feat(token-kiosk): integerated with config-server MAPCO-8124 (#88)

* chore: wip

* feat: done with configuration

* deps: package lock

Author: CptSchnitz

package-lock.json

@@ -6,7 +6,6 @@
     "uiPath": "/api"
   },
   "telemetry": {
-    "metrics": {},
     "tracing": {
       "isEnabled": false
     },
@@ -33,10 +32,10 @@
   "db": {
     "host": "localhost",
     "port": 5432,
-    "user": "postgres",
+    "username": "postgres",
     "password": "postgres",
-    "enableSslAuth": false,
-    "sslPaths": {
+    "ssl": {
+      "enabled": false,
       "ca": "",
       "key": "",
       "cert": ""

packages/token-kiosk/config/default.json

@@ -0,0 +1,28 @@
+{
+  "auth": {
+    "openid": {
+      "clientId": "my-local-app",
+      "issuerBaseUrl": "http://localhost:8080/realms/my-local-realm",
+      "baseUrl": "http://localhost:5173",
+      "secret": "sdfsdasdsadsadsadsadsadas",
+      "clientSecret": "78vaqxyFyyf1xeTHXzgzNlhCVtW83Zi7",
+      "scopes": "openid profile email",
+      "idField": "email",
+      "metadataFields": ["email", "email_verified", "name", "given_name", "family_name", "preferred_username"]
+    }
+  },
+  "token": {
+    "environment": "prod",
+    "expirationDuration": "1w",
+    "domains": ["raster"],
+    "jwt": {
+      "subject": "c2b",
+      "issuer": "token-kiosk",
+      "algorithm": "RS256"
+    },
+    "authManager": {
+      "baseUrl": "http://localhost:8082",
+      "cacheTtlHours": 1
+    }
+  }
+}

packages/token-kiosk/config/development.json

@@ -35,7 +35,7 @@ paths:
       summary: Get current authenticated user information
       description: Returns information about the currently authenticated user
       security:
-        - bearerAuth: []
+        - openid: []
       responses:
         200:
           description: User information retrieved successfully
@@ -51,14 +51,13 @@ paths:
                 $ref: '#/components/schemas/error'
 security:
   - {}
-  - bearerAuth: []
+  - openid: []
 components:
   securitySchemes:
-    bearerAuth:
-      type: http
-      scheme: bearer
-      bearerFormat: JWT
-      description: Bearer token authentication using JWT access tokens
+    openid:
+      type: openIdConnect
+      openIdConnectUrl: http://localhost:8080/realms/my-local-app/.well-known/openid-configuration
+
   schemas:
     error:
       type: object
@@ -72,7 +71,6 @@ components:
       required:
         - token
         - expiration
-        - domains
       properties:
         token:
           type: string
@@ -81,11 +79,6 @@ components:
           type: string
           format: date-time
           description: Expiration date and time of the token
-        domains:
-          type: array
-          items:
-            type: string
-          description: List of domains the token is valid for
     userInfo:
       type: object
       required:

packages/token-kiosk/openapi3.yaml

@@ -30,13 +30,13 @@
   "license": "ISC",
   "dependencies": {
     "@godaddy/terminus": "^4.12.1",
-    "@map-colonies/config": "^2.2.0",
+    "@map-colonies/config": "^3.0.0",
     "@map-colonies/error-express-handler": "^3.0.0",
     "@map-colonies/express-access-log-middleware": "^3.0.1",
     "@map-colonies/js-logger": "^2.0.0",
     "@map-colonies/openapi-express-viewer": "^4.0.0",
     "@map-colonies/read-pkg": "^1.0.0",
-    "@map-colonies/schemas": "^1.3.0",
+    "@map-colonies/schemas": "https://ghatmpstorage.blob.core.windows.net/npm-packages/schemas-bc7a0664630e2a828ddc79244ecae27f4413592d.tgz",
     "@map-colonies/telemetry": "^10.0.1",
     "@opentelemetry/api": "^1.9.0",
     "async-cache-dedupe": "^2.2.0",

packages/token-kiosk/package.json

@@ -1,19 +1,26 @@
 import { RequestHandler } from 'express';
 import { auth } from 'express-openid-connect';
+import { DependencyContainer } from 'tsyringe';
+import { SERVICES } from '@src/common/constants';
+import type { ConfigType } from '@src/common/config';
+
+export function openidAuthMiddlewareFactory(container: DependencyContainer): RequestHandler {
+  const config = container.resolve<ConfigType>(SERVICES.CONFIG);
+
+  const authConfig = config.get('auth.openid');
 
-export function openidAuthMiddlewareFactory(): RequestHandler {
   return auth({
-    clientID: 'my-local-app',
-    issuerBaseURL: 'http://localhost:8080/realms/my-local-realm',
-    baseURL: 'http://localhost:5173',
+    clientID: authConfig.clientId,
+    issuerBaseURL: authConfig.issuerBaseUrl,
+    baseURL: authConfig.baseUrl,
     authRequired: true,
     authorizationParams: {
       // eslint-disable-next-line @typescript-eslint/naming-convention
       response_type: 'code',
-      scope: 'openid profile email',
+      scope: authConfig.scopes,
     },
-    secret: 'sdfsdasdsadsadsadsadsadas',
-    clientSecret: '78vaqxyFyyf1xeTHXzgzNlhCVtW83Zi7',
+    secret: authConfig.secret,
+    clientSecret: authConfig.clientSecret,
     auth0Logout: false,
   });
 }

packages/token-kiosk/src/auth/middlewares/openid.ts

@@ -0,0 +1,31 @@
+import { inject, injectable } from 'tsyringe';
+import { type Logger } from '@map-colonies/js-logger';
+import { type ConfigType } from '@src/common/config';
+import { SERVICES } from '@src/common/constants';
+
+@injectable()
+export class AuthManager {
+  public constructor(
+    @inject(SERVICES.CONFIG) private readonly config: ConfigType,
+    @inject(SERVICES.LOGGER) private readonly logger: Logger
+  ) {}
+
+  public getIdKey(): string {
+    return this.config.get('auth.openid.idField');
+  }
+
+  public metadataFieldsPicker(userData: Record<string, unknown>): Record<string, unknown> {
+    const metadataFields = this.config.get('auth.openid.metadataFields');
+    const result: Record<string, unknown> = {};
+
+    for (const field of metadataFields) {
+      if (field in userData) {
+        result[field] = userData[field];
+      } else {
+        this.logger.warn(`Field '${field}' does not exist in userData`);
+      }
+    }
+
+    return result;
+  }
+}

packages/token-kiosk/src/auth/model/authManager.ts

@@ -1,8 +1,8 @@
 import { type ConfigInstance, config } from '@map-colonies/config';
-import { commonBoilerplateV2, type commonBoilerplateV2Type } from '@map-colonies/schemas';
+import { infraOpalaTokenKioskV1, type infraOpalaTokenKioskV1Type } from '@map-colonies/schemas';
 
 // Choose here the type of the config instance and import this type from the entire application
-type ConfigType = ConfigInstance<commonBoilerplateV2Type>;
+type ConfigType = ConfigInstance<infraOpalaTokenKioskV1Type>;
 
 let configInstance: ConfigType | undefined;
 
@@ -13,7 +13,7 @@ let configInstance: ConfigType | undefined;
  */
 async function initConfig(offlineMode?: boolean): Promise<void> {
   configInstance = await config({
-    schema: commonBoilerplateV2,
+    schema: infraOpalaTokenKioskV1,
     offlineMode,
   });
 }

packages/token-kiosk/src/common/config.ts

@@ -3,6 +3,8 @@ import { readPackageJsonSync } from '@map-colonies/read-pkg';
 export const SERVICE_NAME = readPackageJsonSync().name ?? 'unknown_service';
 export const DEFAULT_SERVER_PORT = 80;
 
+export const DB_CONNECTION_TIMEOUT = 5000;
+
 export const IGNORED_OUTGOING_TRACE_ROUTES = [/^.*\/v1\/metrics.*$/];
 export const IGNORED_INCOMING_TRACE_ROUTES = [/^.*\/docs.*$/];
 
@@ -13,7 +15,9 @@ export const SERVICES = {
   TRACER: Symbol('Tracer'),
   METRICS: Symbol('METRICS'),
   AUTH_MANAGER_CLIENT: Symbol('AuthManagerClient'),
+  AUTH_MIDDLEWARE: Symbol('AuthMiddleware'),
   PG_POOL: Symbol('PgPool'),
   DRIZZLE: Symbol('Drizzle'),
+  HEALTHCHECK: Symbol('HealthCheck'),
 } satisfies Record<string, symbol>;
 /* eslint-enable @typescript-eslint/naming-convention */

packages/token-kiosk/src/common/constants.ts

@@ -0,0 +1,14 @@
+export class TimeoutError extends Error {}
+
+export async function promiseTimeout<T>(ms: number, promise: Promise<T>): Promise<T> {
+  // Create a promise that rejects in <ms> milliseconds
+  const timeout = new Promise<T>((_, reject) => {
+    const id = setTimeout(() => {
+      clearTimeout(id);
+      reject(new TimeoutError(`Timed out in + ${ms} + ms.`));
+    }, ms);
+  });
+
+  // Returns a race between our timeout and the passed in promise
+  return Promise.race([promise, timeout]);
+}