 300 301 302 303 304 305 306 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 = @handle_kgpian_auth;
 
         proxy_pass http://naarad;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
 
     # Internal authorisation endpoint via heimdall
-    location = /auth {
+    location = /kgpian-auth {
         internal;
 
         proxy_pass http://heimdall_server/validate-jwt;
@@ -83,8 +101,8 @@ server {
         proxy_set_header Cookie $http_cookie;
     }
 
-    # Handle case when auth fails in /auth sub request
-    location @handle_auth {
+    # Handle case when auth fails in /kgpian-auth sub request
+    location @handle_kgpian_auth {
         return 302 https://heimdall.metakgp.org/?redirect_url=https://$server_name$request_uri;
     }
 }