decouples token extraction and authentication

Author: albinrm

core/src/app.ts

@@ -10,6 +10,7 @@ import { routes as healthRoutes } from './services/health-service'
 import { logger, loggerMiddlewares } from '@onecore/utilities'
 import { koaSwagger } from 'koa2-swagger-ui'
 import { routes as swagggerRoutes } from './services/swagger'
+import { extractToken } from './middlewares/extract-token'
 import { requireAuth, requireRole } from './middlewares/keycloak-auth'
 
 const app = new Koa()
@@ -52,7 +53,10 @@ healthRoutes(publicRouter)
 swagggerRoutes(publicRouter)
 app.use(publicRouter.routes())
 
-// Unified authentication (cookie + Basic Auth)
+// Token extraction (cookie -> Bearer -> Basic Auth)
+app.use(extractToken)
+
+// Authentication — verifies the extracted token
 app.use(requireAuth)
 
 // Role-based authorization

core/src/middlewares/extract-token.ts

@@ -0,0 +1,141 @@
+import { Context, Next } from 'koa'
+import axios from 'axios'
+import auth from '../services/auth-service/keycloak'
+import config from '../common/config'
+import { logger } from '@onecore/utilities'
+
+/**
+ * Exchange Basic Auth credentials with Keycloak using client_credentials grant.
+ * Takes the raw base64-encoded credentials from the Basic header.
+ * Returns the access_token JWT string, or undefined on failure.
+ */
+async function exchangeBasicForToken(
+  ctx: Context,
+  base64Credentials: string
+): Promise<string | undefined> {
+  const credentialsString = Buffer.from(base64Credentials, 'base64').toString(
+    'utf-8'
+  )
+  const separatorIndex = credentialsString.indexOf(':')
+
+  if (separatorIndex === -1) {
+    ctx.status = 401
+    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
+    ctx.body = { message: 'Invalid Basic Auth format' }
+    return undefined
+  }
+
+  const clientId = credentialsString.slice(0, separatorIndex)
+  const clientSecret = credentialsString.slice(separatorIndex + 1)
+
+  if (!clientId || !clientSecret) {
+    ctx.status = 401
+    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
+    ctx.body = { message: 'Missing client credentials' }
+    return undefined
+  }
+
+  const tokenEndpoint = `${config.auth.keycloak.url}/realms/${config.auth.keycloak.realm}/protocol/openid-connect/token`
+
+  try {
+    const params = new URLSearchParams({
+      grant_type: 'client_credentials',
+      client_id: clientId,
+      client_secret: clientSecret,
+    }).toString()
+
+    const response = await axios.post(tokenEndpoint, params, {
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      timeout: 10000,
+    })
+
+    const accessToken = response.data.access_token
+    if (!accessToken) {
+      logger.error('Keycloak returned success but no access_token')
+      ctx.status = 401
+      ctx.body = { message: 'Invalid credentials' }
+      return undefined
+    }
+
+    return accessToken
+  } catch (err) {
+    logger.error(
+      { err, clientId },
+      'Service account authentication failed — Keycloak rejected credentials'
+    )
+    ctx.status = 401
+    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
+    ctx.body = { message: 'Invalid credentials' }
+    return undefined
+  }
+}
+
+// --- Token extraction middlewares ---
+// Each one tries to set ctx.state.accessToken from its source,
+// then delegates to the next extractor if it didn't find anything.
+
+async function extractCookieToken(ctx: Context, next: Next) {
+  let token = ctx.cookies.get('auth_token')
+  if (!token) return next()
+
+  // Proactive token refresh
+  const refreshToken = ctx.cookies.get('refresh_token')
+  if (refreshToken && auth.isTokenExpiringSoon(token, 60)) {
+    try {
+      const newTokens = await auth.refreshAccessToken(refreshToken)
+      auth.tokenService.setCookies(ctx, newTokens)
+      token = newTokens.access_token
+    } catch (refreshError) {
+      logger.error(
+        refreshError,
+        'Token refresh failed, falling back to existing token'
+      )
+    }
+  }
+
+  ctx.state.accessToken = token
+  await next()
+}
+
+async function extractBasicAuthToken(ctx: Context, next: Next) {
+  if (ctx.state.accessToken) return next()
+
+  const authHeader = ctx.get('Authorization')
+  if (!authHeader?.startsWith('Basic ')) return next()
+
+  const token = await exchangeBasicForToken(
+    ctx,
+    authHeader.slice('Basic '.length)
+  )
+  if (token) {
+    ctx.state.accessToken = token
+  }
+  await next()
+}
+
+async function extractBearerToken(ctx: Context, next: Next) {
+  if (ctx.state.accessToken) return next()
+
+  const authHeader = ctx.get('Authorization')
+  if (authHeader?.startsWith('Bearer ')) {
+    ctx.state.accessToken = authHeader.slice('Bearer '.length)
+  }
+  await next()
+}
+
+/**
+ * Middleware that tries to extract a token from multiple sources (in order):
+ *   1. Cookie (auth_token)
+ *   2. Basic Auth (exchanged for Keycloak token)
+ *   3. Bearer header
+ *
+ * Sets ctx.state.accessToken from the first matching source.
+ * Token verification (Keycloak JWKS / legacy JWT) happens in requireAuth.
+ */
+export const extractToken = async (ctx: Context, next: Next) => {
+  await extractCookieToken(ctx, async () => {
+    await extractBasicAuthToken(ctx, async () => {
+      await extractBearerToken(ctx, next)
+    })
+  })
+}

core/src/middlewares/keycloak-auth.ts

@@ -1,138 +1,25 @@
+import assert from 'node:assert'
 import { Context, Next } from 'koa'
-import axios from 'axios'
 import jwt from 'jsonwebtoken'
 import auth from '../services/auth-service/keycloak'
 import config from '../common/config'
 import { logger } from '@onecore/utilities'
 
 /**
- * Exchange Basic Auth credentials with Keycloak using client_credentials grant.
- * Returns the access_token JWT string, or null if the exchange fails
- * (in which case ctx.status and ctx.body are already set).
+ * Middleware to protect routes. Must run after extractToken.
+ * Verifies the token (Keycloak JWKS, with legacy JWT fallback) and sets ctx.state.user.
  */
-async function exchangeBasicForToken(
-  ctx: Context
-): Promise<string | undefined> {
-  const authHeader = ctx.get('Authorization')
-  if (!authHeader?.startsWith('Basic ')) return undefined
-
-  const base64Credentials = authHeader.slice('Basic '.length)
-  const credentialsString = Buffer.from(base64Credentials, 'base64').toString(
-    'utf-8'
-  )
-  const separatorIndex = credentialsString.indexOf(':')
-
-  if (separatorIndex === -1) {
-    ctx.status = 401
-    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
-    ctx.body = { message: 'Invalid Basic Auth format' }
-    return undefined
-  }
-
-  const clientId = credentialsString.slice(0, separatorIndex)
-  const clientSecret = credentialsString.slice(separatorIndex + 1)
-
-  if (!clientId || !clientSecret) {
-    ctx.status = 401
-    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
-    ctx.body = { message: 'Missing client credentials' }
-    return undefined
-  }
-
-  const tokenEndpoint = `${config.auth.keycloak.url}/realms/${config.auth.keycloak.realm}/protocol/openid-connect/token`
-
-  try {
-    const params = new URLSearchParams({
-      grant_type: 'client_credentials',
-      client_id: clientId,
-      client_secret: clientSecret,
-    }).toString()
-
-    const response = await axios.post(tokenEndpoint, params, {
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      timeout: 10000,
-    })
-
-    const accessToken = response.data.access_token
-    if (!accessToken) {
-      logger.error('Keycloak returned success but no access_token')
-      ctx.status = 401
-      ctx.body = { message: 'Invalid credentials' }
-      return undefined
-    }
+export const requireAuth = async (ctx: Context, next: Next) => {
+  const accessToken: string | undefined = ctx.state.accessToken
 
-    return accessToken
-  } catch (err) {
-    logger.error(
-      { err, clientId },
-      'Service account authentication failed — Keycloak rejected credentials'
-    )
+  if (!accessToken) {
     ctx.status = 401
-    ctx.set('WWW-Authenticate', `Basic realm="${config.auth.keycloak.realm}"`)
-    ctx.body = { message: 'Invalid credentials' }
-    return undefined
-  }
-}
-
-/**
- * Try legacy Bearer JWT authentication (tokens from /auth/generatetoken).
- * Returns true if the request was authenticated, false otherwise.
- */
-async function tryLegacyBearerAuth(ctx: Context, next: Next): Promise<boolean> {
-  const authHeader = ctx.get('Authorization')
-  if (!authHeader?.startsWith('Bearer ')) return false
-
-  const token = authHeader.slice('Bearer '.length)
-  const decoded = jwt.verify(token, config.auth.secret) as {
-    sub: string
-    username: string
-  }
-  ctx.state.user = {
-    id: decoded.sub,
-    username: decoded.username,
-    source: 'legacy-jwt',
-    // REMOVE WHEN INTERNAL PORTAL USES KEYCLOAK
-    realm_access: { roles: ['api-access'] },
-    //TODO: Fix auth in internal portal to use keycloak! we cannot support roles in legacy tokens without a major refactor, so we just give them api-access for now
+    ctx.body = { message: 'Authentication required' }
+    return
   }
-  await next()
-  return true
-}
 
-// Middleware to protect routes with proactive token refresh, Basic Auth, and legacy Bearer JWT support
-export const requireAuth = async (ctx: Context, next: Next) => {
   try {
-    let accessToken =
-      ctx.cookies.get('auth_token') ?? (await exchangeBasicForToken(ctx))
-
-    if (!accessToken) {
-      if (await tryLegacyBearerAuth(ctx, next)) return
-
-      if (ctx.status !== 401) {
-        ctx.status = 401
-        ctx.body = { message: 'Authentication required' }
-      }
-      return
-    }
-
-    // Proactive token refresh (cookie path only)
-    const refreshToken = ctx.cookies.get('refresh_token')
-    if (refreshToken && auth.isTokenExpiringSoon(accessToken, 60)) {
-      try {
-        const newTokens = await auth.refreshAccessToken(refreshToken)
-        auth.tokenService.setCookies(ctx, newTokens)
-        accessToken = newTokens.access_token
-      } catch (refreshError) {
-        logger.error(
-          refreshError,
-          'Token refresh failed, falling back to existing token'
-        )
-      }
-    }
-
-    // Single verification path for all token sources
     const verifiedToken = await auth.jwksService.verifyToken(accessToken)
-
     ctx.state.user = {
       id: verifiedToken.sub,
       email: verifiedToken.email,
@@ -141,7 +28,24 @@ export const requireAuth = async (ctx: Context, next: Next) => {
       source: 'keycloak',
       realm_access: verifiedToken.realm_access,
     }
+    return next()
+  } catch {
+    // Not a Keycloak token — try legacy JWT. TODO: Remove legacy JWT use in the codebase
+  }
 
+  try {
+    const decoded = jwt.verify(accessToken, config.auth.secret) as {
+      sub: string
+      username: string
+    }
+    ctx.state.user = {
+      id: decoded.sub,
+      username: decoded.username,
+      source: 'legacy-jwt',
+      // REMOVE WHEN INTERNAL PORTAL USES KEYCLOAK
+      realm_access: { roles: ['api-access'] },
+      //TODO: Fix auth in internal portal to use keycloak! we cannot support roles in legacy tokens without a major refactor, so we just give them api-access for now
+    }
     return next()
   } catch (error) {
     logger.error(error, 'Authentication error:')
@@ -151,11 +55,16 @@ export const requireAuth = async (ctx: Context, next: Next) => {
 }
 
 // Middleware to check for specific Keycloak realm roles.
-// Must run after requireAuth (ctx.state.user must already be set).
+// Must run after requireAuth.
 export const requireRole = (requiredRoles: string | string[]) => {
   const roles = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles]
 
   return async (ctx: Context, next: Next) => {
+    assert(
+      ctx.state.user,
+      'requireRole middleware must run after requireAuth — ctx.state.user is not set'
+    )
+
     try {
       const userRoles: string[] = ctx.state.user?.realm_access?.roles || []
       const hasRequiredRole = roles.some((role) => userRoles.includes(role))

core/src/services/auth-service/index.ts

@@ -5,6 +5,7 @@ import { logger } from '@onecore/utilities'
 import hash from './hash'
 import { createToken } from './jwt'
 import auth from './keycloak'
+import { extractToken } from '../../middlewares/extract-token'
 import { requireAuth } from '../../middlewares/keycloak-auth'
 
 /**
@@ -235,7 +236,7 @@ export const routes = (router: KoaRouter) => {
    *       '401':
    *         description: Unauthorized
    */
-  router.get('(.*)/auth/profile', requireAuth, async (ctx) => {
+  router.get('(.*)/auth/profile', extractToken, requireAuth, async (ctx) => {
     ctx.body = ctx.state.user
   })