feat(auth): progress towards auth0/oidc support

oada/libs/lib-config/package.json

@@ -38,7 +38,7 @@
     "convict-format-with-moment": "^6.2.0",
     "convict-format-with-validator": "^6.2.0",
     "debug": "^4.3.4",
-    "dotenv": "^16.4.4",
+    "dotenv": "^16.4.5",
     "json5": "^2.2.3",
     "tslib": "2.6.2",
     "yaml": "^2.3.4"

oada/libs/pino-debug/package.json

@@ -25,7 +25,7 @@
   "dependencies": {
     "cls-rtracer": "^2.6.3",
     "is-interactive": "^2.0.0",
-    "pino": "^8.18.0",
+    "pino": "^8.19.0",
     "pino-caller": "^3.4.0",
     "pino-debug": "^2.0.0",
     "pino-loki": "^2.2.1",

oada/oada.config.mjs

@@ -162,10 +162,9 @@ export default {
       domain,
     },
     'mergeSubServices': [
-      { resource: 'oada-configuration', base: 'http://auth:8080' },
       { resource: 'openid-configuration', base: 'http://auth:8080' },
     ],
-    'oada-configuration': {
+    'openid-configuration': {
       // eslint-disable-next-line camelcase
       well_known_version: '1.1.0',
       // eslint-disable-next-line camelcase

oada/package.json

@@ -19,8 +19,8 @@
     "@types/eslint": "^8.56.2",
     "@types/mocha": "^10.0.6",
     "@types/node": "^20.11.19",
-    "@typescript-eslint/eslint-plugin": "^7.0.1",
-    "@typescript-eslint/parser": "^7.0.1",
+    "@typescript-eslint/eslint-plugin": "^7.0.2",
+    "@typescript-eslint/parser": "^7.0.2",
     "@yarnpkg/sdks": "^3.1.0",
     "browserslist": "^4.23.0",
     "c8": "^9.1.0",

oada/services/auth/package.json

@@ -52,13 +52,14 @@
     "@fastify/cors": "^9.0.1",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
+    "@fastify/jwt": "^8.0.0",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/request-context": "^5.1.0",
     "@fastify/secure-session": "^7.1.0",
     "@fastify/sensible": "^5.5.0",
     "@fastify/static": "^7.0.1",
-    "@fastify/view": "^8.2.0",
+    "@fastify/view": "^9.0.0",
     "@oada/certs": "^4.1.1",
     "@oada/error": "^2.0.1",
     "@oada/lib-arangodb": "^3.7.0",

oada/services/auth/src/auth.ts

@@ -15,13 +15,16 @@
  * limitations under the License.
  */
 
+import {
+  Strategy as BearerStrategy,
+  type VerifyFunctionWithRequest,
+} from 'passport-http-bearer';
 import {
   Strategy as JWTStrategy,
   type VerifyCallbackWithRequest,
 } from 'passport-jwt';
 import { type RSA_JWK, jwk2pem } from 'pem-jwk';
 import { Authenticator } from '@fastify/passport';
-import { Strategy as BearerStrategy } from 'passport-http-bearer';
 import ClientPassword from 'passport-oauth2-client-password';
 import { Strategy as LocalStrategy } from 'passport-local';
 import debug from 'debug';
@@ -34,9 +37,10 @@ import {
   findByUsernamePassword,
   findById as findUserById,
 } from './db/models/user.js';
+import type { FastifyRequest } from 'fastify';
 import { _defaultHack } from './index.js';
 import { findById } from './db/models/client.js';
-import { findByToken } from './db/models/token.js';
+import { verifyToken } from './oauth2.js';
 
 export const fastifyPassport = new Authenticator({
   clearSessionOnLogin: process.env.NODE_ENV === 'development',
@@ -208,19 +212,25 @@ fastifyPassport.use(
 // BearerStrategy used to protect userinfo endpoint
 fastifyPassport.use(
   'bearer',
-  new BearerStrategy(async (token, done) => {
+  new BearerStrategy({}, (async (request, token, done) => {
     try {
-      const t = await findByToken(token);
-      if (!t) {
+      const issuer = `${request.protocol}://${request.hostname}/` as const;
+      const payload = await verifyToken(issuer, token);
+      (request as unknown as FastifyRequest).log.debug(
+        { issuer, jwt: token, payload },
+        'JWT Bearer token verify',
+      );
+
+      if (!payload) {
         // eslint-disable-next-line unicorn/no-null
         done(null, false);
         return;
       }
 
       // eslint-disable-next-line unicorn/no-null
-      done(null, t.user, { scope: t.scope.slice() });
+      done(null, payload.user, { scope: [...payload.scope] });
     } catch (error: unknown) {
       done(error);
     }
-  }),
+  }) satisfies VerifyFunctionWithRequest),
 );

oada/services/auth/src/config.ts

@@ -265,6 +265,11 @@ export const { config, schema } = await libConfig({
         nullable: true,
         default: null as unknown as Promise<File | null>,
       },
+      alg: {
+        doc: 'Algorithm to use for encrypting codes',
+        format: String,
+        default: 'HS256' as 'HS256' | 'RS256' | 'PS256',
+      },
       pkce: {
         required: {
           format: Boolean,
@@ -277,14 +282,21 @@ export const { config, schema } = await libConfig({
       },
     },
     token: {
-      length: {
-        format: 'nat',
-        default: 40,
-      },
       expiresIn: {
         format: 'duration',
         default: 0,
       },
+      key: {
+        doc: 'Key to use for signing tokens',
+        format: 'file-url',
+        nullable: true,
+        default: null as unknown as Promise<File | null>,
+      },
+      alg: {
+        doc: 'Algorithm to use for signing tokens',
+        format: String,
+        default: 'RS256' as 'HS256' | 'RS256' | 'PS256',
+      },
     },
     idToken: {
       expiresIn: {
@@ -297,6 +309,11 @@ export const { config, schema } = await libConfig({
         nullable: true,
         default: null as unknown as Promise<File | null>,
       },
+      alg: {
+        doc: 'Algorithm to use for signing id tokens',
+        format: String,
+        default: 'RS256' as 'HS256' | 'RS256' | 'PS256',
+      },
     },
     certs: {
       // If you want to run in https mode you need certs here.