fix(security): add API auth and reduce response data

.github/workflows/dev-auth-registry-infra.yml

@@ -5,13 +5,13 @@ on:
     branches:
       - "master"
     paths:
-      - '**.js*'
-      - '**.ts*'
-      - 'package*.json'
-      - 'Dockerfile'
-      - 'entrypoint.sh'
-      - '.github/workflows/dev-auth-registry-infra.yml'
-    types: [ opened, synchronize, reopened, labeled ]
+      - "**.js*"
+      - "**.ts*"
+      - "package*.json"
+      - "Dockerfile"
+      - "entrypoint.sh"
+      - ".github/workflows/dev-auth-registry-infra.yml"
+    types: [opened, synchronize, reopened, labeled]
 
 env:
   ARTIFACT_REGISTRY_NAME: ${{ secrets.REPOSITORY_NAME}}
@@ -26,7 +26,7 @@ jobs:
 
     strategy:
       matrix:
-        node: ['14']
+        node: ["14"]
 
     steps:
       - uses: actions/checkout@v2
@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v3.x        
+        uses: rlespinasse/github-slug-action@v3.x
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -97,11 +97,11 @@ jobs:
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v3.x
 
-      - id: 'auth'
-        name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v0'
+      - id: "auth"
+        name: "Authenticate to Google Cloud"
+        uses: "google-github-actions/auth@v0"
         with:
-          credentials_json: '${{ secrets.GAR_JSON_KEY }}'
+          credentials_json: "${{ secrets.GAR_JSON_KEY }}"
 
       - id: deploy
         uses: google-github-actions/deploy-cloudrun@v1.0.1
@@ -118,6 +118,7 @@ jobs:
             NEXT_PUBLIC_SITE_KEY=${{ secrets.NEXT_PUBLIC_SITE_KEY }},
             NEXT_PUBLIC_PHOTO_API=${{ secrets.NEXT_PUBLIC_PHOTO_API }},
             NEXT_PUBLIC_PHOTO_API_KEY=${{ secrets.NEXT_PUBLIC_PHOTO_API_KEY }},
+            NEXT_PUBLIC_COOKIE_KEY=${{ secrets.NEXT_PUBLIC_COOKIE_KEY }},
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1

.github/workflows/prod-auth-registry-infra.yml

@@ -29,7 +29,7 @@ jobs:
         run: echo "::set-output name=version::${{ steps.get.outputs.result }}"
 
   build:
-    needs: ['versioning']
+    needs: ["versioning"]
     runs-on: ubuntu-latest
     environment: Production
 
@@ -88,11 +88,11 @@ jobs:
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v3.x
 
-      - id: 'auth'
-        name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v0'
+      - id: "auth"
+        name: "Authenticate to Google Cloud"
+        uses: "google-github-actions/auth@v0"
         with:
-          credentials_json: '${{ secrets.GAR_JSON_KEY }}'
+          credentials_json: "${{ secrets.GAR_JSON_KEY }}"
 
       - id: deploy
         uses: google-github-actions/deploy-cloudrun@v1.0.1
@@ -109,6 +109,7 @@ jobs:
             NEXT_PUBLIC_SITE_KEY=${{ secrets.NEXT_PUBLIC_SITE_KEY }},
             NEXT_PUBLIC_PHOTO_API=${{ secrets.NEXT_PUBLIC_PHOTO_API }},
             NEXT_PUBLIC_PHOTO_API_KEY=${{ secrets.NEXT_PUBLIC_PHOTO_API_KEY }},
+            NEXT_PUBLIC_COOKIE_KEY=${{ secrets.NEXT_PUBLIC_COOKIE_KEY }},
 
       - name: Testing Service with curl
-        run: curl "${{ steps.deploy.outputs.url }}"
+        run: curl "${{ steps.deploy.outputs.url }}"

next.config.js

@@ -7,6 +7,7 @@ const nextConfig = {
     NEXT_PUBLIC_CEDULA_API: process.env.NEXT_PUBLIC_CEDULA_API,
     NEXT_PUBLIC_CEDULA_API_KEY: process.env.NEXT_PUBLIC_CEDULA_API_KEY,
     NEXT_PUBLIC_SITE_KEY: process.env.NEXT_PUBLIC_SITE_KEY,
+    NEXT_PUBLIC_COOKIE_KEY: process.env.NEXT_PUBLIC_COOKIE_KEY,
   },
   reactStrictMode: false,
 };

package.json

@@ -21,6 +21,7 @@
     "@mui/material": "^5.11.12",
     "aws-amplify": "^5.1.4",
     "axios": "^1.4.0",
+    "cookie": "^0.5.0",
     "eslint": "8.35.0",
     "eslint-config-next": "13.2.3",
     "next": "13.2.3",
@@ -35,9 +36,10 @@
   },
   "devDependencies": {
     "@types/axios": "^0.14.0",
+    "@types/cookie": "^0.5.1",
     "@types/node": "^18.16.3",
     "@types/react": "^18.2.1",
     "@types/react-dom": "^18.2.2",
     "@types/react-google-recaptcha": "^2.1.5"
   }
-}
+}

src/pages/api/auth/index.ts

@@ -0,0 +1,20 @@
+import { NextApiRequest, NextApiResponse } from "next/types";
+import cookie from "cookie";
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse<void>
+): Promise<any> {
+  res.setHeader(
+    "Set-cookie",
+    cookie.serialize("token", process.env.NEXT_PUBLIC_COOKIE_KEY as string, {
+      httpOnly: true,
+      secure: true,
+      maxAge: 60 * 60 * 10,
+      sameSite: "strict",
+      path: "/",
+    })
+  );
+
+  return res.status(200).send();
+}

src/pages/api/biometric/index.ts

@@ -1,15 +1,15 @@
 import { NextApiRequest, NextApiResponse } from "next/types";
 import axios from "axios";
 
-import { getRekognitionClient, validateSameSiteRequest } from "@/helpers";
+import { getRekognitionClient } from "@/helpers";
 
 export default async function handler(
   req: NextApiRequest,
   res: NextApiResponse<any | void>
 ): Promise<any> {
-  const isValidRequest = validateSameSiteRequest(req.headers);
+  const { token } = req.cookies;
 
-  if (!isValidRequest) {
+  if (token !== process.env.NEXT_PUBLIC_COOKIE_KEY) {
     return res.status(401).send(null);
   }
 

src/pages/api/citizens/[cedula].ts

@@ -2,15 +2,14 @@ import { NextApiRequest, NextApiResponse } from "next/types";
 import axios from "axios";
 
 import { CitizensBasicInformationResponse } from "../types";
-import { validateSameSiteRequest } from "@/helpers";
 
 export default async function handler(
   req: NextApiRequest,
-  res: NextApiResponse<CitizensBasicInformationResponse | void>
+  res: NextApiResponse<{ name: string; id: string } | void>
 ): Promise<void> {
-  const isValidRequest = validateSameSiteRequest(req.headers);
+  const { token } = req.cookies;
 
-  if (!isValidRequest) {
+  if (token !== process.env.NEXT_PUBLIC_COOKIE_KEY) {
     return res.status(401).send();
   }
 
@@ -24,5 +23,8 @@ export default async function handler(
     `/${cedula}/info/basic?api-key=${process.env.NEXT_PUBLIC_CEDULA_API_KEY}`
   );
 
-  res.status(200).json(citizen);
+  let { names, id } = citizen.payload;
+  const name = names.split(" ")[0];
+
+  res.status(200).json({ name, id });
 }

src/pages/api/iam/index.ts

@@ -1,16 +1,15 @@
 import { NextApiRequest, NextApiResponse } from "next/types";
 import axios from "axios";
 
-import { validateSameSiteRequest } from "@/helpers";
 import { VerifyIamUserResponse } from "../types";
 
 export default async function handler(
   req: NextApiRequest,
   res: NextApiResponse<any>
 ): Promise<any> {
-  const isValidRequest = validateSameSiteRequest(req.headers);
+  const { token } = req.cookies;
 
-  if (!isValidRequest) {
+  if (token !== process.env.NEXT_PUBLIC_COOKIE_KEY) {
     return res.status(401).send(null);
   }
 

src/pages/register/stepper/index.tsx

@@ -5,6 +5,7 @@ import Button from "@mui/material/Button";
 import Step from "@mui/material/Step";
 import Box from "@mui/material/Box";
 import * as React from "react";
+import axios from "axios";
 
 import { routes } from "@/constants/routes";
 import { useRouter } from "next/router";
@@ -14,12 +15,28 @@ import Step3 from "./step3";
 
 const steps = ["PASO 1", "PASO 2", "PASO 3"];
 
+export async function getServerSideProps(ctx: any) {
+  await axios.get(`/api/auth`);
+
+  return {
+    props: { data: {} },
+  };
+}
+
 export default function StepperRegister() {
   const router = useRouter();
 
   const [activeStep, setActiveStep] = React.useState(0);
   const [skipped, setSkipped] = React.useState(new Set<number>());
 
+  React.useEffect(() => {
+    const fetcher = async (url: string) => {
+      await fetch(url);
+    };
+
+    fetcher(`/api/auth`).then().catch();
+  }, []);
+
   const [infoCedula, setInfoCedula] = React.useState({});
 
   const isStepOptional = (step: number) => {

src/pages/register/stepper/step1.tsx

@@ -46,8 +46,9 @@ export default function Step1({ setInfoCedula, handleNext }: any) {
       .match(/(\d{0,3})(\d{0,7})(\d{0,1})/);
     e.target.value = !cedulaValue[2]
       ? cedulaValue[1]
-      : `${cedulaValue[1]}-${cedulaValue[2]}${`${cedulaValue[3] ? `-${cedulaValue[3]}` : ""
-      }`}${`${cedulaValue[4] ? `-${cedulaValue[4]}` : ""}`}`;
+      : `${cedulaValue[1]}-${cedulaValue[2]}${`${
+          cedulaValue[3] ? `-${cedulaValue[3]}` : ""
+        }`}${`${cedulaValue[4] ? `-${cedulaValue[4]}` : ""}`}`;
     const numbers = e.target.value.replace(/(\D)/g, "");
     setValue("cedula", numbers);
   };
@@ -98,7 +99,10 @@ export default function Step1({ setInfoCedula, handleNext }: any) {
     <>
       {loading && <LoadingBackdrop />}
       <br />
-      <TextBody textCenter>Inicia colocando tu número de cédula para iniciar la verificación de tu identidad.</TextBody>
+      <TextBody textCenter>
+        Inicia colocando tu número de cédula para iniciar la verificación de tu
+        identidad.
+      </TextBody>
 
       <form onSubmit={handleSubmit(onSubmit)}>
         <GridContainer marginY>
@@ -127,7 +131,14 @@ export default function Step1({ setInfoCedula, handleNext }: any) {
           </GridItem>
 
           <GridItem md={12} lg={12}>
-            <hr style={{ background: "#CBE5FD", height: "1px", border: "none", borderRadius: "10px" }} />
+            <hr
+              style={{
+                background: "#CBE5FD",
+                height: "1px",
+                border: "none",
+                borderRadius: "10px",
+              }}
+            />
             <br />
             <div
               style={{

src/pages/register/stepper/step2.tsx

@@ -57,7 +57,12 @@ export default function Step2({ infoCedula, handleNext }: any) {
     <>
       <br />
       <TextBody textCenter>
-        ¡Hola {infoCedula?.payload?.names.split(" ")[0]}! <span style={{fontWeight: "400"}}>Ahora vamos a verificar tu identidad mediante autenticación biométrica y continuar con el proceso de tú registro, asegúrate de disponer de los siguientes elementos:</span>
+        ¡Hola {infoCedula?.name}!{" "}
+        <span style={{ fontWeight: "400" }}>
+          Ahora vamos a verificar tu identidad mediante autenticación biométrica
+          y continuar con el proceso de tú registro, asegúrate de disponer de
+          los siguientes elementos:
+        </span>
       </TextBody>
       <br />
 
@@ -145,7 +150,7 @@ export default function Step2({ infoCedula, handleNext }: any) {
                 open={open}
                 handleClick={handleClick}
                 handleNextForm={handleNext}
-                identity={infoCedula}
+                identity={infoCedula.id}
               />
             )}
           </GridItem>

src/pages/register/stepper/step2Modal.tsx

@@ -30,7 +30,6 @@ export default function Step2Modal({
   handleNextForm,
   identity,
 }: any) {
-
   return (
     <div>
       <Dialog
@@ -61,11 +60,18 @@ export default function Step2Modal({
           className="bg-primary"
           style={{ minHeight: "100vh", paddingTop: "100px" }}
         >
-          <div style={{width: "100%", maxWidth: "600px", margin: "auto", padding: "0 10px"}}>
+          <div
+            style={{
+              width: "100%",
+              maxWidth: "600px",
+              margin: "auto",
+              padding: "0 10px",
+            }}
+          >
             <ThemeProvider>
               <LivenessQuickStartReact
                 handleNextForm={handleNextForm}
-                cedula={identity?.payload?.id}
+                cedula={identity}
               />
             </ThemeProvider>
           </div>