fix(authentication-service): added cache layer to the jwks implementation

Author: prernagp90

packages/core/src/components/bearer-verifier/component.ts

@@ -5,7 +5,6 @@
 import {Binding, Component, inject, ProviderMap} from '@loopback/core';
 import {Class, Model, Repository} from '@loopback/repository';
 import {Strategies} from 'loopback4-authentication';
-import {JwtKeysRepository} from '../../repositories';
 import {ILogger, LOGGER} from '../logger-extension';
 import {
   BearerVerifierBindings,
@@ -17,7 +16,11 @@ import {FacadesBearerAsymmetricTokenVerifyProvider} from './providers/facades-be
 import {FacadesBearerTokenVerifyProvider} from './providers/facades-bearer-token-verify.provider';
 import {ServicesBearerAsymmetricTokenVerifyProvider} from './providers/services-bearer-asym-token-verifier';
 import {ServicesBearerTokenVerifyProvider} from './providers/services-bearer-token-verify.provider';
-import {RevokedTokenRepository} from './repositories';
+import {
+  JwtKeysRepository,
+  PublicKeysRepository,
+  RevokedTokenRepository,
+} from './repositories';
 
 export class BearerVerifierComponent implements Component {
   constructor(
@@ -27,7 +30,11 @@ export class BearerVerifierComponent implements Component {
   ) {
     this.providers = {};
 
-    this.repositories = [RevokedTokenRepository, JwtKeysRepository];
+    this.repositories = [
+      RevokedTokenRepository,
+      JwtKeysRepository,
+      PublicKeysRepository,
+    ];
     this.models = [RevokedToken, JwtKeys];
 
     if (this.config && this.config.type === BearerVerifierType.service) {

packages/core/src/components/bearer-verifier/providers/facades-bearer-asym-token-verify.provider.ts

@@ -14,20 +14,19 @@ import {
 } from 'loopback4-authentication';
 import moment from 'moment';
 import * as jose from 'node-jose';
-import {JwtKeysRepository} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
-import {RevokedTokenRepository} from '../repositories';
+import {PublicKeysRepository, RevokedTokenRepository} from '../repositories';
 
 export class FacadesBearerAsymmetricTokenVerifyProvider
   implements Provider<VerifyFunction.BearerFn>
 {
   constructor(
     @repository(RevokedTokenRepository)
     public revokedTokenRepository: RevokedTokenRepository,
+    @repository(PublicKeysRepository)
+    public publicKeysRepository: PublicKeysRepository,
     @inject(LOGGER.LOGGER_INJECT) private readonly logger: ILogger,
-    @repository(JwtKeysRepository)
-    public jwtKeysRepo: JwtKeysRepository,
     @inject(AuthenticationBindings.USER_MODEL, {optional: true})
     public authUserModel?: Constructor<EntityWithIdentifier & IAuthUser>,
   ) {}
@@ -53,14 +52,10 @@ export class FacadesBearerAsymmetricTokenVerifyProvider
         if (!decoded) {
           throw new Error('Token is not valid');
         }
-        const kid = decoded?.header.kid;
+        const kid = decoded?.header.kid ?? '';
 
-        // Load the JWKS
-        const key = await this.jwtKeysRepo.findOne({
-          where: {
-            keyId: kid,
-          },
-        });
+        // Get the public key from the cache
+        const key = await this.publicKeysRepository.get(kid);
 
         if (!key) {
           throw new Error('Key not found for verification');

packages/core/src/components/bearer-verifier/providers/services-bearer-asym-token-verifier.ts

@@ -14,9 +14,9 @@ import {
 } from 'loopback4-authentication';
 import moment from 'moment-timezone';
 import * as jose from 'node-jose';
-import {JwtKeysRepository} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
+import {JwtKeysRepository} from '../repositories';
 
 export class ServicesBearerAsymmetricTokenVerifyProvider
   implements Provider<VerifyFunction.BearerFn>

packages/core/src/components/bearer-verifier/repositories/index.ts

@@ -2,4 +2,6 @@
 //
 // This software is released under the MIT License.
 // https://opensource.org/licenses/MIT
+export * from './jwt-keys.repository';
+export * from './public-keys.repository';
 export * from './revoked-token.repository';

packages/core/src/components/bearer-verifier/repositories/public-keys.repository.ts

@@ -0,0 +1,17 @@
+// Copyright (c) 2023 Sourcefuse Technologies
+//
+// This software is released under the MIT License.
+// https://opensource.org/licenses/MIT
+import {inject} from '@loopback/core';
+import {DefaultKeyValueRepository, juggler} from '@loopback/repository';
+import {AuthCacheSourceName} from '../../../types';
+import {JwtKeys} from '../models';
+
+export class PublicKeysRepository extends DefaultKeyValueRepository<JwtKeys> {
+  constructor(
+    @inject(`datasources.${AuthCacheSourceName}`)
+    dataSource: juggler.DataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}

packages/core/src/repositories/index.ts

@@ -5,4 +5,3 @@
 export * from './default-soft-crud.repository.base';
 export * from './default-transactional-user-modify-repository.base';
 export * from './default-user-modify-crud.repository.base';
-export * from './jwt-keys.repository';

packages/core/src/repositories/jwt-keys.repository.ts

@@ -63,7 +63,9 @@ export class MyApplication extends BootMixin(
 
 ### Asymmetric Token Signing and Verification
 
-If you are using asymmetric token signing and verification, you need to create a datasource for auth database. Example datasource file for auth:-
+If you are using asymmetric token signing and verification, you should have auth datasource present in the service and auth redis datasource on the facade level. Example datasource file for auth database is:-
+
+Auth DB datasource :-
 
 ```ts
 import {inject, lifeCycleObserver, LifeCycleObserver} from '@loopback/core';
@@ -121,6 +123,71 @@ export class AuthDataSource
 }
 ```
 
+Auth Cache Redis Datasource:-
+
+```ts
+import {inject, lifeCycleObserver, LifeCycleObserver} from '@loopback/core';
+import {AnyObject, juggler} from '@loopback/repository';
+import {readFileSync} from 'fs';
+import {AuthCacheSourceName} from '@sourceloop/core';
+
+const config = {
+  name: process.env.REDIS_NAME,
+  connector: 'kv-redis',
+  host: process.env.REDIS_HOST,
+  port: process.env.REDIS_PORT,
+  password: process.env.REDIS_PASSWORD,
+  db: process.env.REDIS_DATABASE,
+  url: process.env.REDIS_URL,
+  tls:
+    +process.env.REDIS_TLS_ENABLED! && process.env.REDIS_TLS_CERT
+      ? {
+          ca: readFileSync(process.env.REDIS_TLS_CERT),
+        }
+      : undefined,
+  sentinels:
+    +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINELS
+      ? JSON.parse(process.env.REDIS_SENTINELS)
+      : undefined,
+  sentinelPassword:
+    +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINEL_PASSWORD
+      ? process.env.REDIS_SENTINEL_PASSWORD
+      : undefined,
+  role:
+    +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINEL_ROLE
+      ? process.env.REDIS_SENTINEL_ROLE
+      : undefined,
+};
+
+@lifeCycleObserver('datasource')
+export class RedisDataSource
+  extends juggler.DataSource
+  implements LifeCycleObserver
+{
+  static readonly dataSourceName = AuthCacheSourceName;
+  static readonly defaultConfig = config;
+
+  constructor(
+    @inject(`datasources.config.${process.env.REDIS_NAME}`, {optional: true})
+    dsConfig: AnyObject = config,
+  ) {
+    if (
+      +process.env.REDIS_HAS_SENTINELS! &&
+      !!process.env.REDIS_SENTINEL_HOST &&
+      !!process.env.REDIS_SENTINEL_PORT
+    ) {
+      dsConfig.sentinels = [
+        {
+          host: process.env.REDIS_SENTINEL_HOST,
+          port: +process.env.REDIS_SENTINEL_PORT,
+        },
+      ];
+    }
+    super(dsConfig);
+  }
+}
+```
+
 ### Set the [environment variables](#environment-variables)
 
 The examples below show a common configuration for a PostgreSQL Database running locally.

services/audit-service/README.md

@@ -1,6 +1,7 @@
 import {Client, expect} from '@loopback/testlab';
+import {JwtKeysRepository} from '@sourceloop/core';
 import {LoginType} from '../../enums';
-import {JwtKeysRepository, LoginActivityRepository} from '../../repositories';
+import {LoginActivityRepository} from '../../repositories';
 import {TestingApplication} from '../fixtures/application';
 import {JwtToken} from '../fixtures/datasources/userCredsAndPermission';
 import {setupApplication} from './test-helper';

services/authentication-service/src/__tests__/acceptance/login-activity.controller.acceptance.ts

@@ -11,6 +11,7 @@ import {
   RestExplorerComponent,
 } from '@loopback/rest-explorer';
 import {ServiceMixin} from '@loopback/service-proxy';
+import {JwtKeysRepository, PublicKeysRepository} from '@sourceloop/core';
 import {Strategies} from 'loopback4-authentication';
 import {LocalPasswordStrategyFactoryProvider} from 'loopback4-authentication/passport-local';
 import {PassportOtpStrategyFactoryProvider} from 'loopback4-authentication/passport-otp';
@@ -61,6 +62,12 @@ export class TestingApplication extends BootMixin(
     );
     this.service(TestHelperService, {defaultScope: BindingScope.SINGLETON});
 
+    // add multiple repositories
+    this.bind('repositories.JwtKeysRepository').toClass(JwtKeysRepository);
+    this.bind('repositories.PublicKeysRepository').toClass(
+      PublicKeysRepository,
+    );
+
     this.projectRoot = __dirname;
     // Customize @loopback/boot Booter Conventions here
     this.bootOptions = {