chore: refactor storage api - code quality & reusability (#209)

Author: fenos

src/admin-app.ts

@@ -1,17 +1,16 @@
 import fastify, { FastifyInstance, FastifyServerOptions } from 'fastify'
 import { default as metrics } from 'fastify-metrics'
 import { Registry } from 'prom-client'
-import tenantRoutes from './routes/tenant'
-import logRequest from './plugins/log-request'
+import { routes, plugins } from './http'
 
 export interface AdminOptions {
   register?: Registry
 }
 
 const build = (opts: FastifyServerOptions = {}, adminOpts: AdminOptions = {}): FastifyInstance => {
   const app = fastify(opts)
-  app.register(logRequest({ excludeUrls: ['/status'] }))
-  app.register(tenantRoutes, { prefix: 'tenants' })
+  app.register(plugins.logRequest({ excludeUrls: ['/status'] }))
+  app.register(routes.tenant, { prefix: 'tenants' })
   app.register(metrics, {
     endpoint: '/metrics',
     defaultMetrics: {

src/app.ts

@@ -1,14 +1,7 @@
 import fastify, { FastifyInstance, FastifyServerOptions } from 'fastify'
 import fastifyMultipart from '@fastify/multipart'
 import fastifySwagger from '@fastify/swagger'
-import bucketRoutes from './routes/bucket/'
-import objectRoutes from './routes/object'
-import renderRoutes from './routes/render'
-import { authSchema } from './schemas/auth'
-import { errorSchema } from './schemas/error'
-import logTenantId from './plugins/log-tenant-id'
-import tenantId from './plugins/tenant-id'
-import logRequest from './plugins/log-request'
+import { routes, schemas, plugins, setErrorHandler } from './http'
 
 interface buildOpts extends FastifyServerOptions {
   exposeDocs?: boolean
@@ -50,15 +43,17 @@ const build = (opts: buildOpts = {}): FastifyInstance => {
   }
 
   // add in common schemas
-  app.addSchema(authSchema)
-  app.addSchema(errorSchema)
+  app.addSchema(schemas.authSchema)
+  app.addSchema(schemas.errorSchema)
 
-  app.register(tenantId)
-  app.register(logTenantId)
-  app.register(logRequest({ excludeUrls: ['/status'] }))
-  app.register(bucketRoutes, { prefix: 'bucket' })
-  app.register(objectRoutes, { prefix: 'object' })
-  app.register(renderRoutes, { prefix: 'render' })
+  app.register(plugins.tenantId)
+  app.register(plugins.logTenantId)
+  app.register(plugins.logRequest({ excludeUrls: ['/status'] }))
+  app.register(routes.bucket, { prefix: 'bucket' })
+  app.register(routes.object, { prefix: 'object' })
+  app.register(routes.render, { prefix: 'render' })
+
+  setErrorHandler(app)
 
   app.get('/status', async (request, response) => response.status(200).send())
 

src/utils/crypto.ts renamed to src/auth/crypto.ts

@@ -1,13 +1,21 @@
 import AES from 'crypto-js/aes'
 import Utf8 from 'crypto-js/enc-utf8'
-import { getConfig } from './config'
+import { getConfig } from '../config'
 
 const { encryptionKey } = getConfig()
 
+/**
+ * Decrypts a text with the configured encryption key via ENCRYPTION_KEY env
+ * @param ciphertext
+ */
 export function decrypt(ciphertext: string): string {
   return AES.decrypt(ciphertext, encryptionKey).toString(Utf8)
 }
 
+/**
+ * Encrypts a text with the configured encryption key via ENCRYPTION_KEY env
+ * @param plaintext
+ */
 export function encrypt(plaintext: string): string {
   return AES.encrypt(plaintext, encryptionKey).toString()
 }

src/auth/index.ts

@@ -0,0 +1,2 @@
+export * from './crypto'
+export * from './jwt'

src/auth/jwt.ts

@@ -0,0 +1,77 @@
+import { getJwtSecret as getJwtSecretForTenant } from '../database/tenant'
+import jwt from 'jsonwebtoken'
+import { getConfig } from '../config'
+
+const { isMultitenant, jwtSecret, jwtAlgorithm } = getConfig()
+
+interface jwtInterface {
+  sub: string
+}
+
+export type SignedToken = {
+  url: string
+}
+
+/**
+ * Gets the JWT secret key from the env PGRST_JWT_SECRET when running in single-tenant
+ * or querying the multi-tenant database by the given tenantId
+ * @param tenantId
+ */
+export async function getJwtSecret(tenantId: string): Promise<string> {
+  let secret = jwtSecret
+  if (isMultitenant) {
+    secret = await getJwtSecretForTenant(tenantId)
+  }
+  return secret
+}
+
+/**
+ * Verifies if a JWT is valid
+ * @param token
+ * @param secret
+ */
+export function verifyJWT(
+  token: string,
+  secret: string
+): Promise<string | jwt.JwtPayload | undefined> {
+  return new Promise((resolve, reject) => {
+    jwt.verify(token, secret, { algorithms: [jwtAlgorithm as jwt.Algorithm] }, (err, decoded) => {
+      if (err) return reject(err)
+      resolve(decoded)
+    })
+  })
+}
+
+/**
+ * Sign a JWT
+ * @param payload
+ * @param secret
+ * @param expiresIn
+ */
+export function signJWT(
+  payload: string | object | Buffer,
+  secret: string,
+  expiresIn: string | number
+): Promise<string | undefined> {
+  return new Promise((resolve, reject) => {
+    jwt.sign(
+      payload,
+      secret,
+      { expiresIn, algorithm: jwtAlgorithm as jwt.Algorithm },
+      (err, token) => {
+        if (err) return reject(err)
+        resolve(token)
+      }
+    )
+  })
+}
+
+/**
+ * Extract the owner (user) from the provided JWT
+ * @param token
+ * @param secret
+ */
+export async function getOwner(token: string, secret: string): Promise<string | undefined> {
+  const decodedJWT = await verifyJWT(token, secret)
+  return (decodedJWT as jwtInterface)?.sub
+}

src/backend/file.ts

@@ -85,7 +85,7 @@ export function getConfig(): StorageConfigType {
       '',
     urlLengthLimit: Number(getOptionalConfigFromEnv('URL_LENGTH_LIMIT')) || 7_500,
     xForwardedHostRegExp: getOptionalConfigFromEnv('X_FORWARDED_HOST_REGEXP'),
-    logLevel: getOptionalConfigFromEnv('LOG_LEVEL') || 'trace',
+    logLevel: getOptionalConfigFromEnv('LOG_LEVEL') || 'info',
     logflareEnabled: getOptionalConfigFromEnv('LOGFLARE_ENABLED') === 'true',
     logflareApiKey: getOptionalConfigFromEnv('LOGFLARE_API_KEY'),
     logflareSourceToken: getOptionalConfigFromEnv('LOGFLARE_SOURCE_TOKEN'),

src/backend/generic.ts

@@ -0,0 +1,4 @@
+export * as migrate from './migrate'
+export * as multiTenant from './multitenant-db'
+export * from './postgrest'
+export * as tenant from './tenant'