Merge pull request #372 from developmentseed/fix/token-validation

Token Validation for API calls, fix #354

Author: kamicut

.env.test

@@ -2,4 +2,5 @@ NEXTAUTH_URL=http://127.0.0.1:3000
 NEXTAUTH_SECRET=next-auth-cypress-secret
 DATABASE_URL=postgres://postgres:postgres@localhost:5434/osm-teams-test
 TESTING=true
-LOG_LEVEL=silent
+LOG_LEVEL=silent
+AUTH_URL=http://127.0.0.1:3000

next.config.js

@@ -11,21 +11,14 @@ module.exports = {
       process.env.OSM_API ||
       process.env.OSM_DOMAIN ||
       'https://www.openstreetmap.org',
-    OSM_HYDRA_ID: process.env.OSM_HYDRA_ID || 'manage',
-    OSM_HYDRA_SECRET: process.env.OSM_HYDRA_SECRET || 'manage-secret',
-    OSM_CONSUMER_KEY: process.env.OSM_CONSUMER_KEY,
-    OSM_CONSUMER_SECRET: process.env.OSM_CONSUMER_SECRET,
-    HYDRA_TOKEN_HOST: process.env.HYDRA_TOKEN_HOST || 'http://localhost:4444',
-    HYDRA_TOKEN_PATH: process.env.HYDRA_TOKEN_PATH || '/oauth2/token',
-    HYDRA_AUTHZ_HOST: process.env.HYDRA_AUTHZ_HOST || 'http://localhost:4444',
-    HYDRA_AUTHZ_PATH: process.env.HYDRA_AUTHZ_PATH || '/oauth2/auth',
-    HYDRA_ADMIN_HOST: process.env.HYDRA_ADMIN_HOST || 'http://localhost:4445',
   },
   basePath: process.env.BASE_PATH || '',
   env: {
     APP_URL: process.env.APP_URL || vercelUrl || 'http://127.0.0.1:3000',
     OSM_NAME: process.env.OSM_NAME || 'OSM',
     BASE_PATH: process.env.BASE_PATH || '',
+    HYDRA_URL: process.env.HYDRA_URL || 'https://auth.mapping.team/hyauth',
+    AUTH_URL: process.env.AUTH_URL || 'https://auth.mapping.team',
   },
   eslint: {
     dirs: [

src/middlewares/base-handler.js

@@ -1,6 +1,7 @@
 import nc from 'next-connect'
 import logger from '../lib/logger'
 import { getToken } from 'next-auth/jwt'
+import Boom from '@hapi/boom'
 
 /**
  * This file contains the base handler to be used in all API routes.
@@ -57,9 +58,40 @@ export function createBaseHandler() {
 
   // Add session to request
   baseHandler.use(async (req, res, next) => {
-    const token = await getToken({ req })
-    if (token) {
-      req.session = { user_id: token.userId || token.sub }
+    /** Handle authorization using either Bearer token auth or
+     * using the next-auth session
+     */
+    if (req.headers.authorization) {
+      // introspect the token
+      const [type, token] = req.headers.authorization.split(' ')
+      if (type !== 'Bearer') {
+        throw Boom.badRequest(
+          'Authorization scheme not supported. Only Bearer scheme is supported'
+        )
+      } else {
+        const result = await fetch(`${process.env.AUTH_URL}/api/introspect`, {
+          method: 'POST',
+          headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            token: token,
+          }),
+        }).then((response) => {
+          return response.json()
+        })
+        if (result && result.active) {
+          req.session = { user_id: result.sub }
+        } else {
+          throw Boom.badRequest('Invalid token')
+        }
+      }
+    } else {
+      const token = await getToken({ req })
+      if (token) {
+        req.session = { user_id: token.userId || token.sub }
+      }
     }
     next()
   })

src/middlewares/can/authenticated.js

@@ -0,0 +1,19 @@
+import Boom from '@hapi/boom'
+
+/**
+ * Authenticated
+ *
+ * To view this route you must be authenticated
+ *
+ * @returns {Promise<boolean>}
+ */
+export default async function isAuthenticated(req, res, next) {
+  const userId = req.session?.user_id
+
+  // Must be owner or manager
+  if (!userId) {
+    throw Boom.unauthorized()
+  } else {
+    next()
+  }
+}

src/pages/api/auth/[...nextauth].js

@@ -9,8 +9,7 @@ export const authOptions = {
       id: 'osm-teams',
       name: 'OSM Teams',
       type: 'oauth',
-      wellKnown:
-        'https://auth.mapping.team/hyauth/.well-known/openid-configuration',
+      wellKnown: `${process.env.HYDRA_URL}/.well-known/openid-configuration`,
       authorization: { params: { scope: 'openid offline' } },
       idToken: true,
       async profile(profile) {

src/pages/api/introspect.js

@@ -0,0 +1,24 @@
+const { decode } = require('next-auth/jwt')
+/**
+ * !! This function is only used for testing
+ * purposes, it mocks the hydra access token introspection
+ */
+export default async function handler(req, res) {
+  if (req.method === 'POST') {
+    // Process a POST request
+    const { token } = req.body
+    const decodedToken = await decode({
+      token,
+      secret: process.env.NEXT_AUTH_SECRET,
+    })
+
+    const result = {
+      active: true,
+      sub: decodedToken.userId,
+    }
+
+    res.status(200).json(result)
+  } else {
+    res.status(400)
+  }
+}

src/pages/api/my/teams.js

@@ -2,6 +2,7 @@ import * as Yup from 'yup'
 import Team from '../../../models/team'
 import { createBaseHandler } from '../../../middlewares/base-handler'
 import { validate } from '../../../middlewares/validation'
+import isAuthenticated from '../../../middlewares/can/authenticated'
 
 const handler = createBaseHandler()
 
@@ -26,6 +27,7 @@ const handler = createBaseHandler()
  *                   $ref: '#/components/schemas/ArrayOfTeams'
  */
 handler.get(
+  isAuthenticated,
   validate({
     query: Yup.object({
       page: Yup.number().min(0).integer(),

tests/api/team-api.test.js

@@ -4,9 +4,11 @@ const { resetDb, disconnectDb } = require('../utils/db-helpers')
 const createAgent = require('../utils/create-agent')
 
 let user1Agent
+let user1HttpAgent
 test.before(async () => {
   await resetDb()
   user1Agent = await createAgent({ id: 1 })
+  user1HttpAgent = await createAgent({ id: 1, http: true })
 })
 
 test.after.always(disconnectDb)
@@ -252,7 +254,13 @@ test('get my teams list', async (t) => {
       data: teams,
     },
   } = await user1Agent.get(`/api/my/teams`).expect(200)
+
   t.is(total, 2)
   t.is(teams[0].name, 'Team 1')
   t.is(teams[1].name, 'Team 2')
+
+  const httpApiResponse = await user1HttpAgent.get(`/api/my/teams`).expect(200)
+
+  // Has to be the same
+  t.deepEqual(httpApiResponse.body.data, teams)
 })

tests/utils/create-agent.js

@@ -1,13 +1,16 @@
 const getSessionToken = require('./get-session-token')
 
-async function createAgent(user) {
+async function createAgent(user, http = false) {
   const agent = require('supertest').agent('http://localhost:3000')
 
   if (user) {
     const encryptedToken = await getSessionToken(
       user,
       process.env.NEXTAUTH_SECRET
     )
+    if (http) {
+      agent.set('Authorization', `Bearer ${encryptedToken}`)
+    }
     agent.set('Cookie', [`next-auth.session-token=${encryptedToken}`])
   }
 

tests/utils/get-session-token.js

@@ -5,7 +5,7 @@ async function getSessionToken(userObj, secret) {
   const token = { ...userObj, userId: userObj.id }
 
   // Function logic derived from https://github.com/nextauthjs/next-auth/blob/5c1826a8d1f8d8c2d26959d12375704b0a693bfc/packages/next-auth/src/jwt/index.ts#L113-L121
-  const encryptionSecret = await await hkdf(
+  const encryptionSecret = await hkdf(
     'sha256',
     secret,
     '',