add authentication support

Author: devksingh4

package.json

@@ -8,7 +8,7 @@
   "type": "module",
   "scripts": {
     "build": "rm -rf dist/ && tsc",
-    "dev": "tsx src/index.ts",
+    "dev": "tsx watch src/index.ts",
     "build:lambda": "yarn build && cp package.json dist/ && yarn lockfile-manage",
     "lockfile-manage": "synp --source-file yarn.lock && cp package-lock.json dist/ && rm package-lock.json",
     "typecheck": "tsc --noEmit",
@@ -31,14 +31,15 @@
     "eslint-plugin-prettier": "^5.2.1",
     "prettier": "^3.3.3",
     "synp": "^1.9.13",
-    "ts-node": "^10.9.2",
     "tsx": "^4.16.5",
     "typescript": "^5.5.4"
   },
   "dependencies": {
     "@fastify/auth": "^4.6.1",
     "@fastify/aws-lambda": "^4.1.0",
     "fastify": "^4.28.1",
-    "fastify-plugin": "^4.5.1"
+    "fastify-plugin": "^4.5.1",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.1.0"
   }
 }

src/errors/index.ts

@@ -47,11 +47,11 @@ export class UnauthenticatedError extends BaseError<"UnauthenticatedError"> {
 }
 
 export class InternalServerError extends BaseError<"InternalServerError"> {
-  constructor() {
+  constructor({message}: {message?: string} = {}) {
     super({
       name: "InternalServerError",
       id: 100,
-      message: "An internal server error occurred. Please try again or contact support.",
+      message: message || "An internal server error occurred. Please try again or contact support.",
       httpStatusCode: 500,
     });
   }

src/index.ts

@@ -5,6 +5,8 @@ import FastifyAuthProvider from "@fastify/auth";
 import fastifyAuthPlugin from "./plugins/auth.js";
 import protectedRoute from "./routes/protected.js";
 import errorHandlerPlugin from "./plugins/errorHandler.js";
+import { RunEnvironment, runEnvironments } from "./roles.js";
+import { InternalServerError } from "./errors/index.js";
 
 const now = () => Date.now();
 
@@ -25,7 +27,13 @@ async function init() {
   await app.register(fastifyAuthPlugin);
   await app.register(FastifyAuthProvider);
   await app.register(errorHandlerPlugin);
-  app.runEnvironment = process.env.RunEnvironment ?? "dev";
+  if (!process.env.RunEnvironment) {
+    process.env.RunEnvironment = 'dev';
+  }
+  if (!(runEnvironments.includes(process.env.RunEnvironment as RunEnvironment))) {
+    throw new InternalServerError({message: `Invalid run environment ${app.runEnvironment}.`})
+  }
+  app.runEnvironment = process.env.RunEnvironment as RunEnvironment;
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     req.log.info({ url: req.raw.url }, "received request");

src/plugins/auth.ts

@@ -1,42 +1,113 @@
 import { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
-import { BaseError, UnauthenticatedError, UnauthorizedError } from "../errors/index.js";
-import { AppRoles } from "../roles.js";
+import { BaseError, InternalServerError, UnauthenticatedError, UnauthorizedError } from "../errors/index.js";
+import { AppRoles, RunEnvironment, runEnvironments } from "../roles.js";
+import jwksClient, {JwksClient} from "jwks-rsa";
+import jwt, { Algorithm } from "jsonwebtoken";
 
-// const GroupRoleMapping: Record<string, AppRoles[]> = {};
+const GroupRoleMapping: Record<RunEnvironment, Record<string, AppRoles[]>> = {
+  "prod": {"48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER]}, // Infra Chairs
+  "dev": {"48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER]}, // Infra Chairs
+};
+
+
+function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
+  let _intersection = new Set<T>();
+  for (let elem of setB) {
+      if (setA.has(elem)) {
+          _intersection.add(elem);
+      }
+  }
+  return _intersection;
+}
+
+
+type AadToken = {
+  aud: string;
+  iss: string;
+  iat: number;
+  nbf: number;
+  exp: number;
+  acr: string;
+  aio: string;
+  amr: string[];
+  appid: string;
+  appidacr: string;
+  email: string;
+  groups?: string[];
+  idp: string;
+  ipaddr: string;
+  name: string;
+  oid: string;
+  rh: string;
+  scp: string;
+  sub: string;
+  tid: string;
+  unique_name: string;
+  uti: string;
+  ver: string;
+}
 
 const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
   fastify.decorate(
-    "authenticate",
+    "authorize",
     async function (
       request: FastifyRequest,
       _reply: FastifyReply,
+      validRoles: AppRoles[],
     ): Promise<void> {
       try {
-        const clientId = process.env.AadValidClientId;
-        if (!clientId) {
-          throw new UnauthenticatedError({message: "Server could not find valid AAD Client ID."})
+        const AadClientId = process.env.AadValidClientId;
+        if (!AadClientId) {
+          request.log.error("Server is misconfigured, could not find `AadValidClientId`!")
+          throw new InternalServerError({message: "Server authentication is misconfigured, please contact your administrator."});
+        }
+        const authHeader = request.headers['authorization']
+        if (!authHeader) {
+          throw new UnauthenticatedError({"message": "Did not find bearer token in expected header."})
+        }
+        const [method, token] = authHeader.split(" ");
+        if (method != "Bearer") {
+          throw new UnauthenticatedError({"message": `Did not find bearer token, found ${method} token.`})
+        }
+        const decoded = jwt.decode(token, {complete: true})
+        const header = decoded?.header;
+        if (!header) {
+          throw new UnauthenticatedError({"message": "Could not decode token header."});
+        }
+        const verifyOptions = {algorithms: ['RS256' as Algorithm], header: decoded?.header, audience: `api://${AadClientId}`}
+        const client = jwksClient({
+          jwksUri: 'https://login.microsoftonline.com/common/discovery/keys'
+        });
+        const signingKey = (await client.getSigningKey(header.kid)).getPublicKey();
+        const verifiedTokenData = jwt.verify(token, signingKey, verifyOptions) as AadToken;
+        request.username = verifiedTokenData.email;
+        const userRoles = new Set([] as AppRoles[]);
+        const expectedRoles = new Set(validRoles)
+        if (verifiedTokenData.groups) {
+          for (const group of verifiedTokenData.groups) {
+            if (!GroupRoleMapping[fastify.runEnvironment][group]) {
+              continue;
+            }
+            for (const role of GroupRoleMapping[fastify.runEnvironment][group]) {
+              userRoles.add(role);
+            }
+          }
+        } else {
+          throw new UnauthenticatedError({message: "Could not find groups in token."})
+        }
+        if (intersection(userRoles, expectedRoles).size === 0) {
+          throw new UnauthorizedError({message: "User does not have the privileges for this task."})
         }
       } catch (err: unknown) {
         if (err instanceof BaseError) {
           throw err;
         }
-        throw new UnauthenticatedError({ message: "Could not verify JWT." });
-      }
-    },
-  );
-  fastify.decorate(
-    "authorize",
-    async function (
-      request: FastifyRequest,
-      _reply: FastifyReply,
-      _validRoles: AppRoles[],
-    ): Promise<void> {
-      try {
-        request.log.info("Authorizing JWT");
-      } catch (_: unknown) {
-        throw new UnauthorizedError({
-          message: "Could not get expected role.",
+        if (err instanceof Error) {
+          request.log.error("Failed to verify JWT: " + err.toString())
+        }
+        throw new UnauthenticatedError({
+          message: "Could not authenticate from token.",
         });
       }
     },

src/plugins/errorHandler.ts

@@ -1,7 +1,6 @@
 import fastify, { FastifyReply, FastifyRequest } from 'fastify';
 import fp from 'fastify-plugin';
 import { BaseError, InternalServerError, NotFoundError } from '../errors/index.js';
-import { request } from 'http';
 
 const errorHandlerPlugin = fp(async(fastify) => {
     fastify.setErrorHandler((err: unknown, request: FastifyRequest, reply: FastifyReply) => {

src/roles.ts

@@ -1,4 +1,6 @@
 /* eslint-disable import/prefer-default-export */
+export const runEnvironments = ['dev', 'prod'] as const;
+export type RunEnvironment = typeof runEnvironments[number];
 export enum AppRoles {
   MANAGER,
 }

src/routes/protected.ts

@@ -5,16 +5,14 @@ const protectedRoute: FastifyPluginAsync = async (fastify, _options) => {
   fastify.get(
     "/",
     {
-      onRequest: fastify.auth([
-        fastify.authenticate,
+      onRequest:
         async (request, reply) => {
-          fastify.authorize(request, reply, [AppRoles.MANAGER]);
-        },
-      ]),
+          await fastify.authorize(request, reply, [AppRoles.MANAGER]);
+        }
     },
     async (request, reply) => {
       reply.send({
-        message: "hi",
+        username: request.username,
       });
     },
   );

src/types.d.ts

@@ -1,5 +1,5 @@
 import { FastifyRequest, FastifyInstance, FastifyReply } from "fastify";
-import { AppRoles } from "./roles.ts";
+import { AppRoles, RunEnvironment } from "./roles.ts";
 declare module "fastify" {
   interface FastifyInstance {
     authenticate: (
@@ -11,9 +11,10 @@ declare module "fastify" {
       reply: FastifyReply,
       validRoles: AppRoles[],
     ) => Promise<void>;
-    runEnvironment: string;
+    runEnvironment: RunEnvironment;
   }
   interface FastifyRequest {
     startTime: number;
+    username?: string;
   }
 }

tsconfig.json

@@ -4,4 +4,7 @@
       "module": "Node16",
       "outDir": "dist",
   },
+  "ts-node": {
+    "esm": true
+  },
 }