enable custom jwt auth

Author: devksingh4

.eslintrc

@@ -1,5 +1,5 @@
 {
-  "extends": ["airbnb-base", "plugin:prettier/recommended", "plugin:@typescript-eslint/recommended"],
+  "extends": ["plugin:prettier/recommended", "plugin:@typescript-eslint/recommended"],
   "plugins": ["import"],
   "rules": {
     // turn on errors for missing imports

generate_jwt.js

@@ -0,0 +1,31 @@
+import jwt from 'jsonwebtoken';
+
+const payload = {
+    aud: "custom_jwt",
+    iss: "custom_jwt",
+    iat: Math.floor(Date.now() / 1000),
+    nbf: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + (3600 * 24), // Token expires after 24 hour
+    acr: "1",
+    aio: "AXQAi/8TAAAA",
+    amr: ["pwd"],
+    appid: "your-app-id",
+    appidacr: "1",
+    email: "[email protected]",
+    groups: ["0"],
+    idp: "https://login.microsoftonline.com",
+    ipaddr: "192.168.1.1",
+    name: "John Doe",
+    oid: "00000000-0000-0000-0000-000000000000",
+    rh: "rh-value",
+    scp: "user_impersonation",
+    sub: "subject",
+    tid: "tenant-id",
+    unique_name: "[email protected]",
+    uti: "uti-value",
+    ver: "1.0"
+};
+
+const secretKey = process.env.JwtSigningKey;
+const token = jwt.sign(payload, secretKey, { algorithm: 'HS256' });
+console.log(token)

package.json

@@ -23,7 +23,6 @@
     "@typescript-eslint/parser": "^8.0.1",
     "esbuild": "^0.23.0",
     "eslint": "^8.57.0",
-    "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-esnext": "^4.1.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-import-resolver-typescript": "^3.6.1",
@@ -35,6 +34,7 @@
     "typescript": "^5.5.4"
   },
   "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.624.0",
     "@fastify/auth": "^4.6.1",
     "@fastify/aws-lambda": "^4.1.0",
     "fastify": "^4.28.1",

src/errors/index.ts

@@ -24,8 +24,9 @@ export abstract class BaseError<T extends string> extends Error {
       Error.captureStackTrace(this, this.constructor);
     }
   }
+
   toString() {
-    return `Error ${this.id} (${this.name}): ${this.message}\n\n${this.stack}`
+    return `Error ${this.id} (${this.name}): ${this.message}\n\n${this.stack}`;
   }
 }
 
@@ -47,19 +48,20 @@ export class UnauthenticatedError extends BaseError<"UnauthenticatedError"> {
 }
 
 export class InternalServerError extends BaseError<"InternalServerError"> {
-  constructor({message}: {message?: string} = {}) {
+  constructor({ message }: { message?: string } = {}) {
     super({
       name: "InternalServerError",
       id: 100,
-      message: message || "An internal server error occurred. Please try again or contact support.",
+      message:
+        message ||
+        "An internal server error occurred. Please try again or contact support.",
       httpStatusCode: 500,
     });
   }
 }
 
-
 export class NotFoundError extends BaseError<"NotFoundError"> {
-  constructor({endpointName}: {endpointName: string}) {
+  constructor({ endpointName }: { endpointName: string }) {
     super({
       name: "NotFoundError",
       id: 103,

src/index.ts

@@ -28,10 +28,12 @@ async function init() {
   await app.register(FastifyAuthProvider);
   await app.register(errorHandlerPlugin);
   if (!process.env.RunEnvironment) {
-    process.env.RunEnvironment = 'dev';
+    process.env.RunEnvironment = "dev";
   }
-  if (!(runEnvironments.includes(process.env.RunEnvironment as RunEnvironment))) {
-    throw new InternalServerError({message: `Invalid run environment ${app.runEnvironment}.`})
+  if (!runEnvironments.includes(process.env.RunEnvironment as RunEnvironment)) {
+    throw new InternalServerError({
+      message: `Invalid run environment ${app.runEnvironment}.`,
+    });
   }
   app.runEnvironment = process.env.RunEnvironment as RunEnvironment;
   app.addHook("onRequest", (req, _, done) => {

src/plugins/auth.ts

@@ -1,28 +1,39 @@
 import { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
-import { BaseError, InternalServerError, UnauthenticatedError, UnauthorizedError } from "../errors/index.js";
-import { AppRoles, RunEnvironment, runEnvironments } from "../roles.js";
-import jwksClient, {JwksClient} from "jwks-rsa";
+import jwksClient from "jwks-rsa";
 import jwt, { Algorithm } from "jsonwebtoken";
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand,
+} from "@aws-sdk/client-secrets-manager";
+import { AppRoles, RunEnvironment } from "../roles.js";
+import {
+  BaseError,
+  InternalServerError,
+  UnauthenticatedError,
+  UnauthorizedError,
+} from "../errors/index.js";
 
+const CONFIG_SECRET_NAME = "infra-events-api-config" as const;
 const GroupRoleMapping: Record<RunEnvironment, Record<string, AppRoles[]>> = {
-  "prod": {"48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER]}, // Infra Chairs
-  "dev": {"48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER]}, // Infra Chairs
+  prod: { "48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER] }, // Infra Chairs
+  dev: {
+    "48591dbc-cdcb-4544-9f63-e6b92b067e33": [AppRoles.MANAGER], // Infra Chairs
+    "0": [AppRoles.MANAGER], // Dummy Group for development only
+  },
 };
 
-
 function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
-  let _intersection = new Set<T>();
-  for (let elem of setB) {
-      if (setA.has(elem)) {
-          _intersection.add(elem);
-      }
+  const _intersection = new Set<T>();
+  for (const elem of setB) {
+    if (setA.has(elem)) {
+      _intersection.add(elem);
+    }
   }
   return _intersection;
 }
 
-
-type AadToken = {
+export type AadToken = {
   aud: string;
   iss: string;
   iat: number;
@@ -46,7 +57,29 @@ type AadToken = {
   unique_name: string;
   uti: string;
   ver: string;
-}
+};
+const smClient = new SecretsManagerClient({
+  region: process.env.AWS_REGION || "us-east-1",
+});
+
+const getSecretValue = async (
+  secretId: string,
+): Promise<Record<string, string | number | boolean> | null> => {
+  const data = await smClient.send(
+    new GetSecretValueCommand({ SecretId: secretId }),
+  );
+  if (!data.SecretString) {
+    return null;
+  }
+  try {
+    return JSON.parse(data.SecretString) as Record<
+      string,
+      string | number | boolean
+    >;
+  } catch {
+    return null;
+  }
+};
 
 const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
   fastify.decorate(
@@ -57,57 +90,114 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
       validRoles: AppRoles[],
     ): Promise<void> {
       try {
-        const AadClientId = process.env.AadValidClientId;
-        if (!AadClientId) {
-          request.log.error("Server is misconfigured, could not find `AadValidClientId`!")
-          throw new InternalServerError({message: "Server authentication is misconfigured, please contact your administrator."});
-        }
-        const authHeader = request.headers['authorization']
+        const authHeader = request.headers.authorization;
         if (!authHeader) {
-          throw new UnauthenticatedError({"message": "Did not find bearer token in expected header."})
+          throw new UnauthenticatedError({
+            message: "Did not find bearer token in expected header.",
+          });
         }
         const [method, token] = authHeader.split(" ");
-        if (method != "Bearer") {
-          throw new UnauthenticatedError({"message": `Did not find bearer token, found ${method} token.`})
+        if (method !== "Bearer") {
+          throw new UnauthenticatedError({
+            message: `Did not find bearer token, found ${method} token.`,
+          });
         }
-        const decoded = jwt.decode(token, {complete: true})
-        const header = decoded?.header;
-        if (!header) {
-          throw new UnauthenticatedError({"message": "Could not decode token header."});
+        /* eslint-disable @typescript-eslint/no-explicit-any */
+        const decoded = jwt.decode(token, { complete: true }) as Record<
+          string,
+          any
+        >;
+        let signingKey = "";
+        let verifyOptions = {};
+        if (decoded?.payload.iss === "custom_jwt") {
+          if (fastify.runEnvironment === "prod") {
+            throw new UnauthenticatedError({
+              message: "Custom JWTs cannot be used in Prod environment.",
+            });
+          }
+          signingKey =
+            process.env.JwtSigningKey ||
+            (((await getSecretValue(CONFIG_SECRET_NAME)) || { jwt_key: "" })
+              .jwt_key as string) ||
+            "";
+          if (signingKey === "") {
+            throw new UnauthenticatedError({
+              message: "Invalid token.",
+            });
+          }
+          verifyOptions = { algorithms: ["HS256" as Algorithm] };
+        } else {
+          const AadClientId = process.env.AadValidClientId;
+          if (!AadClientId) {
+            request.log.error(
+              "Server is misconfigured, could not find `AadValidClientId`!",
+            );
+            throw new InternalServerError({
+              message:
+                "Server authentication is misconfigured, please contact your administrator.",
+            });
+          }
+          const header = decoded?.header;
+          if (!header) {
+            throw new UnauthenticatedError({
+              message: "Could not decode token header.",
+            });
+          }
+          verifyOptions = {
+            algorithms: ["RS256" as Algorithm],
+            header: decoded?.header,
+            audience: `api://${AadClientId}`,
+          };
+          const client = jwksClient({
+            jwksUri: "https://login.microsoftonline.com/common/discovery/keys",
+          });
+          signingKey = (await client.getSigningKey(header.kid)).getPublicKey();
         }
-        const verifyOptions = {algorithms: ['RS256' as Algorithm], header: decoded?.header, audience: `api://${AadClientId}`}
-        const client = jwksClient({
-          jwksUri: 'https://login.microsoftonline.com/common/discovery/keys'
-        });
-        const signingKey = (await client.getSigningKey(header.kid)).getPublicKey();
-        const verifiedTokenData = jwt.verify(token, signingKey, verifyOptions) as AadToken;
+
+        const verifiedTokenData = jwt.verify(
+          token,
+          signingKey,
+          verifyOptions,
+        ) as AadToken;
+        request.tokenPayload = verifiedTokenData;
         request.username = verifiedTokenData.email;
         const userRoles = new Set([] as AppRoles[]);
-        const expectedRoles = new Set(validRoles)
+        const expectedRoles = new Set(validRoles);
         if (verifiedTokenData.groups) {
           for (const group of verifiedTokenData.groups) {
             if (!GroupRoleMapping[fastify.runEnvironment][group]) {
               continue;
             }
-            for (const role of GroupRoleMapping[fastify.runEnvironment][group]) {
+            for (const role of GroupRoleMapping[fastify.runEnvironment][
+              group
+            ]) {
               userRoles.add(role);
             }
           }
         } else {
-          throw new UnauthenticatedError({message: "Could not find groups in token."})
+          throw new UnauthenticatedError({
+            message: "Could not find groups in token.",
+          });
         }
         if (intersection(userRoles, expectedRoles).size === 0) {
-          throw new UnauthorizedError({message: "User does not have the privileges for this task."})
+          throw new UnauthorizedError({
+            message: "User does not have the privileges for this task.",
+          });
         }
       } catch (err: unknown) {
         if (err instanceof BaseError) {
           throw err;
         }
+        if (err instanceof jwt.TokenExpiredError) {
+          throw new UnauthenticatedError({
+            message: "Token has expired.",
+          });
+        }
         if (err instanceof Error) {
-          request.log.error("Failed to verify JWT: " + err.toString())
+          request.log.error(`Failed to verify JWT: ${err.toString()}`);
         }
         throw new UnauthenticatedError({
-          message: "Could not authenticate from token.",
+          message: "Invalid token.",
         });
       }
     },