@bigid/apps-infrastructure-node-js 1.194.0 → 1.197.1

package/lib/abstractProviders/logsProvider.js

@@ -3,11 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.fetchLogs = void 0;
 const fs_1 = require("fs");
 const constants_1 = require("../utils/constants");
-const READONLY_MODE_ENABLED = process.env.READONLY_MODE_ENABLED === "true";
-const logFolder = READONLY_MODE_ENABLED ? constants_1.TMP_LOGS_PATH : constants_1.LOGS_PATH;
 const fetchLogs = (req, res) => {
     const tenantId = req.headers.tenantid;
-    const data = (0, fs_1.readFileSync)(logFolder, { encoding: 'utf8' });
+    const data = (0, fs_1.readFileSync)(constants_1.LOGS_PATH, { encoding: 'utf8' });
     const lines = data.split('\n');
     const tenantLogLines = lines
         .filter(line => line.includes(`[tenantId: ${tenantId}`) || !line.includes('[tenantId: '))

package/lib/dto/signatureData.d.ts

@@ -0,0 +1,5 @@
+import { SignaturePayload } from './signaturePayload';
+export interface SignatureData {
+    signaturePayload: SignaturePayload;
+    signature: string;
+}

package/lib/dto/signatureData.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/dto/signaturePayload.d.ts

@@ -0,0 +1,4 @@
+export interface SignaturePayload {
+    exp: number;
+    kid: string;
+}

package/lib/dto/signaturePayload.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/interceptor/signatureValidationInterceptor.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response, NextFunction } from 'express';
+export declare const signatureValidationInterceptor: (baseUrl: string | undefined) => (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/lib/interceptor/signatureValidationInterceptor.js

@@ -0,0 +1,58 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signatureValidationInterceptor = void 0;
+const signatureValidationService_1 = require("../services/signatureValidationService");
+const utils_1 = require("../utils");
+const signatureValidationInterceptor = (baseUrl) => {
+    return (req, res, next) => __awaiter(void 0, void 0, void 0, function* () {
+        if (baseUrl == null) {
+            res.status(500).send({ message: 'Internal server error - Missing base API URL' });
+            return;
+        }
+        const signedToken = req.header('X-Signed-Token');
+        if (signedToken) {
+            try {
+                const decodedBytes = Buffer.from(signedToken, 'base64');
+                const decodedToken = decodedBytes.toString();
+                const signatureData = JSON.parse(decodedToken);
+                (0, utils_1.logDebug)(`Decoded X-Signed-Token: ${decodedToken}`);
+                if (!isTokenValid(decodedToken, signatureData.signaturePayload.exp)) {
+                    (0, utils_1.logError)('Expired Signature');
+                    res.status(401).send({ message: 'Unauthorized: Expired signature' });
+                    return;
+                }
+                const tenantId = req.header('Tenantid');
+                const isValidSignature = yield (0, signatureValidationService_1.validateSignature)(signatureData.signaturePayload.kid, signatureData.signature, JSON.stringify(signatureData.signaturePayload), tenantId, baseUrl);
+                if (!isValidSignature) {
+                    (0, utils_1.logError)('Invalid Signature');
+                    res.status(401).send({ message: 'Unauthorized: Invalid signature' });
+                    return;
+                }
+                next();
+            }
+            catch (error) {
+                (0, utils_1.logError)(`Error processing the signed token ${error.message}`);
+                res.status(500).send({ message: `Internal server error - ${error.message}` });
+                return;
+            }
+        }
+        else {
+            (0, utils_1.logError)('Request intercepted: X-Signed-Token header is missing or empty');
+            res.status(403).send({ message: 'Forbidden: Missing or invalid X-Signed-Token' });
+            return;
+        }
+    });
+};
+exports.signatureValidationInterceptor = signatureValidationInterceptor;
+const isTokenValid = (token, exp) => {
+    return token !== '' && Date.now() < exp * 1000;
+};

package/lib/server.d.ts

@@ -11,5 +11,7 @@ export type ServerInit = {
     serverPort?: number;
     additionalEndpoints?: (app: Express) => void;
     expressBodyLimit?: string;
+    signatureValidationEnabled?: boolean;
+    baseUrl?: string;
 };
-export declare const deployServer: ({ manifestController, iconsController, executionController, serverPort, configureController, additionalEndpoints, expressBodyLimit, }: ServerInit) => void;
+export declare const deployServer: ({ manifestController, iconsController, executionController, serverPort, configureController, additionalEndpoints, expressBodyLimit, signatureValidationEnabled, baseUrl, }: ServerInit) => void;

package/lib/server.js

@@ -43,8 +43,9 @@ const executionProvider_1 = require("./abstractProviders/executionProvider");
 const logsProvider_1 = require("./abstractProviders/logsProvider");
 const http_errors_1 = __importDefault(require("http-errors"));
 const configureProvider_1 = require("./abstractProviders/configureProvider");
+const signatureValidationInterceptor_1 = require("./interceptor/signatureValidationInterceptor");
 const app = (0, express_1.default)();
-const deployServer = ({ manifestController, iconsController, executionController, serverPort, configureController, additionalEndpoints, expressBodyLimit, }) => {
+const deployServer = ({ manifestController, iconsController, executionController, serverPort, configureController, additionalEndpoints, expressBodyLimit, signatureValidationEnabled = false, baseUrl, }) => {
     app.use(express_1.default.urlencoded({ extended: false }));
     app.use(bodyParser.json({ limit: expressBodyLimit || '5mb' }));
     app.get('/assets/icon', (req, res) => res.sendFile(iconsController.getIconPath()));
@@ -52,7 +53,7 @@ const deployServer = ({ manifestController, iconsController, executionController
     app.get('/manifest', manifestController.getManifest);
     app.get('/logs', (req, res) => __awaiter(void 0, void 0, void 0, function* () { return yield (0, logsProvider_1.fetchLogs)(req, res); }));
     executionController &&
-        app.post('/execute', (req, res) => __awaiter(void 0, void 0, void 0, function* () { return yield (0, executionProvider_1.handleExecution)(req, res, executionController); }));
+        app.post('/execute', signatureValidationEnabled ? (0, signatureValidationInterceptor_1.signatureValidationInterceptor)(baseUrl) : (req, res, next) => next(), (req, res) => __awaiter(void 0, void 0, void 0, function* () { return yield (0, executionProvider_1.handleExecution)(req, res, executionController); }));
     configureController &&
         app.post('/configure', (req, res) => __awaiter(void 0, void 0, void 0, function* () { return yield (0, configureProvider_1.handleTenantConfigure)(req, res, configureController); }));
     additionalEndpoints && additionalEndpoints(app);

package/lib/services/publicKeyService.d.ts

@@ -0,0 +1 @@
+export declare const getPublicKey: (baseUrl: string, publicKeyId: string, tenantId: string) => Promise<string | undefined>;

package/lib/services/publicKeyService.js

@@ -0,0 +1,59 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getPublicKey = void 0;
+const axios_1 = __importDefault(require("axios"));
+const utils_1 = require("../utils");
+const PUBLIC_KEY_PATH = '/tpa/public-key';
+const EXPIRY_DURATION_MILLIS = 15 * 60 * 1000;
+let publicKeyList = {};
+let lastFetchTime = 0;
+const getCommonHeaders = () => {
+    return {};
+};
+const isExpired = () => {
+    return Date.now() - lastFetchTime > EXPIRY_DURATION_MILLIS;
+};
+const fetchPublicKeys = (baseUrl, tenantId) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, utils_1.logInfo)('Fetching new public keys');
+    try {
+        lastFetchTime = Date.now();
+        const headers = getCommonHeaders();
+        if (tenantId) {
+            headers['Tenantid'] = tenantId;
+        }
+        (0, utils_1.logDebug)(`${baseUrl} - ${JSON.stringify(headers)}`);
+        const response = yield axios_1.default.get(baseUrl + PUBLIC_KEY_PATH, { headers });
+        if (response.data && response.data.publicKeys) {
+            publicKeyList = response.data.publicKeys.reduce((acc, publicKeyEntry) => {
+                acc[publicKeyEntry.keyId] = publicKeyEntry.publicKey;
+                return acc;
+            }, {});
+        }
+        else {
+            throw new Error('No public keys found');
+        }
+    }
+    catch (error) {
+        (0, utils_1.logError)(`Error while fetching/processing public keys: ${error}`);
+        publicKeyList = {};
+    }
+});
+const getPublicKey = (baseUrl, publicKeyId, tenantId) => __awaiter(void 0, void 0, void 0, function* () {
+    if (!publicKeyList[publicKeyId] || Object.keys(publicKeyList).length === 0 || isExpired()) {
+        yield fetchPublicKeys(baseUrl, tenantId);
+    }
+    return publicKeyList[publicKeyId];
+});
+exports.getPublicKey = getPublicKey;

package/lib/services/signatureValidationService.d.ts

@@ -0,0 +1 @@
+export declare const validateSignature: (keyId: string, signature: string, payload: string, tenantId: string, baseUrl: string) => Promise<boolean>;

package/lib/services/signatureValidationService.js

@@ -0,0 +1,31 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateSignature = void 0;
+const crypto_1 = require("crypto");
+const publicKeyService_1 = require("./publicKeyService");
+const utils_1 = require("../utils");
+const validateSignature = (keyId, signature, payload, tenantId, baseUrl) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, utils_1.logDebug)('Validating Signature');
+    try {
+        const publicKeyStr = yield (0, publicKeyService_1.getPublicKey)(baseUrl, keyId, tenantId);
+        if (!publicKeyStr) {
+            throw new Error('Public key not found for key ID: ' + keyId);
+        }
+        const publicKey = (0, crypto_1.createPublicKey)(publicKeyStr);
+        return (0, crypto_1.verify)('RSA-SHA256', Buffer.from(payload), publicKey, Buffer.from(signature, 'base64'));
+    }
+    catch (error) {
+        (0, utils_1.logError)(error.message);
+        return false;
+    }
+});
+exports.validateSignature = validateSignature;

package/lib/utils/appLogger.js

@@ -4,7 +4,6 @@ exports.logDebug = exports.logWarn = exports.logError = exports.logInfo = void 0
 const log4js_1 = require("log4js");
 const constants_1 = require("./constants");
 const USER_LOG_BACKUPS = parseInt(process.env.LOG_BACKUPS + "") || 3;
-const READONLY_MODE_ENABLED = process.env.READONLY_MODE_ENABLED === "true";
 const MAX_BACKUPS = 10;
 (0, log4js_1.configure)({
     appenders: {
@@ -12,7 +11,7 @@ const MAX_BACKUPS = 10;
         dateFile: {
             type: 'dateFile',
             layout: { type: 'basic' },
-            filename: READONLY_MODE_ENABLED ? constants_1.TMP_LOGS_PATH : constants_1.LOGS_PATH,
+            filename: constants_1.LOGS_PATH,
             compress: true,
             numBackups: USER_LOG_BACKUPS > MAX_BACKUPS ? MAX_BACKUPS : USER_LOG_BACKUPS,
             keepFileExt: true,

package/lib/utils/constants.d.ts

@@ -1,2 +1 @@
-export declare const LOGS_PATH = "log/app.log";
-export declare const TMP_LOGS_PATH = "/tmp/log/app.log";
+export declare const LOGS_PATH: string;

package/lib/utils/constants.js

@@ -1,5 +1,4 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TMP_LOGS_PATH = exports.LOGS_PATH = void 0;
-exports.LOGS_PATH = 'log/app.log';
-exports.TMP_LOGS_PATH = '/tmp/log/app.log';
+exports.LOGS_PATH = void 0;
+exports.LOGS_PATH = !!process.env.READONLY_WRITING_PATH ? process.env.READONLY_WRITING_PATH + '/log/app.log' : 'log/app.log';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bigid/apps-infrastructure-node-js",
-  "version": "1.194.0",
+  "version": "1.197.1",
   "description": "",
   "main": "lib/index.js",
   "scripts": {

package/src/abstractProviders/logsProvider.ts

@@ -1,14 +1,10 @@
 import { readFileSync } from 'fs';
 import { Request, Response } from 'express';
-import {LOGS_PATH, TMP_LOGS_PATH} from '../utils/constants';
-
-const READONLY_MODE_ENABLED = process.env.READONLY_MODE_ENABLED === "true";
-
-const logFolder = READONLY_MODE_ENABLED ? TMP_LOGS_PATH : LOGS_PATH
+import {LOGS_PATH} from '../utils/constants';
 
 export const fetchLogs = (req: Request, res: Response) => {
   const tenantId = req.headers.tenantid;
-  const data = readFileSync(logFolder, { encoding: 'utf8' });
+  const data = readFileSync(LOGS_PATH, { encoding: 'utf8' });
   const lines = data.split('\n');
   const tenantLogLines = lines
     .filter(line => line.includes(`[tenantId: ${tenantId}`) || !line.includes('[tenantId: '))

package/src/dto/signatureData.ts

@@ -0,0 +1,6 @@
+import { SignaturePayload } from './signaturePayload';
+
+export interface SignatureData {
+  signaturePayload: SignaturePayload;
+  signature: string;
+}

package/src/dto/signaturePayload.ts

@@ -0,0 +1,4 @@
+export interface SignaturePayload {
+  exp: number;
+  kid: string;
+}

package/src/interceptor/signatureValidationInterceptor.ts

@@ -0,0 +1,60 @@
+import { Request, Response, NextFunction } from 'express';
+import { SignatureData } from '../dto/signatureData';
+import { validateSignature } from '../services/signatureValidationService';
+import { logDebug, logError } from '../utils';
+
+export const signatureValidationInterceptor = (baseUrl: string | undefined) => {
+  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    if (baseUrl == null) {
+      res.status(500).send({ message: 'Internal server error - Missing base API URL' });
+      return;
+    }
+
+    const signedToken = req.header('X-Signed-Token');
+
+    if (signedToken) {
+      try {
+        const decodedBytes = Buffer.from(signedToken, 'base64');
+        const decodedToken = decodedBytes.toString();
+        const signatureData: SignatureData = JSON.parse(decodedToken);
+
+        logDebug(`Decoded X-Signed-Token: ${decodedToken}`);
+
+        if (!isTokenValid(decodedToken, signatureData.signaturePayload.exp)) {
+          logError('Expired Signature');
+          res.status(401).send({ message: 'Unauthorized: Expired signature' });
+          return;
+        }
+
+        const tenantId = req.header('Tenantid');
+        const isValidSignature = await validateSignature(
+          signatureData.signaturePayload.kid,
+          signatureData.signature,
+          JSON.stringify(signatureData.signaturePayload),
+          <string>tenantId,
+          <string>baseUrl,
+        );
+
+        if (!isValidSignature) {
+          logError('Invalid Signature');
+          res.status(401).send({ message: 'Unauthorized: Invalid signature' });
+          return;
+        }
+
+        next();
+      } catch (error: any) {
+        logError(`Error processing the signed token ${error.message}`);
+        res.status(500).send({ message: `Internal server error - ${error.message}` });
+        return;
+      }
+    } else {
+      logError('Request intercepted: X-Signed-Token header is missing or empty');
+      res.status(403).send({ message: 'Forbidden: Missing or invalid X-Signed-Token' });
+      return;
+    }
+  };
+};
+
+const isTokenValid = (token: string, exp: number): boolean => {
+  return token !== '' && Date.now() < exp * 1000;
+};

package/src/server.ts

@@ -7,6 +7,7 @@ import { ExecutionProvider, handleExecution } from './abstractProviders/executio
 import { fetchLogs } from './abstractProviders/logsProvider';
 import createError from 'http-errors';
 import { ConfigureProvider, handleTenantConfigure } from './abstractProviders/configureProvider';
+import { signatureValidationInterceptor } from './interceptor/signatureValidationInterceptor';
 
 export type ServerInit = {
   manifestController: ManifestProvider;
@@ -16,6 +17,8 @@ export type ServerInit = {
   serverPort?: number;
   additionalEndpoints?: (app: Express) => void;
   expressBodyLimit?: string;
+  signatureValidationEnabled?: boolean;
+  baseUrl?: string;
 };
 
 const app = express();
@@ -28,6 +31,8 @@ export const deployServer = ({
   configureController,
   additionalEndpoints,
   expressBodyLimit,
+  signatureValidationEnabled = false,
+  baseUrl,
 }: ServerInit): void => {
   app.use(express.urlencoded({ extended: false }));
   app.use(bodyParser.json({ limit: expressBodyLimit || '5mb' }));
@@ -38,7 +43,11 @@ export const deployServer = ({
   app.get('/logs', async (req: Request, res: Response) => await fetchLogs(req, res));
 
   executionController &&
-    app.post('/execute', async (req: Request, res: Response) => await handleExecution(req, res, executionController));
+    app.post(
+      '/execute',
+      signatureValidationEnabled ? signatureValidationInterceptor(baseUrl) : (req, res, next) => next(),
+      async (req: Request, res: Response) => await handleExecution(req, res, executionController),
+    );
   configureController &&
     app.post(
       '/configure',

package/src/services/publicKeyService.ts

@@ -0,0 +1,52 @@
+import axios from 'axios';
+import { logDebug, logError, logInfo } from '../utils';
+
+const PUBLIC_KEY_PATH = '/tpa/public-key';
+const EXPIRY_DURATION_MILLIS = 15 * 60 * 1000;
+let publicKeyList: { [keyId: string]: string } = {};
+let lastFetchTime = 0;
+
+const getCommonHeaders = (): { [key: string]: string } => {
+  return {};
+};
+
+const isExpired = (): boolean => {
+  return Date.now() - lastFetchTime > EXPIRY_DURATION_MILLIS;
+};
+
+const fetchPublicKeys = async (baseUrl: string, tenantId: string): Promise<void> => {
+  logInfo('Fetching new public keys');
+  try {
+    lastFetchTime = Date.now();
+    const headers = getCommonHeaders();
+    if (tenantId) {
+      headers['Tenantid'] = tenantId;
+    }
+
+    logDebug(`${baseUrl} - ${JSON.stringify(headers)}`);
+
+    const response = await axios.get(baseUrl + PUBLIC_KEY_PATH, { headers });
+    if (response.data && response.data.publicKeys) {
+      publicKeyList = response.data.publicKeys.reduce((acc: { [key: string]: string }, publicKeyEntry: any) => {
+        acc[publicKeyEntry.keyId] = publicKeyEntry.publicKey;
+        return acc;
+      }, {});
+    } else {
+      throw new Error('No public keys found');
+    }
+  } catch (error) {
+    logError(`Error while fetching/processing public keys: ${error}`);
+    publicKeyList = {};
+  }
+};
+
+export const getPublicKey = async (
+  baseUrl: string,
+  publicKeyId: string,
+  tenantId: string,
+): Promise<string | undefined> => {
+  if (!publicKeyList[publicKeyId] || Object.keys(publicKeyList).length === 0 || isExpired()) {
+    await fetchPublicKeys(baseUrl, tenantId);
+  }
+  return publicKeyList[publicKeyId];
+};

package/src/services/signatureValidationService.ts

@@ -0,0 +1,26 @@
+import { verify as verifySignature, createPublicKey } from 'crypto';
+import { getPublicKey } from './publicKeyService';
+import { logDebug, logError } from '../utils';
+
+export const validateSignature = async (
+  keyId: string,
+  signature: string,
+  payload: string,
+  tenantId: string,
+  baseUrl: string,
+): Promise<boolean> => {
+  logDebug('Validating Signature');
+  try {
+    const publicKeyStr = await getPublicKey(baseUrl, keyId, tenantId);
+    if (!publicKeyStr) {
+      throw new Error('Public key not found for key ID: ' + keyId);
+    }
+
+    const publicKey = createPublicKey(publicKeyStr);
+
+    return verifySignature('RSA-SHA256', Buffer.from(payload), publicKey, Buffer.from(signature, 'base64'));
+  } catch (error: any) {
+    logError(error.message);
+    return false;
+  }
+};

package/src/utils/appLogger.ts

@@ -1,5 +1,5 @@
 import { configure, getLogger } from 'log4js';
-import { LOGS_PATH, TMP_LOGS_PATH } from './constants';
+import { LOGS_PATH } from './constants';
 
 type LogMetadata = {
   tenantId: string;
@@ -8,7 +8,6 @@ type LogMetadata = {
 };
 const USER_LOG_BACKUPS = parseInt(process.env.LOG_BACKUPS + "") || 3;
 
-const READONLY_MODE_ENABLED = process.env.READONLY_MODE_ENABLED === "true";
 const MAX_BACKUPS = 10;
 
 configure({
@@ -17,7 +16,7 @@ configure({
     dateFile: {
       type: 'dateFile',
       layout: { type: 'basic' },
-      filename: READONLY_MODE_ENABLED ? TMP_LOGS_PATH : LOGS_PATH,
+      filename: LOGS_PATH,
       compress: true,
       numBackups: USER_LOG_BACKUPS > MAX_BACKUPS ? MAX_BACKUPS : USER_LOG_BACKUPS,
       keepFileExt: true,

package/src/utils/constants.ts

@@ -1,2 +1 @@
-export const LOGS_PATH = 'log/app.log';
-export const TMP_LOGS_PATH = '/tmp/log/app.log';
+export const LOGS_PATH = !!process.env.READONLY_WRITING_PATH ? process.env.READONLY_WRITING_PATH + '/log/app.log' : 'log/app.log';