Merge pull request #11 from Creoox/develop

Added support for different token types + authentication during login

Author: CreooxTech

README.md

@@ -66,6 +66,7 @@ Currently tested providers:
 | OIDC_CLIENT_SECRET       | string  | No         | OIDC client secret (if set)                                  |
 | OIDC_VERIFICATION_TYPE   | string  | Yes        | 'jwt' - decoding or 'introspection' - asking AS              |
 | JWT_STRICT_AUDIENCE      | boolean | Yes        | true if token should be used for strict audinence only       |
+| JWT_TOKEN_TYPE           | string  | No         | Used token, either 'access_token' (default) or 'id_token'    |
 | AUTH_ENDPOINT            | string  | No         | Service redirection endpoint, '/\_oauth' by default          |
 | AUTH_ALLOW_UNSEC_OPTIONS | boolean | No         | Allow unsecured OPTIONS request, false by default            |
 | LOGIN_WHEN_NO_TOKEN      | boolean | Yes        | true if login functionality should be on (**dev only!**)     |
@@ -161,7 +162,7 @@ traefik:
         - cx-example-net
 
   traefik-forward-auth:
-    image: creoox/cx-traefik-forward-auth:1.1.4
+    image: creoox/cx-traefik-forward-auth:1.1.5
     container_name: cx-example-traefik-forward-auth
     env_file:
       - ./cx-traefik-forward-auth.env

app/.env.example

@@ -1,6 +1,6 @@
 ## Application settings
 APP_NAME=cx-traefik-forward-auth
-APP_VERSION=1.1.4
+APP_VERSION=1.1.5
 APP_PORT=4181
 
 ## Environment settings
@@ -15,6 +15,7 @@ OIDC_VERIFICATION_TYPE=jwt
 
 ## Middelware behaviour settings
 JWT_STRICT_AUDIENCE=false
+JWT_TOKEN_TYPE=access_token
 AUTH_ENDPOINT=/_oauth
 AUTH_ALLOW_UNSEC_OPTIONS=true
 LOGIN_WHEN_NO_TOKEN=true

app/public/token/index.ejs

@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
-    <title>Access Token</title>
+    <title>Your Token</title>
 
     <style type="text/css">
       @import url("https://fonts.googleapis.com/css?family=Lato");
@@ -43,8 +43,8 @@
   </head>
   <body>
     <div class="container" style="text-align: center">
-      <h1><b>Acess Token</b></h1>
-      <p><%= access_token %></p>
+      <h1><b>Your <%= token_type %></b></h1>
+      <p><%= token %></p>
     </div>
   </body>
 </html>

app/src/app.ts

@@ -7,6 +7,7 @@ import {
   VERIF_TYPE,
   LOGIN_WHEN_NO_TOKEN,
   LOGIN_COOKIE_NAME,
+  JWT_TOKEN_TYPE,
   validateDotenvFile,
 } from "./models/dotenvModel";
 import { checkIfIntrospectionPossible } from "./services/preAuth";
@@ -79,7 +80,7 @@ const isSessionEstablished = (
   res: Response,
   next: NextFunction
 ) => {
-  if (LOGIN_WHEN_NO_TOKEN && !!(req.session as LoginSession).access_token) {
+  if (LOGIN_WHEN_NO_TOKEN && !!(req.session as LoginSession).token) {
     next();
   } else {
     next("route");
@@ -104,7 +105,8 @@ app.get(
       )
     ) {
       res.status(400).render("token/index.ejs", {
-        access_token: (req.session as LoginSession).access_token,
+        token_type: JWT_TOKEN_TYPE,
+        token: (req.session as LoginSession).token,
       });
       return;
     }

app/src/models/dotenvModel.ts

@@ -24,6 +24,7 @@ export const LOGIN_AUTH_FLOW = ((): "implicit" | "code" => {
     return "code";
   }
 })();
+export const JWT_TOKEN_TYPE = process.env.JWT_TOKEN_TYPE || "access_token";
 
 const boolTypes = [
   true,
@@ -56,6 +57,7 @@ const dotenvVars_optionalStr = [
   "AUTH_ALLOW_UNSEC_OPTIONS",
   "AUTH_ROLES_STRUCT",
   "AUTH_ROLE_NAME",
+  "JWT_TOKEN_TYPE",
 ] as const;
 const dotenvVars_optionalNum = ["APP_PORT"] as const;
 
@@ -157,5 +159,16 @@ export function validateDotenvFile(): void {
     );
   }
 
+  // Check if token type is of a valid type
+  if (
+    process.env["JWT_TOKEN_TYPE"] &&
+    process.env["JWT_TOKEN_TYPE"] !== "access_token" &&
+    process.env["JWT_TOKEN_TYPE"] !== "id_token"
+  ) {
+    throw new Error(
+      "Variable: JWT_TOKEN_TYPE has to be either 'access_token' (default) or 'id_token'"
+    );
+  }
+
   return;
 }

app/src/models/loginModel.ts

@@ -1,7 +1,7 @@
 import session from "express-session";
 
 export interface LoginSession extends Partial<session.SessionData> {
-  access_token?: string;
+  token?: string;
 }
 
 export interface LoginCache extends Partial<session.SessionData> {

app/src/services/auth.ts

@@ -10,10 +10,15 @@ import { getJwkKeys, getProviderEndpoints } from "./preAuth";
 import { AUTH_ENDPOINT, getOidcClient } from "../states/clients";
 import { getLoginCache } from "../states/cache";
 import { logger } from "./logger";
-import { getRandomString } from "./helpers";
+import { decodeB64, getRandomString } from "./helpers";
 import type { ActiveOidcToken, InactiveOidcToken } from "../models/authModel";
 import type { LoginSession, LoginCache } from "../models/loginModel";
-import { LOGIN_AUTH_FLOW, LOGIN_SCOPE } from "../models/dotenvModel";
+import {
+  LOGIN_AUTH_FLOW,
+  LOGIN_SCOPE,
+  JWT_TOKEN_TYPE,
+} from "../models/dotenvModel";
+import { validateTokenRoles } from "./postAuth";
 
 /* eslint-disable  @typescript-eslint/no-non-null-assertion */
 const JWT_STRICT_AUDIENCE = ["true", "True", "1"].includes(
@@ -114,35 +119,45 @@ export const handleCallback = async (
       { code_verifier: cache.code_verifier, state: params.state }
     );
   }
+  // for some reason we have make a copy
+  const token = JSON.parse(JSON.stringify(tokenSet[JWT_TOKEN_TYPE] as string));
 
   // create login session
   req.session.regenerate((err) => {
     if (err) {
       next(err);
     }
-    (req.session as LoginSession).access_token = tokenSet.access_token;
-    req.session.save((err) => {
-      if (err) {
-        return next(err);
-      }
-      if (req.headers["x-forwarded-uri"]) {
-        const originSchema = req.headers["x-forwarded-proto"];
-        const originHost = req.headers["x-forwarded-host"];
-        const originUri = req.headers["x-forwarded-uri"];
-        const url = `${originSchema}://${originHost}${originUri}`;
-        res.redirect(url);
-      } else {
-        return next(new Error("Missing `X-Forwarded-Uri` Header"));
-      }
-    });
+    try {
+      const payload = JSON.parse(decodeB64(token.split(".")[1]));
+      validateTokenRoles(payload);
+      (req.session as LoginSession).token = tokenSet[JWT_TOKEN_TYPE] as string;
+
+      req.session.save((err) => {
+        if (err) {
+          return next(err);
+        }
+        if (req.headers["x-forwarded-uri"]) {
+          const originSchema = req.headers["x-forwarded-proto"];
+          const originHost = req.headers["x-forwarded-host"];
+          const originUri = req.headers["x-forwarded-uri"];
+          const url = `${originSchema}://${originHost}${originUri}`;
+          res.redirect(url);
+        } else {
+          return next(new Error("Missing `X-Forwarded-Uri` Header"));
+        }
+      });
+    } catch (err) {
+      // return Promise.reject(`${err}`);
+      res.status(403).send(`${err}`);
+    }
   });
 };
 
 /**
  * Verify token via JWT - decode it using providers JWK Keys.
  *
- * @param token JWT access_token
- * @returns decoded access_token payload
+ * @param token JWT token (access_token or id_token)
+ * @returns decoded token payload
  */
 export const verifyTokenViaJwt = async (token: string): Promise<JWTPayload> => {
   if (!token.includes(".")) {
@@ -165,11 +180,11 @@ export const verifyTokenViaJwt = async (token: string): Promise<JWTPayload> => {
 };
 
 /**
- * Verify token via Token Introspection - validate access_token on the
+ * Verify token via Token Introspection - validate token on the
  * provider authorization server.
  *
- * @param token JWT access_token
- * @returns decoded access_token payload
+ * @param token JWT token (access_token or id_token)
+ * @returns decoded token payload
  */
 export const verifyTokenViaIntrospection = async (token: string) => {
   if (!token.includes(".")) {

app/src/services/helpers.ts

@@ -56,3 +56,12 @@ export const getStateParam = (url: string, authEndpoint: string): string => {
     )[0]
     .replace("state=", "");
 };
+
+/**
+ * Decodes b64 strings.
+ *
+ * @param str base64-encoded string
+ * @returns decoded string
+ */
+export const decodeB64 = (str: string): string =>
+  Buffer.from(str, "base64").toString("binary");

app/src/services/postAuth.ts

@@ -1,13 +1,15 @@
-import { ActiveOidcToken, InactiveOidcToken } from "../models/authModel";
+import {
+  ActiveOidcToken,
+  InactiveOidcToken,
+  OidcTokenCorePayload,
+} from "../models/authModel";
 import { logger } from "./logger";
 
 /**
- * Verifies token payload (authorizes caller). For the time being it's
- * open-to-implementation feature.
+ * Verifies token payload (checks whether token is active).
  *
- * @param payload
+ * @param payload token payload
  * @throws Error if token is inactive
- * @throws Error if authorization group is missing in token payload
  */
 export function validateTokenPayload<
   T extends ActiveOidcToken,
@@ -17,6 +19,18 @@ export function validateTokenPayload<
     throw new Error("Token is inactive.");
   }
 
+  return validateTokenRoles(payload as Partial<T>);
+}
+
+/**
+ * Verifies token payload (authorizes caller).
+ *
+ * @param payload token payload
+ * @throws Error if authorization group is missing in token payload
+ */
+export function validateTokenRoles<T extends OidcTokenCorePayload>(
+  payload: Partial<T>
+): void {
   const authGroupName = process.env.AUTH_ROLE_NAME;
   if (authGroupName) {
     const groupStruct = process.env.AUTH_ROLES_STRUCT?.split(

app/tests/models/dotenvModel.test.ts

@@ -235,4 +235,26 @@ describe("Validator for dotenv files", () => {
     process.env.AUTH_ROLE_NAME = "dummy-group";
     expect(() => validateDotenvFile()).not.toThrow(Error);
   });
+
+  it("fails if the `JWT_TOKEN_TYPE` is of a wrong type.", () => {
+    process.env = {
+      ...process.env,
+      ...stringifyObjectValues(dotenvFile),
+    };
+    process.env.JWT_TOKEN_TYPE = "dummy_type";
+    expect(() => validateDotenvFile()).toThrow(Error);
+  });
+
+  it("passes valid `JWT_TOKEN_TYPE` types.", () => {
+    process.env = {
+      ...process.env,
+      ...stringifyObjectValues(dotenvFile),
+    };
+    process.env.JWT_TOKEN_TYPE = "id_token";
+    expect(() => validateDotenvFile()).not.toThrow(Error);
+    process.env.JWT_TOKEN_TYPE = "access_token";
+    expect(() => validateDotenvFile()).not.toThrow(Error);
+    process.env.JWT_TOKEN_TYPE = undefined;
+    expect(() => validateDotenvFile()).not.toThrow(Error);
+  });
 });

app/tests/services/helpers.test.ts

@@ -4,7 +4,9 @@ import {
   getRandomString,
   getEnvInfo,
   getStateParam,
+  decodeB64,
 } from "../../src/services/helpers";
+import { demoUserToken } from "../testData";
 
 describe("Random string generator", () => {
   it("generates different strings", () => {
@@ -47,3 +49,9 @@ describe("State Parameter", () => {
     ).toEqual(testState);
   });
 });
+
+describe("base64 decoder", () => {
+  it("decodes token", () => {
+    expect(() => decodeB64(demoUserToken)).not.toThrow(Error);
+  });
+});

app/tests/testData.ts

@@ -95,3 +95,6 @@ export const testTokenPayload: Required<OidcTokenCorePayload> & any = {
   preferred_username: "Dummy",
   email: "[email protected]",
 };
+
+export const demoUserToken =
+  "eyJhdF9oYXNoIjoia2xkSHlCUm8tekRFbnRjZURpQ0F3ZyIsInN1YiI6ImRlbW8udXNlckBjcmVvb3guY29tIiwiaXNzIjoiaHR0cHM6Ly9zZXJ2aWNlcy11YXQudWdmaXNjaGVyLmNvbTo0NDMvYXV0aG9yaXphdGlvbnNlcnZlciIsImdyb3VwcyI6WyJGSVdFIiwid2Vic2VydmljZWdyb3VwIiwicmV0YWlsLWNvbm5lY3QtY2FydCIsIkZJV0UtREUiLCJkZWZhdWx0QjJCVW5pdCIsIkdST1VQLXBsYW5uZXIiLCJBQ0NFU1MtUFJJVklMRUdFUyIsImIyYmdyb3VwIiwiYjJiY3VzdG9tZXJncm91cCIsImN1c3RvbWVyZ3JvdXAiLCJGSVdFLVpaLWZpeHBlcmllbmNlIiwiRklXRS1aWi1MTVMiLCJHUk9VUC1mcm9udGVuZC1yZWdpc3RyYXRpb24tc2VsZWN0YWJsZSJdLCJub25jZSI6Ii13MC1MVEJRRzBCVHJmdk9kcW55bDJpbGpnMFhVanViZ0F2Uk02dUhLWm8iLCJhdWQiOiJmaXdlLXp6LWluc3RhbGxmaXgiLCJjb3VudHJ5SXNvIjoiREUiLCJzY29wZSI6WyJvcGVuaWQiXSwibmFtZSI6IkRlbW8gVXNlciIsInN0YXRlIjoiNWlKYXQ4V29EeWZDM3hqenFiODI0dU14aEpYcC1sSVRtUmZaTjJUUE9oMCIsImV4cCI6MTY4ODE1NzQzOSwiaWF0IjoxNjg4MDcxMDM5LCJlbWFpbCI6ImRlbW8udXNlckBjcmVvb3guY29tIn0";

docker-compose.yml

@@ -8,7 +8,7 @@ services:
       dockerfile: ./.docker/${ENVIRONMENT}.Dockerfile
       args:
         - node_env_type=${ENVIRONMENT}
-    # platform: linux/amd64
+    platform: linux/amd64
     image: creoox/cx-traefik-forward-auth:${APP_VERSION}
     container_name: ${APP_NAME}-${APP_VERSION}
     env_file: