Use DID Auth in cookies mode (#74)

* Improve setup

* Partial: set DID Auth cookies in service

* Use DID Auth in cookies mode (2) (#80)

* Add Access-Control-Allow-Origin header

* Update Express DID Auth - move x-csrf-token to headers

* Add testing auth manager

* Move all requests to auth manager

* Rename testing auth manager

* Client get working with authentication

* Add missing headers

* Implement post, put and delete

* Refactor requests

* Lint

* Fix types

* Update modules/ipfs-cpinner-service/src/index.ts

* Fix service lock

* Update package lock

* Fix ipfs-http-client version

* Unfix ipfs-http-client and ignore type

Author: ilanolkies

README.md

@@ -36,7 +36,6 @@ Install dependencies
 ```
 npm i
 npm run setup
-npm run build
 ```
 
 Install IPFS CLI. Find your option: https://docs.ipfs.io/how-to/command-line-quick-start/.

jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
   testEnvironment: 'node',
   reporters: ['default', 'jest-junit'],
   testResultsProcessor: 'jest-junit',
+  testTimeout: 120000,
   globals: {
     'ts-jest': {
       tsConfig: './modules/tsconfig.settings.json'

modules/ipfs-cpinner-client/package.json

@@ -24,8 +24,8 @@
   },
   "homepage": "https://github.com/rsksmart/rif-data-vault#readme",
   "devDependencies": {
-    "@rsksmart/ipfs-cpinner-provider": "0.1.1-beta.9",
-    "@rsksmart/ipfs-cpinner-service": "0.1.1-beta.13",
+    "@rsksmart/ipfs-cpinner-provider": "0.1.1",
+    "@rsksmart/ipfs-cpinner-service": "0.1.1",
     "@rsksmart/rif-id-ethr-did": "^0.1.0",
     "@rsksmart/rif-id-mnemonic": "^0.1.0",
     "@types/axios": "^0.14.0",

modules/ipfs-cpinner-client/src/auth-manager/index.ts

@@ -1,101 +1,90 @@
 import axios from 'axios'
-import { decodeJWT } from 'did-jwt'
-import { ACCESS_TOKEN_KEY, REFRESH_TOKEN_KEY } from './constants'
+import { IAuthManager, DIDAuthConfig, KeyValueStore, PersonalSign } from './types'
 import { LocalStorage } from './store'
-import { LoginResponse, DIDAuthConfig, PersonalSign, KeyValueStore, DIDAuthStoreConfig, DIDAuthServiceConfig } from './types'
-import { Web3Provider } from '../web3provider/types'
 
-class AuthManager {
+const xCsrfToken = 'x-csrf-token'
+
+class AuthManager implements IAuthManager {
   store: KeyValueStore
   did: string
   serviceUrl: string
   personalSign: PersonalSign
 
-  constructor (config: DIDAuthConfig) {
-    this.store = config.store || new LocalStorage()
-    this.did = config.did
-    this.serviceUrl = config.serviceUrl
-    this.personalSign = config.personalSign
+  constructor ({ store, did, serviceUrl, personalSign }: DIDAuthConfig) {
+    this.store = store || new LocalStorage()
+    this.did = did
+    this.serviceUrl = serviceUrl
+    this.personalSign = personalSign
+
+    axios.defaults.withCredentials = true
   }
 
-  // store
-  private storeTokens = async ({ accessToken, refreshToken }: { accessToken: string, refreshToken: string }) => {
-    await Promise.all([
-      this.store.set(`${ACCESS_TOKEN_KEY}-${this.did}`, accessToken),
-      this.store.set(`${REFRESH_TOKEN_KEY}-${this.did}`, refreshToken)
-    ])
+  private saveCsrf = async (response) => {
+    const token = await this.store.get(xCsrfToken)
 
-    return { accessToken, refreshToken }
-  }
+    if (!token) {
+      await this.store.set(xCsrfToken, response.headers[xCsrfToken])
+    }
 
-  private getStoredAccessToken = () => this.store.get(`${ACCESS_TOKEN_KEY}-${this.did}`)
-  private getStoredRefreshToken = () => this.store.get(`${REFRESH_TOKEN_KEY}-${this.did}`)
+    return response
+  }
 
   // did auth challenge-response authentication
   private getChallenge = (): Promise<string> => axios.get(`${this.serviceUrl}/request-auth/${this.did}`)
-    .then(res => res.status === 200 && !!res.data && res.data.challenge)
+    .catch(e => this.saveCsrf(e.response))
+    .then(res => {
+      this.store.set(xCsrfToken, res.headers[xCsrfToken])
+      return res.data.challenge
+    })
+    .then(this.saveCsrf)
 
   private signChallenge = (challenge: string) => this.personalSign(
     `Are you sure you want to login to the RIF Data Vault?\nURL: ${this.serviceUrl}\nVerification code: ${challenge}`
   ).then(sig => ({ did: this.did, sig }))
 
-  private login = (): Promise<LoginResponse> => this.getChallenge()
-    .then(this.signChallenge)
-    .then(signature => axios.post(`${this.serviceUrl}/auth`, { response: signature }))
-    .then(res => res.status === 200 && res.data)
-    .then(this.storeTokens)
-
-  private async refreshAccessToken (): Promise<LoginResponse> {
-    const refreshToken = await this.getStoredRefreshToken()
-
-    if (!refreshToken) return this.login()
-
-    return axios.post(`${this.serviceUrl}/refresh-token`, { refreshToken })
-      .then(res => res.status === 200 && res.data)
-      .then(this.storeTokens)
-      .catch(err => {
-        if (err.response.status !== 401) throw err
-
-        // if it is expired, do another login
-        return this.login()
-      })
-  }
-
-  // api
-  public async getAccessToken () {
-    const accessToken = await this.getStoredAccessToken()
-
-    if (!accessToken) return this.login().then(tokens => tokens.accessToken)
+  private login = (): Promise<void> => this.store.get(xCsrfToken)
+    .then(token => this.getChallenge()
+      .then(this.signChallenge)
+      .then(signature => axios.post(`${this.serviceUrl}/auth`, { response: signature }, {
+        headers: { 'x-csrf-token': token }
+      })))
+
+  private getConfig = () => this.store.get(xCsrfToken).then(token => ({
+    headers: {
+      'x-csrf-token': token,
+      'x-logged-did': this.did
+    }
+  }))
 
-    // TODO: should we verify?
-    const { payload } = decodeJWT(accessToken)
+  private async refreshAccessToken (): Promise<void> {
+    const config = await this.getConfig()
 
-    if (payload.exp <= Math.floor(Date.now() / 1000)) {
-      return this.refreshAccessToken().then(tokens => tokens.accessToken)
+    try {
+      await axios.post(`${this.serviceUrl}/refresh-token`, {}, config)
+    } catch (e) {
+      if (e.response.status !== 401) throw e
+      await this.login()
     }
-
-    return accessToken
   }
 
-  public storedTokens = () => Promise.all([
-    this.getStoredAccessToken(),
-    this.getStoredRefreshToken()
-  ]).then(([accessToken, refreshToken]) => ({
-    accessToken,
-    refreshToken
-  }))
-
-  static fromWeb3Provider (config: DIDAuthServiceConfig & DIDAuthStoreConfig, provider: Web3Provider) {
-    return provider.request({
-      method: 'eth_accounts'
-    }).then(accounts => new AuthManager({
-      ...config,
-      personalSign: (data: string) => provider.request({
-        method: 'personal_sign',
-        params: [data, accounts[0]]
+  private request = (method: any) => async (...args) => {
+    const config = await this.getConfig()
+    return await method(config, ...args)
+      .then(r => r as any)
+      .catch(e => {
+        if (e.response.status === 401) {
+          return this.saveCsrf(e.response)
+            .then(() => this.refreshAccessToken())
+            .then(() => method(config, ...args))
+        }
+        throw e
       })
-    }))
   }
+
+  get: typeof axios.get = this.request((config, ...args) => axios.get(args[0], config))
+  post: typeof axios.post = this.request((config, ...args) => axios.post(args[0], args[1], config))
+  put: typeof axios.put = this.request((config, ...args) => axios.put(args[0], args[1], config))
+  delete: typeof axios.delete = this.request((config, ...args) => axios.delete(args[0], config))
 }
 
 export default AuthManager

modules/ipfs-cpinner-client/src/auth-manager/testing.ts

@@ -0,0 +1,142 @@
+import axios from 'axios'
+import { decodeJWT } from 'did-jwt'
+import { ACCESS_TOKEN_KEY, REFRESH_TOKEN_KEY } from './constants'
+import { LocalStorage } from './store'
+import { IAuthManager, LoginResponse, DIDAuthConfig, PersonalSign, KeyValueStore, DIDAuthStoreConfig, DIDAuthServiceConfig } from './types'
+import { Web3Provider } from '../web3provider/types'
+
+class AuthManager implements IAuthManager {
+  store: KeyValueStore
+  did: string
+  serviceUrl: string
+  personalSign: PersonalSign
+  csrfHeader: string
+  cookies: string[]
+
+  constructor (config: DIDAuthConfig) {
+    this.store = config.store || new LocalStorage()
+    this.did = config.did
+    this.serviceUrl = config.serviceUrl
+    this.personalSign = config.personalSign
+  }
+
+  // store
+  private storeTokens = async ({ accessToken, refreshToken }: { accessToken: string, refreshToken: string }) => {
+    await Promise.all([
+      this.store.set(`${ACCESS_TOKEN_KEY}-${this.did}`, accessToken),
+      this.store.set(`${REFRESH_TOKEN_KEY}-${this.did}`, refreshToken)
+    ])
+
+    return { accessToken, refreshToken }
+  }
+
+  private getStoredAccessToken = () => this.store.get(`${ACCESS_TOKEN_KEY}-${this.did}`)
+  private getStoredRefreshToken = () => this.store.get(`${REFRESH_TOKEN_KEY}-${this.did}`)
+
+  // did auth challenge-response authentication
+  private getChallenge = (): Promise<string> => axios.get(`${this.serviceUrl}/request-auth/${this.did}`)
+    .then(res => {
+      if (!(res.status === 200 && !!res.data)) throw new Error('Invalid response')
+
+      this.csrfHeader = res.headers['x-csrf-token']
+      this.cookies = res.headers['set-cookie'].map(cookie => cookie.split(';')[0])
+
+      return res.data.challenge
+    })
+
+  private signChallenge = (challenge: string) => this.personalSign(
+    `Are you sure you want to login to the RIF Data Vault?\nURL: ${this.serviceUrl}\nVerification code: ${challenge}`
+  ).then(sig => ({ did: this.did, sig }))
+
+  private login = (): Promise<LoginResponse> => this.getChallenge()
+    .then(this.signChallenge)
+    .then(signature => axios.post(`${this.serviceUrl}/auth`, { response: signature }, {
+      headers: {
+        'x-csrf-token': this.csrfHeader,
+        cookie: this.cookies
+      }
+    }))
+    .then(res => res.status === 200 && {
+      accessToken: res.headers['set-cookie'][0].split(';')[0].split('=')[1],
+      refreshToken: res.headers['set-cookie'][1].split(';')[0].split('=')[1]
+    })
+    .then(this.storeTokens)
+
+  private async refreshAccessToken (): Promise<LoginResponse> {
+    const refreshToken = await this.getStoredRefreshToken()
+
+    if (!refreshToken) return this.login()
+
+    return axios.post(`${this.serviceUrl}/refresh-token`, {}, {
+      headers: {
+        'x-csrf-token': this.csrfHeader,
+        cookie: `refresh-token-${this.did}=${refreshToken};${this.cookies[0]}`
+      }
+    })
+      .then(res => res.status === 200 && res.data)
+      .then(this.storeTokens)
+      .catch(err => {
+        if (err.response.status !== 401) throw err
+
+        // if it is expired, do another login
+        return this.login()
+      })
+  }
+
+  // api
+  public async getAccessToken () {
+    const accessToken = await this.getStoredAccessToken()
+
+    if (!accessToken) return this.login().then(tokens => tokens.accessToken)
+
+    // TODO: should we verify?
+    const { payload } = decodeJWT(accessToken)
+
+    if (payload.exp <= Math.floor(Date.now() / 1000)) {
+      return this.refreshAccessToken().then(tokens => tokens.accessToken)
+    }
+
+    return accessToken
+  }
+
+  public storedTokens = () => Promise.all([
+    this.getStoredAccessToken(),
+    this.getStoredRefreshToken()
+  ]).then(([accessToken, refreshToken]) => ({
+    accessToken,
+    refreshToken
+  }))
+
+  public getHeaders = () => this.getAccessToken()
+    .then(accessToken => ({
+      'x-logged-did': this.did,
+      'x-csrf-token': this.csrfHeader,
+      cookie: `authorization-${this.did}=${accessToken};${this.cookies[0]}`
+    }))
+
+  public get: typeof axios.get = (...args) => this.getHeaders()
+    .then(headers => axios.get(args[0], { headers }))
+
+  public post: typeof axios.post = (...args) => this.getHeaders()
+    .then(headers => axios.post(args[0], args[1], { headers }))
+
+  public delete: typeof axios.delete = (...args) => this.getHeaders()
+    .then(headers => axios.delete(args[0], { headers }))
+
+  public put: typeof axios.put = (...args) => this.getHeaders()
+    .then(headers => axios.put(args[0], args[1], { headers }))
+
+  static fromWeb3Provider (config: DIDAuthServiceConfig & DIDAuthStoreConfig, provider: Web3Provider) {
+    return provider.request({
+      method: 'eth_accounts'
+    }).then(accounts => new AuthManager({
+      ...config,
+      personalSign: (data: string) => provider.request({
+        method: 'personal_sign',
+        params: [data, accounts[0]]
+      })
+    }))
+  }
+}
+
+export default AuthManager

modules/ipfs-cpinner-client/src/auth-manager/types.ts

@@ -1,3 +1,5 @@
+import axios from 'axios'
+
 export type LoginResponse = { accessToken: string, refreshToken: string }
 
 export type PersonalSign = (data: string) => Promise<string>
@@ -23,3 +25,10 @@ export type DIDAuthStoreConfig = {
 }
 
 export type DIDAuthConfig = DIDAuthServiceConfig & DIDAuthClientConfig & DIDAuthStoreConfig
+
+export interface IAuthManager {
+  get: typeof axios.get
+  post: typeof axios.post
+  delete: typeof axios.delete
+  put: typeof axios.put
+}