UNPKG

@labshare/services-auth

Version:

Loopback 4 plugin for resource scope-based HTTP route authz

github.com/ncats/auth-monorepo

ncats/auth-monorepo

358 lines (287 loc) 12.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
# @labshare/services-auth # Install `npm i @labshare/services-auth` # Usage Register the component and register the configuration for the action by injecting `AuthenticationBindings.AUTH_CONFIG`. ## Configuring the component ## Options | Property | Type | Details | | :------- | :----: | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | tenant | string | The LabShare Auth Tenant the Resource Server (API) is registered to. Example: `ncats`. | | authUrl | string | The full URL to the LabShare Auth API the Resource Server (API) is registered to. Example: `https://a.labshare.org` | | audience | string | The audience of the Resource Server. This is a unique identifier for the API registered on the LabShare Auth Service. It does not need match an actual API deployment host. This is required to check if a Client (application) is allowed to access the API. Example: `https://my.api.com/v2`. Optional. | | issuer | string | The issuer of the Bearer Token. Use this to validate the source of the Bearer Token. Optional. Example: `https://a.labshare.org/_api/ls` | ## Bindings (optional) To perform additional customization of token validation, you can bind Loopback [Providers](https://loopback.io/doc/en/lb4/Creating-components.html#providers) to the following keys: | Binding | Details | | :---------------------------------------------------- | :-----------------------------------------------------------------------------------------------------------------------------------------------------------------: | | `AuthenticationBindings.SECRET_PROVIDER` | Obtains the secret used to validate the JWT signature. Not required when using tokens signed by LabShare Auth. | | `AuthenticationBindings.IS_REVOKED_CALLBACK_PROVIDER` | Used to check if the token has been revoked. For example, a request to the `introspection_endpoint` can check if the JWT is still valid. | | `AuthenticationBindings.AUDIENCE_PROVIDER` | Provides the value for the audience the JWT will be validated against instead of using the audience configuration assigned to `AuthenticationBindings.AUTH_CONFIG`. | ### Example IsRevokedCallbackProvider ```ts import request = require("request-promise"); export class IsRevokedCallbackProvider { constructor() {} public async value() { return async ( req: Request, payload, callback: (error: Error, isRevoked: boolean) => void ) => { try { // ... request to introspection endpoint // ... check if token is valid callback(null, isTokenRevoked); } catch (error) { callback(error, false); } }; } } ``` ### Example SecretProvider ```ts import { jwk2pem } from "pem-jwk"; export class SecretProvider { constructor( @inject("MyJwkService") private jwkService: JwkService ) {} public async value() { return async ( req: Request, header, payload: any, cb: (err: any, secret?: any) => void ): Promise<void> => { if (!header) { log("Invalid JWT. No header found."); cb(null, null); return; } if (header.alg !== "RS256" || !payload || !payload.sub) { cb(null, null); return; } try { const publicJWK = await this.jwkService.getPublicJWK("..."); const secret = jwk2pem(publicJWK); cb(null, secret); } catch (error) { cb(null, null); } }; } } ``` ### Example AudienceProvider ```ts export class SecretProvider { constructor( // Constructor can inject services used to figure out which audience to use @inject(RestBindings.Http.REQUEST) public request: Request ) {} public async value() { // Determine the audience the JWT should be validated against, perhaps based on a value in the API request return "https://some.new.audience"; } } ``` #### Application Bootstrap Example ```ts import { LbServicesAuthComponent } from "@labshare/services-auth"; import { SecretProvider } from "secret.provider"; import { AudienceProvider } from "audience.provider"; import { IsRevokedCallbackProvider } from "is-revoked-callback.provider"; app = new Application(); app.component(LbServicesAuthComponent); app.bind(AuthenticationBindings.AUTH_CONFIG).to({ authUrl: "https://a.labshare.org/_api", tenant: "my-tenant", }); // Assign a custom JWT secret provider (optional) app.bind(AuthenticationBindings.SECRET_PROVIDER).toProvider(SecretProvider); // Assign a custom revoked JWT check (optional) app .bind(AuthenticationBindings.IS_REVOKED_CALLBACK_PROVIDER) .toProvider(IsRevokedCallbackProvider); // Assign a custom audience provider (optional) app .bind(AuthenticationBindings.IS_REVOKED_CALLBACK_PROVIDER) .toProvider(AudienceProvider); ``` ## Actions ### Authenticate Inject the authenticate action into the application sequence to require the user to pass a valid bearer token and optionally validate the bearer token's scope and audience claims. Ensure the authenticate action runs before the controller methods are invoked (see the example). #### Example ```ts import { AuthenticationBindings, AuthenticateFn } from "@labshare/services-auth"; class MySequence implements SequenceHandler { constructor( @inject(SequenceActions.FIND_ROUTE) protected findRoute: FindRoute, @inject(SequenceActions.PARSE_PARAMS) protected parseParams: ParseParams, @inject(SequenceActions.INVOKE_METHOD) protected invoke: InvokeMethod, @inject(SequenceActions.SEND) protected send: Send, @inject(SequenceActions.REJECT) protected reject: Reject, // Inject the new authentication action @inject(AuthenticationBindings.AUTH_ACTION) protected authenticateRequest: AuthenticateFn, ) {} async handle(context: RequestContext) { try { const {request, response} = context; const route = this.findRoute(request); // Authenticate the request. We need this sequence action to run before "invoke" to ensure authentication // occurs first. await this.authenticateRequest(request as any, response as any); const args = await this.parseParams(request, route); const result = await this.invoke(route, args); this.send(response, result); } catch (error) { this.reject(context, error); return; } } ``` ### User Info Inject the user info action provider into your application sequence to assign the user's profile on `request.userInfo`. The profile corresponds to the response returned by LabShare Auth's OIDC `user_info` route. #### Example ```ts import { AuthenticationBindings, AuthenticateFn } from "@labshare/services-auth"; class MySequence implements SequenceHandler { constructor( @inject(SequenceActions.FIND_ROUTE) protected findRoute: FindRoute, @inject(SequenceActions.PARSE_PARAMS) protected parseParams: ParseParams, @inject(SequenceActions.INVOKE_METHOD) protected invoke: InvokeMethod, @inject(SequenceActions.SEND) protected send: Send, @inject(SequenceActions.REJECT) protected reject: Reject, // Inject the new authentication action @inject(AuthenticationBindings.USER_INFO_ACTION) protected setUserInfo: AuthenticateFn, ) {} async handle(context: RequestContext) { try { const {request, response} = context; const route = this.findRoute(request); // Set the userInfo on the request await this.setUserInfo(request as any, response as any); const args = await this.parseParams(request, route); const result = await this.invoke(route, args); this.send(response, result); } catch (error) { this.reject(context, error); return; } } ``` ## Decorators ### @authenticate Use the `@authenticate` decorator for REST methods or controllers requiring authentication. ## Options | Property | Type | Details | | :------------------ | :-----: | :--------------------------------------------------------------------------------------------------------- | | scopes | array | A list of one zero or more arbitrary Resource Scope definitions. Example: `['read:users', 'update:users']` | | credentialsRequired | boolean | Set to `false` to support anonymous/public requests on an endpoint. Defaults to `true`. | ### Dynamic Scopes Dynamic path/query parameters can be injected into scope definitions using brackets. For example: [`read:users:{path.id}`, `update:users:{query.limit}`] assigned to a route such as `/users/{id}` would require the request's bearer token to contain a scope matching the `id` parameter in the route (for example: `'read:users:5'` if the request route is `/users/5`). #### Example ```ts import { authenticate } from "@labshare/services-auth"; import { Request } from "@loopback/core"; // Attach the decorator at the controller level to require authentication on all methods // and a scope of `my:shared:scope` @authenticate({ scope: 'my:shared:scope' }) class MyController { constructor( @inject(RestBindings.Http.REQUEST) public request: Request ) {} @authenticate() @get('/whoAmI', { 'x-operation-name': 'whoAmI', responses: { '200': { description: '', schema: { type: 'string', }, }, }, }) async whoAmI(): Promise<string> { return 'authenticated data'; } // This route supports both authenticated and anonymous requests @authenticate({ credentialsRequired: false }) @get('/resource', { 'x-operation-name': 'resource', responses: { '200': { description: '', schema: { type: 'string', }, }, }, }) async resource(): Promise<string> { if (this.request.user) { return 'Resource requiring authentication'; } return 'Public resource'; } // This route has an additional Resource Scope requirement. The user's bearer token will need to contain // 'read:users' in the `scope` claim. Otherwise, they will receive a 403 in the response. @authenticate({ scope: ['read:users'] }) @get('/users', { 'x-operation-name': 'users', responses: { '200': { description: '', schema: { type: 'string', }, }, } }) async users(): Promise<string> { return 'users'; } // This route has a dynamic scope parameter for validation. // The request will be unauthorized if the JWT does not contain the "tenantId", "someOtherParam" values in the route path and the "someParam" query parameter. @authenticate({ scope: ['{path.tenantId}:read:users:{query.someParam}:{path.someOtherParam}'] }) @get('{tenantId}/users') async users( @param.path.string('tenantId') tenantId: string, @param.path.number('someOtherParam') someOtherParam: number, @param.query.boolean('someParam') someParam: boolean ): Promise<string> { return `${tenantId} users'; } } app.controller(MyController); ``` ## Contributors See [all contributors](https://github.com/labshare/base-api/graphs/contributors). ## License MIT