Merge pull request #212 from FlowFuse/httpNodeAuth-token

Http node auth token

lib/auth/httpAuthMiddleware.js

@@ -1,4 +1,5 @@
 const crypto = require('crypto')
+const got = require('got')
 const session = require('express-session')
 const MemoryStore = require('memorystore')(session)
 const { Passport } = require('passport')
@@ -7,23 +8,61 @@ const { Strategy } = require('./strategy')
 let options
 let passport
 let httpNodeApp
+let client
+const httpTokenCache = {}
 
 module.exports = {
     init (_options) {
         options = _options
-        return (req, res, next) => {
-            try {
-                if (req.session.ffSession) {
-                    next()
-                } else {
-                    req.session.redirectTo = req.originalUrl
-                    passport.authenticate('FlowFuse', { session: false })(req, res, next)
+        return [
+            async (req, res, next) => {
+                try {
+                    if (req.session.ffSession) {
+                        next()
+                    } else if (req.get('Authorization')?.startsWith('Bearer')) {
+                        // We should include the Project ID and the path along with the token
+                        // to be checked to allow scoping tokens
+                        const token = req.get('Authorization').split(' ')[1]
+                        const cacheHit = httpTokenCache[token]
+                        if (cacheHit) {
+                            const age = (Date.now() - cacheHit.age) / 1000
+                            if (age < 300) {
+                                next()
+                                return
+                            }
+                            delete httpTokenCache[token]
+                        }
+                        const query = {
+                            path: req.path
+                        }
+                        try {
+                            await client.get(options.projectId, {
+                                headers: {
+                                    authorization: `Bearer ${token}`
+                                },
+                                searchParams: query
+                            })
+                            httpTokenCache[token] = { age: Date.now() }
+                            next()
+                        } catch (err) {
+                            // console.log(err)
+                            const error = new Error('Failed to check token')
+                            error.status = 401
+                            next(error)
+                        }
+                    } else {
+                        req.session.redirectTo = req.originalUrl
+                        passport.authenticate('FlowFuse', { session: false })(req, res, next)
+                    }
+                } catch (err) {
+                    console.log(err.stack)
+                    throw err
                 }
-            } catch (err) {
-                console.log(err.stack)
-                throw err
+            },
+            (err, req, res, next) => {
+                res.status(err.status).send()
             }
-        }
+        ]
     },
 
     setupAuthRoutes (app) {
@@ -89,5 +128,16 @@ module.exports = {
                 res.redirect('/')
             }
         })
+
+        // need to decide on the path here
+        client = got.extend({
+            prefixUrl: `${options.forgeURL}/account/check/http`,
+            headers: {
+                'user-agent': 'FlowFuse HTTP Node Auth'
+            },
+            timeout: {
+                request: 500
+            }
+        })
     }
 }

lib/runtimeSettings.js

@@ -44,7 +44,8 @@ function getSettingsFile (settings) {
     baseURL: '${settings.baseURL}',
     forgeURL: '${settings.forgeURL}',
     clientID: '${settings.clientID}',
-    clientSecret: '${settings.clientSecret}'
+    clientSecret: '${settings.clientSecret}',
+    projectId: '${settings.projectID}'
 })`
             projectSettings.httpNodeMiddleware = 'httpNodeMiddleware: flowforgeAuthMiddleware,'
         }

test/unit/lib/runtimeSettings_spec.js

@@ -260,12 +260,18 @@ describe('Runtime Settings', function () {
             const settings = await loadSettings(result)
             settings.should.not.have.property('httpNodeAuth')
             settings.should.have.property('httpNodeMiddleware')
-            ;(typeof settings.httpNodeMiddleware).should.equal('function')
+            settings.httpNodeMiddleware.should.be.an.Array()
+            ;(typeof settings.httpNodeMiddleware[0]).should.equal('function')
+            ;(typeof settings.httpNodeMiddleware[1]).should.equal('function')
             settings.should.have.property('ui')
             settings.ui.should.not.have.property('path')
             settings.ui.should.have.property('middleware')
-            ;(typeof settings.ui.middleware).should.equal('function')
+            console.log(settings.ui.middleware)
+            settings.ui.middleware.should.be.an.Array()
+            ;(typeof settings.ui.middleware[0]).should.equal('function')
+            ;(typeof settings.ui.middleware[1]).should.equal('function')
         } catch (err) {
+            console.log(err)
             // Temporary fix as this module will not be found when running in CI
             // until we publish the release of the new nr-auth module.
             err.toString().should.match(/Cannot find module '@flowfuse\/nr-auth\/middleware'/)
@@ -283,7 +289,9 @@ describe('Runtime Settings', function () {
             settings.should.have.property('ui')
             settings.ui.should.have.property('path', '/foo')
             settings.ui.should.have.property('middleware')
-            ;(typeof settings.ui.middleware).should.equal('function')
+            settings.ui.middleware.should.be.an.Array()
+            ;(typeof settings.ui.middleware[0]).should.equal('function')
+            ;(typeof settings.ui.middleware[1]).should.equal('function')
         } catch (err) {
             // Temporary fix as this module will not be found when running in CI
             // until we publish the release of the new nr-auth module.