feat: Add JWT Authentication and Authorization

ducktors · Dec 3, 2024 · 0cfbf26 · 0cfbf26
1 parent cd7dd4a
commit 0cfbf26
Show file tree

Hide file tree

Showing 22 changed files with 1,248 additions and 475 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -46,6 +46,7 @@ build
 .vscode
 .env
 .env.example
+.envrc
 LICENSE
 README.md
 .dockerignore

diff --git a/.env.example b/.env.example
@@ -3,11 +3,18 @@ PORT=
 LOG_MODE=
 LOG_LEVEL=
 LOG_FILE=
-TURBO_TOKEN=
 STORAGE_PROVIDER=
 STORAGE_PATH=
 BODY_LIMIT=
 STORAGE_PATH_USE_TMP_FOLDER=
+# Auth
+TURBO_TOKEN=
+# ...or
+JWKS_URL=
+JWT_ISSUER=
+JWT_AUDIENCE=
+JWT_READ_SCOPES=
+JWT_WRITE_SCOPES=
 # AWS S3 Storage Provider
 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=

diff --git a/.gitignore b/.gitignore
@@ -64,3 +64,4 @@ junit-testresults.xml
 # Misc
 .DS_Store
 build
+.envrc
diff --git a/docs/environment-variables.md b/docs/environment-variables.md
@@ -10,11 +10,17 @@ nav_order: 2
 | -- | -- | -- | -- | -- |
 | `NODE_ENV` | string | optional | `production` | Possible values are `development` or `production`|
 | `PORT` | number | optional | `3000` |   |
-| `TURBO_TOKEN` | string | mandatory |  | Secret token used for the authentication. You can specify multiple tokens separated by comma (e.g. `TURBO_TOKEN=token1,token2,token3`). The value must be the same one provided for the `token` parameter of the `build` script. See enable [custom remote caching](https://ducktors.github.io/turborepo-remote-cache/custom-remote-caching) in a Turborepo monorepo |
-| `LOG_LEVEL` | string | optional | Possibile values are [one of these](https://github.com/ducktors/turborepo-remote-cache/blob/main/src/logger.ts#L3)  | `'info'` |
-| `LOG_MODE` | string | optional | Setting it to 'file' enables writing logs to file | `stdout` |
-| `LOG_FILE` | string | optional | Path and file name where save .log file (e.g. /path/to/my/file.log) | `server.log` |
-| `STORAGE_PROVIDER` | string | optional | Possible values are `local`, `s3`, `google-cloud-storage` or `azure-blob-storage`. Use this var to choose the storage provider. | `local`  |
+| `TURBO_TOKEN` | string | optional |  | Secret token used for the authentication. Required if `AUTH_MODE` is undefined or `static`. You can specify multiple tokens separated by comma (e.g. `TURBO_TOKEN=token1,token2,token3`). The value must be the same one provided for the `token` parameter of the `build` script. See enable [custom remote caching](https://ducktors.github.io/turborepo-remote-cache/custom-remote-caching) in a Turborepo monorepo |
+| `AUTH_MODE` | string | optional | `static` | Which authentication mode to use, possible values are `static` or `jwt`|
+| `JWKS_URL` | string | optional | | JWKS metadata url for retrieving public keys for verifying JWTs|
+| `JWT_ISSUER` | string | optional | | JWT Issuer, optional even if using JWT authentication, to match `iss` field in JWT.
+| `JWT_AUDIENCE` | string | optional | | JWT Audience, optional even if using JWT authentication, to match `aud` field in JWT.
+| `JWT_READ_SCOPES` | string | optional | | If specified, one of the scopes listed here must be present in order to read from the cache. You can specify multiple options with a comma-delimited string of scopes.
+| `JWT_WRITE_SCOPES` | string | optional | | If specified, one of the scopes listed here must be present in order to write to the cache. You can specify multiple options with a comma-delimited string of scopes.
+| `LOG_LEVEL` | string | optional | `'info'` | Possibile values are [one of these](https://github.com/ducktors/turborepo-remote-cache/blob/main/src/logger.ts#L3) |
+| `LOG_MODE` | string | optional | `stdout` | Setting it to 'file' enables writing logs to file |
+| `LOG_FILE` | string | optional | `server.log` | Path and file name where save .log file (e.g. /path/to/my/file.log) |
+| `STORAGE_PROVIDER` | string | optional | `local` | Possible values are `local`, `s3`, `google-cloud-storage` or `azure-blob-storage`. Use this var to choose the storage provider. |
 | `STORAGE_PATH` | string | optional |  | Caching folder under `/tmp` if `STORAGE_PROVIDER` is set to `local`. If `STORAGE_PROVIDER` is set to `s3`, `google-cloud-storage` or `azure-blob-storage`, this will be the name of the bucket. |
 | `STORAGE_PATH_USE_TMP_FOLDER` | boolean | optional | `true` | Uses the system tmp folder as a prefix to `STORAGE_PATH` |
 | `BODY_LIMIT` | number | optional | `104857600` | The limit for artifact upload size  |
diff --git a/package.json b/package.json
@@ -47,6 +47,7 @@
   "dependencies": {
     "@azure/storage-blob": "^12.23.0",
     "@fastify/aws-lambda": "^5.0.0",
+    "@fastify/jwt": "9.0.1",
     "@google-cloud/storage": "6.9.2",
     "@hapi/boom": "10.0.0",
     "@sinclair/typebox": "0.25.21",
@@ -55,6 +56,7 @@
     "close-with-grace": "1.1.0",
     "env-schema": "5.2.0",
     "fastify": "5.1.0",
+    "fastify-jwt-jwks": "^2.0.0",
     "fastify-plugin": "5.0.1",
     "fs-blob-store": "6.0.0",
     "hyperid": "3.1.1",
@@ -75,18 +77,20 @@
     "@semantic-release/npm": "^12.0.1",
     "@semantic-release/release-notes-generator": "^14.0.1",
     "@types/node": "^20.6.3",
+    "@types/s3rver": "^3.7.4",
     "c8": "^9.0.0",
     "commitizen": "^4.3.1",
     "commitlint-config-cz": "^0.13.3",
     "commitlint-plugin-function-rules": "^2.0.2",
     "cz-conventional-changelog": "^3.3.0",
     "fastify-tsconfig": "^2.0.0",
     "husky": "^8.0.3",
+    "mock-jwks": "^3.2.2",
     "npm-run-all": "^4.1.5",
     "rimraf": "^4.1.2",
     "s3rver": "^3.7.1",
     "semantic-release": "^22.0.12",
-    "tsx": "^4.7.0",
+    "tsx": "^4.19.2",
     "typescript": "^5.2.2"
   },
   "bugs": {
-Original file line number
+Diff line change
@@ Expand Up / @@ -46,6 +46,7 @@ build @@
     .vscode
     .env
     .env.example
+    .envrc
     LICENSE
     README.md
     .dockerignore
@@ Expand Down @@