From e6d1d8141f7713eeb130ed5f8e3f4a73c41ecf91 Mon Sep 17 00:00:00 2001
From: Rahul Goel
Date: Fri, 19 Jul 2019 14:50:04 +0530
Subject: [PATCH] feat: add JWT expiry

introduced the jwt expiry for forced logout of users; defaulting to 1 hour, overridable by env. variable KONGA_JWT_TOKEN_EXPIRY

Originally opened at https://github.com/pantsel/konga/pull/468
---
 .env_example | 1 +
 README.md | 1 +
 api/policies/authenticated.js | 4 ++--
 api/services/Token.js | 5 +++--
 charts/konga/templates/configmap.yaml | 1 +
 charts/konga/values.yaml | 3 ++-
 6 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.env_example b/.env_example
index f1873565d..7627ef9b8 100644
--- a/.env_example
+++ b/.env_example
@@ -3,6 +3,7 @@ KONGA_BASE_URL=http://localhost:1337
 KONGA_LOG_LEVEL=debug
 KONGA_SEED_KONG_NODE_DATA_SOURCE_FILE=./examples/kong_node.data
 KONGA_SEED_USER_DATA_SOURCE_FILE=./examples/konga_user.data
+KONGA_JWT_TOKEN_EXPIRY=3600
 DB_ADAPTER=postgres
 DB_HOST=localhost
 DB_USER=kong
diff --git a/README.md b/README.md
index d3394f41a..e1321eca9 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,7 @@ These are the general environment variables Konga uses.
 | SSL_KEY_PATH | If you want to use SSL, this will be the absolute path to the .key file. Both `SSL_KEY_PATH` & `SSL_CRT_PATH` must be set. | - | null |
 | SSL_CRT_PATH | If you want to use SSL, this will be the absolute path to the .crt file. Both `SSL_KEY_PATH` & `SSL_CRT_PATH` must be set. | - | null |
 | KONGA_HOOK_TIMEOUT | The time in ms that Konga will wait for startup tasks to finish before exiting the process. | - | 60000 |
+| KONGA_JWT_TOKEN_EXPIRY | The time in seconds that a user's session is active for. | - | 3600 |
 | DB_ADAPTER | The database that Konga will use. If not set, the localDisk db will be used. | `postgres` | - |
 | DB_HOST | If `DB_URI` is not specified, this is the database host. Depends on `DB_ADAPTER`. | - | localhost |
 | DB_PORT | If `DB_URI` is not specified, this is the database port. Depends on `DB_ADAPTER`. | - | DB default. |
diff --git a/api/policies/authenticated.js b/api/policies/authenticated.js
index 1d44d2868..5decbed0d 100644
--- a/api/policies/authenticated.js
+++ b/api/policies/authenticated.js
@@ -36,10 +36,10 @@ module.exports = function authenticated(request, response, next) {
    */
   var verify = function verify(error, token) {
     if (!(_.isEmpty(error) && token !== -1)) {
-      return response.json(401, {message: 'Given authorization token is not valid', logout: true});
+      return response.json(401, {message: 'Authorization token is invalid. Error: ' + error.message, logout: true});
     } else {
       // Store user id to request object
-      request.token = token;
+      request.token = token.id.toString();
 
       // We delete the token from query and body to not mess with blueprints
       request.query && delete request.query.token;
diff --git a/api/services/Token.js b/api/services/Token.js
index 77dfbba96..0d87d1358 100644
--- a/api/services/Token.js
+++ b/api/services/Token.js
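Review bot: The new 401 branch reads `error.message` on every rejection, but the condition it sits under is also entered when `_.isEmpty(error)` is true and `token === -1`, so on that path `error` is null or undefined and the handler throws a TypeError instead of answering 401. In the else branch, `token.id.toString()` assumes the `{ id }` payload shape that `Token.issue` now produces; a token minted before this change carries a bare payload and no `exp`, so if it still verifies under the same TOKEN_SECRET it reaches this line with `token.id` undefined and throws as well, turning a should-be-logout into a 500. Both paths should degrade to the 401/logout response, as sketched below. Whether echoing the jsonwebtoken error text to the client is wanted is a separate call — "jwt expired" is a useful hint, but it is library output sent verbatim. The enclosing `authenticated` function and the `verify` callback both continue outside this hunk.
```javascript
  var verify = function verify(error, token) {
    if (!(_.isEmpty(error) && token !== -1)) {
      // error is empty on the token === -1 path; never dereference it blindly
      var reason = error && error.message ? ' Error: ' + error.message : '';
      return response.json(401, {message: 'Authorization token is invalid.' + reason, logout: true});
    } else if (!token || token.id === undefined || token.id === null) {
      // Only the { id } payload shape issued by Token.issue is accepted; pre-upgrade tokens land here
      return response.json(401, {message: 'Authorization token is invalid.', logout: true});
    } else {
      // Store user id to request object
      request.token = token.id.toString();
      // … unchanged: strip token from query and body …
```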
@@ -19,8 +19,9 @@ module.exports.issue = function issue(payload) {
   sails.log.verbose(__filename + ':' + __line + ' [Service.Token.issue() called]');
 
   return jwt.sign(
-    payload, // This is the payload we want to put inside the token
-    process.env.TOKEN_SECRET || "oursecret" // Secret string which will be used to sign the token
+    { id: payload }, // This is the payload we want to put inside the token
+    process.env.TOKEN_SECRET || "oursecret", // Secret string which will be used to sign the token
+    { expiresIn: parseInt(process.env.KONGA_JWT_TOKEN_EXPIRY || 60 * 60 )}
   );
 };
 
diff --git a/charts/konga/templates/configmap.yaml b/charts/konga/templates/configmap.yaml
index 233b7e64a..4152788f1 100644
--- a/charts/konga/templates/configmap.yaml
+++ b/charts/konga/templates/configmap.yaml
@@ -14,6 +14,7 @@ data:
   SSL_KEY_PATH: {{ .Values.config.ssl_key_path }}
   SSL_CRT_PATH: {{ .Values.config.ssl_crt_path }}
   KONGA_HOOK_TIMEOUT: "{{ default 60000 .Values.config.konga_hook_timeout }}"
+  KONGA_JWT_TOKEN_EXPIRY: "{{ default 3600 .Values.config.konga_jwt_token_expiry }}"
   DB_ADAPTER: {{ default "postgres" .Values.config.db_adapter }}
   DB_URI: {{ .Values.config.db_uri }}
   DB_HOST: {{ default "localhost" .Values.config.db_host }}
diff --git a/charts/konga/values.yaml b/charts/konga/values.yaml
index 688391f2a..504248224 100644
--- a/charts/konga/values.yaml
+++ b/charts/konga/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  repository: pantsel/konga
+  repository: onematchfox/konga
   tag: latest
   pullPolicy: IfNotPresent
 
@@ -24,6 +24,7 @@ config: {}
 # ssl_key_path:
 # ssl_crt_path:
 # konga_hook_timeout: 60000
+# konga_jwt_token_expiry:
 # db_adapter: postgres
 # db_uri:
 # db_host: localhost
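Review bot: `parseInt(process.env.KONGA_JWT_TOKEN_EXPIRY || 60 * 60)` in the new options object has no radix and no validation, so a timespan-style value such as `1h` (which jsonwebtoken itself would accept) parses to `1` and every session dies after one second, `abc` yields NaN and makes `jwt.sign` throw on every login, and `"0"` is a truthy string that produces tokens already expired at issue. I would check the raw value once, reject anything that is not a positive integer with a clear error, and only then pass it to `jwt.sign`, as sketched below. Separately, `expiresIn` only affects newly minted tokens: anything issued before this deploys has no `exp` claim and stays valid under the same TOKEN_SECRET unless the verify call (outside this hunk, in the policy) passes `maxAge` or the secret is rotated, which is worth stating in the README entry since "forced logout" is the stated goal. The `issue` function's signature line sits just above this hunk.
```javascript
module.exports.issue = function issue(payload) {
  // … unchanged: verbose log …
  var rawTtl = process.env.KONGA_JWT_TOKEN_EXPIRY;
  if (rawTtl !== undefined && rawTtl !== '' && !/^[1-9]\d*$/.test(rawTtl)) {
    throw new Error('KONGA_JWT_TOKEN_EXPIRY must be a positive integer number of seconds, got: ' + rawTtl);
  }
  var ttl = rawTtl ? Number.parseInt(rawTtl, 10) : 60 * 60;
  return jwt.sign(
    // … unchanged: payload and secret arguments …
    { expiresIn: ttl }
  );
```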
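Review bot: Every chart user is now pulled onto a personal fork's floating `latest` image by the first hunk's `repository: onematchfox/konga`, a supply-chain change that has nothing to do with the JWT-expiry feature in the subject and is not mentioned in the commit message. It should be dropped from this patch and, if wanted at all, proposed on its own: keep `repository: pantsel/konga` here, and ideally pin `tag` to a released version rather than `latest` so deployments are reproducible. The second hunk's commented `konga_jwt_token_expiry:` example is fine as documentation.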