fix(authentication-service): added cache layer to the jwks implementation (#2241)

* fix(authentication-service):  added cache layer to the jwks implementation

* feat(authentication-service):  added ttl to public key repo

BREAKING CHANGE:

issue-2034

---------

Co-authored-by: prernagp <prernagp90@gmail.com>
Co-authored-by: prernagp <prerna.gupta@Prerna-SFIN372.local>

Author: 3 people

packages/cli/README.md

@@ -230,4 +230,4 @@ OPTIONS
 ```
 
 _See code: [src/commands/update.ts](https://github.com/sourcefuse/loopback4-microservice-catalog/blob/master/packages/cli/src/commands/update.ts)_
-<!-- commandsstop -->
+<!-- commandsstop -->

packages/core/locales/en.json

@@ -44,5 +44,6 @@
 	"Task completion cannot be done through the PATCH API.": "Task completion cannot be done through the PATCH API.",
 	"Unauthorized": "Unauthorized",
 	"No keys found": "No keys found",
-	"[{\"keyword\"": "\"type\",\"dataPath\":\".valueB\",\"schemaPath\":\"#/properties/valueB/type\",\"params\":{\"type\":\"string\"},\"message\":\"should be string\"}]"
+	"[{\"keyword\"": "\"type\",\"dataPath\":\".valueB\",\"schemaPath\":\"#/properties/valueB/type\",\"params\":{\"type\":\"string\"},\"message\":\"should be string\"}]",
+	"JSON.stringify(validate.errors) invalid": "JSON.stringify(validate.errors) invalid"
 }

packages/core/src/components/bearer-verifier/component.ts

@@ -5,19 +5,18 @@
 import {Binding, Component, inject, ProviderMap} from '@loopback/core';
 import {Class, Model, Repository} from '@loopback/repository';
 import {Strategies} from 'loopback4-authentication';
-import {JwtKeysRepository} from '../../repositories';
+import {JwtKeys, RevokedToken} from '../../models';
+import {PublicKeysRepository, RevokedTokenRepository} from '../../repositories';
 import {ILogger, LOGGER} from '../logger-extension';
 import {
   BearerVerifierBindings,
   BearerVerifierConfig,
   BearerVerifierType,
 } from './keys';
-import {JwtKeys, RevokedToken} from './models';
 import {FacadesBearerAsymmetricTokenVerifyProvider} from './providers/facades-bearer-asym-token-verify.provider';
 import {FacadesBearerTokenVerifyProvider} from './providers/facades-bearer-token-verify.provider';
 import {ServicesBearerAsymmetricTokenVerifyProvider} from './providers/services-bearer-asym-token-verifier';
 import {ServicesBearerTokenVerifyProvider} from './providers/services-bearer-token-verify.provider';
-import {RevokedTokenRepository} from './repositories';
 
 export class BearerVerifierComponent implements Component {
   constructor(
@@ -27,8 +26,8 @@ export class BearerVerifierComponent implements Component {
   ) {
     this.providers = {};
 
-    this.repositories = [RevokedTokenRepository, JwtKeysRepository];
     this.models = [RevokedToken, JwtKeys];
+    this.repositories = [RevokedTokenRepository, PublicKeysRepository];
 
     if (this.config && this.config.type === BearerVerifierType.service) {
       this.providers[Strategies.Passport.BEARER_TOKEN_VERIFIER.key] =

packages/core/src/components/bearer-verifier/index.ts

@@ -4,5 +4,3 @@
 // https://opensource.org/licenses/MIT
 export * from './component';
 export * from './keys';
-export * from './models';
-export * from './repositories';

packages/core/src/components/bearer-verifier/models/index.ts

@@ -14,20 +14,22 @@ import {
 } from 'loopback4-authentication';
 import moment from 'moment';
 import * as jose from 'node-jose';
-import {JwtKeysRepository} from '../../../repositories';
+import {
+  PublicKeysRepository,
+  RevokedTokenRepository,
+} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
-import {RevokedTokenRepository} from '../repositories';
 
 export class FacadesBearerAsymmetricTokenVerifyProvider
   implements Provider<VerifyFunction.BearerFn>
 {
   constructor(
     @repository(RevokedTokenRepository)
     public revokedTokenRepository: RevokedTokenRepository,
+    @repository(PublicKeysRepository)
+    public publicKeysRepository: PublicKeysRepository,
     @inject(LOGGER.LOGGER_INJECT) private readonly logger: ILogger,
-    @repository(JwtKeysRepository)
-    public jwtKeysRepo: JwtKeysRepository,
     @inject(AuthenticationBindings.USER_MODEL, {optional: true})
     public authUserModel?: Constructor<EntityWithIdentifier & IAuthUser>,
   ) {}
@@ -44,10 +46,49 @@ export class FacadesBearerAsymmetricTokenVerifyProvider
   value(): VerifyFunction.BearerFn {
     return async (token: string, req?: Request) => {
       await this._checkIfTokenRevoked(token);
-      const user = await this._verifyTokenAndGetUser(token);
+      let user = await this._verifyTokenAndGetUser(token);
       this._checkPasswordExpiry(user);
+      try {
+        // Get the key that matches the token's kid
+        const decoded = jwt.decode(token.trim(), {complete: true});
+        if (!decoded) {
+          throw new Error('Token is not valid');
+        }
+        const kid = decoded?.header.kid ?? '';
+
+        // Get the public key from the cache
+        const key = await this.publicKeysRepository.get(kid);
+
+        if (!key) {
+          throw new Error('Key not found for verification');
+        }
 
-      return this.authUserModel ? new this.authUserModel(user) : user;
+        // Convert the JWK to PEM format for verification
+        const jwkKey = await jose.JWK.asKey(key.publicKey, 'pem');
+        const pem = jwkKey.toPEM(false);
+
+        // Verify the token with the retrieved PEM-formatted public key
+        user = jwt.verify(token, pem, {
+          issuer: process.env.JWT_ISSUER,
+          algorithms: ['RS256'],
+        }) as IAuthUserWithPermissions;
+      } catch (error) {
+        this.logger.error(JSON.stringify(error));
+        throw new HttpErrors.Unauthorized('TokenExpired');
+      }
+
+      if (
+        user.passwordExpiryTime &&
+        moment().isSameOrAfter(moment(user.passwordExpiryTime))
+      ) {
+        throw new HttpErrors.Unauthorized('PasswordExpiryError');
+      }
+
+      if (this.authUserModel) {
+        return new this.authUserModel(user);
+      } else {
+        return user;
+      }
     };
   }
 
@@ -94,7 +135,7 @@ export class FacadesBearerAsymmetricTokenVerifyProvider
       }
 
       const kid = decoded?.header.kid;
-      const key = await this.jwtKeysRepo.findOne({where: {keyId: kid}});
+      const key = await this.publicKeysRepository.get(kid ?? '');
       if (!key) {
         throw new Error('Key not found for verification');
       }

packages/core/src/components/bearer-verifier/providers/facades-bearer-asym-token-verify.provider.ts

@@ -7,16 +7,16 @@ import {repository} from '@loopback/repository';
 import {HttpErrors, Request} from '@loopback/rest';
 import {verify} from 'jsonwebtoken';
 import {
-  VerifyFunction,
   AuthenticationBindings,
   EntityWithIdentifier,
   IAuthUser,
+  VerifyFunction,
 } from 'loopback4-authentication';
 import moment from 'moment';
 
+import {RevokedTokenRepository} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
-import {RevokedTokenRepository} from '../repositories';
 
 export class FacadesBearerTokenVerifyProvider
   implements Provider<VerifyFunction.BearerFn>

packages/core/src/components/bearer-verifier/providers/facades-bearer-token-verify.provider.ts

@@ -6,10 +6,10 @@ import {Constructor, inject, Provider} from '@loopback/context';
 import {HttpErrors} from '@loopback/rest';
 import {verify} from 'jsonwebtoken';
 import {
-  VerifyFunction,
   AuthenticationBindings,
   EntityWithIdentifier,
   IAuthUser,
+  VerifyFunction,
 } from 'loopback4-authentication';
 import moment from 'moment-timezone';
 import {ILogger, LOGGER} from '../../logger-extension';