From 5762efb532c7e58a642cfe27f8d06fffbac47b90 Mon Sep 17 00:00:00 2001 From: "Michael B. Klein" Date: Fri, 30 Aug 2024 19:07:28 +0000 Subject: [PATCH] Add /auth/token route --- node/src/api/api-token.js | 5 + node/src/handlers/get-auth-token.js | 51 +++++++ node/test/integration/get-auth-token.test.js | 136 +++++++++++++++++++ template.yaml | 24 ++++ 4 files changed, 216 insertions(+) create mode 100644 node/src/handlers/get-auth-token.js create mode 100644 node/test/integration/get-auth-token.test.js diff --git a/node/src/api/api-token.js b/node/src/api/api-token.js index 51a6f49..03d1958 100644 --- a/node/src/api/api-token.js +++ b/node/src/api/api-token.js @@ -10,6 +10,7 @@ function emptyToken() { isLoggedIn: false, }; } + class ApiToken { constructor(signedToken) { if (signedToken) { @@ -75,6 +76,10 @@ class ApiToken { return this.update(); } + expireAt(dateTime) { + this.token.exp = Math.floor(Number(dateTime) / 1000); + } + update() { this._updated = true; return this; diff --git a/node/src/handlers/get-auth-token.js b/node/src/handlers/get-auth-token.js new file mode 100644 index 0000000..c3ae45d --- /dev/null +++ b/node/src/handlers/get-auth-token.js @@ -0,0 +1,51 @@ +const { wrap } = require("./middleware"); +const Honeybadger = require("../honeybadger-setup"); + +const DEFAULT_TTL = 86400; // one day +const MAX_TTL = DEFAULT_TTL * 7; // one week; + +const makeError = (code, message) => { + return { + statusCode: code, + headers: { + "Content-Type": "text/plain", + }, + body: message, + }; +}; + +const present = (value) => + value !== undefined && value !== null && value !== ""; + +/** + * Token - Returns auth token for current user with requested expiration + * + */ +exports.handler = wrap(async (event) => { + try { + const ttl = event.queryStringParameters?.ttl; + if (present(ttl) && ttl.match(/\D/)) { + return makeError(400, `'${ttl}' is not a valid value for ttl`); + } + const ttl_in_seconds = Number(ttl) || DEFAULT_TTL; + if (ttl_in_seconds > MAX_TTL) { + return makeError(400, `ttl cannot exceed ${MAX_TTL} seconds`); + } + + const token = event.userToken; + const expiration = new Date(new Date().getTime() + ttl_in_seconds * 1000); + expiration.setMilliseconds(0); + token.expireAt(expiration); + + return { + statusCode: 200, + body: JSON.stringify({ + token: token.sign(), + expires: expiration.toISOString(), + }), + }; + } catch (error) { + await Honeybadger.notifyAsync(error); + return makeError(401, "Error verifying API token: " + error.message); + } +}); diff --git a/node/test/integration/get-auth-token.test.js b/node/test/integration/get-auth-token.test.js new file mode 100644 index 0000000..cd25500 --- /dev/null +++ b/node/test/integration/get-auth-token.test.js @@ -0,0 +1,136 @@ +"use strict"; + +const chai = require("chai"); +const expect = chai.expect; +const jwt = require("jsonwebtoken"); + +const getAuthTokenHandler = requireSource("handlers/get-auth-token"); + +// Utility functions to calculate the number of seconds or milliseconds from the epoch plus +// an offset in seconds, but with one-second resolution +const fromNowSeconds = (seconds) => + Math.floor((new Date().getTime() + seconds * 1000) / 1000); + +describe("auth token", function () { + helpers.saveEnvironment(); + let payload; + + beforeEach(() => { + payload = { + iss: "https://example.com", + sub: "user123", + name: "Some One", + exp: Math.floor(Number(new Date()) / 1000) + 12 * 60 * 60, + iat: Math.floor(Number(new Date()) / 1000), + email: "user@example.com", + }; + }); + + it("works with anonymous users", async () => { + const event = helpers.mockEvent("GET", "/auth/token").render(); + + const expectedExpiration = fromNowSeconds(86400); + const result = await getAuthTokenHandler.handler(event); + expect(result.statusCode).to.eq(200); + const body = JSON.parse(result.body); + + // Built-in Date will be in millis and our expiration is in seconds + expect(Date.parse(body.expires)).to.be.within( + (expectedExpiration - 1) * 1000, + (expectedExpiration + 1) * 1000 + ); + + const resultToken = jwt.verify(body.token, process.env.API_TOKEN_SECRET); + expect(resultToken.exp).to.be.within( + expectedExpiration - 1, + expectedExpiration + 1 + ); + expect(resultToken.isLoggedIn).to.eq(false); + }); + + it("returns a token with a default ttl of 1 day", async () => { + const token = jwt.sign(payload, process.env.API_TOKEN_SECRET); + const event = helpers + .mockEvent("GET", "/auth/token") + .headers({ + Cookie: `${process.env.API_TOKEN_NAME}=${token};`, + }) + .render(); + + const expectedExpiration = fromNowSeconds(86400); + const result = await getAuthTokenHandler.handler(event); + expect(result.statusCode).to.eq(200); + const body = JSON.parse(result.body); + + // Built-in Date will be in millis and our expiration is in seconds + expect(Date.parse(body.expires)).to.be.within( + (expectedExpiration - 1) * 1000, + (expectedExpiration + 1) * 1000 + ); + + const resultToken = jwt.verify(body.token, process.env.API_TOKEN_SECRET); + expect(resultToken.exp).to.be.within( + expectedExpiration - 1, + expectedExpiration + 1 + ); + expect(resultToken.name).to.eq("Some One"); + }); + + it("returns a token with the requested ttl", async () => { + const token = jwt.sign(payload, process.env.API_TOKEN_SECRET); + const ttl = 3600 * 18; // 18 hours + const event = helpers + .mockEvent("GET", "/auth/token") + .queryParams({ ttl: ttl.toString() }) + .headers({ + Cookie: `${process.env.API_TOKEN_NAME}=${token};`, + }) + .render(); + + const expectedExpiration = fromNowSeconds(ttl); + const result = await getAuthTokenHandler.handler(event); + expect(result.statusCode).to.eq(200); + const body = JSON.parse(result.body); + + // Built-in Date will be in millis and our expiration is in seconds + expect(Date.parse(body.expires)).to.be.within( + (expectedExpiration - 1) * 1000, + (expectedExpiration + 1) * 1000 + ); + + const resultToken = jwt.verify(body.token, process.env.API_TOKEN_SECRET); + expect(resultToken.exp).to.be.within( + expectedExpiration - 1, + expectedExpiration + 1 + ); + expect(resultToken.name).to.eq("Some One"); + }); + + it("rejects a request with a non-numeric ttl", async () => { + const token = jwt.sign(payload, process.env.API_TOKEN_SECRET); + const event = helpers + .mockEvent("GET", "/auth/token") + .queryParams({ ttl: "blargh" }) + .headers({ + Cookie: `${process.env.API_TOKEN_NAME}=${token};`, + }) + .render(); + const result = await getAuthTokenHandler.handler(event); + expect(result.statusCode).to.eq(400); + expect(result.body).to.eq("'blargh' is not a valid value for ttl"); + }); + + it("rejects a request with a ttl that's too high", async () => { + const token = jwt.sign(payload, process.env.API_TOKEN_SECRET); + const event = helpers + .mockEvent("GET", "/auth/token") + .queryParams({ ttl: "864000" }) + .headers({ + Cookie: `${process.env.API_TOKEN_NAME}=${token};`, + }) + .render(); + const result = await getAuthTokenHandler.handler(event); + expect(result.statusCode).to.eq(400); + expect(result.body).to.eq("ttl cannot exceed 604800 seconds"); + }); +}); diff --git a/template.yaml b/template.yaml index 67fd7ad..a4aeda2 100644 --- a/template.yaml +++ b/template.yaml @@ -196,6 +196,30 @@ Resources: ApiId: !Ref dcApi Path: /auth/logout Method: GET + getAuthTokenFunction: + Type: AWS::Serverless::Function + Properties: + Handler: handlers/get-auth-token.handler + Description: Function to retrieve raw JWT. + #* Layers: + #* - !Ref apiDependencies + Environment: + Variables: + NUSSO_API_KEY: !Ref NussoApiKey + NUSSO_BASE_URL: !Ref NussoBaseUrl + Events: + ApiGet: + Type: HttpApi + Properties: + ApiId: !Ref dcApi + Path: /auth/token + Method: GET + ApiHead: + Type: HttpApi + Properties: + ApiId: !Ref dcApi + Path: /auth/token + Method: HEAD getAuthWhoAmIFunction: Type: AWS::Serverless::Function Properties: