feat(auth): can authenticate w/ Auth0 using OIDC

still need to implement adding "new" OIDC user to OADA
OADA · Feb 9, 2024 · 1da8a29 · 1da8a29
1 parent 02f2142
commit 1da8a29
Show file tree

Hide file tree

Showing 51 changed files with 2,376 additions and 2,108 deletions.
diff --git a/charts/oada/templates/configmap.yaml b/charts/oada/templates/configmap.yaml
@@ -47,9 +47,11 @@ data:
   KAFKA_BROKERS: {{ include "oada.kafka.brokers" . }}
   {{- end }}
   {{ if .Values.oauth.issuer -}}
-  AUTH_ISSUER: {{ .Values.oauth.issuer | quote }}
-  WELLKNOWN_SUBSERVICES: ""
+  OIDC_ISSUER: {{ .Values.oauth.issuer | quote }}
+  WELLKNOWN_SUBSERVICES: ''
   {{ else -}}
+  # Use our internal Auth server
+  OIDC_ISSUER: http://auth-{{ .Release.Name }}/oadaauth
   AUTH_PREFIX: /oadaauth/
   WELLKNOWN_SUBSERVICES: http://auth-{{ .Release.Name }}/oadaauth/
   {{- end }}

diff --git a/common.yml b/common.yml
@@ -27,6 +27,7 @@ services:
       # Should just be an external script someone can run on their instance?
       arangodb__ensureDefaults: 'true'
       DOMAIN: ${DOMAIN:-localhost}
+      AUTH_ISSUER: ${AUTH_ISSUER}
       NODE_TLS_REJECT_UNAUTHORIZED: ~
       PINO_TRANSPORT: ~
       PROFILE_AQL: ~

diff --git a/oada-server.code-workspace b/oada-server.code-workspace
@@ -163,6 +163,7 @@
       "groundnuty",
       "jwks",
       "jwku",
+      "JWTs",
       "kafa",
       "Kafkajs",
       "ksuid",

diff --git a/oada/.eslintrc.yaml b/oada/.eslintrc.yaml
@@ -1,16 +1,17 @@
 root: true
 
 extends:
+  - 'eslint:recommended'
   - 'plugin:@typescript-eslint/recommended'
   - plugin:node/recommended
   - plugin:github/recommended
   - plugin:promise/recommended
   - plugin:regexp/recommended
-  - plugin:array-func/recommended
+  #- plugin:array-func/recommended
   - plugin:optimize-regex/recommended
   - plugin:import/recommended
   - plugin:unicorn/recommended
-  - plugin:security/recommended
+  #- plugin:security/recommended
   - plugin:sonarjs/recommended
   - plugin:ava/recommended
   - xo
@@ -23,7 +24,7 @@ plugins:
   - github
   - promise
   - regexp
-  - array-func
+  #- array-func
   - optimize-regex
   - no-constructor-bind
   - import
@@ -51,10 +52,13 @@ overrides:
       ecmaVersion: 2020
       project: './**/tsconfig.*'
     rules:
+      # FIXME: Rule broken
+      '@typescript-eslint/prefer-nullish-coalescing': off
       '@typescript-eslint/naming-convention':
         [
           error,
           { selector: default, format: [camelCase] },
+          { selector: import, modifiers: [default], format: null },
           { selector: objectLiteralProperty, format: null },
           { selector: enumMember, format: [PascalCase] },
           { selector: typeProperty, format: null },
@@ -64,6 +68,7 @@ overrides:
             format: [camelCase, UPPER_CASE],
             leadingUnderscore: allow,
           },
+          { selector: variable, modifiers: [destructured], format: null },
           {
             selector: parameter,
             format: [camelCase],
@@ -94,8 +99,11 @@ overrides:
           },
         ]
       '@typescript-eslint/consistent-type-definitions': [warn, interface]
+      '@typescript-eslint/switch-exhaustiveness-check': off
 
 rules:
+  # FIXME: Rule broken
+  '@typescript-eslint/prefer-nullish-coalescing': off
   notice/notice:
     - error
     - template: |
@@ -128,17 +136,24 @@ rules:
   eslint-comments/no-use: off
   no-secrets/no-secrets: [error, { tolerance: 5 }]
   no-empty-label: off
-  no-warning-comments: off
+  no-warning-comments: 0
   node/no-missing-import: off
   import/no-unresolved: off
   import/extensions: off
   unicorn/prefer-spread: off
   unicorn/prevent-abbreviations:
-    [warn, { replacements: { db: false, req: false, doc: false } }]
+    - warn
+    - replacements:
+        db: false
+        req: false
+        res: false
+        err: false
+        doc: false
   no-constructor-bind/no-constructor-bind: error
   no-constructor-bind/no-constructor-state: error
   sort-imports: [warn, { allowSeparatedGroups: true }]
   ava/no-ignored-test-files: off
   ava/no-import-test-files: off
   ava/no-skip-test: warn
   ava/no-skip-assert: warn
+  '@typescript-eslint/switch-exhaustiveness-check': off
diff --git a/oada/.yarn/releases/yarn-4.0.2.cjs → oada/.yarn/releases/yarn-4.1.0.cjs b/oada/.yarn/releases/yarn-4.0.2.cjs → oada/.yarn/releases/yarn-4.1.0.cjs
diff --git a/oada/.yarnrc.yml b/oada/.yarnrc.yml
@@ -56,4 +56,4 @@ packageExtensions:
     peerDependencies:
       oauth2orize: "*"
 
-yarnPath: .yarn/releases/yarn-4.0.2.cjs
+yarnPath: .yarn/releases/yarn-4.1.0.cjs
diff --git a/oada/libs/lib-arangodb/farmhack-create.mjs b/oada/libs/lib-arangodb/farmhack-create.mjs
@@ -24,7 +24,7 @@ import debug from 'debug';
 
 import users from './dist/users.js';
 
-process.env.DEBUG = process.env.DEBUG || 'info:farmhack*';
+process.env.DEBUG ||= 'info:farmhack*';
 const info = debug('info:farmhack#init');
 const trace = debug('trace:farmhack#init');
 

diff --git a/oada/libs/lib-arangodb/package.json b/oada/libs/lib-arangodb/package.json
@@ -76,9 +76,9 @@
     "@types/deep-equal": "^1.0.4",
     "@types/flat": "^5.0.5",
     "@types/json-pointer": "^1.0.34",
-    "@types/node": "^20.11.4",
-    "ava": "6.0.1",
-    "type-fest": "^4.9.0"
+    "@types/node": "^20.11.17",
+    "ava": "6.1.1",
+    "type-fest": "^4.10.2"
   },
   "volta": {
     "node": "20.2.0"

diff --git a/oada/libs/lib-arangodb/src/db.ts b/oada/libs/lib-arangodb/src/db.ts
@@ -15,8 +15,6 @@
  * limitations under the License.
  */
 
-/* eslint-disable unicorn/prevent-abbreviations */
-
 import { setTimeout } from 'node:timers/promises';
 
 import { config } from './config.js';

diff --git a/oada/libs/lib-arangodb/src/init.ts b/oada/libs/lib-arangodb/src/init.ts
@@ -106,9 +106,7 @@ export async function run(): Promise<void> {
           await database.createEdgeCollection(c.name);
           trace('Edge collection %s has been created', c.name);
         } else {
-          if (!c.createOptions) {
-            c.createOptions = {};
-          }
+          c.createOptions ||= {};
 
           await database.createCollection(c.name, c.createOptions);
           trace('Document collection %s has been created', c.name);
@@ -168,10 +166,7 @@ export async function run(): Promise<void> {
           }
 
           // Have to use _key if we want the key to be our key:
-          if (!document._key) {
-            // This line is valid, it just confuses the highlighter
-            document._key = document._id.replace(/^[^/]*\//, '');
-          }
+          document._key ||= document._id.replace(/^[^/]*\//, '');
 
           if (
             colname === 'users' && // Oidc users don't have password, so you need to check for existence

diff --git a/oada/libs/lib-arangodb/src/libs/users.ts b/oada/libs/lib-arangodb/src/libs/users.ts
@@ -168,9 +168,7 @@ export async function findByUsernamePassword(
 export async function create(u: Omit<User, '_id' | '_rev'>): Promise<DBUser> {
   info(u, 'Create user was called');
 
-  if (u.password) {
-    u.password = await hashPw(u.password);
-  }
+  u.password &&= await hashPw(u.password);
 
   // Throws if username already exists
   const user = (await users.save(u, { returnNew: true })) as { new: DBUser };
@@ -185,9 +183,7 @@ export async function remove(u: Selector<User>): Promise<void> {
 export async function update(
   u: { _id: string } & Partial<DBUser>,
 ): Promise<{ _id: string; new: User }> {
-  if (u.password) {
-    u.password = await hashPw(u.password);
-  }
+  u.password &&= await hashPw(u.password);
 
   return (await users.update(u._id, u, { returnNew: true })) as {
     _id: string;

diff --git a/oada/libs/lib-config/package.json b/oada/libs/lib-config/package.json
@@ -36,7 +36,7 @@
     "convict": "^6.2.4",
     "convict-format-with-moment": "^6.2.0",
     "convict-format-with-validator": "^6.2.0",
-    "dotenv": "^16.3.1",
+    "dotenv": "^16.4.1",
     "json5": "^2.2.3",
     "tslib": "2.6.2",
     "yaml": "^2.3.4"

diff --git a/oada/libs/lib-config/src/index.ts b/oada/libs/lib-config/src/index.ts
@@ -15,6 +15,8 @@
  * limitations under the License.
  */
 
+/* eslint-disable unicorn/no-null, @typescript-eslint/ban-types */
+
 import { File } from 'node:buffer';
 import { extname } from 'node:path';
 import { pathToFileURL } from 'node:url';
@@ -55,12 +57,22 @@ const defaults = {
     default: process.env.NODE_ENV === 'production',
     env: 'isProduction',
   },
+  oidc: {
+    issuer: {
+      doc: 'OpenID Connect/Oauth2.0 issuer to use for auth',
+      format: 'url',
+      default: null as null | URL | string,
+      env: 'OIDC_ISSUER',
+      arg: 'oidc-issuer',
+    },
+  },
 };
 // FIXME: Why did this start making TS hang?
 // type D = typeof defaults extends Schema<infer D> ? D : never;
 
 // Add more formats to convict
 convict.addFormats(validator);
+// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
 convict.addFormats(moment);
 
 function fileUrl(pathOrUrl: string) {
@@ -72,7 +84,6 @@ function fileUrl(pathOrUrl: string) {
 }
 
 async function readFileUrl(url: URL) {
-  // eslint-disable-next-line security/detect-non-literal-fs-filename
   const buffer = await readFile(url);
   return new File([buffer], url.pathname);
 }

diff --git a/oada/libs/lib-kafka/package.json b/oada/libs/lib-kafka/package.json
@@ -48,9 +48,9 @@
     "@ava/typescript": "^4.1.0",
     "@types/convict": "^6.1.6",
     "@types/debug": "^4.1.12",
-    "@types/node": "^20.11.4",
-    "@types/uuid": "^9.0.7",
-    "ava": "6.0.1"
+    "@types/node": "^20.11.17",
+    "@types/uuid": "^9.0.8",
+    "ava": "6.1.1"
   },
   "volta": {
     "node": "20.2.0"

diff --git a/oada/libs/lib-kafka/src/Base.ts b/oada/libs/lib-kafka/src/Base.ts
@@ -40,7 +40,6 @@ function topicTimeout(topic: string): number {
   const topics = config.get('kafka.topics');
   for (const [topicK, topicV] of Object.entries(topics)) {
     if (topicV === topic) {
-      // eslint-disable-next-line security/detect-object-injection
       timeout = config.get('kafka.timeouts')[topicK] ?? timeout;
     }
   }
@@ -91,7 +90,6 @@ function isArray(value: unknown): value is unknown[] | readonly unknown[] {
   return Array.isArray(value);
 }
 
-// eslint-disable-next-line unicorn/prefer-event-target
 export class Base extends EventEmitter {
   protected static done = Symbol('kafka-base-done');
 

diff --git a/oada/libs/lib-kafka/src/Kafka.ts b/oada/libs/lib-kafka/src/Kafka.ts
@@ -61,7 +61,7 @@ export default class IKafka extends Kafka {
       logCreator() {
         return ({ namespace, label, log }) => {
           const l = label as keyof KafkajsDebug;
-          // eslint-disable-next-line security/detect-object-injection
+
           const logger = getKafkajsDebug(namespace)[l];
           if (log instanceof Error) {
             logger({ err: log }, log.message);

diff --git a/oada/libs/lib-kafka/src/ReResponder.ts b/oada/libs/lib-kafka/src/ReResponder.ts
@@ -28,7 +28,6 @@ export class ReResponder extends Responder {
 
     // Make everything look like a new request
     super.on(DATA, (request: Record<string, unknown>) => {
-      // eslint-disable-next-line security/detect-object-injection
       request[REQ_ID_KEY] = ksuid.randomSync().string;
     });
   }

diff --git a/oada/libs/lib-kafka/src/Requester.ts b/oada/libs/lib-kafka/src/Requester.ts
@@ -34,7 +34,7 @@ import {
 export class KafkaRequestTimeoutError extends Error {}
 
 export class Requester extends Base {
-  #timeouts = new Map<string, number>();
+  readonly #timeouts = new Map<string, number>();
 
   constructor({
     consumeTopic,
@@ -45,7 +45,6 @@ export class Requester extends Base {
     super({ consumeTopic, produceTopic, group, ...options });
 
     super.on(DATA, (resp) => {
-      // eslint-disable-next-line security/detect-object-injection
       const id = resp[REQ_ID_KEY];
       this.emit(`response-${id}`, resp);
     });
@@ -71,8 +70,7 @@ export class Requester extends Base {
       throw new Error('Send called with no topic specified');
     }
 
-    // eslint-disable-next-line security/detect-object-injection
-    const id = (request[REQ_ID_KEY] || ksuid.randomSync().string) as string;
+    const id = (request[REQ_ID_KEY] ?? ksuid.randomSync().string) as string;
     const timeout = this.#timeouts.get(topic) ?? topicTimeout(topic);
     this.#timeouts.set(topic, timeout);
 
@@ -103,13 +101,10 @@ export class Requester extends Base {
       throw new Error('Emit called with no topic specified');
     }
 
-    // eslint-disable-next-line unicorn/prefer-event-target
     const emitter = new EventEmitter();
 
-    // eslint-disable-next-line security/detect-object-injection
     const id = request[REQ_ID_KEY] ?? (await ksuid.random()).string;
 
-    // eslint-disable-next-line security/detect-object-injection
     request[REQ_ID_KEY] = id;
     // TODO: Handle partitions?
     request.resp_partition = 0;

diff --git a/oada/libs/lib-kafka/src/Responder.ts b/oada/libs/lib-kafka/src/Responder.ts
@@ -174,16 +174,15 @@ export class Responder<Request extends KafkaBase = KafkaBase> extends Base {
 
     for await (const r of it) {
       trace(r, 'received response');
-      // eslint-disable-next-line security/detect-object-injection
+
       if (r[REQ_ID_KEY] === null) {
         // FIXME: Remove once everything migrated
         const { string: newId } = await ksuid.random();
-        // eslint-disable-next-line security/detect-object-injection
+
         r[REQ_ID_KEY] = newId;
         // eslint-disable-next-line @typescript-eslint/no-empty-function
         util.deprecate(() => {}, 'Please use ReResponder instead')();
       } else {
-        // eslint-disable-next-line security/detect-object-injection
         r[REQ_ID_KEY] = id;
         // Check for cancelled requests
         if (!this.requests.has(id)) {

diff --git a/oada/libs/lib-prom/package.json b/oada/libs/lib-prom/package.json
@@ -42,9 +42,9 @@
   "devDependencies": {
     "@ava/typescript": "^4.1.0",
     "@types/convict": "^6.1.6",
-    "@types/node": "^20.11.4",
+    "@types/node": "^20.11.17",
     "@types/ws": "^8.5.10",
-    "ava": "6.0.1",
+    "ava": "6.1.1",
     "fastify-plugin": "^4.5.1"
   },
   "volta": {

diff --git a/oada/libs/pino-debug/package.json b/oada/libs/pino-debug/package.json
@@ -25,16 +25,16 @@
   "dependencies": {
     "cls-rtracer": "^2.6.3",
     "is-interactive": "^2.0.0",
-    "pino": "^8.17.2",
+    "pino": "^8.18.0",
     "pino-caller": "^3.4.0",
     "pino-debug": "^2.0.0",
-    "pino-loki": "^2.1.3",
+    "pino-loki": "^2.2.1",
     "pino-pretty": "^10.3.1",
     "tslib": "2.6.2"
   },
   "devDependencies": {
     "@types/debug": "^4.1.12",
-    "@types/node": "^20.11.4"
+    "@types/node": "^20.11.17"
   },
   "peerDependencies": {
     "debug": "*"
-Original file line number
+Diff line change
@@ Expand Up / @@ -163,6 +163,7 @@ @@
           "groundnuty",
           "jwks",
           "jwku",
+          "JWTs",
           "kafa",
           "Kafkajs",
           "ksuid",
@@ Expand Down @@