refactor(auth): convert jwt auth to API-only (remove jwt passport strategy)

jescalada · jescalada · commit edf4f7daef2b · 2025-04-10T16:47:56.000+09:00
diff --git a/config.schema.json b/config.schema.json
@@ -78,6 +78,13 @@
           "type": "object"
         }
       }
+    },
+    "apiAuthentication": {
+      "description": "List of authentication sources for API endpoints. May be empty, in which case all endpoints are public.",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/authentication"
+      }
     }
   },
   "definitions": {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -53,6 +53,7 @@
     "history": "5.3.0",
     "isomorphic-git": "^1.27.1",
     "jsonschema": "^1.4.1",
+    "jsonwebtoken": "^9.0.2",
     "jwk-to-pem": "^2.0.7",
     "load-plugin": "^6.0.0",
     "lodash": "^4.17.21",
@@ -64,7 +65,6 @@
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.0.4",
-    "passport-jwt": "^4.0.1",
     "passport-local": "^1.0.0",
     "perfect-scrollbar": "^1.5.5",
     "prop-types": "15.8.1",
diff --git a/proxy.config.json b/proxy.config.json
@@ -49,28 +49,19 @@
         "baseDN": "",
         "searchBase": ""
       }
-    },
+    },    
     {
       "type": "openidconnect",
-      "enabled": false,
+      "enabled": true,
       "oidcConfig": {
-        "issuer": "",
-        "clientID": "",
-        "clientSecret": "",
-        "authorizationURL": "",
-        "tokenURL": "",
-        "userInfoURL": "",
-        "callbackURL": "",
-        "scope": ""
-      }
-    },
-    {
-      "type": "jwt",
-      "enabled": false,
-      "jwtConfig": {
-        "clientID": "",
-        "authorityURL": "",
-        "expectedAudience": ""
+        "issuer": "https://accounts.google.com",
+        "clientID": "1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com",
+        "clientSecret": "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",
+        "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
+        "tokenURL": "https://oauth2.googleapis.com/token",
+        "userInfoURL": "https://openidconnect.googleapis.com/v1/userinfo",
+        "callbackURL": "http://localhost:8080/api/auth/oidc/callback",
+        "scope": "openid email profile"
       }
     }
   ],
@@ -120,5 +111,15 @@
   "urlShortener": "",
   "contactEmail": "",
   "csrfProtection": true,
-  "plugins": []
+  "plugins": [],
+  "apiAuthentication": [
+    {
+      "type": "jwt",
+      "enabled": true,
+      "jwtConfig": {
+        "clientID": "1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com",
+        "authorityURL": "https://accounts.google.com"
+      }
+    }
+  ]
 }
diff --git a/src/config/index.js b/src/config/index.js
@@ -10,6 +10,7 @@ if (fs.existsSync(userSettingsPath)) {
 let _authorisedList = defaultSettings.authorisedList;
 let _database = defaultSettings.sink;
 let _authentication = defaultSettings.authentication;
+let _apiAuthentication = defaultSettings.apiAuthentication;
 let _tempPassword = defaultSettings.tempPassword;
 let _proxyUrl = defaultSettings.proxyUrl;
 let _api = defaultSettings.api;
@@ -88,6 +89,24 @@ const getAuthMethods = () => {
   return enabledAuthMethods;
 };
 
+/**
+ * Get the list of enabled authentication methods for API endpoints
+ * @return {Array} List of enabled authentication methods
+ */
+const getAPIAuthMethods = () => {
+  if (_userSettings !== null && _userSettings.apiAuthentication) {
+    _apiAuthentication = _userSettings.apiAuthentication;
+  }
+
+  const enabledAuthMethods = _apiAuthentication.filter(auth => auth.enabled);
+
+  if (enabledAuthMethods.length === 0) {
+    throw new Error("No authentication method enabled.");
+  }
+
+  return enabledAuthMethods;
+};
+
 // Log configuration to console
 const logConfiguration = () => {
   console.log(`authorisedList = ${JSON.stringify(getAuthorisedList())}`);
@@ -205,6 +224,7 @@ exports.getAuthorisedList = getAuthorisedList;
 exports.getDatabase = getDatabase;
 exports.logConfiguration = logConfiguration;
 exports.getAuthMethods = getAuthMethods;
+exports.getAPIAuthMethods = getAPIAuthMethods;
 exports.getTempPasswordConfig = getTempPasswordConfig;
 exports.getCookieSecret = getCookieSecret;
 exports.getSessionMaxAgeHours = getSessionMaxAgeHours;
diff --git a/src/service/passport/index.js b/src/service/passport/index.js
@@ -2,7 +2,6 @@ const passport = require("passport");
 const local = require('./local');
 const activeDirectory = require('./activeDirectory');
 const oidc = require('./oidc');
-const jwt = require('./jwt');
 const config = require('../../config');
 
 // Allows obtaining strategy config function and type
@@ -11,7 +10,6 @@ const authStrategies = {
   local: local,
   activedirectory: activeDirectory,
   openidconnect: oidc,
-  jwt: jwt,
 };
 
 const configure = async () => {
diff --git a/src/service/passport/jwt.js b/src/service/passport/jwt.js
diff --git a/src/service/passport/jwtAuthHandler.js b/src/service/passport/jwtAuthHandler.js
@@ -65,8 +65,8 @@ async function validateJwt(token, authorityUrl, clientID, expectedAudience) {
 
 const jwtAuthHandler = () => {
   return async (req, res, next) => {
-    const authMethods = require('../../config').getAuthMethods();
-    const jwtAuthMethod = authMethods.find((method) => method.type.toLowerCase() === "jwt");
+    const apiAuthMethods = require('../../config').getAPIAuthMethods();
+    const jwtAuthMethod = apiAuthMethods.find((method) => method.type.toLowerCase() === "jwt");
       if (!jwtAuthMethod) {
           return next();
       }

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,13 @@`
`78`	`78`	`"type": "object"`
`79`	`79`	`}`
`80`	`80`	`}`
	`81`	`+ },`
	`82`	`+ "apiAuthentication": {`
	`83`	`+ "description": "List of authentication sources for API endpoints. May be empty, in which case all endpoints are public.",`
	`84`	`+ "type": "array",`
	`85`	`+ "items": {`
	`86`	`+ "$ref": "#/definitions/authentication"`
	`87`	`+ }`
`81`	`88`	`}`
`82`	`89`	`},`
`83`	`90`	`"definitions": {`