@culturefy/shared 1.0.33 → 1.0.34

package/src/middlewares/token-validation.ts

@@ -1,10 +1,8 @@
 
 import IUser from "../models/user.model";
 import { AzureSecretKeysEnum } from "../enums";
-import { UserService } from "../service/user.service";
+import { getAzureVaultSecretByKey } from "../utils";
 import { HttpRequest, InvocationContext } from "@azure/functions";
-import { KeycloakAdminService } from "../service/keycloak.service";
-import { getAzureVaultSecretByKey, parseCookies, verifyJsonWebToken } from "../utils";
 
 interface TokenValidationResult {
     status: boolean;
@@ -20,439 +18,26 @@ interface TokenValidationResult {
     };
 }
 
-interface TokenClaims {
-    iat?: number;
-    exp?: number;
-    sub: string;
-    azp: string;
-    iss: string;
-    email: string;
-}
-
-export async function tokenValidation(request: HttpRequest, domain: string, context: InvocationContext): Promise<TokenValidationResult> {
-    try {
-        let cookies = parseCookies(request, context);
-        let accessToken = cookies["culturefy-auth-token"];
-        let refreshToken = cookies["culturefy-refresh-token"];
-
-        let expiresIn, refreshExpiresIn;
-
-        if (!accessToken) return { status: false, message: "Access token is required" };
-
-        const keycloakService = await initializeKeycloakService(context);
-
-        const tokenValidation = await validateToken(accessToken, context);
-
-        if (!tokenValidation.success) {
-            if (tokenValidation.expired) {
-                const { data } = tokenValidation;
-                if (!data) return { status: false, message: "Invalid access token." };
-
-                let { userId, clientId, realm, email } = data;
-
-                if (!clientId) return { status: false, message: "Invalid access token provided" };
-                if (!userId) return { status: false, message: "Invalid access token provided" };
-                if (!realm) return { status: false, message: "Invalid access token provided" };
-
-                context.log("Refreshing token for user:", JSON.stringify({ userId, clientId, realm, email }));
-
-                const refreshTokenResponse = await handleTokenRefresh(keycloakService, refreshToken, userId, clientId, realm, email, domain, context);
-                if (!refreshTokenResponse.success) return { status: false, message: refreshTokenResponse.message };
-
-                const { data: refreshTokenData } = refreshTokenResponse;
-                if (!refreshTokenData) return { status: false, message: "Invalid refresh token." };
-                
-                context.log("Refreshed token for user:", JSON.stringify({ userId, clientId, realm, email }));
-
-                accessToken = refreshTokenData.access_token;
-                refreshToken = refreshTokenData.refresh_token;
-                expiresIn = refreshTokenData.expires_in;
-                refreshExpiresIn = refreshTokenData.refresh_expires_in;
-
-            } else {
-                return { status: false, message: tokenValidation.message };
-            }
-        }
-
-        const { data } = tokenValidation;
-
-        if (!data) return { status: false, message: "Invalid access token." };
-
-        let { userId, clientId, realm, email } = data;
-
-        if (!clientId) return { status: false, message: "Invalid access token provided" };
-        if (!userId) return { status: false, message: "Invalid access token provided" };
-        if (!realm) return { status: false, message: "Invalid access token provided" };
-        if (!email) return { status: false, message: "Invalid access token provided" };
-
-        context.log("Validating user:", JSON.stringify({ userId, clientId, realm, email }));
-
-        let verifyFromDb;
-        let userInfo;
-
-        if(domain === "accounts.culturefy.app") {
-            const introspectionValid = await validateTokenIntrospection(
-                keycloakService,
-                accessToken,
-                realm,
-                clientId,
-                domain,
-                context
-            );
-    
-            if (!introspectionValid) return { status: false, message: "Token introspection failed" };
-            context.log("Token introspection successful");
-    
-            realm = "superadmin";
-            clientId = "cfy-superadmin-web";
-    
-            userInfo = await keycloakService.getUserByToken(realm, accessToken);
-            context.log("User info-1:", JSON.stringify(userInfo));
-
-            if(!userInfo.email) return { status: false, message: "User email not found" };
-            if(userInfo.email !== email) return { status: false, message: "User email does not match" };
-            email = userInfo.email;
-            verifyFromDb = await validateUserByEmail(email, context);
-            if (!verifyFromDb.success) return { status: false, message: verifyFromDb.message };
-        } else {
-            clientId = "cfy-web";
-            verifyFromDb = await validateUserByRealm(realm, email, context);
-        }
-
-        if (!verifyFromDb.success) return { status: false, message: verifyFromDb.message };
-
-        const user = verifyFromDb.user;
-
-        if (!user) return { status: false, message: "User not found." };
-        context.log("User:", JSON.stringify(user));
-
-        const introspectionValid = await validateTokenIntrospection(
-            keycloakService,
-            accessToken,
-            realm,
-            clientId,
-            domain,
-            context
-        );
-
-        if (!introspectionValid) return { status: false, message: "Token introspection failed" };
-        context.log("Token introspection successful");
-
-        if (domain === "accounts.culturefy.app") {
-            realm = "superadmin";
-            clientId = "cfy-superadmin-web";
-        } else {
-            if(!user.businessId) return { status: false, message: "User not found" };
-            realm = user.businessId.toString();
-            clientId = "cfy-web";
-        }
-
-        if(!userInfo) {
-            userInfo = await keycloakService.getUserByToken(realm, accessToken);
-            context.log("User info-2:", JSON.stringify(userInfo));
-        }
-
-        if(!userInfo) return { status: false, message: "User info not found" };
-
-        let updatedCookies: {
-            access_token: string;
-            refresh_token: string;
-            expires_in?: number;
-            refresh_expires_in?: number;
-        } = {
-            access_token: accessToken,
-            refresh_token: refreshToken,
-        };
-
-        if(expiresIn) updatedCookies.expires_in = expiresIn;
-        if(refreshExpiresIn) updatedCookies.refresh_expires_in = refreshExpiresIn;
-
-        return {
-            status: true,
-            message: "Token is valid",
-            data: {
-                cookies: updatedCookies,
-                user: user
-            }
-        };
-
-    } catch (error) {
-        context.error("Culturefy token validation error:", error);
-        return { status: false, message: "Internal server error during culturefy token validation" };
-    }
-}
-
-async function initializeKeycloakService(context: InvocationContext): Promise<KeycloakAdminService> {
-    const [keycloakBaseUrl, keycloakAdminClientId, keycloakAdminClientSecret] = await Promise.all([
-        getAzureVaultSecretByKey(
-            context,
-            process.env.AZURE_KEY_VAULT_NAME || "",
-            AzureSecretKeysEnum.KEYCLOAK_BASE_URL
-        ),
-        getAzureVaultSecretByKey(
-            context,
-            process.env.AZURE_KEY_VAULT_NAME || "",
-            AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_ID
-        ),
-        getAzureVaultSecretByKey(
-            context,
-            process.env.AZURE_KEY_VAULT_NAME || "",
-            AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_SECRET
-        )
-    ]);
-
-    return new KeycloakAdminService(context, {
-        baseUrl: keycloakBaseUrl as string,
-        adminClientId: keycloakAdminClientId as string,
-        adminClientSecret: keycloakAdminClientSecret as string
-    });
-}
-
-async function validateToken(
-    accessToken: string,
-    context: InvocationContext
-): Promise<{
-    success: boolean;
-    message: string;
-    expired?: boolean;
-    data?: {
-        userId: string;
-        clientId: string;
-        realm: string;
-        email: string;
-    };
-}> {
-    const currentTime = Math.floor(Date.now() / 1000);
-
-    const decoded = verifyJsonWebToken(accessToken);
-
-    if (!decoded) return { success: false, message: "Invalid access token format" };
-
-    let { iat, exp, sub: userId, azp: clientId, iss, email } = decoded as TokenClaims;
-    
-    if (!userId || !clientId || !iss) return { success: false, message: "Access token missing required claims (sub or azp or iss)" };
-    context.log("Access token claims:", JSON.stringify(decoded));
-    
-    let realm = iss.split("/")[iss.split("/").length - 1];
-    if(!realm) return { success: false, message: "Access token missing required claims (iss)" };
-
-    if (exp && exp < currentTime) return { success: false, message: "Access token expired and refresh token not provided", expired: true, data: { userId, clientId, realm, email } };
-    
-    if (iat && iat > currentTime) return { success: false, message: "Invalid token issuance time" };
-
-    return {
-        success: true,
-        message: "Token is valid",
-        data: { userId, clientId, realm, email }
-    };
-}
-
-async function handleTokenRefresh(
-    keycloakService: KeycloakAdminService,
-    refreshToken: string,
-    userId: string,
-    clientId: string,
-    realm: string,
-    email: string,
-    domain: string,
-    context: InvocationContext
-): Promise<{
-    success: boolean;
-    message: string;
-    data?: {
-        access_token: string;
-        expires_in: number;
-        refresh_token: string;
-        refresh_expires_in: number;
-    };
-}> {
-    const currentTime = Math.floor(Date.now() / 1000);
-
-    if(!clientId) return { success: false, message: "Client ID is missing" };
-    if(!userId) return { success: false, message: "User ID is missing" };
-    if(!realm) return { success: false, message: "Realm is missing" };
-    if(!refreshToken) return { success: false, message: "Refresh token is missing" };
-    if(!email) return { success: false, message: "Email is missing" };
-    if(!domain) return { success: false, message: "Domain is missing" };
-
-    context.info("values:", {clientId, userId, realm, email, domain});
-
-    const refreshTokenDecoded = verifyJsonWebToken(refreshToken);
-    if (!refreshTokenDecoded) return { success: false, message: "Invalid refresh token format" };
-
-    let { iss: refreshIss } = refreshTokenDecoded as TokenClaims;
-    refreshIss = refreshIss.split("/")[refreshIss.split("/").length - 1];
-
-    const { iat: refreshIat, exp: refreshExp, sub: refreshUserId, azp: refreshClientId, email: refreshEmail } = refreshTokenDecoded as TokenClaims;
-
-    context.info("refreshTokenDecoded:", JSON.stringify({refreshUserId, refreshClientId, refreshIss, refreshEmail}));
-
-    if (!refreshUserId || !refreshClientId || !refreshIss) return { success: false, message: "Refresh token missing required claims (sub or azp or iss)" };
-
-    if (refreshExp && refreshExp < currentTime) return { success: false, message: "Refresh token has expired" };
-
-    if (refreshIat && refreshIat > currentTime) return { success: false, message: "Invalid refresh token issuance time" };
-
-    if (refreshUserId !== userId || refreshClientId !== clientId || refreshIss !== realm || refreshEmail !== email) return { success: false, message: "Refresh token does not match access token user" };
-
-    if(domain === "accounts.culturefy.app") {
-        realm = "superadmin";
-        clientId = "cfy-superadmin-web";
-    } else {
-        realm = realm;
-        clientId = "cfy-web";
-    }
-
-    const newToken = await keycloakService.refreshToken(realm, clientId, refreshToken);
-    if (!newToken) return { success: false, message: "Failed to refresh access token" };
-
-    const newTokenDecoded = verifyJsonWebToken(newToken.access_token);
-    if (!newTokenDecoded) return { success: false, message: "Invalid new token format" };
-
-    const { iat: newIat, exp: newExp, sub: newUserId, azp: newClientId, iss: newIss, email: newEmail } = newTokenDecoded as TokenClaims;
-
-    if (!newUserId || !newClientId || !newIss || !newEmail) return { success: false, message: "New token missing required claims (sub or azp or iss or email)" };
-
-    if (newExp && newExp < currentTime) return { success: false, message: "New token has expired" };
-
-    if (newIat && newIat > currentTime) return { success: false, message: "Invalid new token issuance time" };
-
-    context.info("Token refreshed successfully for user:", userId);
-
-    return {
-        success: true,
-        message: "Token refreshed successfully",
-        data: {
-            access_token: newToken.access_token, expires_in: newToken.expires_in,
-            refresh_token: newToken.refresh_token, refresh_expires_in: newToken.refresh_expires_in
-        }
-    };
-}
-
-async function validateUserByRealm(
-    realm: string,
-    email: string,
-    context: InvocationContext
-): Promise<{
-    success: boolean;
-    message: string;
-    user?: any;
-}> {
-    try {
-        const authDbUrl = await getAzureVaultSecretByKey(
-            context,
-            process.env.AZURE_KEY_VAULT_NAME || "",
-            AzureSecretKeysEnum.DB_CONNECTING_STRING_USER
-        );
-
-        const userService = new UserService(context, authDbUrl);
-
-        let user = null;
-        context.log("Getting user by realm:", realm);
-        try {
-            // user = await userService.getUserByBusinessId(realm, email);
-            user = '';
-        } catch (err: any) {
-            context.error(`Failed to get user by realm:`, err);
-            return { success: false, message: "User not found.." };
-        }
-        context.log("User:", JSON.stringify(user));
-
-        if (!user) return { success: false, message: "User not found..." };
-
-        await userService.disconnect();
-
-        return { success: true, message: "User validation successful", user };
-
-    } catch (error) {
-        context.error("User validation error:", error);
-        return { success: false, message: "Error validating user information" };
-    }
-}
-
-async function validateUserByEmail(
-    email: string,
-    context: InvocationContext
-): Promise<{
-    success: boolean;
-    message: string;
-    user?: any;
-}> {
+export async function tokenValidation(request: HttpRequest, context: InvocationContext): Promise<TokenValidationResult> {
     try {
-        const authDbUrl = await getAzureVaultSecretByKey(
-            context,
-            process.env.AZURE_KEY_VAULT_NAME || "",
-            AzureSecretKeysEnum.DB_CONNECTING_STRING_USER
-        );
-
-        const userService = new UserService(context, authDbUrl);
-
-        let user = null;
-        context.log("Getting user by email:", email);
-        try {
-            // user = await userService.getUserByEmail(email);
-            user = '';
-        } catch (err: any) {
-            context.error(`Failed to get user by email:`, err);
-            return { success: false, message: "User not found.." };
+        const url = await getAzureVaultSecretByKey(context, process.env.AZURE_KEY_VAULT_NAME || "", AzureSecretKeysEnum.AUTH_SERVICE_AUTHENTICATION_URL);
+        if(!url) {
+            return { status: false, message: "Auth service authenticaion API url not found" };
         }
-        context.log("User:", JSON.stringify(user));
-
-        if (!user) return { success: false, message: "User not found..." };
-
-        await userService.disconnect();
-
-        return { success: true, message: "User validation successful", user };
-
-    } catch (error) {
-        context.error("User validation error:", error);
-        return { success: false, message: "Error validating user information" };
-    }
-}
-
-async function validateTokenIntrospection(
-    keycloakService: KeycloakAdminService,
-    token: string,
-    realm: string,
-    clientId: string,
-    domain: string,
-    context: InvocationContext
-): Promise<boolean> {
-    try {
-        if(!realm) return false;
-        if(!clientId) return false;
-        if(!token) return false;
+        context.log(`Auth service authentication API url: ${url}`);
         
-        if (domain === "accounts.culturefy.app") {
-            realm = "superadmin";
-            clientId = "cfy-superadmin-web";
-        } else {
-            realm = realm;
-            clientId = "cfy-web";
-        }
-
-        context.info("Validating token with Keycloak introspection");
-        const introspection = await keycloakService.introspectToken(realm, clientId, token);
-
-        if (!introspection.active) {
-            context.warn("Token introspection returned inactive token");
-            return false;
-        }
-
-        context.info("Token introspection successful - token is active");
-        return true;
-    } catch (error: any) {
-        context.error("Token introspection error:", error);
-
-        if (error.message?.includes('Client not allowed')) {
-            context.warn("Admin-cli client does not have introspection permissions - this is expected");
-            return true;
-        }
-
-        if (error.message?.includes('Invalid token')) return false;
-
-        if (error.message?.includes('Token is not active')) return false;
-
-        return false;
+        const response = await fetch(url, {
+            method: "GET",
+            headers: request.headers
+        });
+        const data = await response.json();
+        return { status: true, message: "Token validation successful", data: {
+            cookies: data.cookies,
+            user: data.user
+        } };
+
+    } catch (error:any) {
+        context.error("Culturefy token validation error:", error);
+        return { status: false, message: error.message || "Internal server error during culturefy token validation" };
     }
 }