feat(auth): add optional OIDC-based JWT validation for API routes

[jescalada]

This PR adds optional JWT validation middleware for /repo, /user, and /push endpoints.

• If jwt auth method is present and enabled in the proxy.config.json

  • When logging in through the UI, you can access data as usual
  • Direct API requests require a JWT bearer token to go through
    • The JWT token is validated through the configuration in the jwtConfig in proxy.config.json.
    • The user issues their own JWT using the clientID, authorityURL (and potentially, the expectedAudience) provided in the config

• If jwt is not enabled, it works as it used to.

  • All API resources are accessible even to unlogged users
  • No JWT is required

To activate the JWT check, you must fill in the JWT details (proxy.config.json). The following will let you verify against my Google testing app:

{
  "type": "jwt",
  "enabled": true,
  "jwtConfig": {
    "clientID": "1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com",
    "authorityURL": "https://accounts.google.com"
  }
}

You can manually generate a sample JWT by accessing the following link in your browser:

https://accounts.google.com/o/oauth2/auth?client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com&redirect_uri=http://localhost:8080/api/auth/oidc/callback&response_type=code&scope=openid%20email%20profile

Upon successful login, it will redirect to the callback URL containing an auth code (code query param). Replace AUTHORIZATION_CODE below with the code, to issue a JWT:

curl -X POST "https://oauth2.googleapis.com/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com" \
     -d "client_secret=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" \
     -d "code=AUTHORIZATION_CODE" \
     -d "grant_type=authorization_code" \
     -d "redirect_uri=http://localhost:8080/api/auth/oidc/callback"

Note: Although my Google app secrets are exposed, only registered emails can use it. Let me know if you'd like to test it out, and I can add your email to the app!

Changelog

• Add a jwtAuthHandler middleware for /repo, /user, and /push endpoints
  • JWT check is optional based on config
  • Descriptive 401 errors are returned if failed to verify
    • Missing token
    • Missing configuration
    • Invalid token format/algorithm
    • Expired token

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 46.20253% with 85 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@83e814b). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/service/passport/jwtAuthHandler.js	19.60%	41 Missing ⚠️
src/service/passport/activeDirectory.js	15.38%	22 Missing ⚠️
src/service/passport/jwt.js	30.76%	9 Missing ⚠️
src/service/passport/oidc.js	33.33%	6 Missing ⚠️
src/service/passport/local.js	84.61%	4 Missing ⚠️
src/service/routes/auth.js	66.66%	2 Missing ⚠️
src/config/index.js	85.71%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #30   +/-   ##
=======================================
  Coverage        ?   61.03%           
=======================================
  Files           ?       52           
  Lines           ?     1881           
  Branches        ?        0           
=======================================
  Hits            ?     1148           
  Misses          ?      733           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.