Sanofi-IADC · over-flo79 · Feb 24, 2022 · Jan 31, 2022 · Jan 31, 2022 · Feb 2, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v2
         with:
-          node-version: "12.x"
+          node-version: "16.x"
 
       - name: Cache dependencies
         uses: actions/cache@v2
@@ -83,7 +83,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v2
         with:
-          node-version: "12.x"
+          node-version: "16.x"
 
       - name: Cache dependencies
         uses: actions/cache@v2

diff --git a/.github/workflows/k6-load-test.yml b/.github/workflows/k6-load-test.yml
@@ -20,6 +20,7 @@ jobs:
       AWS_S3_ENDPOINT: http://localhost:4566
       AWS_ACCESS_KEY_ID: dummy
       AWS_SECRET_ACCESS_KEY: dummy
+      AUTH_CONFIG_SECRET: '{"config":[{"jwtFromRequest":{"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKey":"VALID_SECRET_KEY", "secretOrKey":"VALID_SECRET_KEY"},{"jwtFromRequest": {"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKey":"another_secret_key"}]}'
     services:
       mongo:
         image: mongo

diff --git a/.gitpod.spin-up.sh b/.gitpod.spin-up.sh
@@ -14,7 +14,7 @@ then
 fi
 echo
 echo "Setting node version just in case..."
-nvm install 12.13.0
+nvm install 16.14.0
 echo
 echo "Installing K6 for load testing..."
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69 

diff --git a/.gitpod.yml b/.gitpod.yml
@@ -4,7 +4,7 @@ image:
 tasks:
   - init: |
       touch /tmp/.npm-lock
-      npm install && npm run build && make && npm i -g @nestjs/cli && nvm install 12.13.0
+      npm install && npm run build && make && npm i -g @nestjs/cli && nvm install 16.14.0
       rm /tmp/.npm-lock
     name: init
   - command: sudo docker-up

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG NODE_VERSION=12.18.1
+ARG NODE_VERSION=16.14.0
 
 ########################
 # Builder stage

diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js
@@ -12,6 +12,7 @@ module.exports = {
             '/introduction/',
             '/architecture/',
             '/installation.html',
+            '/security.html',
             {
                 title: 'Api',
                 collapsable: false,

diff --git a/docs/installation.md b/docs/installation.md
@@ -159,6 +159,7 @@ MONGOOSE_PORT_READ = 27018
 
 REDIS_HOST = localhost
 REDIS_HOST_READ = localhost
+WHISPR_AUTH_CONFIG_SECRET = (change to your auth server - see [Security](./security.md))
 ```
 
 ### Setup a local AWS instance with localstack (optional)
@@ -189,9 +190,9 @@ Switch to Node 12 (required for some file upload dependencies)
 
 ```bash
 # Setting Node version
-nvm install 12.13.0
+nvm install 16.14.0
 
-# Check the node version is correctly set, must be 12.13.0
+# Check the node version is correctly set, must be 16.14.0
 node -v
 ```
 

diff --git a/docs/security.md b/docs/security.md
@@ -0,0 +1,82 @@
+# Security
+
+## Authentication
+
+Whispr supports authentication via JWT, and can be configured to authenticate against mutliple configurations (mutliple issuers, multiple secrets).
+
+### Configuration
+
+Security is implemented via an extended version of passport-jwt which allows an array of configurations to be passed on startup.
+
+To configure, set the `AUTH_CONFIG_SECRET`
+
+_ Note that even though the `AUTH_CONFIG_SECRET` is not necessarily a secret (in the case of config with JWKS providers), this environment variable is named `_SECRET` to ensure that it is hidden by APM tools in case it contains secret keys. _
+
+The provided configuration is very similar to the NestJS passport-jwt example with a few modifications:
+- it must be provided as a JSON string containing a `config` property which is an array of valid passport-jwt configurations
+- the `jwtFromRequest` function which tells passport-jwt where to find the JWT in the request (usually the `Authorization` header) function must be deconstructed into an object containing funcName and args properties
+- `passportJwtSecret` function should not be written in the configuration file, only the arguments are required in the `passportJwtSecret` object
+
+### Examples
+
+This is an example for multiple passport JWT configurations as they would be configured in Javascript.
+
+```js
+[{
+    secretOrKeyProvider: passportJwtSecret({
+        cache: true,
+        rateLimit: true,
+        jwksRequestsPerMinute: 5,
+        jwksUri: "https://auth.issuer.com",
+    }),
+
+    jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+    audience: 'MY_APP_AUDIENCE',
+    issuer: `https://auth.issuer.com/`,
+    algorithms: ['RS256'],
+},
+{
+    jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+    ignoreExpiration: false,
+    secretOrKey: 'APPX_SECRET_KEY',
+},
+{
+    jwtFromRequest: ExtractJwt.fromBodyField('USER_JWT'),
+    ignoreExpiration: false,
+    secretOrKey: 'APPY_SECRET_KEY',
+}]
+```
+
+And an example env file configuration for `AUTH_CONFIG_SECRET` based on the configuration above.
+
+```bash
+AUTH_CONFIG_SECRET = 
+# note that in a .env file this should be formatted onto one line - it is shown multiline here for easier readability
+# see project example.env file for a single line config
+{"config":[{
+        "secretOrKeyProvider": {
+            "cache": true,
+            "rateLimit": true,
+            "jwksRequestsPerMinute": 5,
+            "jwksUri": "https://uri.com"
+            },
+        "jwtFromRequest":{"funcName": "fromAuthHeaderAsBearerToken"},
+        "audience": "MY_APP_AUDIENCE",
+        "issuer":"https://fact.cognito.com/",
+        "algorithms": ['RS256']
+    },
+    {
+        "jwtFromRequest":{"funcName": "fromAuthHeaderAsBearerToken"},
+        "ignoreExpiration":false,
+        "secretOrKey":"APPX_SECRET_KEY"},
+    {
+        "jwtFromRequest": {"funcName": "fromBodyField", args: 'USER_JWT'},
+        "ignoreExpiration":false,
+        "secretOrKey":"APPY_SECRET_KEY"}
+    ]
+}
+```
+
+## Authorisation
+
+No specific authorisation is currently implemented in Whispr - if you are authenticated it is assumed that you should have access to all data in Whispr.
diff --git a/example.env b/example.env
@@ -25,3 +25,4 @@ AWS_S3_ENDPOINT = http://localstack:4566/
 AWS_BUCKET_NAME = demo-bucket
 
 EXAMPLE_TEST = test
+AUTH_CONFIG_SECRET = {"config":[{"jwtFromRequest":{"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKeyProvider": { "cache": true, "rateLimit": true, "jwksRequestsPerMinute": 5, "jwksUri": "https://whispr-dev.authtest.com/.well-known/jwks.json"}, "iss": "https://whispr-dev.authtest.com/"}, {"jwtFromRequest": {"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKey":"another_secret_key"}]}
diff --git a/example.rep.env b/example.rep.env
@@ -25,4 +25,5 @@ COGNITO_REGION
 COGNITO_IDENTITY_POOL_ID
 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 AWS_S3_ENDPOINT
-AWS_BUCKET_NAME
+AWS_BUCKET_NAME
+AUTH_CONFIG_SECRET = {"config":[{"jwtFromRequest":{"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKeyProvider": { "cache": true, "rateLimit": true, "jwksRequestsPerMinute": 5, "jwksUri": "https://whispr-dev.authtest.com/.well-known/jwks.json"}, "iss": "https://whispr-dev.authtest.com/"}, {"jwtFromRequest": {"funcName": "fromAuthHeaderAsBearerToken"},"ignoreExpiration":false,"secretOrKey":"another_secret_key"}]}
diff --git a/jest.config.js b/jest.config.js
@@ -13,4 +13,5 @@ module.exports = {
   collectCoverageFrom: ['**/src/**/*.{js,ts}'],
   coverageDirectory: 'tests/unit/coverage',
   testEnvironment: 'node',
+  "verbose": true
 };