@canmingir/link-express 1.7.9 → 1.7.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@canmingir/link-express",
-  "version": "1.7.9",
+  "version": "1.7.11",
   "description": "",
   "main": "index.ts",
   "types": "index.ts",
@@ -57,6 +57,7 @@
     "@aws-sdk/client-dynamodb": "^3.614.0",
     "@aws-sdk/lib-dynamodb": "^3.614.0",
     "@elastic/ecs-pino-format": "^1.5.0",
+    "aws-jwt-verify": "^5.1.1",
     "axios": "^1.7.2",
     "cors": "^2.8.5",
     "dotenv": "^16.4.5",

package/src/event/client/metrics.ts

@@ -158,8 +158,6 @@ export class EventMetrics {
       if (!response.ok) {
         throw new Error(`HTTP ${response.status}: ${response.statusText}`);
       }
-
-      console.log("Metrics pushed to Pushgateway successfully");
     } catch (err) {
       console.error("Failed to push metrics to Pushgateway:", err);
     }

package/src/lib/cognitoVerifier.ts

@@ -0,0 +1,11 @@
+import { CognitoJwtVerifier } from "aws-jwt-verify";
+
+export const cognitoAccessTokenVerifier = CognitoJwtVerifier.create({
+  userPoolId: process.env.COGNITO_USER_POOL_ID!,
+  tokenUse: "access",
+  clientId: process.env.COGNITO_CLIENT_ID!,
+});
+
+export async function verifyCognitoAccessToken(token: string) {
+  return cognitoAccessTokenVerifier.verify(token);
+}

package/src/metrics/dbMetrics.ts

@@ -118,7 +118,6 @@ class DBMetrics {
         throw new Error(`HTTP ${response.status}: ${response.statusText}`);
       }
 
-      console.log("[DBMetrics] Metrics pushed to Pushgateway successfully");
     } catch (err) {
       console.error("[DBMetrics] Failed to push metrics to Pushgateway:", err);
     }

package/src/routes/oauth.ts

@@ -6,6 +6,7 @@ import Permission from "../models/Permission.model";
 import axios from "axios";
 import config from "../config";
 import jwt from "jsonwebtoken";
+import { verifyCognitoAccessToken } from "../lib/cognitoVerifier";
 
 const router = express.Router();
 
@@ -15,6 +16,26 @@ if (!project) {
   throw new Error("Project configuration is required");
 }
 
+const providers = project?.oauth?.providers || {};
+
+const identityProviders: Record<string, typeof providers[string]> = {};
+
+for (const [key, value] of Object.entries(providers)) {
+  const identityProviderKey = key.toLowerCase();
+
+  if (identityProviders[identityProviderKey]) {
+    throw new Error(
+      `Duplicate OAuth provider configuration detected for key "${key}". Provider keys must be unique in a case-insensitive manner.`,
+    );
+  }
+
+  identityProviders[identityProviderKey] = value;
+}
+
+function getProviderConfig(identityProvider: string) {
+  return identityProviders[identityProvider.toLowerCase()];
+}
+
 router.post(
   "/",
   async (req: Request, res: Response): Promise<Response | void> => {
@@ -25,6 +46,8 @@ router.post(
       refreshToken,
       redirectUri,
       identityProvider,
+      username,
+      password,
     } = Joi.attempt(
       req.body,
       Joi.object({
@@ -34,9 +57,11 @@ router.post(
         refreshToken: Joi.string().optional(),
         redirectUri: Joi.string().optional(),
         identityProvider: Joi.string().required(),
+        username: Joi.string().optional().allow("admin"),
+        password: Joi.string().optional().allow("admin"),
       })
         .required()
-        .options({ stripUnknown: true })
+        .options({ stripUnknown: true }),
     ) as {
       appId: string;
       projectId?: string;
@@ -44,13 +69,246 @@ router.post(
       refreshToken?: string;
       redirectUri?: string;
       identityProvider: string;
+      username?: string;
+      password?: string;
     };
 
+    if (username && password && identityProvider.toUpperCase() === "DEMO") {
+      if (username !== "admin" || password !== "admin") {
+        throw new AuthenticationError("Invalid demo credentials");
+      }
+
+      const userId = "1001";
+
+      let accessToken: string;
+
+      if (projectId) {
+        const permissions = await Permission.findAll({
+          where: { userId, projectId, appId },
+        });
+
+        if (!permissions.length) {
+          accessToken = jwt.sign(
+            {
+              sub: userId,
+              iss: "nuc",
+              aid: appId,
+              aud: projectId,
+              oid: "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
+              rls: ["OWNER"],
+              identityProvider: "DEMO",
+              iat: Math.floor(Date.now() / 1000),
+            },
+            process.env.JWT_SECRET as string,
+            { expiresIn: "12h" },
+          );
+        } else {
+          accessToken = jwt.sign(
+            {
+              sub: userId,
+              iss: "nuc",
+              aud: projectId,
+              oid: permissions[0].organizationId,
+              aid: appId,
+              rls: permissions.map((p) => p.role),
+              identityProvider: "DEMO",
+              iat: Math.floor(Date.now() / 1000),
+            },
+            process.env.JWT_SECRET as string,
+            { expiresIn: "12h" },
+          );
+        }
+      } else {
+        accessToken = jwt.sign(
+          {
+            sub: userId,
+            iss: "nuc",
+            aid: appId,
+            identityProvider: "DEMO",
+            iat: Math.floor(Date.now() / 1000),
+          },
+          process.env.JWT_SECRET as string,
+          { expiresIn: "12h" },
+        );
+      }
+
+      const refreshToken = jwt.sign(
+        {
+          sub: userId,
+          type: "refresh",
+          identityProvider: "DEMO",
+          iat: Math.floor(Date.now() / 1000),
+        },
+        process.env.JWT_SECRET as string,
+        { expiresIn: "30d" },
+      );
+
+      return res.status(200).json({
+        accessToken,
+        refreshToken,
+      });
+    }
+
+    if (identityProvider.toUpperCase() === "COGNITO") {
+      if (!refreshToken) {
+        throw new AuthenticationError("Missing token");
+      }
+
+      const maybeInternal = jwt.decode(refreshToken) as any;
+
+      const isInternalRefresh =
+        maybeInternal?.type === "refresh" &&
+        (maybeInternal?.identityProvider || "").toUpperCase() === "COGNITO";
+
+      if (isInternalRefresh) {
+        const verified = jwt.verify(
+          refreshToken,
+          process.env.JWT_SECRET as string,
+        ) as { sub: string; type: string; identityProvider: string };
+
+        const userId = verified.sub;
+
+        let accessToken: string;
+
+        if (projectId) {
+          const permissions = await Permission.findAll({
+            where: { userId, projectId, appId },
+          });
+
+          if (!permissions.length) {
+            accessToken = jwt.sign(
+              {
+                sub: userId,
+                iss: "nuc",
+                aid: appId,
+                aud: projectId,
+                oid: "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
+                rls: ["OWNER"],
+                identityProvider: "COGNITO",
+                iat: Math.floor(Date.now() / 1000),
+              },
+              process.env.JWT_SECRET as string,
+              { expiresIn: "12h" },
+            );
+          } else {
+            accessToken = jwt.sign(
+              {
+                sub: userId,
+                iss: "nuc",
+                aud: projectId,
+                oid: permissions[0].organizationId,
+                aid: appId,
+                rls: permissions.map((p) => p.role),
+                identityProvider: "COGNITO",
+                iat: Math.floor(Date.now() / 1000),
+              },
+              process.env.JWT_SECRET as string,
+              { expiresIn: "12h" },
+            );
+          }
+        } else {
+          accessToken = jwt.sign(
+            {
+              sub: userId,
+              iss: "nuc",
+              aid: appId,
+              identityProvider: "COGNITO",
+              iat: Math.floor(Date.now() / 1000),
+            },
+            process.env.JWT_SECRET as string,
+            { expiresIn: "12h" },
+          );
+        }
+
+        return res.status(200).json({
+          accessToken,
+          refreshToken,
+        });
+      }
+
+      if (refreshToken.split(".").length !== 3) {
+        throw new AuthenticationError(
+          "Expected Cognito access token (JWT) but received a non-JWT token",
+        );
+      }
+
+      const decodedCognito = await verifyCognitoAccessToken(refreshToken);
+      const userId = decodedCognito.sub;
+
+      let accessToken: string;
+
+      if (projectId) {
+        const permissions = await Permission.findAll({
+          where: { userId, projectId, appId },
+        });
+
+        if (!permissions.length) {
+          accessToken = jwt.sign(
+            {
+              sub: userId,
+              iss: "nuc",
+              aid: appId,
+              aud: projectId,
+              oid: "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
+              rls: ["OWNER"],
+              identityProvider: "COGNITO",
+              iat: Math.floor(Date.now() / 1000),
+            },
+            process.env.JWT_SECRET as string,
+            { expiresIn: "12h" },
+          );
+        } else {
+          accessToken = jwt.sign(
+            {
+              sub: userId,
+              iss: "nuc",
+              aud: projectId,
+              oid: permissions[0].organizationId,
+              aid: appId,
+              rls: permissions.map((p) => p.role),
+              identityProvider: "COGNITO",
+              iat: Math.floor(Date.now() / 1000),
+            },
+            process.env.JWT_SECRET as string,
+            { expiresIn: "12h" },
+          );
+        }
+      } else {
+        accessToken = jwt.sign(
+          {
+            sub: userId,
+            iss: "nuc",
+            aid: appId,
+            identityProvider: "COGNITO",
+            iat: Math.floor(Date.now() / 1000),
+          },
+          process.env.JWT_SECRET as string,
+          { expiresIn: "12h" },
+        );
+      }
+
+      const internalRefreshToken = jwt.sign(
+        {
+          sub: userId,
+          type: "refresh",
+          identityProvider: "COGNITO",
+          iat: Math.floor(Date.now() / 1000),
+        },
+        process.env.JWT_SECRET as string,
+        { expiresIn: "30d" },
+      );
+
+      return res.status(200).json({
+        accessToken,
+        refreshToken: internalRefreshToken,
+      });
+    }
+
     if (!code && !refreshToken) {
       return res.status(400).send("Missing OAuth Code and Refresh Token");
     }
 
-    const providerConfig = project.oauth?.providers[identityProvider] as {
+    const providerConfig = getProviderConfig(identityProvider) as {
       clientId: string;
       tokenUrl: string;
       userUrl: string;
@@ -75,7 +333,9 @@ router.post(
       params.append("client_id", providerConfig.clientId);
       params.append(
         "client_secret",
-        process.env[`${identityProvider.toUpperCase()}_CLIENT_SECRET`] as string
+        process.env[
+          `${identityProvider.toUpperCase()}_CLIENT_SECRET`
+        ] as string,
       );
       params.append("code", code);
       params.append("redirect_uri", redirectUri);
@@ -95,13 +355,13 @@ router.post(
 
       if (tokenResponse.data.error) {
         throw new AuthorizationError(
-          tokenResponse.data.error_description || tokenResponse.data.error
+          tokenResponse.data.error_description || tokenResponse.data.error,
         );
       }
 
       if (!tokenResponse.data.access_token) {
         throw new AuthenticationError(
-          "No access token received from OAuth provider"
+          "No access token received from OAuth provider",
         );
       }
 
@@ -120,7 +380,7 @@ router.post(
           Accept: "application/json",
         },
         timeout: 10000,
-      }
+      },
     );
 
     console.log("User info response:", userResponse.data);
@@ -143,7 +403,7 @@ router.post(
         fallbackField: project.oauth?.jwt.identifier,
       });
       throw new Error(
-        `Cannot find user identifier in ${identityProvider} OAuth response`
+        `Cannot find user identifier in ${identityProvider} OAuth response`,
       );
     }
 
@@ -164,7 +424,7 @@ router.post(
             iat: Math.floor(Date.now() / 1000),
           },
           process.env.JWT_SECRET as string,
-          { expiresIn: "12h" }
+          { expiresIn: "12h" },
         );
       } else {
         accessToken = jwt.sign(
@@ -179,7 +439,7 @@ router.post(
             iat: Math.floor(Date.now() / 1000),
           },
           process.env.JWT_SECRET as string,
-          { expiresIn: "12h" }
+          { expiresIn: "12h" },
         );
       }
     } else {
@@ -192,7 +452,7 @@ router.post(
           iat: Math.floor(Date.now() / 1000),
         },
         process.env.JWT_SECRET as string,
-        { expiresIn: "12h" }
+        { expiresIn: "12h" },
       );
     }
 
@@ -200,7 +460,7 @@ router.post(
       accessToken,
       refreshToken: newRefreshToken,
     });
-  }
+  },
 );
 
 router.get("/user", async (req: Request, res: Response): Promise<Response> => {
@@ -246,7 +506,22 @@ router.get("/user", async (req: Request, res: Response): Promise<Response> => {
     });
   }
 
-  const providerConfig = project.oauth?.providers[identityProvider] as {
+  if (identityProvider.toUpperCase() === "COGNITO") {
+    const avatarSeed = userId;
+    const avatarUrl = `https://api.dicebear.com/7.x/bottts/svg?seed=${avatarSeed}`;
+
+    return res.status(200).json({
+      user: {
+        id: userId,
+        identityProvider: "COGNITO",
+        name: "Cognito",
+        displayName: "Cognito Admin",
+        avatarUrl,
+      },
+    });
+  }
+
+  const providerConfig = getProviderConfig(identityProvider) as {
     userUrl: string;
     userFields: {
       name: string;
@@ -267,7 +542,7 @@ router.get("/user", async (req: Request, res: Response): Promise<Response> => {
         Accept: "application/json",
       },
       timeout: 10000,
-    }
+    },
   );
 
   const userFieldMapping = providerConfig.userFields;
@@ -287,97 +562,4 @@ router.get("/user", async (req: Request, res: Response): Promise<Response> => {
   });
 });
 
-router.post("/demo", async (req: Request, res: Response): Promise<Response> => {
-  const { appId, projectId, username, password } = Joi.attempt(
-    req.body,
-    Joi.object({
-      appId: Joi.string().required(),
-      projectId: Joi.string().optional(),
-      username: Joi.string().required(),
-      password: Joi.string().required(),
-    })
-      .required()
-      .options({ stripUnknown: true })
-  ) as {
-    appId: string;
-    projectId?: string;
-    username: string;
-    password: string;
-  };
-
-  if (username !== "admin" || password !== "admin") {
-    throw new AuthenticationError("Invalid demo credentials");
-  }
-
-  const userId = "1001";
-
-  let accessToken: string;
-
-  if (projectId) {
-    const permissions = await Permission.findAll({
-      where: { userId, projectId, appId },
-    });
-
-    if (!permissions.length) {
-      accessToken = jwt.sign(
-        {
-          sub: userId,
-          iss: "nuc",
-          aid: appId,
-          aud: projectId,
-          oid: "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
-          rls: "OWNER",
-          identityProvider: "DEMO",
-          iat: Math.floor(Date.now() / 1000),
-        },
-        process.env.JWT_SECRET as string,
-        { expiresIn: "12h" }
-      );
-    } else {
-      accessToken = jwt.sign(
-        {
-          sub: userId,
-          iss: "nuc",
-          aud: projectId,
-          oid: permissions[0].organizationId,
-          aid: appId,
-          rls: permissions.map((p) => p.role),
-          identityProvider: "DEMO",
-          iat: Math.floor(Date.now() / 1000),
-        },
-        process.env.JWT_SECRET as string,
-        { expiresIn: "12h" }
-      );
-    }
-  } else {
-    accessToken = jwt.sign(
-      {
-        sub: userId,
-        iss: "nuc",
-        aid: appId,
-        identityProvider: "DEMO",
-        iat: Math.floor(Date.now() / 1000),
-      },
-      process.env.JWT_SECRET as string,
-      { expiresIn: "12h" }
-    );
-  }
-
-  const refreshToken = jwt.sign(
-    {
-      sub: userId,
-      type: "refresh",
-      identityProvider: "DEMO",
-      iat: Math.floor(Date.now() / 1000),
-    },
-    process.env.JWT_SECRET as string,
-    { expiresIn: "30d" }
-  );
-
-  return res.status(200).json({
-    accessToken,
-    refreshToken,
-  });
-});
-
 export default router;

package/src/seeds/Permission.json

@@ -160,6 +160,46 @@
       "projectId": "21d2530b-4657-4ac0-b8cd-1a9f82786e32",
       "userId": "90180086",
       "role": "OWNER"
+    },
+    {
+      "id": "0baa8c53-532f-4b16-b049-34694ba0c088",
+      "appId": "977f5f57-8936-4388-8eb0-00a512cf01cc",
+      "organizationId": "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
+      "projectId": "cb16e069-6214-47f1-9922-1f7fe7629525",
+      "userId": "64a8f4b8-5081-70c4-71f4-de20c302da12",
+      "role": "OWNER"
+    },
+    {
+      "id": "dcec22f6-881e-4c52-ac4b-5177b92375a2",
+      "appId": "10b7bc8c-a49c-4002-b0ec-63599e4b5210",
+      "organizationId": "dfb990bb-81dd-4584-82ce-050eb8f6a12f",
+      "projectId": "add6dfa4-45ba-4da2-bc5c-5a529610b52f",
+      "userId": "64a8f4b8-5081-70c4-71f4-de20c302da12",
+      "role": "OWNER"
+    },
+    {
+      "id": "58cc2585-fe2f-4a83-a257-17cda12a2dee",
+      "appId": "977f5f57-8936-4388-8eb0-00a512cf01cc",
+      "organizationId": "1c063446-7e78-432a-a273-34f481d0f0c3",
+      "projectId": "0c756054-2d28-4f87-9b12-8023a79136a5",
+      "userId": "64a8f4b8-5081-70c4-71f4-de20c302da12",
+      "role": "OWNER"
+    },
+    {
+      "id": "0fbcba2b-c988-4ac9-b896-1704fcb59909",
+      "appId": "10b7bc8c-a49c-4002-b0ec-63599e4b5210",
+      "organizationId": "1c063446-7e78-432a-a273-34f481d0f0c3",
+      "projectId": "e6d4744d-a11b-4c75-acad-e24a02903729",
+      "userId": "64a8f4b8-5081-70c4-71f4-de20c302da12",
+      "role": "OWNER"
+    },
+    {
+      "id": "121112c3-282b-4127-9314-20d0053d998f",
+      "appId": "977f5f57-8936-4388-8eb0-00a512cf01cc",
+      "organizationId": "5459ab03-204a-4627-bdde-667b7802cb35",
+      "projectId": "21d2530b-4657-4ac0-b8cd-1a9f82786e32",
+      "userId": "64a8f4b8-5081-70c4-71f4-de20c302da12",
+      "role": "OWNER"
     }
   ]
 }