@apolitical/server 2.0.0-beta.0 → 2.0.0

package/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.0] - 2022-01-20
+### Added
+- Authorisation middleware
+- New logging middleware for production (based on Google Winston)
+### Changed
+- Updated dependencies
+- Upgraded Node.js version
+- Revamped GitLab pipelines
+### Removed
+- Unused logger helper
+
 ## [1.5.2] - 2021-10-18
 ### Changed
 - Allow cors options to be passed in as params on start

package/README.md

@@ -75,7 +75,7 @@ For usage examples, see [example.spec.js](tests/../test/integration/example.spec
 
 ### JWT authentication
 
-The __Apolitical Server__ has integrated JSON Web Token (JWT) functionality. The JWT authentication layer is intended to be used to secure endpoints without sessions. 
+The __Apolitical Server__ has integrated JSON Web Token (JWT) functionality. The JWT authentication layer is intended to be used to secure endpoints from requests without a valid session token. 
 
 ```js
 // The JWT strategy session secret
@@ -85,7 +85,7 @@ function appLoader(app) {
   // Setup the Apolitical JWT strategy 
   jwt.apolitical.setup(SESSION_SECRET);
   // Use the authentication middleware to reject unauthorised requests
-  app.use(middlewares.auth());
+  app.use(middlewares.authentication());
   // The example endpoint is now protected
   app.get('/example', exampleController);
 }
@@ -102,6 +102,29 @@ The JWT authentication must be defined with two steps:
 
 For usage examples, see [jwt.apolitical.spec.js](tests/../test/integration/jwt.apolitical.spec.js) test cases.
 
+### JWT authorisation
+
+The __Apolitical Server__ has integrated JSON Web Token (JWT) functionality. The JWT authorisation layer is intended to be used to protect endpoints from request with session token without the right permissions. 
+
+```js
+// The JWT strategy session secret
+const SESSION_SECRET = 'hello';
+
+function appLoader(app) {
+  // Setup the Apolitical JWT strategy 
+  jwt.apolitical.setup(SESSION_SECRET);
+  // Use the authentication middleware to reject unauthorised requests
+  app.use(middlewares.authentication());
+  // The example endpoint can only be accessed by admin users
+  app.get('/example', middlewares.authorisation(), exampleController);
+}
+
+// Start the server
+start({ appLoader, port: 3000 });
+```
+
+As before, the Apolitical token will be validated by the `authentication` middleware, and then, the `authorisation` middleware will check that the `role` property on the session token to determine the permissions. 
+
 ### Error handling
 
 The __Apolitical Server__ comes with a default error handler so you don’t need to write your own to get started. It’s important to ensure that your server catches all errors that occur while running your business logic. For more info see [express error handling](https://expressjs.com/en/guide/error-handling.html).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apolitical/server",
-  "version": "2.0.0-beta.0",
+  "version": "2.0.0",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",
@@ -24,7 +24,7 @@
     "Node Modules"
   ],
   "dependencies": {
-    "@apolitical/logger": "2.0.0-beta.4",
+    "@apolitical/logger": "2.0.0",
     "@cloudnative/health-connect": "2.1.0",
     "awilix": "6.0.0",
     "body-parser": "1.19.1",
@@ -45,13 +45,13 @@
     "swagger-ui-express": "4.3.0"
   },
   "devDependencies": {
-    "@apolitical/eslint-config": "1.0.0-beta.0",
-    "@apolitical/testing": "0.0.4",
+    "@apolitical/eslint-config": "1.0.1",
+    "@apolitical/testing": "1.0.1",
     "audit-ci": "5.1.2",
     "husky": "7.0.4",
     "jest": "27.4.7",
     "jest-junit": "13.0.0",
-    "lint-staged": "12.1.7",
+    "lint-staged": "12.2.1",
     "mock-jwks": "1.0.1",
     "nock": "13.2.2"
   },

package/src/container.js

@@ -30,7 +30,6 @@ const serverError = require('./errors/server.error');
 const jwtDecodeHelper = require('./helpers/jwt/decode.helper');
 const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
 const jwtPassportHelper = require('./helpers/jwt/passport.helper');
-const loggerHelper = require('./helpers/logger.helper');
 // Loaders
 const documentationLoader = require('./loaders/documentation.loader');
 const loggerLoader = require('./loaders/logger.loader');
@@ -38,11 +37,11 @@ const middlewaresLoader = require('./loaders/middlewares.loader');
 const probesLoader = require('./loaders/probes.loader');
 const staticLoader = require('./loaders/static.loader');
 // Middleware
-const authMiddleware = require('./middlewares/auth.middleware');
+const authenticationMiddleware = require('./middlewares/authentication.middleware');
+const authorisationMiddleware = require('./middlewares/authorisation.middleware');
 const jwtApoliticalMiddleware = require('./middlewares/jwt/apolitical.middleware');
 const jwtAuth0Middleware = require('./middlewares/jwt/auth0.middleware');
 const errorMiddleware = require('./middlewares/error.middleware');
-const permissionsMiddleware = require('./middlewares/permissions.middleware');
 // Services
 const jwtService = require('./services/jwt.service');
 const serverService = require('./services/server.service');
@@ -79,7 +78,6 @@ container.register({
   jwtDecodeHelper: asFunction(jwtDecodeHelper).singleton(),
   jwtEncodeHelper: asFunction(jwtEncodeHelper).singleton(),
   jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
-  loggerHelper: asFunction(loggerHelper).singleton(),
   // Loaders
   documentationLoader: asFunction(documentationLoader).singleton(),
   loggerLoader: asFunction(loggerLoader).singleton(),
@@ -87,11 +85,11 @@ container.register({
   probesLoader: asFunction(probesLoader).singleton(),
   staticLoader: asFunction(staticLoader).singleton(),
   // Middlewares
-  authMiddleware: asFunction(authMiddleware).singleton(),
+  authenticationMiddleware: asFunction(authenticationMiddleware).singleton(),
+  authorisationMiddleware: asFunction(authorisationMiddleware).singleton(),
   jwtApoliticalMiddleware: asFunction(jwtApoliticalMiddleware).singleton(),
   jwtAuth0Middleware: asFunction(jwtAuth0Middleware).singleton(),
   errorMiddleware: asFunction(errorMiddleware).singleton(),
-  permissionsMiddleware: asFunction(permissionsMiddleware).singleton(),
   // Services
   jwtService: asFunction(jwtService).singleton(),
   serverService: asFunction(serverService).singleton(),

package/src/helpers/jwt/passport.helper.js

@@ -11,7 +11,7 @@ module.exports = ({ passport, passportJwt, logger, config }) => {
       if (req && req.cookies && req.cookies[COOKIE_KEY]) {
         result = req.cookies[COOKIE_KEY];
       } else {
-        childLogger.debug('No Apolitical auth cookie');
+        childLogger.debug('Cannot find Apolitical token (cookie)');
       }
       childLogger.debug('Finished');
       return result;

package/src/loaders/documentation.loader.js

@@ -5,7 +5,7 @@ module.exports = ({
   config,
   logger,
   swaggerUi: { serve, setup },
-  permissionsMiddleware,
+  authorisationMiddleware,
 }) => {
   const { DOCUMENTATION } = config.ENDPOINTS;
 
@@ -17,7 +17,7 @@ module.exports = ({
       // Redirection to documentation
       app.use(`${DOCUMENTATION}index.html`, (req, res) => res.redirect(MOVED_PERMANENTLY, DOCUMENTATION));
       // Documentation express setup
-      app.use(DOCUMENTATION, permissionsMiddleware(), serve, setup(swaggerDocument));
+      app.use(DOCUMENTATION, authorisationMiddleware(), serve, setup(swaggerDocument));
     }
     childLogger.debug('Finished');
   };

package/src/loaders/logger.loader.js

@@ -1,6 +1,6 @@
 'use strict';
 
-module.exports = ({ apoliticalLogger, morgan, config, logger, loggerHelper }) => {
+module.exports = ({ apoliticalLogger, morgan, config, logger }) => {
   const {
     LOGGED_OUT_SLUG,
     TOKENS: { USER_SLUG },
@@ -26,24 +26,15 @@ module.exports = ({ apoliticalLogger, morgan, config, logger, loggerHelper }) =>
     childLogger.debug('Started');
     // Setup Morgan with custom format and Apolitical Logger stream
     morgan.token(USER_SLUG, getUserSlug);
-    const morganMiddleware = morgan(
-      buildCustomFormat,
-      loggerHelper.build({
-        filename: __filename,
-        method: 'morganMiddleware',
-        labels,
-      }),
-    );
+    const morganMiddleware = morgan(buildCustomFormat, logger.where(__filename, 'morganMiddleware', labels));
     app.use(morganMiddleware);
     // Setup Google Cloud with Apolitical Logger
-    const googleMiddleware = await apoliticalLogger.loggerMiddleware(
-      loggerHelper.build({
-        filename: __filename,
-        method: 'googleMiddleware',
-        labels,
-      }),
-    );
-    app.use(googleMiddleware);
+    if (config.NODE_ENV === 'production') {
+      const winstonMiddleware = await apoliticalLogger.loggerMiddleware(
+        logger.where(__filename, 'winstonMiddleware', labels),
+      );
+      app.use(winstonMiddleware);
+    }
     childLogger.debug('Finished');
   };
 };

package/src/middlewares/{permissions.middleware.js → authorisation.middleware.js}

@@ -5,7 +5,7 @@ module.exports = ({ logger, serverError: { Forbidden }, config }) => {
   // Define external options
   return ({ myselfSource = null, myselfTarget = null, allowNonAdmin = false } = {}) => {
     // Return middleware handler
-    return async function handler(req, res, next) {
+    return function handler(req, res, next) {
       const childLogger = logger.where(__filename, 'handler');
       childLogger.debug('Started');
       let isNotMyselfSlug = false;

package/src/middlewares/error.middleware.js

@@ -7,16 +7,11 @@ module.exports =
       JWT: { AUTH0 },
     },
     logger,
-    loggerHelper,
     serverError: { GeneralError },
   }) =>
   ({ labels, redirectURL }) => {
     // Apolitical Logger (with service metadata)
-    const errorLogger = loggerHelper.build({
-      filename: __filename,
-      method: 'errorMiddleware',
-      labels,
-    });
+    const errorLogger = logger.where(__filename, 'errorMiddleware', labels);
 
     // eslint-disable-next-line no-unused-vars
     return function handler(err, req, res, next) {

package/src/services/server.service.js

@@ -6,7 +6,8 @@ module.exports = ({
   logger,
   documentationLoader,
   loggerLoader,
-  authMiddleware,
+  authenticationMiddleware,
+  authorisationMiddleware,
   errorMiddleware,
   middlewaresLoader,
   probesLoader,
@@ -74,7 +75,8 @@ module.exports = ({
     jwt: jwtService,
     errors: serverError,
     middlewares: {
-      auth: authMiddleware,
+      authentication: authenticationMiddleware,
+      authorisation: authorisationMiddleware,
     },
   };
 };

package/src/helpers/logger.helper.js

@@ -1,12 +0,0 @@
-'use strict';
-
-module.exports = ({ apoliticalLogger, config: { LOG_LEVEL } }) => ({
-  build({ filename, method, labels }) {
-    const options = { logLevel: LOG_LEVEL };
-    if (labels) {
-      Object.assign(options, { labels });
-    }
-    const logger = apoliticalLogger.createLogger(options);
-    return logger.where(filename, method);
-  },
-});