feat: generate JWT for authenticating history queries

Users request device history from the hello.nrfcloud.com backend API, and
since the hello.nrfcloud.com/map backend "knows" about shared devices, it
creates a JWT that will be passed with history requests to the
hello.nrfcloud.com backend which then uses the hello.nrfcloud.com/map backend
public key to verify the authenticity of the request.

Author: coderbyheart

.github/workflows/test-and-release.yaml

@@ -207,6 +207,8 @@ jobs:
           ./cli.sh configure-nrfcloud-account apiKey apiKey_Nordic
           ./cli.sh configure-hello apiEndpoint ${{ env.HTTP_API_MOCK_API_URL }}hello-api/
 
+      - run: ./cli.sh generate-jwt-keypair
+
       - name: Deploy solution stack
         env:
           IS_TEST: 1

README.md

@@ -37,6 +37,21 @@ Provide your nRF Cloud API key:
 ./cli.sh configure-nrfcloud-account apiKey <API key>
 ```
 
+#### Keypair for signing history request
+
+The history is persisted in the
+[`backend`](https://github.com/hello-nrfcloud/backend), and the frontend
+requests device history using the same API as the
+[web application](https://github.com/hello-nrfcloud/web), however since public
+devices don't have a fingerprint, a JWT is created for public devices by the map
+backend, which is then used by the backend to authenticate history requests for
+devices. The following command installs a JWT keypair, and the public key is
+published at <https://api.nordicsemi.world/.well-known/jwks.json>.
+
+```bash
+./cli.sh generate-jwt-keypair
+```
+
 ### Build the docker images
 
 Some of the feature are run from docker containers, ensure they have been built

cdk/BackendStack.ts

@@ -22,6 +22,7 @@ import {
 	CustomDomain,
 	type CustomDomainDetails,
 } from './resources/api/CustomDomain.js'
+import { JWKS } from './resources/JWKS.js'
 
 /**
  * Provides resources for the backend serving data to hello.nrfcloud.com/map
@@ -34,6 +35,7 @@ export class BackendStack extends Stack {
 			apiDomain,
 			layer,
 			cdkLayer,
+			jwtLayer,
 			lambdaSources,
 			openSSLLambdaContainerTag,
 			repository,
@@ -43,6 +45,7 @@ export class BackendStack extends Stack {
 			apiDomain?: CustomDomainDetails
 			layer: PackedLayer
 			cdkLayer: PackedLayer
+			jwtLayer: PackedLayer
 			lambdaSources: BackendLambdas
 			openSSLLambdaContainerTag: string
 			repository: {
@@ -65,6 +68,17 @@ export class BackendStack extends Stack {
 			compatibleRuntimes: [Lambda.Runtime.NODEJS_20_X],
 		})
 
+		const jwtLayerVersion = new Lambda.LayerVersion(this, 'jwtLayer', {
+			layerVersionName: `${Stack.of(this).stackName}-jwtLayer`,
+			code: new LambdaSource(this, {
+				id: 'jwtLayer',
+				zipFile: jwtLayer.layerZipFile,
+				hash: jwtLayer.hash,
+			}).code,
+			compatibleArchitectures: [Lambda.Architecture.ARM_64],
+			compatibleRuntimes: [Lambda.Runtime.NODEJS_20_X],
+		})
+
 		const publicDevices = new PublicDevices(this)
 		new CfnOutput(this, 'publicDevicesTableName', {
 			exportName: `${this.stackName}:publicDevicesTableName`,
@@ -115,13 +129,15 @@ export class BackendStack extends Stack {
 		const shareAPI = new ShareAPI(this, {
 			domain,
 			baseLayer,
+			jwtLayer: jwtLayerVersion,
 			lambdaSources,
 			publicDevices,
 		})
 		api.addRoute('POST /share', shareAPI.shareFn)
 		api.addRoute('POST /share/confirm', shareAPI.confirmOwnershipFn)
 		api.addRoute('GET /share/status', shareAPI.sharingStatusFingerprintFn)
 		api.addRoute('GET /device/{id}', shareAPI.sharingStatusFn)
+		api.addRoute('GET /device/{id}/jwt', shareAPI.deviceJwtFn)
 
 		const devicesAPI = new DevicesAPI(this, {
 			baseLayer,
@@ -149,6 +165,15 @@ export class BackendStack extends Stack {
 
 		api.addRoute('POST /credentials', credentialsAPI.createCredentials)
 
+		// JWKS
+
+		const jwks = new JWKS(this, {
+			baseLayer,
+			jwtLayer: jwtLayerVersion,
+			lambdaSources,
+		})
+		api.addRoute('GET /.well-known/jwks.json', jwks.jwksFn)
+
 		// CD
 
 		const cd = new ContinuousDeployment(this, {

cdk/backend.ts

@@ -8,6 +8,7 @@ import { packBackendLambdas } from './packBackendLambdas.js'
 import { ACMClient } from '@aws-sdk/client-acm'
 import { getCertificateArnForDomain } from '../aws/acm.js'
 import { pack as packCDKLayer } from './cdkLayer.js'
+import { pack as packJWTLayer } from './jwtLayer.js'
 
 const repoUrl = new URL(pJSON.repository.url)
 const repository = {
@@ -31,6 +32,7 @@ new BackendApp({
 	lambdaSources: await packBackendLambdas(),
 	layer: await packBaseLayer(),
 	cdkLayer: await packCDKLayer(),
+	jwtLayer: await packJWTLayer(),
 	repository,
 	gitHubOICDProviderArn: await ensureGitHubOIDCProvider({
 		iam,

cdk/jwtLayer.ts

@@ -0,0 +1,15 @@
+import {
+	packLayer,
+	type PackedLayer,
+} from '@bifravst/aws-cdk-lambda-helpers/layer'
+import type pJson from '../package.json'
+
+const dependencies: Array<keyof (typeof pJson)['dependencies']> = [
+	'jsonwebtoken',
+]
+
+export const pack = async (): Promise<PackedLayer> =>
+	packLayer({
+		id: 'jwtLayer',
+		dependencies,
+	})

cdk/packBackendLambdas.ts

@@ -11,6 +11,8 @@ export type BackendLambdas = {
 	openSSL: PackedLambda
 	apiHealthCheck: PackedLambda
 	createCNAMERecord: PackedLambda
+	jwks: PackedLambda
+	deviceJwt: PackedLambda
 }
 
 const pack = async (id: string) => packLambdaFromPath(id, `lambda/${id}.ts`)
@@ -28,4 +30,6 @@ export const packBackendLambdas = async (): Promise<BackendLambdas> => ({
 		'createCNAMERecord',
 		'cdk/resources/api/createCNAMERecord.ts',
 	),
+	jwks: await pack('jwks'),
+	deviceJwt: await pack('deviceJwt'),
 })

cdk/resources/JWKS.ts

@@ -0,0 +1,30 @@
+import { PackedLambdaFn } from '@bifravst/aws-cdk-lambda-helpers/cdk'
+import { type aws_lambda as Lambda } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+import type { BackendLambdas } from '../packBackendLambdas.js'
+
+/**
+ * Provides the .well-known/jwks.json endpoint
+ */
+export class JWKS extends Construct {
+	public readonly jwksFn: Lambda.IFunction
+	constructor(
+		parent: Construct,
+		{
+			baseLayer,
+			jwtLayer,
+			lambdaSources,
+		}: {
+			baseLayer: Lambda.ILayerVersion
+			jwtLayer: Lambda.ILayerVersion
+			lambdaSources: Pick<BackendLambdas, 'jwks'>
+		},
+	) {
+		super(parent, 'JWKS')
+
+		this.jwksFn = new PackedLambdaFn(this, 'jwksFn', lambdaSources.jwks, {
+			description: 'Serve the JWT public key',
+			layers: [baseLayer, jwtLayer],
+		}).fn
+	}
+}

cdk/resources/ShareAPI.ts

@@ -8,24 +8,28 @@ export class ShareAPI extends Construct {
 	public readonly shareFn: Lambda.IFunction
 	public readonly confirmOwnershipFn: Lambda.IFunction
 	public readonly sharingStatusFn: Lambda.IFunction
+	public readonly deviceJwtFn: Lambda.IFunction
 	public readonly sharingStatusFingerprintFn: Lambda.IFunction
 	constructor(
 		parent: Construct,
 		{
 			domain,
 			baseLayer,
+			jwtLayer,
 			lambdaSources,
 			publicDevices,
 		}: {
 			domain: string
 			publicDevices: PublicDevices
 			baseLayer: Lambda.ILayerVersion
+			jwtLayer: Lambda.ILayerVersion
 			lambdaSources: Pick<
 				BackendLambdas,
 				| 'shareDevice'
 				| 'confirmOwnership'
 				| 'sharingStatus'
 				| 'sharingStatusFingerprint'
+				| 'deviceJwt'
 			>
 		},
 	) {
@@ -111,5 +115,21 @@ export class ShareAPI extends Construct {
 		publicDevices.publicDevicesTable.grantReadData(
 			this.sharingStatusFingerprintFn,
 		)
+
+		this.deviceJwtFn = new PackedLambdaFn(
+			this,
+			'deviceJwtFn',
+			lambdaSources.deviceJwt,
+			{
+				description:
+					'Returns a JWT for the device, confirming that it is shared.',
+				layers: [baseLayer, jwtLayer],
+				environment: {
+					PUBLIC_DEVICES_TABLE_NAME: publicDevices.publicDevicesTable.tableName,
+					PUBLIC_DEVICES_ID_INDEX_NAME: publicDevices.idIndex,
+				},
+			},
+		).fn
+		publicDevices.publicDevicesTable.grantReadData(this.deviceJwtFn)
 	}
 }

cli/cli.ts

@@ -13,13 +13,14 @@ import { registerDeviceCommand } from './commands/register-device.js'
 import type { CommandDefinition } from './commands/CommandDefinition.js'
 import { buildContainersCommand } from './commands/build-container.js'
 import { env } from '../aws/env.js'
-import { configureNrfCloudAccount } from './commands/configure-nrfcloud-account.js'
+import { configureNrfCloudAccountCommand } from './commands/configure-nrfcloud-account.js'
 import { logsCommand } from './commands/logs.js'
 import { CloudWatchLogsClient } from '@aws-sdk/client-cloudwatch-logs'
-import { configureHello } from './commands/configure-hello.js'
-import { shareDevice } from './commands/share-device.js'
+import { configureHelloCommand } from './commands/configure-hello.js'
+import { shareDeviceCommand } from './commands/share-device.js'
 import { listDevicesCommand } from './commands/listDevices.js'
 import { removeDeviceCommand } from './commands/remove-device.js'
+import { generateJWTKeypairCommand } from './commands/generate-jwt-keypair.js'
 
 const ssm = new SSMClient({})
 const db = new DynamoDBClient({})
@@ -53,13 +54,14 @@ const CLI = async ({ isCI }: { isCI: boolean }) => {
 		buildContainersCommand({
 			ecr,
 		}),
-		configureHello({ ssm }),
-		configureNrfCloudAccount({ ssm }),
+		configureHelloCommand({ ssm }),
+		configureNrfCloudAccountCommand({ ssm }),
 		logsCommand({
 			stackName: STACK_NAME,
 			cf,
 			logs,
 		}),
+		generateJWTKeypairCommand({ ssm }),
 	]
 
 	if (isCI) {
@@ -83,7 +85,7 @@ const CLI = async ({ isCI }: { isCI: boolean }) => {
 					ssm,
 					stackName: STACK_NAME,
 				}),
-				shareDevice({
+				shareDeviceCommand({
 					db,
 					publicDevicesTableName: backendOutputs.publicDevicesTableName,
 					idIndex: backendOutputs.publicDevicesTableIdIndexName,

cli/commands/configure-hello.ts

@@ -6,9 +6,9 @@ import {
 	deleteSettings,
 	putSetting,
 	type Settings,
-} from '../../hello/settings.js'
+} from '../../settings/hello.js'
 
-export const configureHello = ({
+export const configureHelloCommand = ({
 	ssm,
 }: {
 	ssm: SSMClient