feat(authentication-service): added ttl to public key repo

BREAKING CHANGE:

issue-2034

Author: prernagp

services/authentication-service/README.md

@@ -501,6 +501,29 @@ Authenttication service can be used as a identity server. Following endpoints ha
   </tbody>
 </table>
 
+Here is the flow diagram to understand how IDP Server works:-
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant IdP as ARC IDP
+    participant Authentication Service
+
+    Client->>IdP: GET /.well-known/openid-configuration
+    IdP-->>Client: Returns IdP config (includes jwks_uri)
+
+    Client->>IdP: GET JWKS (using jwks_uri /connect/get-keys)
+    IdP-->>Client: Returns JWKS (public keys)
+
+    Client->>Client: Decode JWT token\nExtract kid from header
+
+    Client->>Client: Find public key from JWKS by kid
+
+    Client->>Authentication Service: Send JWT token + public key
+
+    Authentication Service->>Authentication Service: Verify JWT signature using public key
+```
+
 ### Setting up a `DataSource`
 
 Here is a sample Implementation `DataSource` implementation using environment variables and PostgreSQL as the data source. The `auth-multitenant-example` utilizes both Redis and PostgreSQL as data sources.

services/authentication-service/src/__tests__/unit/sequelize/sequelize.component.unit.ts

@@ -13,7 +13,6 @@ import {
 import {AppleLoginController} from '../../../modules/auth/controllers';
 import {
   AuthClientRepository,
-  LoginActivityRepository,
   RoleRepository,
   TenantConfigRepository,
   UserCredentialsRepository,
@@ -144,7 +143,6 @@ describe('Sequelize Component', () => {
           UserLevelResourceRepository,
           UserLevelPermissionRepository,
           UserTenantRepository,
-          LoginActivityRepository,
         ],
         props: [
           'authClientRepository',
@@ -155,7 +153,6 @@ describe('Sequelize Component', () => {
           'userResourcesRepository',
           'utPermsRepo',
           'userTenantRepo',
-          'loginActivityRepo',
         ],
       },
     ];

services/authentication-service/src/controllers/index.ts

@@ -21,6 +21,7 @@ import {ForgetPasswordController} from './forget-password.controller';
 import {LoginActivityController} from './login-activity.controller';
 import {SignupRequestController} from './signup-request.controller';
 
+export * from '../modules/auth/controllers/identity-server.controller';
 export * from '../modules/auth/controllers/login.controller';
 export * from '../modules/auth/controllers/logout.controller';
 export * from '../modules/auth/controllers/otp.controller';

services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts

@@ -174,7 +174,7 @@ export class IdentityServerController {
     },
   })
   async rotateKeys(): Promise<void> {
-    return this.idpLoginService.generateNewKey();
+    return this.idpLoginService.generateNewKey(true);
   }
 
   @authorize({permissions: ['*']})

services/authentication-service/src/modules/auth/controllers/login.controller.ts

@@ -6,7 +6,6 @@ import {inject} from '@loopback/context';
 import {AnyObject, DataObject, Model, repository} from '@loopback/repository';
 import {
   HttpErrors,
-  RequestContext,
   get,
   getModelSchemaRef,
   oas,
@@ -28,7 +27,6 @@ import {
   UserStatus,
   X_TS_TYPE,
 } from '@sourceloop/core';
-import crypto from 'crypto';
 import {
   AuthErrorKeys,
   AuthenticationBindings,
@@ -38,27 +36,15 @@ import {
   authenticateClient,
 } from 'loopback4-authentication';
 import {AuthorizeErrorKeys, authorize} from 'loopback4-authorization';
-import moment from 'moment-timezone';
 import {LoginType} from '../../../enums';
-import {AuthServiceBindings} from '../../../keys';
-import {
-  AuthClient,
-  LoginActivity,
-  RefreshToken,
-  User,
-  UserTenant,
-} from '../../../models';
+import {AuthClient, RefreshToken, User} from '../../../models';
 import {
   AuthCodeBindings,
   AuthCodeGeneratorFn,
-  JWTSignerFn,
-  JWTVerifierFn,
-  JwtPayloadFn,
   UserValidationServiceBindings,
 } from '../../../providers';
 import {
   AuthClientRepository,
-  LoginActivityRepository,
   OtpCacheRepository,
   RefreshTokenRepository,
   RevokedTokenRepository,
@@ -71,12 +57,7 @@ import {
   UserTenantRepository,
 } from '../../../repositories';
 import {IdpLoginService, LoginHelperService} from '../../../services';
-import {
-  ActorId,
-  ExternalTokens,
-  IUserActivity,
-  UserValidationFn,
-} from '../../../types';
+import {UserValidationFn} from '../../../types';
 import {
   AuthRefreshTokenRequest,
   AuthTokenRequest,
@@ -116,27 +97,14 @@ export class LoginController {
     @repository(UserCredentialsRepository)
     public userCredsRepository: UserCredentialsRepository,
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
-    @inject(AuthServiceBindings.JWTPayloadProvider)
-    private readonly getJwtPayload: JwtPayloadFn,
     @inject('services.LoginHelperService')
     private readonly loginHelperService: LoginHelperService,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject(AuthCodeBindings.JWT_SIGNER)
-    private readonly jwtSigner: JWTSignerFn<object>,
-    @repository(LoginActivityRepository)
-    private readonly loginActivityRepo: LoginActivityRepository,
-    @inject(AuthServiceBindings.ActorIdKey)
-    private readonly actorKey: ActorId,
-    @inject.context() private readonly ctx: RequestContext,
     @inject(UserValidationServiceBindings.VALIDATE_USER)
     private readonly userValidationProvider: UserValidationFn,
-    @inject(AuthCodeBindings.JWT_VERIFIER.key)
-    private readonly jwtVerifier: JWTVerifierFn<AnyObject>,
-    @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
-    private readonly userActivity?: IUserActivity,
   ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
@@ -232,7 +200,11 @@ export class LoginController {
         await this.userRepo.updateLastLogin(payload.user.id);
       }
 
-      return await this.createJWT(payload, this.client, LoginType.ACCESS);
+      return await this.idpLoginService.createJWT(
+        payload,
+        this.client,
+        LoginType.ACCESS,
+      );
     } catch (error) {
       this.logger.error(error);
       throw new HttpErrors.Unauthorized(AuthErrorKeys.InvalidCredentials);
@@ -297,7 +269,7 @@ export class LoginController {
     );
 
     if (isAuthenticated) {
-      return this.createJWT(
+      return this.idpLoginService.createJWT(
         {
           clientId: payload.refreshPayload.clientId,
           userId: payload.refreshPayload.userId,
@@ -546,7 +518,7 @@ export class LoginController {
     }
 
     const payload = await this.createTokenPayload(req);
-    return this.createJWT(
+    return this.idpLoginService.createJWT(
       {
         clientId: payload.refreshPayload.clientId,
         user: this.user,
@@ -590,159 +562,4 @@ export class LoginController {
       authClient: authClient,
     };
   }
-  private async createJWT(
-    payload: ClientAuthCode<User, typeof User.prototype.id> & ExternalTokens,
-    authClient: AuthClient,
-    loginType: LoginType,
-    tenantId?: string,
-  ): Promise<TokenResponse> {
-    try {
-      const size = 32;
-      const ms = 1000;
-      let user: User | undefined;
-      if (payload.user) {
-        user = payload.user;
-      } else if (payload.userId) {
-        user = await this.userRepo.findById(payload.userId, {
-          include: [
-            {
-              relation: 'defaultTenant',
-            },
-          ],
-        });
-        if (payload.externalAuthToken && payload.externalRefreshToken) {
-          (user as AuthUser).externalAuthToken = payload.externalAuthToken;
-          (user as AuthUser).externalRefreshToken =
-            payload.externalRefreshToken;
-        }
-      } else {
-        // Do nothing and move ahead
-      }
-      if (!user) {
-        throw new HttpErrors.Unauthorized(
-          AuthenticateErrorKeys.UserDoesNotExist,
-        );
-      }
-      const data: AnyObject = await this.getJwtPayload(
-        user,
-        authClient,
-        tenantId,
-      );
-      const accessToken = await this.jwtSigner(data, {
-        expiresIn: authClient.accessTokenExpiration,
-      });
-      const refreshToken: string = crypto.randomBytes(size).toString('hex');
-      // Set refresh token into redis for later verification
-      await this.refreshTokenRepo.set(
-        refreshToken,
-        {
-          clientId: authClient.clientId,
-          userId: user.id,
-          username: user.username,
-          accessToken,
-          externalAuthToken: (user as AuthUser).externalAuthToken,
-          externalRefreshToken: (user as AuthUser).externalRefreshToken,
-          tenantId: data.tenantId,
-        },
-        {ttl: authClient.refreshTokenExpiration * ms},
-      );
-
-      const userTenant = await this.userTenantRepo.findOne({
-        where: {userId: user.id},
-      });
-      if (this.userActivity?.markUserActivity)
-        this.markUserActivity(user, userTenant, {...data}, loginType);
-
-      return new TokenResponse({
-        accessToken,
-        refreshToken,
-        expires: moment()
-          .add(authClient.accessTokenExpiration, 's')
-          .toDate()
-          .getTime(),
-      });
-    } catch (error) {
-      this.logger.error(error);
-      if (HttpErrors.HttpError.prototype.isPrototypeOf(error)) {
-        throw error;
-      } else {
-        throw new HttpErrors.Unauthorized(AuthErrorKeys.InvalidCredentials);
-      }
-    }
-  }
-
-  private markUserActivity(
-    user: User,
-    userTenant: UserTenant | null,
-    payload: AnyObject,
-    loginType: LoginType,
-  ) {
-    const size = 16;
-    const encryptionKey = process.env.ENCRYPTION_KEY;
-
-    if (encryptionKey) {
-      const iv = crypto.randomBytes(size);
-
-      /* encryption of IP Address */
-      const cipherIp = crypto.createCipheriv('aes-256-gcm', encryptionKey, iv);
-      const ip =
-        this.ctx.request.headers['x-forwarded-for']?.toString() ??
-        this.ctx.request.socket.remoteAddress?.toString() ??
-        '';
-      const encyptIp = Buffer.concat([
-        cipherIp.update(ip, 'utf8'),
-        cipherIp.final(),
-      ]);
-      const authTagIp = cipherIp.getAuthTag();
-      const ipAddress = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptIp.toString('hex'),
-        authTag: authTagIp.toString('hex'),
-      });
-
-      /* encryption of Paylolad Address */
-      const cipherPayload = crypto.createCipheriv(
-        'aes-256-gcm',
-        encryptionKey,
-        iv,
-      );
-      const activityPayload = JSON.stringify(payload);
-      const encyptPayload = Buffer.concat([
-        cipherPayload.update(activityPayload, 'utf8'),
-        cipherPayload.final(),
-      ]);
-      const authTagPayload = cipherIp.getAuthTag();
-      const tokenPayload = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptPayload.toString('hex'),
-        authTag: authTagPayload.toString('hex'),
-      });
-      // make an entry to mark the users login activity
-      let actor: string;
-      let tenantId: string;
-      if (userTenant) {
-        actor = userTenant[this.actorKey]?.toString() ?? '0';
-        tenantId = userTenant.tenantId;
-      } else {
-        actor = user['id']?.toString() ?? '0';
-        tenantId = user.defaultTenantId;
-      }
-      const loginActivity = new LoginActivity({
-        actor,
-        tenantId,
-        loginTime: new Date(),
-        tokenPayload,
-        loginType,
-        deviceInfo: this.ctx.request.headers['user-agent']?.toString(),
-        ipAddress,
-      });
-      this.loginActivityRepo.create(loginActivity).catch(() => {
-        this.logger.error(
-          `Failed to add the login activity => ${JSON.stringify(
-            loginActivity,
-          )}`,
-        );
-      });
-    }
-  }
 }