feat: default service-key for single tenant

Author: fenos

.env.sample

@@ -14,16 +14,12 @@ SERVER_REGION=region-of-where-your-service-is-running
 #######################################
 AUTH_JWT_SECRET=f023d3db-39dc-4ac9-87b2-b2be72e9162b
 AUTH_JWT_ALGORITHM=HS256
-AUTH_ENCRYPTION_KEY=encryptionkey
 
 
 #######################################
 # Single Tenant
 #######################################
 TENANT_ID=bjhaohmqunupljrqypxz
-ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYxMzUzMTk4NSwiZXhwIjoxOTI5MTA3OTg1fQ.mqfi__KnQB4v6PkIjkhzfwWrYyF94MEbSC6LnuvVniE
-SERVICE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjEzNTMxOTg1LCJleHAiOjE5MjkxMDc5ODV9.th84OKK0Iz8QchDyXZRrojmKSEZ-OuitQm_5DvLiSIc
-
 
 #######################################
 # Multi Tenancy
@@ -33,7 +29,8 @@ SERVICE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiw
 # MULTI_TENANT=true
 DATABASE_MULTITENANT_URL=postgresql://postgres:[email protected]:5433/postgres
 REQUEST_X_FORWARDED_HOST_REGEXP=
-ADMIN_API_KEYS=apikey
+SERVER_ADMIN_API_KEYS=apikey
+AUTH_ENCRYPTION_KEY=encryptionkey
 
 
 #######################################

docker-compose.yml

@@ -21,11 +21,7 @@ services:
       # Auth
       AUTH_JWT_SECRET: f023d3db-39dc-4ac9-87b2-b2be72e9162b
       AUTH_JWT_ALGORITHM: HS256
-      AUTH_ENCRYPTION_KEY: encryptionkey
       # Single tenant Mode
-      TENANT_ID: bjwdssmqcnupljrqypxz
-      ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYxMzUzMTk4NSwiZXhwIjoxOTI5MTA3OTg1fQ.mqfi__KnQB4v6PkIjkhzfwWrYyF94MEbSC6LnuvVniE
-      SERVICE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjEzNTMxOTg1LCJleHAiOjE5MjkxMDc5ODV9.th84OKK0Iz8QchDyXZRrojmKSEZ-OuitQm_5DvLiSIc
       DATABASE_URL: postgres://postgres:postgres@tenant_db:5432/postgres
       DATABASE_POOL_URL: postgresql://postgres:postgres@pg_bouncer:6432/postgres
       # Migrations

src/auth/jwt.ts

@@ -1,8 +1,7 @@
-import { getJwtSecret as getJwtSecretForTenant } from '../database/tenant'
 import jwt from 'jsonwebtoken'
 import { getConfig } from '../config'
 
-const { isMultitenant, jwtSecret, jwtAlgorithm } = getConfig()
+const { jwtAlgorithm } = getConfig()
 
 interface jwtInterface {
   sub?: string
@@ -21,19 +20,6 @@ export type SignedUploadToken = {
   exp: number
 }
 
-/**
- * Gets the JWT secret key from the env PGRST_JWT_SECRET when running in single-tenant
- * or querying the multi-tenant database by the given tenantId
- * @param tenantId
- */
-export async function getJwtSecret(tenantId: string): Promise<string> {
-  let secret = jwtSecret
-  if (isMultitenant) {
-    secret = await getJwtSecretForTenant(tenantId)
-  }
-  return secret
-}
-
 /**
  * Verifies if a JWT is valid
  * @param token

src/config.ts

@@ -1,4 +1,5 @@
 import dotenv from 'dotenv'
+import jwt from 'jsonwebtoken'
 
 export type StorageBackendType = 'file' | 's3'
 
@@ -8,7 +9,6 @@ type StorageConfigType = {
   headersTimeout: number
   adminApiKeys: string
   adminRequestIdHeader?: string
-  anonKey: string
   encryptionKey: string
   uploadFileSizeLimit: number
   uploadFileSizeLimitStandard?: number
@@ -162,8 +162,8 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     ),
 
     // Auth
-    anonKey: getOptionalIfMultitenantConfigFromEnv('ANON_KEY') || '',
-    serviceKey: getOptionalIfMultitenantConfigFromEnv('SERVICE_KEY') || '',
+    serviceKey: getOptionalConfigFromEnv('SERVICE_KEY') || '',
+
     encryptionKey: getOptionalConfigFromEnv('AUTH_ENCRYPTION_KEY', 'ENCRYPTION_KEY') || '',
     jwtSecret: getOptionalIfMultitenantConfigFromEnv('AUTH_JWT_SECRET', 'PGRST_JWT_SECRET') || '',
     jwtAlgorithm: getOptionalConfigFromEnv('AUTH_JWT_ALGORITHM', 'PGRST_JWT_ALGORITHM') || 'HS256',
@@ -330,5 +330,12 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     ),
   }
 
+  if (!config.isMultitenant && !config.serviceKey) {
+    config.serviceKey = jwt.sign({ role: config.dbServiceRole }, config.jwtSecret, {
+      expiresIn: '10y',
+      algorithm: config.jwtAlgorithm as jwt.Algorithm,
+    })
+  }
+
   return config
 }

src/database/tenant.ts

@@ -7,7 +7,7 @@ import { JwtPayload } from 'jsonwebtoken'
 import { PubSubAdapter } from '../pubsub'
 
 interface TenantConfig {
-  anonKey: string
+  anonKey?: string
   databaseUrl: string
   databasePoolUrl?: string
   maxConnections?: number
@@ -26,11 +26,23 @@ export interface Features {
   }
 }
 
-const { isMultitenant, serviceKey, jwtSecret } = getConfig()
+const { isMultitenant, dbServiceRole, serviceKey, jwtSecret } = getConfig()
 
 const tenantConfigCache = new Map<string, TenantConfig>()
 
-let singleTenantServiceKeyPayload: ({ role: string } & JwtPayload) | undefined = undefined
+const singleTenantServiceKey:
+  | {
+      jwt: string
+      payload: { role: string } & JwtPayload
+    }
+  | undefined = !isMultitenant
+  ? {
+      jwt: serviceKey,
+      payload: {
+        role: dbServiceRole,
+      },
+    }
+  : undefined
 
 /**
  * Runs migrations in a specific tenant
@@ -116,44 +128,22 @@ export async function getTenantConfig(tenantId: string): Promise<TenantConfig> {
   return config
 }
 
-/**
- * Get the anon key from the tenant config
- * @param tenantId
- */
-export async function getAnonKey(tenantId: string): Promise<string> {
-  const { anonKey } = await getTenantConfig(tenantId)
-  return anonKey
-}
-
 export async function getServiceKeyUser(tenantId: string) {
-  let serviceKeyPayload: { role?: string } | undefined
-  let tenantJwtSecret = jwtSecret
-  let tenantServiceKey = serviceKey
-
   if (isMultitenant) {
     const tenant = await getTenantConfig(tenantId)
-    serviceKeyPayload = tenant.serviceKeyPayload
-    tenantJwtSecret = tenant.jwtSecret
-    tenantServiceKey = tenant.serviceKey
-  } else {
-    serviceKeyPayload = await getSingleTenantServiceKeyPayload()
-  }
 
-  return {
-    jwt: tenantServiceKey,
-    payload: serviceKeyPayload,
-    jwtSecret: tenantJwtSecret,
+    return {
+      jwt: tenant.serviceKey,
+      payload: tenant.serviceKeyPayload,
+      jwtSecret: tenant.jwtSecret,
+    }
   }
-}
 
-export async function getSingleTenantServiceKeyPayload() {
-  if (singleTenantServiceKeyPayload) {
-    return singleTenantServiceKeyPayload
+  return {
+    jwt: singleTenantServiceKey!.jwt,
+    payload: singleTenantServiceKey!.payload,
+    jwtSecret: jwtSecret,
   }
-
-  singleTenantServiceKeyPayload = await verifyJWT(serviceKey, jwtSecret)
-
-  return singleTenantServiceKeyPayload
 }
 
 /**
@@ -170,7 +160,10 @@ export async function getServiceKey(tenantId: string): Promise<string> {
  * @param tenantId
  */
 export async function getJwtSecret(tenantId: string): Promise<string> {
-  const { jwtSecret } = await getTenantConfig(tenantId)
+  if (isMultitenant) {
+    const { jwtSecret } = await getTenantConfig(tenantId)
+    return jwtSecret
+  }
   return jwtSecret
 }
 

src/http/plugins/jwt.ts

@@ -1,6 +1,7 @@
 import fastifyPlugin from 'fastify-plugin'
 import { createResponse } from '../generic-routes'
-import { getJwtSecret, getOwner } from '../../auth'
+import { getOwner } from '../../auth'
+import { getJwtSecret } from '../../database/tenant'
 
 declare module 'fastify' {
   interface FastifyRequest {

src/http/routes/object/getSignedObject.ts

@@ -1,8 +1,9 @@
 import { FastifyInstance } from 'fastify'
 import { FromSchema } from 'json-schema-to-ts'
 import { getConfig } from '../../../config'
-import { getJwtSecret, SignedToken, verifyJWT } from '../../../auth'
+import { SignedToken, verifyJWT } from '../../../auth'
 import { StorageBackendError } from '../../../storage'
+import { getJwtSecret } from '../../../database/tenant'
 
 const { storageS3Bucket } = getConfig()
 

src/http/routes/object/uploadSignedObject.ts

@@ -1,7 +1,8 @@
 import { FastifyInstance } from 'fastify'
 import { FromSchema } from 'json-schema-to-ts'
-import { getJwtSecret, SignedUploadToken, verifyJWT } from '../../../auth'
+import { SignedUploadToken, verifyJWT } from '../../../auth'
 import { StorageBackendError } from '../../../storage'
+import { getJwtSecret } from '../../../database/tenant'
 
 const uploadSignedObjectParamsSchema = {
   type: 'object',

src/http/routes/render/renderSignedImage.ts

@@ -1,9 +1,10 @@
-import { getConfig } from '../../../config'
 import { FromSchema } from 'json-schema-to-ts'
 import { FastifyInstance } from 'fastify'
+import { getConfig } from '../../../config'
 import { ImageRenderer } from '../../../storage/renderer'
-import { getJwtSecret, SignedToken, verifyJWT } from '../../../auth'
+import { SignedToken, verifyJWT } from '../../../auth'
 import { StorageBackendError } from '../../../storage'
+import { getJwtSecret } from '../../../database/tenant'
 
 const { storageS3Bucket } = getConfig()
 

src/storage/object.ts

@@ -1,7 +1,7 @@
 import { StorageBackendAdapter, ObjectMetadata, withOptionalVersion } from './backend'
 import { Database, FindObjectFilters, SearchObjectOption } from './database'
 import { mustBeValidKey } from './limits'
-import { getJwtSecret, signJWT } from '../auth'
+import { signJWT } from '../auth'
 import { getConfig } from '../config'
 import { FastifyRequest } from 'fastify'
 import { Uploader } from './uploader'
@@ -15,6 +15,7 @@ import {
 } from '../queue'
 import { randomUUID } from 'crypto'
 import { StorageBackendError } from './errors'
+import { getJwtSecret } from '../database/tenant'
 
 export interface UploadObjectOptions {
   objectName: string

src/test/bucket.test.ts

@@ -1,11 +1,10 @@
 'use strict'
 import dotenv from 'dotenv'
 import app from '../app'
-import { getConfig } from '../config'
 import { S3Backend } from '../storage/backend'
 
 dotenv.config({ path: '.env.test' })
-const { anonKey } = getConfig()
+const anonKey = process.env.ANON_KEY || ''
 
 beforeAll(() => {
   jest.spyOn(S3Backend.prototype, 'deleteObjects').mockImplementation(() => {

src/test/object.test.ts

@@ -16,7 +16,8 @@ import { Knex } from 'knex'
 
 dotenv.config({ path: '.env.test' })
 
-const { anonKey, jwtSecret, serviceKey, tenantId } = getConfig()
+const { jwtSecret, serviceKey, tenantId } = getConfig()
+const anonKey = process.env.ANON_KEY || ''
 
 let tnx: Knex.Transaction | undefined
 async function getSuperuserPostgrestClient() {