Fix auth caching (#185)

Author: devksingh4

src/api/functions/authorization.ts

@@ -3,6 +3,10 @@ import { unmarshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "../../common/config.js";
 import { DatabaseFetchError } from "../../common/errors/index.js";
 import { allAppRoles, AppRoles } from "../../common/roles.js";
+import type Redis from "ioredis";
+import { AUTH_CACHE_PREFIX } from "api/plugins/auth.js";
+import type pino from "pino";
+import { type FastifyBaseLogger } from "fastify";
 
 export async function getUserRoles(
   dynamoClient: DynamoDBClient,
@@ -63,3 +67,27 @@ export async function getGroupRoles(
   }
   return items.roles as AppRoles[];
 }
+
+type ClearAuthCacheInput = {
+  redisClient: Redis.default;
+  username: string[];
+  logger: pino.Logger | FastifyBaseLogger;
+};
+export async function clearAuthCache({
+  redisClient,
+  username,
+  logger,
+}: ClearAuthCacheInput) {
+  logger.debug(`Clearing auth cache for: ${JSON.stringify(username)}.`);
+  const keys = (
+    await Promise.all(
+      username.map((x) => redisClient.keys(`${AUTH_CACHE_PREFIX}${x}*`)),
+    )
+  ).flat();
+  if (keys.length === 0) {
+    return 0;
+  }
+  const result = await redisClient.del(keys);
+  logger.debug(`Cleared ${result} auth cache keys.`);
+  return result;
+}

src/api/functions/entraId.ts

@@ -109,7 +109,9 @@ export async function getEntraIdToken({
         key: cacheKey,
         data: JSON.stringify({ token: result.accessToken }),
         expiresIn:
-          (result.expiresOn.getTime() - new Date().getTime()) / 1000 - 120, // get new token 2 min before expiry
+          Math.floor(
+            (result.expiresOn.getTime() - new Date().getTime()) / 1000,
+          ) - 120, // get new token 2 min before expiry
         encryptionSecret,
       });
     }
@@ -118,8 +120,9 @@ export async function getEntraIdToken({
     if (error instanceof BaseError) {
       throw error;
     }
+    logger.error(error);
     throw new InternalServerError({
-      message: `Failed to acquire token: ${error}`,
+      message: "Failed to acquire Entra ID token.",
     });
   }
 }

src/api/index.ts

@@ -48,6 +48,7 @@ import {
 import { ZodOpenApiVersion } from "zod-openapi";
 import { withTags } from "./components/index.js";
 import apiKeyRoute from "./routes/apiKey.js";
+import clearSessionRoute from "./routes/clearSession.js";
 import RedisModule from "ioredis";
 
 dotenv.config();
@@ -311,6 +312,7 @@ async function init(prettyPrint: boolean = false) {
       api.register(roomRequestRoutes, { prefix: "/roomRequests" });
       api.register(logsPlugin, { prefix: "/logs" });
       api.register(apiKeyRoute, { prefix: "/apiKey" });
+      api.register(clearSessionRoute, { prefix: "/clearSession" });
       if (app.runEnvironment === "dev") {
         api.register(vendingPlugin, { prefix: "/vending" });
       }

src/api/lambda.ts

@@ -17,7 +17,7 @@ const handler = async (event: APIGatewayEvent, context: Context) => {
     return "warmed";
   }
   // else proceed with handler logic
-  return realHandler(event, context).catch((e) => {
+  return await realHandler(event, context).catch((e) => {
     console.error(e);
     const newError = new InternalServerError({
       message: "Failed to initialize application.",

src/api/plugins/auth.ts

@@ -22,6 +22,8 @@ import { getGroupRoles, getUserRoles } from "../functions/authorization.js";
 import { getApiKeyData, getApiKeyParts } from "api/functions/apiKey.js";
 import { getKey, setKey } from "api/functions/redisCache.js";
 
+export const AUTH_CACHE_PREFIX = `authCache:`;
+
 export function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
   const _intersection = new Set<T>();
   for (const elem of setB) {
@@ -270,7 +272,7 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           verifiedTokenData.sub;
         const expectedRoles = new Set(validRoles);
         const cachedRoles = await getKey<string[]>({
-          key: `authCache:${request.username}:roles`,
+          key: `${AUTH_CACHE_PREFIX}${request.username}:roles`,
           redisClient,
           logger: request.log,
         });
@@ -326,7 +328,7 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           }
           request.userRoles = userRoles;
           setKey({
-            key: `authCache:${request.username}:roles`,
+            key: `${AUTH_CACHE_PREFIX}${request.username}:roles`,
             data: JSON.stringify([...userRoles]),
             redisClient,
             expiresIn: GENERIC_CACHE_SECONDS,

src/api/routes/clearSession.ts

@@ -0,0 +1,34 @@
+import { FastifyPluginAsync } from "fastify";
+import rateLimiter from "api/plugins/rateLimiter.js";
+import { withRoles, withTags } from "api/components/index.js";
+import { clearAuthCache } from "api/functions/authorization.js";
+
+const clearSessionPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: 10,
+    duration: 30,
+    rateLimitIdentifier: "clearSession",
+  });
+  fastify.post(
+    "",
+    {
+      schema: withRoles(
+        [],
+        withTags(["Generic"], {
+          summary: "Clear user's session (usually on logout).",
+          hide: true,
+        }),
+      ),
+      onRequest: fastify.authorizeFromSchema,
+    },
+    async (request, reply) => {
+      reply.status(201).send();
+      const username = [request.username!];
+      const { redisClient } = fastify;
+      const { log: logger } = fastify;
+      await clearAuthCache({ redisClient, username, logger });
+    },
+  );
+};
+
+export default clearSessionPlugin;

src/api/routes/iam.ts

@@ -32,7 +32,7 @@ import {
   EntraGroupActions,
   entraProfilePatchRequest,
 } from "../../common/types/iam.js";
-import { getGroupRoles } from "../functions/authorization.js";
+import { clearAuthCache, getGroupRoles } from "../functions/authorization.js";
 import { getRoleCredentials } from "api/functions/sts.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { createAuditLogEntry } from "api/functions/auditLog.js";
@@ -162,6 +162,14 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
       const groupId = (request.params as Record<string, string>).groupId;
       try {
         const timestamp = new Date().toISOString();
+        const entraIdToken = await getEntraIdToken({
+          clients: await getAuthorizedClients(),
+          clientId: fastify.environmentConfig.AadValidClientId,
+          secretName: genericConfig.EntraSecretName,
+          encryptionSecret: fastify.secretConfig.encryption_key,
+          logger: request.log,
+        });
+        const groupMembers = listGroupMembers(entraIdToken, groupId);
         const command = new PutItemCommand({
           TableName: `${genericConfig.IAMTablePrefix}-grouproles`,
           Item: marshall({
@@ -187,6 +195,13 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           request.body.roles,
           GENERIC_CACHE_SECONDS,
         );
+        const groupMemberEmails = (await groupMembers).map((x) => x.email);
+        await clearAuthCache({
+          redisClient: fastify.redisClient,
+          username: groupMemberEmails,
+          logger: request.log,
+        });
+        reply.send({ message: "OK" });
       } catch (e: unknown) {
         fastify.nodeCache.del(`grouproles-${groupId}`);
         if (e instanceof BaseError) {
@@ -198,7 +213,6 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not create group role mapping.",
         });
       }
-      reply.send({ message: "OK" });
     },
   );
   fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().post(
@@ -525,6 +539,14 @@ No action is required from you at this time.
           );
         }
       }
+      const allEmailsModified = response.success.map((x) => x.email);
+      const { redisClient } = fastify;
+      const { log: logger } = request;
+      await clearAuthCache({
+        redisClient,
+        username: allEmailsModified,
+        logger,
+      });
       await Promise.allSettled(logPromises);
       reply.status(202).send(response);
     },

src/common/config.ts

@@ -8,7 +8,7 @@ type ValueOrArray<T> = T | ArrayOfValueOrArray<T>;
 
 type AzureRoleMapping = Record<string, readonly AppRoles[]>;
 
-export const GENERIC_CACHE_SECONDS = 300;
+export const GENERIC_CACHE_SECONDS = 600;
 
 export type ConfigType = {
   UserFacingUrl: string;

src/ui/components/ProfileDropdown/index.tsx

@@ -19,6 +19,7 @@ import { useState } from "react";
 import { AuthContextData, useAuth } from "../AuthContext/index.js";
 import classes from "../Navbar/index.module.css";
 import { useNavigate } from "react-router-dom";
+import { useApi } from "@ui/util/api.js";
 
 interface ProfileDropdownProps {
   userData?: AuthContextData;
@@ -31,6 +32,7 @@ const AuthenticatedProfileDropdown: React.FC<ProfileDropdownProps> = ({
   const theme = useMantineTheme();
   const navigate = useNavigate();
   const { logout } = useAuth();
+  const api = useApi("core");
   if (!userData) {
     return null;
   }
@@ -129,6 +131,7 @@ const AuthenticatedProfileDropdown: React.FC<ProfileDropdownProps> = ({
             variant="outline"
             fullWidth
             onClick={async () => {
+              await api.post("/api/v1/clearSession");
               await logout();
             }}
           >

tests/unit/auth.test.ts

@@ -1,5 +1,4 @@
 import { expect, test, vi } from "vitest";
-import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import {
   secretObject,