parse-hipaa

dashboard

Example of how to setup and run your own HIPAA & GDPR compliant parse-server with postgres or mongo. parse-hipaa also includes parse-dashboard for viewing/modifying your data in the Cloud. Since parse-hipaa is a pare-server, it can be used for iOS, Android, and web based apps. API's such as GraphQL, REST, and JS are also enabled in parse-hipaa and can be tested directly or via the "API Console" in parse-dashboard. See the Parse SDK documentation for details and examples of how to leverage parse-hipaa for your language(s) of interest. These docker images include the necessary database auditing and logging for HIPAA compliance.

The parse-hipaa repo provides the following:

  • Auditing & logging at server-admin level (Parse) and at the database level (postgres or mongo)
  • The User class (and the ParseCareKit classes if you are using them) are locked down and doesn't allow unauthenticated access (the standard parse-server allows unauthenticated read access by default)
  • The creation of new Parse Classes and the addition of adding fields from the client-side are disabled. These can be created/added on the server-side using Parse Dashboard (the standard parse-server allows Class and field creation on the client-side by default)
  • File uploads are only allowed by authenticated users (the standard parse-server allows unauthenticated uploads by default)
  • File uploads are encrypted with AES-256-GCM by default (the standard parse-server doesn't encrypt files by default)
  • File uploads are scanned for viruses and malware by clamscan before they are saved to parse-hipaa. If any virus or malware is detected the files won't be saved
  • Encryption in transit - parse-hipaa and it's companion images are setup to run behind a proxy with files & directions on how to complete the process with Nginx and LetsEncrypt

You will still need to setup the following on your own to be fully HIPAA & GDPR compliant:

  • Encryption in transit - you will need to complete the process
  • Encryption at rest - Mount to your own encrypted storage drive for your database (Linux and macOS have API's for this) and store the drive in a "safe" location
  • Be sure to do anything else HIPAA & GDPR requires

A modified example of Apple's CareKit sample app, CareKitSample-ParseCareKit, uses parse-hipaa along with ParseCareKit.

To get started with parse-hipaa simply type:

docker-compose up

Use at your own risk. There is not promise that this is HIPAA compliant and we are not responsible for any mishandling of your data

HIPAA compliant parse-server with postgres or mongo

By default, the docker-compose.yml uses postgres 14. A mongo variant (uses percona-server-mongodb 4 is included in this repo. To use the mongo HIPAA compliant variant of parse-hipaa, simply type:

docker-compose -f docker-compose.mongo.yml up

If you would like to use a non-HIPAA compliant postgres version:

docker-compose -f docker-compose.no.hipaa.yml up

A non-HIPAA compliant mongo version isn't provided as this is the default parse-server deployment and many examples of how to set this up are online already exist.

Getting started

parse-hipaa is made up of four (4) seperate docker images (you use 3 of them at a time) that work together as one system. It's important to set the environment variables for your parse-hipaa server.

Environment Variables

netreconlab/parse-hipaa

PARSE_SERVER_APPLICATION_ID # Unique string value
PARSE_SERVER_PRIMARY_KEY # Unique string value
PARSE_SERVER_READ_ONLY_PRIMARY_KEY # Unique string value
PARSE_SERVER_ENCRYPTION_KEY # Unique string used for encrypting files stored by parse-hipaa
PARSE_SERVER_OBJECT_ID_SIZE # Integer value, parse defaults to 10, 32 is probably better for medical apps and large tables
PARSE_SERVER_DATABASE_URI # URI to connect to parse-hipaa. postgres://${PG_PARSE_USER}:${PG_PARSE_PASSWORD}@db:5432/${PG_PARSE_DB} or mongodb://${MONGO_PARSE_USER}:${MONGO_PARSE_PASSWORD}@db:27017/${MONGO_PARSE_DB}
PORT # Port for parse-hipaa, default is 1337
PARSE_SERVER_MOUNT_PATH: # Mounting path for parse-hipaa, default is /parse
PARSE_SERVER_URL # Server URL, default is http://parse:${PORT}/parse
PARSE_PUBLIC_SERVER_URL # Public Server URL, default is http://localhost:${PORT}/parse
PARSE_SERVER_CLOUD # Path to cloud code, default is /parse/cloud/main.js
PARSE_SERVER_MOUNT_GRAPHQL # Enable graphql, default is 'true'
PARSE_SET_USER_CLP # Set the Class Level Permissios of the _User schema so only authenticated users can access, default 1
PARSE_SERVER_ALLOW_CLIENT_CLASS_CREATION # String value of 'false' or 'true'. Prohibits class creation on the client side. Classes can still be created using Parse Dashboard by `useMasterKey`, default 'false'
PARSE_SERVER_ALLOW_CUSTOM_OBJECTID # Required to be true for ParseCareKit
PARSE_SERVER_ENABLE_SCHEMA_HOOKS # Keeps the schema in sync across all instances
PARSE_SERVER_DIRECT_ACCESS # Known to cause crashes when true on single instance of server and not behind public server
PARSE_SERVER_ENABLE_PRIVATE_USERS # Set to 'true' if new users should be created without public read and write access
PARSE_USING_PARSECAREKIT # If you are not using ParseCareKit, set this to 'false', or else enable with 'true'. The default value is 'true'
PARSE_VERBOSE # Enable verbose output on the server
POSTGRES_PASSWORD: # Needed for wait-for-postgres.sh. Should be the same as POSTGRES_PASSWORD in netreconlab/hipaa-postgres

parseplatform/parse-dashboard

PARSE_DASHBOARD_TRUST_PROXY: # Default is 1, this should always be left as 1 when using docker
PARSE_DASHBOARD_COOKIE_SESSION_SECRET: # Unique string. This should be constant across all deployments on your system
MOUNT_PATH: # The default is "/dashboard". This needs to be exactly what you plan it to be behind the proxy, i.e. If you want to access cs.uky.edu/dashboard it should be "/dashboard"

netreconlab/hipaa-postgres

POSTGRES_PASSWORD # Password for postgress db cluster
PG_PARSE_USER # Username for logging into PG_PARSE_DB
PG_PARSE_PASSWORD # Password for logging into PG_PARSE_DB
PG_PARSE_DB # Name of parse-hipaa database

netreconlab/hipaa-mongo

# Warning, if you want to make changes to the vars below they need to be changed manually in /scripts/mongo-init.js as the env vars are not passed to the script
MONGO_INITDB_ROOT_USERNAME # Username for mongo db. Should be MONGO_PARSE_USER
MONGO_INITDB_ROOT_PASSWORD # Password for mongo db. Should be MONGO_PARSE_PASSWORD
MONGO_INITDB_DATABASE # Name of mongo db. Should be MONGO_PARSE_DB
MONGO_PARSE_USER # Username for logging into mongo db for parse-hipaa.
MONGO_PARSE_PASSWORD # Password for logging into mongo db for parse-hipaa
MONGO_PARSE_DB # Name of mongo db for parse-hipaa

Starting up parse-hipaa

  • For the default HIPAA compliant postgres version: docker-compose up
  • or for the HIPAA compliant mongo version: docker-compose -f docker-compose.mongo.yml up
  • or for the non-HIPAA compliant postgres version: docker-compose -f docker-compose.no.hipaa.yml up
  • A non-HIPAA compliant mongo version isn't provided in this repo as that's just a standard parse-server

Imporant Note: On the very first run, the "parse-server"(which will show up as "parse_1" in the console) will sleep and error a few times because it can't connect to postgres (the "db") container. This is suppose to happen and is due to postgres needing to configure and initialize, install the necessary extensions, and setup it's databases. Let it keep running and eventually you will see something like:

db_1         | PostgreSQL init process complete; ready for start up.

The parse-server container will automatically keep attempting to connect to the postgres container and when it's connected you will see:

parse_1      | parse-server running on port 1337.
parse_1      | publicServerURL: http://localhost:1337/parse, serverURL: http://parse:1337/parse
parse_1      | GraphQL API running on http://localhost:1337/parsegraphql
parse_1      | info: Parse LiveQuery Server starts running

You may also see output such as the following in the console or log files:

db_1         | 2020-03-18 21:59:21.550 UTC [105] ERROR:  duplicate key value violates unique constraint "pg_type_typname_nsp_index"
db_1         | 2020-03-18 21:59:21.550 UTC [105] DETAIL:  Key (typname, typnamespace)=(_SCHEMA, 2200) already exists.
db_1         | 2020-03-18 21:59:21.550 UTC [105] STATEMENT:  CREATE TABLE IF NOT EXISTS "_SCHEMA" ( "className" varChar(120), "schema" jsonb, "isParseClass" bool, PRIMARY KEY ("className") )
db_1         | 2020-03-18 21:59:21.550 UTC [106] ERROR:  duplicate key value violates unique constraint "pg_type_typname_nsp_index"
...

The lines above are console output from parse because they attempt to check and configure the postgres database if necessary. They doesn't hurt or slow down your parse-hipaa server.

Parse Server

Your parse-server is binded to all of your interfaces on port 1337/parse and be can be accessed as such, e.g. http://localhost:1337/parse.

The standard configuration can be modified to your liking by editing index.js. Here you can add/modify things like push notifications, password resets, adapters, etc. This file as an express app and some examples provided from parse can be found here. Note that there is no need to rebuild your image when modifying files in the "index.js" file since it is volume mounted, but you will need to restart the parse container for your changes to take effect.

Configuring

Default values for environment variables: PARSE_SERVER_APPLICATION_ID and PARSE_SERVER_PRIMARY_KEY are provided in docker-compose.yml for quick local deployment. If you plan on using this image to deploy in production, you should definitely change both values. Environment variables, PARSE_SERVER_DATABASE_URI, PARSE_SERVER_URL, PORT, PARSE_PUBLIC_SERVER_URL, PARSE_SERVER_CLOUD, and PARSE_SERVER_MOUNT_GRAPHQL should not be changed unles you are confident with configuring parse-server or else you image may not work properly. In particular, changing PORT should only be done in .env and will also require you to change the port manually in the parse-dashboard-config.json for both "serverURL" and "graphQLServerURL" to have the Parse Dashboard work correctly.

Running in production for ParseCareKit

If you are plan on using parse-hipaa in production. You should run the additional scripts to create the rest of the indexes for optimized queries.

Idempotency

You most likely want to enable Idempotency. Read more about how to configure on Parse Server. If you are using Postgres, look here for the script.

Postgres

If you are using hipaa_postgres or parse-postgres (the two images included in this repo). The setup-parse-index.sh is already in the container. You just have to run it.

  1. Log into your docker container, type: docker exec -u postgres -ti parse-hipaa_db_1 bash
  2. Run the script, type: ./parseScripts/setup-parse-index.h

If you are using your own postgres image, you should copy setup-parse-index.sh to your container and complete the login and run steps above (be sure to switch parse-hipaa_db_1 to your actual running container name).

Mongo

Will be created in the future...

Other parse-server environment variables can be set, but they require you to make additions/modifications to the index.js.

Cloud Code

For verfying and cleaning your data along with other added functionality, you can add Cloud Code to the cloud folder. Note that there is no need to rebuild your image when modifying files in the "cloud" folder since this is volume mounted, but you may need to restart the parse container for your changes to take effect.

Viewing Your Data via Parse Dashboard

Parse-dashboard is binded to your localhost on port 4040 and can be accessed as such, e.g. http://localhost:4040/dashboard. The default login for the parse dashboard is username: "parse", password: "1234". For production you should change the password in the postgres-dashboard-config.json. Note that ideally the password should be hashed by using something like bcrypt-generator or using multi factor authentication. You can also add more users through this method.

  1. Open your browser and go to http://localhost:4040/dashboard
  2. Username: parse # You can use parseRead to login as a read only user
  3. Password: 1234
  4. Be sure to refresh your browser to see new changes synched from your CareKitSample app

Configuring

As mentioned, the default address and port the parse-server dashboard is binded to is 127.0.0.1:4040:4040 which means it can only be accessed by your local machine. If you want to change this, you should do it here. If you plan on using this image to deploy in production, it is recommended to run this behind a proxy and add the environment variable PARSE_DASHBOARD_TRUST_PROXY=1 to the dashboard container. Note that since the parse dashboard is running in docker, the following should remain in the yml, command: parse-dashboard --dev.

Postgres

The image used is postgis which is an extention built on top of the official postgres image. Note that postgres is not binded to your interfaces and is only local to the docker virtual network. This was done on purpose as the parse and parse-desktop is already exposed.

If you want to persist the data in the database, you can uncomment the volume lines in docker-compose

Configuring

Default values for environment variables: POSTGRES_PASSWORD, PG_PARSE_USER, PG_PARSE_PASSWORD, PG_PARSE_DB are provided in docker-compose.yml for quick local deployment. If you plan on using this image to deploy in production, you should definitely change POSTGRES_PASSWORD, PG_PARSE_USER, PG_PARSE_PASSWORD. Note that the postgres image provides a default user of "postgres" to configure the database cluster, you can change the password for the "postgres" user by changing POSTGRES_PASSWORD. There are plenty of postgres environment variables that can be modified. Environment variables should not be changed unles you are confident with configuring postgres or else you image may not work properly. Note that changes to the aforementioned paramaters will only take effect if you do them before the first build and run of the image. Afterwards, you will need to make all changes by connecting to the image typing:

docker exec -u postgres -ti parse-hipaa_db_1 bash

You can then make modifications using psql. Through psql, you can also add multiple databases and users to support a number of parse apps. Note that you will also need to add the respecting parse-server containers (copy parse container in the .yml and rename to your new app) along with the added app in postgres-dashboard-config.json.

Deploying on a real system

The docker yml's here are intended to run behind a proxy that properly has ssl configured to encrypt data in transit. To create a proxy to parse-hipaa, nginx files are provided here. Simply add the sites-available folder to your nginx directory and add the following to "http" in your nginx.conf:

http {
    include /usr/local/etc/nginx/sites-enabled/*.conf; # Add this line to end. This is for macOS, do whatever is appropriate on your system
}

Setup your free certificates using LetsEncrypt, follow the directions here. Be sure to change the certificate and key lines to point to correct location in default-ssl.conf.

Is there a mongo version available?

The mongo equivalent is available in this repo. The same steps as above. but use:

docker-compose -f docker-compose.mongo.yml up

Parse Hipaa

HIPAA & GDPR compliant parse-server with postgres/mongo, parse-dashboard, and graphql. Compatible with ParseCareKit

Parse Hipaa Info

⭐ Stars 41
🔗 Source Code github.com
🕒 Last Update 4 months ago
🕒 Created 2 years ago
🐞 Open Issues 0
➗ Star-Issue Ratio Infinity
😎 Author netreconlab