feat: add public API foundation with OAuth2 authentication (CM-965) (#3841)

Signed-off-by: Yeganathan S <[email protected]>

Author: skwowet

backend/.env.dist.local

@@ -158,3 +158,7 @@ CROWD_GITHUB_IS_SNOWFLAKE_ENABLED=false
 
 # Tinybird
 CROWD_TINYBIRD_BASE_URL=http://localhost:7181/
+
+# Auth0
+CROWD_AUTH0_ISSUER_BASE_URL=
+CROWD_AUTH0_AUDIENCE=

backend/.eslintrc.js

@@ -12,6 +12,10 @@ module.exports = {
     'prefer-destructuring': ['error', { object: false, array: false }],
     'no-param-reassign': 0,
     'no-underscore-dangle': 0,
+    'no-unused-vars': [
+      'error',
+      { argsIgnorePattern: '^_', varsIgnorePattern: '^_', destructuredArrayIgnorePattern: '^_' },
+    ],
     '@typescript-eslint/naming-convention': [
       'error',
       {
@@ -46,6 +50,14 @@ module.exports = {
         'prefer-destructuring': ['error', { object: false, array: false }],
         'no-param-reassign': 0,
         'no-underscore-dangle': 0,
+        '@typescript-eslint/no-unused-vars': [
+          'error',
+          {
+            argsIgnorePattern: '^_',
+            varsIgnorePattern: '^_',
+            destructuredArrayIgnorePattern: '^_',
+          },
+        ],
         '@typescript-eslint/naming-convention': [
           'error',
           {

backend/config/custom-environment-variables.json

@@ -156,7 +156,9 @@
   },
   "auth0": {
     "clientId": "CROWD_AUTH0_CLIENT_ID",
-    "jwks": "CROWD_AUTH0_JWKS"
+    "jwks": "CROWD_AUTH0_JWKS",
+    "issuerBaseURL": "CROWD_AUTH0_ISSUER_BASE_URL",
+    "audience": "CROWD_AUTH0_AUDIENCE"
   },
   "sso": {
     "crowdTenantId": "CROWD_SSO_CROWD_TENANT_ID",

backend/package.json

@@ -101,6 +101,7 @@
     "emoji-dictionary": "^1.0.11",
     "erlpack": "^0.1.4",
     "express": "4.17.1",
+    "express-oauth2-jwt-bearer": "^1.7.4",
     "express-rate-limit": "6.5.1",
     "fast-levenshtein": "^3.0.0",
     "formidable-serverless": "1.1.1",

backend/src/api/apiRateLimiter.ts

@@ -1,28 +1,15 @@
 import rateLimit from 'express-rate-limit'
 
-export function createRateLimiter({
-  max,
-  windowMs,
-  message,
-}: {
-  max: number
-  windowMs: number
-  message: string
-}) {
+import { RateLimitError } from '@crowd/common'
+
+export function createRateLimiter({ max, windowMs }: { max: number; windowMs: number }) {
   return rateLimit({
     max,
     windowMs,
-    message,
-    skip: (req) => {
-      if (req.method === 'OPTIONS') {
-        return true
-      }
-
-      if (req.originalUrl.endsWith('/import')) {
-        return true
-      }
-
-      return false
+    handler: (_req, res) => {
+      const err = new RateLimitError()
+      res.status(err.status).json(err.toJSON())
     },
+    skip: (req) => req.method === 'OPTIONS' || req.originalUrl.endsWith('/import'),
   })
 }

backend/src/api/auth/index.ts

@@ -5,15 +5,13 @@ export default (app) => {
   const signInRateLimiter = createRateLimiter({
     max: 100,
     windowMs: 15 * 60 * 1000,
-    message: 'errors.429',
   })
 
   app.post(`/auth/sign-in`, signInRateLimiter, safeWrap(require('./authSignIn').default))
 
   const signUpRateLimiter = createRateLimiter({
     max: 20,
     windowMs: 60 * 60 * 1000,
-    message: 'errors.429',
   })
 
   app.post(`/auth/sign-up`, signUpRateLimiter, safeWrap(require('./authSignUp').default))

backend/src/api/index.ts

@@ -32,6 +32,7 @@ import { tenantMiddleware } from '../middlewares/tenantMiddleware'
 
 import { createRateLimiter } from './apiRateLimiter'
 import authSocial from './auth/authSocial'
+import { publicRouter } from './public'
 import WebSockets from './websockets'
 
 const serviceLogger = getServiceLogger()
@@ -87,6 +88,7 @@ setImmediate(async () => {
   )
 
   app.use((req, res, next) => {
+    // @ts-ignore
     req.profileSql = req.headers['x-profile-sql'] === 'true'
     next()
   })
@@ -126,30 +128,16 @@ setImmediate(async () => {
     })
   }
 
-  // initialize passport strategies
-  app.use(passportStrategyMiddleware)
-
-  // Sets the current language of the request
-  app.use(languageMiddleware)
-
-  // adds our ApiResponseHandler instance to the req object as responseHandler
-  app.use(responseHandlerMiddleware)
-
-  // Configures the authentication middleware
-  // to set the currentUser to the requests
-  app.use(authMiddleware)
+  // Enables Helmet, a set of tools to
+  // increase security.
+  app.use(helmet())
 
-  // Default rate limiter
   const defaultRateLimiter = createRateLimiter({
     max: 200,
     windowMs: 60 * 1000,
-    message: 'errors.429',
   })
-  app.use(defaultRateLimiter)
 
-  // Enables Helmet, a set of tools to
-  // increase security.
-  app.use(helmet())
+  app.use(defaultRateLimiter)
 
   app.use(
     bodyParser.json({
@@ -159,7 +147,25 @@ setImmediate(async () => {
 
   app.use(bodyParser.urlencoded({ limit: '5mb', extended: true }))
 
+  // Public API uses its own OAuth2 auth and error flow
+  // Must be mounted before internal endpoints.
+  app.use('/', publicRouter())
+
+  // initialize passport strategies
+  app.use(passportStrategyMiddleware)
+
+  // Sets the current language of the request
+  app.use(languageMiddleware)
+
+  // adds our ApiResponseHandler instance to the req object as responseHandler
+  app.use(responseHandlerMiddleware)
+
+  // Configures the authentication middleware
+  // to set the currentUser to the requests
+  app.use(authMiddleware)
+
   app.use((req, res, next) => {
+    // @ts-ignore
     req.userData = {
       ip: req.ip,
       userAgent: req.headers ? req.headers['user-agent'] : null,

backend/src/api/public/index.ts

@@ -0,0 +1,16 @@
+import { Router } from 'express'
+
+import { AUTH0_CONFIG } from '../../conf'
+
+import { errorHandler } from './middlewares/errorHandler'
+import { oauth2Middleware } from './middlewares/oauth2Middleware'
+import { v1Router } from './v1'
+
+export function publicRouter(): Router {
+  const router = Router()
+
+  router.use('/v1', oauth2Middleware(AUTH0_CONFIG), v1Router())
+  router.use(errorHandler)
+
+  return router
+}

backend/src/api/public/middlewares/errorHandler.ts

@@ -0,0 +1,38 @@
+import type { ErrorRequestHandler, NextFunction, Request, Response } from 'express'
+import {
+  InsufficientScopeError as Auth0InsufficientScopeError,
+  UnauthorizedError as Auth0UnauthorizedError,
+} from 'express-oauth2-jwt-bearer'
+
+import { HttpError, InsufficientScopeError, InternalError, UnauthorizedError } from '@crowd/common'
+
+/**
+ * Converts errors to structured JSON: `{ error: { code, message } }`.
+ * Defaults to 500 Internal Error for unhandled errors.
+ */
+export const errorHandler: ErrorRequestHandler = (
+  error: any,
+  req: Request,
+  res: Response,
+  _next: NextFunction,
+) => {
+  if (error instanceof HttpError) {
+    res.status(error.status).json(error.toJSON())
+    return
+  }
+
+  if (error instanceof Auth0InsufficientScopeError) {
+    const httpErr = new InsufficientScopeError(error.message || undefined)
+    res.status(httpErr.status).json(httpErr.toJSON())
+    return
+  }
+
+  if (error instanceof Auth0UnauthorizedError) {
+    const httpErr = new UnauthorizedError(error.message || undefined)
+    res.status(httpErr.status).json(httpErr.toJSON())
+    return
+  }
+
+  const unknownError = new InternalError()
+  res.status(unknownError.status).json(unknownError.toJSON())
+}

backend/src/api/public/middlewares/oauth2Middleware.ts

@@ -0,0 +1,38 @@
+import type { NextFunction, Request, RequestHandler, Response } from 'express'
+import { auth } from 'express-oauth2-jwt-bearer'
+
+import { UnauthorizedError } from '@crowd/common'
+
+import type { Auth0Configuration } from '@/conf/configTypes'
+import type { ApiRequest, Auth0TokenPayload } from '@/types/api'
+
+function resolveActor(req: Request, _res: Response, next: NextFunction): void {
+  const payload = (req.auth?.payload ?? {}) as Auth0TokenPayload
+
+  const rawId = payload.sub ?? payload.azp
+
+  if (!rawId) {
+    next(new UnauthorizedError('Token missing caller identity'))
+    return
+  }
+
+  const id = rawId.replace(/@clients$/, '')
+
+  const authReq = req as ApiRequest
+
+  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : []
+
+  authReq.actor = { id, type: 'service', scopes }
+
+  next()
+}
+
+export function oauth2Middleware(config: Auth0Configuration): RequestHandler[] {
+  return [
+    auth({
+      issuerBaseURL: config.issuerBaseURL,
+      audience: config.audience,
+    }),
+    resolveActor,
+  ]
+}