feat(authentication-service): added the logic for rotation of keys wi…

…th database

2034

services/authentication-service/.env.defaults

@@ -61,4 +61,6 @@ AZURE_AUTH_COOKIE_KEY=
 
 #iv is 12 bit
 
-AZURE_AUTH_COOKIE_IV=
+AZURE_AUTH_COOKIE_IV=
+
+MAX_JWT_KEYS=2

services/authentication-service/.env.example

@@ -83,3 +83,5 @@ AUTH0_DOMAIN=
 AUTH0_CLIENT_ID=
 AUTH0_CLIENT_SECRET=
 AUTH0_CALLBACK_URL=
+
+MAX_JWT_KEYS=

services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js

@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};

services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql

@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;

services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);

services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js

@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};

services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql

@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;

services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id SERIAL PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+);

services/authentication-service/openapi.json

@@ -752,7 +752,7 @@
         ],
         "responses": {
           "200": {
-            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params, \n          please use the post endpoint)",
+            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params,\n          please use the post endpoint)",
             "content": {
               "application/json": {
                 "schema": {
@@ -1720,6 +1720,144 @@
         "operationId": "IdentityServerController.connectAuth"
       }
     },
+    "/connect/endsession": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "logout",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To logout",
+        "responses": {
+          "200": {
+            "description": "Success Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SuccessResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "parameters": [
+          {
+            "name": "Authorization",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            },
+            "description": "This is the access token which is required to authenticate user."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/RefreshTokenRequestPartial"
+              }
+            }
+          },
+          "x-parameter-index": 1
+        },
+        "operationId": "IdentityServerController.logout"
+      }
+    },
+    "/connect/token": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "getToken",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Send the code received from the POST /auth/login api and get refresh token and access token (webapps)",
+        "responses": {
+          "200": {
+            "description": "Token Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TokenResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AuthTokenRequest"
+              }
+            }
+          }
+        },
+        "operationId": "IdentityServerController.getToken"
+      }
+    },
+    "/connect/userinfo": {
+      "get": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "me",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To get the user details",
+        "responses": {
+          "200": {
+            "description": "User Object",
+            "content": {}
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.me"
+      }
+    },
     "/google/logout": {
       "post": {
         "x-controller-name": "LogoutController",