chore: added expiry to jwt

chore: added stricter types

fix: rpc manifest

Author: aryanjassal

src/client/callers/authIdentityToken.ts

@@ -0,0 +1,12 @@
+import type { HandlerTypes } from '@matrixai/rpc';
+import type AuthIdentityToken from '../handlers/AuthIdentityToken.js';
+import { UnaryCaller } from '@matrixai/rpc';
+
+type CallerTypes = HandlerTypes<AuthIdentityToken>;
+
+const authIdentityToken = new UnaryCaller<
+  CallerTypes['input'],
+  CallerTypes['output']
+>();
+
+export default authIdentityToken;

src/client/callers/authSignToken.ts

@@ -4,7 +4,7 @@ import agentStop from './agentStop.js';
 import agentUnlock from './agentUnlock.js';
 import auditEventsGet from './auditEventsGet.js';
 import auditMetricGet from './auditMetricGet.js';
-import authSignToken from './authSignToken.js';
+import authIdentityToken from './authIdentityToken.js';
 import gestaltsActionsGetByIdentity from './gestaltsActionsGetByIdentity.js';
 import gestaltsActionsGetByNode from './gestaltsActionsGetByNode.js';
 import gestaltsActionsSetByIdentity from './gestaltsActionsSetByIdentity.js';
@@ -86,7 +86,7 @@ const clientManifest = {
   agentUnlock,
   auditEventsGet,
   auditMetricGet,
-  authSignToken,
+  authIdentityToken,
   gestaltsActionsGetByIdentity,
   gestaltsActionsGetByNode,
   gestaltsActionsSetByIdentity,
@@ -167,7 +167,7 @@ export {
   agentStop,
   agentUnlock,
   auditEventsGet,
-  authSignToken,
+  authIdentityToken,
   gestaltsActionsGetByIdentity,
   gestaltsActionsGetByNode,
   gestaltsActionsSetByIdentity,

src/client/callers/index.ts

@@ -28,6 +28,11 @@ class ErrorClientProtocolError<T> extends ErrorClient<T> {
   exitCode = sysexits.USAGE;
 }
 
+class ErrorClientAuthenticationInvalidJTI<T> extends ErrorClient<T> {
+  static description = 'Failed to generate JTI';
+  exitCode = sysexits.PROTOCOL;
+}
+
 class ErrorClientService<T> extends ErrorClient<T> {}
 
 class ErrorClientServiceRunning<T> extends ErrorClientService<T> {
@@ -50,22 +55,17 @@ class ErrorClientVerificationFailed<T> extends ErrorClientService<T> {
   exitCode = sysexits.USAGE;
 }
 
-class ErrorClientAuthenticationInvalidToken<T> extends ErrorClient<T> {
-  static description = 'Token is invalid';
-  exitCode = sysexits.PROTOCOL;
-}
-
 export {
   ErrorClient,
   ErrorClientAuthMissing,
   ErrorClientAuthFormat,
   ErrorClientAuthDenied,
   ErrorClientInvalidHeader,
   ErrorClientProtocolError,
+  ErrorClientAuthenticationInvalidJTI,
   ErrorClientService,
   ErrorClientServiceRunning,
   ErrorClientServiceNotRunning,
   ErrorClientServiceDestroyed,
   ErrorClientVerificationFailed,
-  ErrorClientAuthenticationInvalidToken,
 };

src/client/errors.ts

@@ -5,11 +5,13 @@ import type {
   TokenIdentityResponse,
 } from '../types.js';
 import type KeyRing from '../../keys/KeyRing.js';
+import { IdSortable } from '@matrixai/id';
 import { UnaryHandler } from '@matrixai/rpc';
 import Token from '../../tokens/Token.js';
 import * as nodesUtils from '../../nodes/utils.js';
+import * as clientErrors from '../errors.js';
 
-class AuthSignToken extends UnaryHandler<
+class AuthIdentityToken extends UnaryHandler<
   {
     keyRing: KeyRing;
   },
@@ -18,13 +20,19 @@ class AuthSignToken extends UnaryHandler<
 > {
   public handle = async (): Promise<TokenIdentityResponse> => {
     const { keyRing }: { keyRing: KeyRing } = this.container;
-    const tokenPayload: IdentityResponseData = {
-      nodeId: nodesUtils.encodeNodeId(keyRing.getNodeId()),
-    };
-    const outgoingToken = Token.fromPayload<IdentityResponseData>(tokenPayload);
+    const idGen = new IdSortable();
+    const jti = idGen.next().value;
+    if (jti == null) {
+      throw new clientErrors.ErrorClientAuthenticationInvalidJTI();
+    }
+    const outgoingToken = Token.fromPayload<IdentityResponseData>({
+      jti: jti.toMultibase('base64'),
+      exp: Math.floor(Date.now() / 1000) + 60, // 60 seconds after issuing
+      iss: nodesUtils.encodeNodeId(keyRing.getNodeId()),
+    });
     outgoingToken.signWithPrivateKey(keyRing.keyPair);
     return outgoingToken.toEncoded();
   };
 }
 
-export default AuthSignToken;
+export default AuthIdentityToken;

src/client/handlers/AuthSignToken.ts src/client/handlers/AuthIdentityToken.tssrc/client/handlers/AuthSignToken.ts renamed to src/client/handlers/AuthIdentityToken.ts

@@ -22,7 +22,7 @@ import AgentStop from './AgentStop.js';
 import AgentUnlock from './AgentUnlock.js';
 import AuditEventsGet from './AuditEventsGet.js';
 import AuditMetricGet from './AuditMetricGet.js';
-import AuthSignToken from './AuthSignToken.js';
+import AuthIdentityToken from './AuthIdentityToken.js';
 import GestaltsActionsGetByIdentity from './GestaltsActionsGetByIdentity.js';
 import GestaltsActionsGetByNode from './GestaltsActionsGetByNode.js';
 import GestaltsActionsSetByIdentity from './GestaltsActionsSetByIdentity.js';
@@ -123,7 +123,7 @@ const serverManifest = (container: {
     agentUnlock: new AgentUnlock(container),
     auditEventsGet: new AuditEventsGet(container),
     auditMetricGet: new AuditMetricGet(container),
-    authSignToken: new AuthSignToken(container),
+    authIdentityToken: new AuthIdentityToken(container),
     gestaltsActionsGetByIdentity: new GestaltsActionsGetByIdentity(container),
     gestaltsActionsGetByNode: new GestaltsActionsGetByNode(container),
     gestaltsActionsSetByIdentity: new GestaltsActionsSetByIdentity(container),
@@ -210,7 +210,7 @@ export {
   AgentUnlock,
   AuditEventsGet,
   AuditMetricGet,
-  AuthSignToken,
+  AuthIdentityToken,
   GestaltsActionsGetByIdentity,
   GestaltsActionsGetByNode,
   GestaltsActionsSetByIdentity,

src/client/handlers/index.ts

@@ -109,7 +109,9 @@ type TokenMessage = {
 };
 
 type IdentityResponseData = TokenPayload & {
-  nodeId: NodeIdEncoded;
+  jti: string;
+  exp: number;
+  iss: NodeIdEncoded;
 };
 
 type TokenIdentityResponse = SignedTokenEncoded;

src/client/types.ts

@@ -7,17 +7,17 @@ import Logger, { formatting, LogLevel, StreamHandler } from '@matrixai/logger';
 import { RPCClient } from '@matrixai/rpc';
 import { WebSocketClient } from '@matrixai/ws';
 import * as testsUtils from '../../utils/index.js';
-import { AuthSignToken } from '#client/handlers/index.js';
-import { authSignToken } from '#client/callers/index.js';
+import { AuthIdentityToken } from '#client/handlers/index.js';
+import { authIdentityToken } from '#client/callers/index.js';
 import KeyRing from '#keys/KeyRing.js';
 import Token from '#tokens/Token.js';
 import ClientService from '#client/ClientService.js';
 import * as keysUtils from '#keys/utils/index.js';
 import * as networkUtils from '#network/utils.js';
 import * as nodesUtils from '#nodes/utils.js';
 
-describe('authSignToken', () => {
-  const logger = new Logger('authSignToken test', LogLevel.WARN, [
+describe('authIdentityToken', () => {
+  const logger = new Logger('authIdentityToken test', LogLevel.WARN, [
     new StreamHandler(
       formatting.format`${formatting.level}:${formatting.keys}:${formatting.msg}`,
     ),
@@ -30,7 +30,7 @@ describe('authSignToken', () => {
   let clientService: ClientService;
   let webSocketClient: WebSocketClient;
   let rpcClient: RPCClient<{
-    authSignToken: typeof authSignToken;
+    authIdentityToken: typeof authIdentityToken;
   }>;
 
   beforeEach(async () => {
@@ -53,7 +53,7 @@ describe('authSignToken', () => {
     });
     await clientService.start({
       manifest: {
-        authSignToken: new AuthSignToken({
+        authIdentityToken: new AuthIdentityToken({
           keyRing,
         }),
       },
@@ -69,7 +69,7 @@ describe('authSignToken', () => {
     });
     rpcClient = new RPCClient({
       manifest: {
-        authSignToken,
+        authIdentityToken,
       },
       streamFactory: () => webSocketClient.connection.newStream(),
       toError: networkUtils.toError,
@@ -89,11 +89,13 @@ describe('authSignToken', () => {
   });
 
   test('should return a signed token', async () => {
-    const identityToken = await rpcClient.methods.authSignToken({});
+    const identityToken = await rpcClient.methods.authIdentityToken({});
     const decodedToken = Token.fromEncoded<IdentityResponseData>(identityToken);
     const decodedPublicKey = keysUtils.publicKeyFromNodeId(keyRing.getNodeId());
     expect(decodedToken.verifyWithPublicKey(decodedPublicKey)).toBeTrue();
     const encodedNodeId = nodesUtils.encodeNodeId(keyRing.getNodeId());
-    expect(decodedToken.payload.nodeId).toBe(encodedNodeId);
+    expect(decodedToken.payload.iss).toBe(encodedNodeId);
+    expect(decodedToken.payload.exp).toBeDefined();
+    expect(decodedToken.payload.jti).toBeDefined();
   });
 });