kordis-leitstelle · timonmasberg · Feb 13, 2024 · Aug 11, 2023 · Aug 11, 2023 · Nov 27, 2023
diff --git a/apps/api/.env.template b/apps/api/.env.template
@@ -1,3 +1,7 @@
 MONGODB_URI=$MONGODB_URI
 ENVIRONMENT_NAME=$ENVIRONMENT_NAME
 SENTRY_KEY=$SENTRY_KEY# Prod
+AADB2C_TENANT_NAME=$AADB2C_TENANT_NAME# Prod
+AADB2C_SIGN_IN_POLICY=$AADB2C_SIGN_IN_POLICY# Prod
+AADB2C_CLIENT_ID=$AADB2C_CLIENT_ID# Prod
+AADB2C_ISSUER=$AADB2C_ISSUER# Prod
diff --git a/apps/api/src/app/app.module.ts b/apps/api/src/app/app.module.ts
@@ -8,10 +8,7 @@ import { MongooseModule } from '@nestjs/mongoose';
 import * as path from 'path';
 
 import { AuthModule } from '@kordis/api/auth';
-import {
-	DevObservabilityModule,
-	SentryObservabilityModule,
-} from '@kordis/api/observability';
+import { ObservabilityModule } from '@kordis/api/observability';
 import { OrganizationModule } from '@kordis/api/organization';
 import { SharedKernel, errorFormatterFactory } from '@kordis/api/shared';
 
@@ -21,13 +18,15 @@ import { GraphqlSubscriptionsController } from './controllers/graphql-subscripti
 import { HealthCheckController } from './controllers/health-check.controller';
 import environment from './environment';
 
+const isNextOrProdEnv = ['next', 'prod'].includes(
+	process.env.ENVIRONMENT_NAME ?? '',
+);
+
 const FEATURE_MODULES = [OrganizationModule];
 const UTILITY_MODULES = [
 	SharedKernel,
-	AuthModule,
-	...(process.env.NODE_ENV === 'production' && !process.env.GITHUB_ACTIONS
-		? [SentryObservabilityModule]
-		: [DevObservabilityModule]),
+	AuthModule.forRoot(isNextOrProdEnv ? 'aadb2c' : 'dev'),
+	ObservabilityModule.forRoot(isNextOrProdEnv ? 'sentry' : 'dev'),
 ];
 
 @Module({

diff --git a/apps/api/tsconfig.json b/apps/api/tsconfig.json
@@ -4,11 +4,11 @@
   "include": [],
   "references": [
     {
-      "path": "./tsconfig.app.json"
+      "path": "./tsconfig.app.json",
     },
     {
-      "path": "./tsconfig.spec.json"
-    }
+      "path": "./tsconfig.spec.json",
+    },
   ],
   "compilerOptions": {
     "esModuleInterop": true,
@@ -18,6 +18,6 @@
     "noPropertyAccessFromIndexSignature": false,
     "noImplicitOverride": true,
     "noImplicitReturns": true,
-    "noFallthroughCasesInSwitch": true
-  }
+    "noFallthroughCasesInSwitch": true,
+  },
 }
diff --git a/apps/spa-e2e/tsconfig.json b/apps/spa-e2e/tsconfig.json
@@ -4,7 +4,7 @@
   "include": [],
   "references": [
     {
-      "path": "./tsconfig.e2e.json"
-    }
-  ]
+      "path": "./tsconfig.e2e.json",
+    },
+  ],
 }
diff --git a/apps/spa/tsconfig.json b/apps/spa/tsconfig.json
@@ -7,26 +7,26 @@
     "noImplicitOverride": true,
     "noPropertyAccessFromIndexSignature": true,
     "noImplicitReturns": true,
-    "noFallthroughCasesInSwitch": true
+    "noFallthroughCasesInSwitch": true,
   },
   "files": [],
   "include": [],
   "references": [
     {
-      "path": "./tsconfig.app.json"
+      "path": "./tsconfig.app.json",
     },
     {
-      "path": "./tsconfig.spec.json"
+      "path": "./tsconfig.spec.json",
     },
     {
-      "path": "./tsconfig.editor.json"
-    }
+      "path": "./tsconfig.editor.json",
+    },
   ],
   "extends": "../../tsconfig.base.json",
   "angularCompilerOptions": {
     "enableI18nLegacyMessageIdFormat": false,
     "strictInjectionParameters": true,
     "strictInputAccessModifiers": true,
-    "strictTemplates": true
-  }
+    "strictTemplates": true,
+  },
 }
diff --git a/libs/api/auth/src/lib/auth-strategies/verify-aadb2c-jwt.strategy.spec.ts b/libs/api/auth/src/lib/auth-strategies/verify-aadb2c-jwt.strategy.spec.ts
@@ -0,0 +1,136 @@
+import { createMock } from '@golevelup/ts-jest';
+import { ConfigService } from '@nestjs/config';
+import { Test, TestingModule } from '@nestjs/testing';
+import jwt from 'jsonwebtoken';
+
+import { KordisRequest } from '@kordis/api/shared';
+
+import { VerifyAADB2CJWTStrategy } from './verify-aadb2c-jwt.strategy';
+
+jest.mock('jwks-rsa', () => () => {
+	return {
+		getKeys: jest.fn(),
+		getSigningKey: jest.fn().mockResolvedValue({
+			kid: 'kid',
+			alg: 'alg',
+			getPublicKey: jest.fn().mockReturnValue('publicKey'),
+			rsaPublicKey: 'publicKey',
+		}),
+		getSigningKeys: jest.fn(),
+	};
+});
+
+describe('VerifyAADB2CJWTStrategy', () => {
+	let verifyAADB2CJWTStrategy: VerifyAADB2CJWTStrategy;
+
+	beforeEach(async () => {
+		jest.clearAllMocks();
+
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				{
+					provide: ConfigService,
+					useValue: createMock<ConfigService>({
+						getOrThrow: jest
+							.fn()
+							.mockReturnValue('tenant')
+							.mockReturnValue('policy')
+							.mockReturnValue('clientId')
+							.mockReturnValue('issuer'),
+					}),
+				},
+				VerifyAADB2CJWTStrategy,
+			],
+		}).compile();
+
+		verifyAADB2CJWTStrategy = module.get<VerifyAADB2CJWTStrategy>(
+			VerifyAADB2CJWTStrategy,
+		);
+	});
+
+	it('should verify and return user on valid JWT', async () => {
+		const req = createMock<Omit<KordisRequest, 'user'>>({
+			headers: {
+				authorization: 'Bearer 123',
+			},
+		});
+
+		jest.spyOn(jwt, 'decode').mockImplementationOnce(
+			() =>
+				({
+					header: { kid: 'mockKid' },
+					payload: {
+						sub: 'id',
+						given_name: 'foo',
+						family_name: 'bar',
+						emails: ['[email protected]'],
+						organization: 'testorg',
+					},
+				}) as any,
+		);
+
+		const verifySpy = jest.spyOn(jwt, 'verify').mockReturnValueOnce(undefined);
+		await expect(
+			verifyAADB2CJWTStrategy.verifyUserFromRequest(req),
+		).resolves.toEqual({
+			id: 'id',
+			email: '[email protected]',
+			firstName: 'foo',
+			lastName: 'bar',
+			organization: 'testorg',
+		});
+
+		expect(verifySpy).toHaveBeenCalledWith(
+			'123',
+			'publicKey',
+			expect.anything(),
+		);
+	});
+
+	it('should return null on empty authorization header', async () => {
+		const req = createMock<Omit<KordisRequest, 'user'>>({
+			headers: {},
+		});
+
+		await expect(
+			verifyAADB2CJWTStrategy.verifyUserFromRequest(req),
+		).resolves.toBeNull();
+	});
+
+	it('should return null on invalid JWT', async () => {
+		const req = createMock<Omit<KordisRequest, 'user'>>({
+			headers: {
+				authorization: 'Bearer 123',
+			},
+		});
+
+		jest.spyOn(jwt, 'decode').mockImplementationOnce(
+			() =>
+				({
+					header: { kid: 'mockKid' },
+				}) as any,
+		);
+
+		jest.spyOn(jwt, 'verify').mockImplementationOnce(() => {
+			throw new Error('Invalid JWT');
+		});
+
+		await expect(
+			verifyAADB2CJWTStrategy.verifyUserFromRequest(req),
+		).resolves.toBeNull();
+	});
+
+	it('should return null on jwt decode fail', async () => {
+		const req = createMock<Omit<KordisRequest, 'user'>>({
+			headers: {
+				authorization: 'Bearer 123',
+			},
+		});
+
+		jest.spyOn(jwt, 'decode').mockImplementationOnce(() => null);
+
+		await expect(
+			verifyAADB2CJWTStrategy.verifyUserFromRequest(req),
+		).resolves.toBeNull();
+	});
+});
diff --git a/libs/api/auth/src/lib/auth-strategies/verify-aadb2c-jwt.strategy.ts b/libs/api/auth/src/lib/auth-strategies/verify-aadb2c-jwt.strategy.ts
@@ -0,0 +1,82 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { Request } from 'express';
+import * as jwt from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+
+import { AuthUser } from '@kordis/shared/auth';
+
+import { VerifyAuthUserStrategy } from './verify-auth-user.strategy';
+
+declare module 'jsonwebtoken' {
+	export interface JwtPayload {
+		sub?: string;
+		oid: string;
+		emails: string[];
+		given_name: string;
+		family_name: string;
+		organization: string;
+	}
+}
+
+@Injectable()
+export class VerifyAADB2CJWTStrategy extends VerifyAuthUserStrategy {
+	private readonly client: jwksClient.JwksClient;
+	private readonly verifyOptions: jwt.VerifyOptions;
+
+	constructor(config: ConfigService) {
+		super();
+
+		const tenant = config.getOrThrow<string>('AADB2C_TENANT_NAME');
+		const signInPolicy = config.getOrThrow<string>('AADB2C_SIGN_IN_POLICY');
+		const clientId = config.getOrThrow<string>('AADB2C_CLIENT_ID');
+		const issuer = config.getOrThrow<string>('AADB2C_ISSUER');
+
+		this.verifyOptions = {
+			algorithms: ['RS256'],
+			audience: clientId,
+			issuer,
+		};
+		this.client = jwksClient({
+			jwksUri: `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${signInPolicy}/discovery/v2.0/keys`,
+		});
+	}
+
+	async verifyUserFromRequest(req: Request): Promise<AuthUser | null> {
+		const authHeaderValue = req.headers['authorization'];
+
+		if (!authHeaderValue) {
+			return null;
+		}
+		const bearerToken = authHeaderValue.split(' ')[1];
+
+		const decodedToken = jwt.decode(bearerToken, {
+			complete: true,
+		});
+		if (!decodedToken) {
+			return null;
+		}
+
+		const key = await this.client.getSigningKey(decodedToken.header.kid);
+		const publicKey = key.getPublicKey();
+
+		try {
+			jwt.verify(bearerToken, publicKey, this.verifyOptions);
+		} catch {
+			return null;
+		}
+
+		const { payload } = decodedToken;
+		if (typeof payload === 'string') {
+			return null;
+		}
+
+		return {
+			id: payload['sub'] ?? payload['oid'],
+			email: payload['emails'][0],
+			firstName: payload['given_name'],
+			lastName: payload['family_name'],
+			organization: payload['organization'],
+		};
+	}
+}
diff --git a/libs/api/auth/src/lib/auth-strategies/verify-auth-user.strategy.ts b/libs/api/auth/src/lib/auth-strategies/verify-auth-user.strategy.ts
@@ -0,0 +1,10 @@
+import { Request } from 'express';
+
+import { AuthUser } from '@kordis/shared/auth';
+
+export abstract class VerifyAuthUserStrategy {
+	/*
+	 * Returns the AuthUser if the user is authenticated, otherwise null.
+	 */
+	abstract verifyUserFromRequest(req: Request): Promise<AuthUser | null>;
+}
diff --git a/...act-user-from-ms-principle-header.spec.ts → ...tegies/verify-dev-bearer.strategy.spec.ts b/...act-user-from-ms-principle-header.spec.ts → ...tegies/verify-dev-bearer.strategy.spec.ts
@@ -2,36 +2,33 @@ import { createMock } from '@golevelup/ts-jest';
 
 import { KordisRequest } from '@kordis/api/shared';
 
-import {
-	AuthUserExtractorStrategy,
-	ExtractUserFromMsPrincipleHeader,
-} from './auth-user-extractor.strategy';
+import { VerifyAuthUserStrategy } from './verify-auth-user.strategy';
+import { VerifyDevBearerStrategy } from './verify-dev-bearer.strategy';
 
-describe('ExtractUserFromMsPrincipleHeader', () => {
-	let extractStrat: AuthUserExtractorStrategy;
+describe('VerifyDevBearerStrategy', () => {
+	let extractStrat: VerifyAuthUserStrategy;
 
 	beforeEach(() => {
-		extractStrat = new ExtractUserFromMsPrincipleHeader();
+		extractStrat = new VerifyDevBearerStrategy();
 	});
 
-	it('should return null if the authorization header is not present', () => {
+	it('should return null if the authorization header is not present', async () => {
 		const req = createMock<Omit<KordisRequest, 'user'>>({
 			headers: {},
 		});
-		const result = extractStrat.getUserFromRequest(req);
 
-		expect(result).toBeNull();
+		await expect(extractStrat.verifyUserFromRequest(req)).resolves.toBeNull();
 	});
 
-	it('should extract user correctly from signed access token', () => {
+	it('should extract user correctly from signed access token', async () => {
 		const headerValue =
 			'Bearer eyJhbGciOiJIUzI1NiJ9.eyJvaWQiOiJjMGNjNDQwNC03OTA3LTQ0ODAtODZkMy1iYTRiZmM1MTNjNmQiLCJzdWIiOiJjMGNjNDQwNC03OTA3LTQ0ODAtODZkMy1iYTRiZmM1MTNjNmQiLCJnaXZlbl9uYW1lIjoiVGVzdCIsImZhbWlseV9uYW1lIjoiVXNlciIsImVtYWlscyI6WyJ0ZXN0QHRpbW9ubWFzYmVyZy5jb20iXX0.9FXjgT037QkeE0KptQo3MzMriuXGzqCNfBDVEkWbJaA';
 
 		const req = createMock<Omit<KordisRequest, 'user'>>({
 			headers: { authorization: headerValue },
 		});
 
-		expect(extractStrat.getUserFromRequest(req)).toEqual({
+		await expect(extractStrat.verifyUserFromRequest(req)).resolves.toEqual({
 			id: 'c0cc4404-7907-4480-86d3-ba4bfc513c6d',
 			email: '[email protected]',
 			firstName: 'Test',