npm - @discover-cloud/shared - Versions diffs - 1.2.2 → 1.2.3 - Mend

@discover-cloud/shared 1.2.2 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/jwt/index.d.ts +1 -0
package/dist/jwt/index.js +1 -0
package/dist/jwt/machine-token-client.d.ts +12 -0
package/dist/jwt/machine-token-client.js +55 -0
package/dist/middleware/authorize.middleware.js +6 -4
package/dist/middleware/index.d.ts +1 -0
package/dist/middleware/index.js +1 -0
package/dist/middleware/require-internal.middleware.d.ts +18 -0
package/dist/middleware/require-internal.middleware.js +175 -0
package/dist/types/express.types.d.ts +6 -1
package/package.json +1 -1

package/dist/jwt/index.d.ts CHANGED Viewed

	@@ -1 +1,2 @@
1 1	export * from "./internal-jwt-verifier";
2	+ export * from "./machine-token-client";

package/dist/jwt/index.js CHANGED Viewed

@@ -15,3 +15,4 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./internal-jwt-verifier"), exports);
+__exportStar(require("./machine-token-client"), exports);

package/dist/jwt/machine-token-client.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { ILogger } from "../utils";
+export declare class MachineTokenClient {
+    private readonly gatewayUrl;
+    private readonly serviceId;
+    private readonly logger;
+    private cache;
+    private fetchPromise;
+    constructor(gatewayUrl: string, serviceId: string, logger?: ILogger);
+    getToken(requestId?: string): Promise<string>;
+    private isValid;
+    private fetchToken;
+}

package/dist/jwt/machine-token-client.js ADDED Viewed

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MachineTokenClient = void 0;
+const utils_1 = require("../utils");
+const REFRESH_BUFFER_S = 10;
+class MachineTokenClient {
+    constructor(gatewayUrl, serviceId, logger = utils_1.noopLogger) {
+        this.gatewayUrl = gatewayUrl;
+        this.serviceId = serviceId;
+        this.logger = logger;
+        this.cache = null;
+        this.fetchPromise = null;
+    }
+    async getToken(requestId) {
+        if (this.isValid()) {
+            return this.cache.token;
+        }
+        if (!this.fetchPromise) {
+            this.fetchPromise = this.fetchToken(requestId).finally(() => {
+                this.fetchPromise = null;
+            });
+        }
+        return this.fetchPromise;
+    }
+    isValid() {
+        if (!this.cache)
+            return false;
+        const nowS = Math.floor(Date.now() / 1000);
+        return this.cache.expiresAt - REFRESH_BUFFER_S > nowS;
+    }
+    async fetchToken(requestId) {
+        const url = `${this.gatewayUrl}/internal/machine-token`;
+        this.logger.debug({ serviceId: this.serviceId, requestId }, "Fetching machine token");
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ serviceId: this.serviceId, requestId }),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "(unreadable)");
+            throw new Error(`MachineTokenClient: gateway returned ${response.status} fetching machine token: ${text}`);
+        }
+        const body = (await response.json());
+        const nowS = Math.floor(Date.now() / 1000);
+        this.cache = {
+            token: body.data.token,
+            expiresAt: nowS + body.data.expiresIn,
+        };
+        this.logger.info({ serviceId: this.serviceId, expiresAt: this.cache.expiresAt }, "Machine token cached");
+        return this.cache.token;
+    }
+}
+exports.MachineTokenClient = MachineTokenClient;

package/dist/middleware/authorize.middleware.js CHANGED Viewed

@@ -58,11 +58,12 @@ exports.authorize = authorize;
  */
 const authorizeAny = (...permissions) => {
     return (req, res, next) => {
-        if (!req.accessContext) {
+        const ctx = req.accessContext;
+        if (!ctx) {
             (0, utils_1.failure)(res, req, "Unauthorized: No access context", "UNAUTHORIZED", 401);
             return;
         }
-        const hasAny = permissions.some((p) => internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(req.accessContext, p));
+        const hasAny = permissions.some((p) => internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(ctx, p));
         if (!hasAny) {
             (0, utils_1.failure)(res, req, `Forbidden: Missing one of [${permissions.join(", ")}]`, "FORBIDDEN", 403);
             return;
@@ -87,11 +88,12 @@ exports.authorizeAny = authorizeAny;
  */
 const authorizeAll = (...permissions) => {
     return (req, res, next) => {
-        if (!req.accessContext) {
+        const ctx = req.accessContext;
+        if (!ctx) {
             (0, utils_1.failure)(res, req, "Unauthorized: No access context", "UNAUTHORIZED", 401);
             return;
         }
-        const missingPermissions = permissions.filter((p) => !internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(req.accessContext, p));
+        const missingPermissions = permissions.filter((p) => !internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(ctx, p));
         if (missingPermissions.length > 0) {
             (0, utils_1.failure)(res, req, `Forbidden: Missing permissions [${missingPermissions.join(", ")}]`, "FORBIDDEN", 403);
             return;

package/dist/middleware/index.d.ts CHANGED Viewed

@@ -3,3 +3,4 @@ export * from "./validate.middleware";
 export * from "./request-id.middleware";
 export * from "./authorize.middleware";
 export * from "./validated-merge.middleware";
+export * from "./require-internal.middleware";

package/dist/middleware/index.js CHANGED Viewed

@@ -19,3 +19,4 @@ __exportStar(require("./validate.middleware"), exports);
 __exportStar(require("./request-id.middleware"), exports);
 __exportStar(require("./authorize.middleware"), exports);
 __exportStar(require("./validated-merge.middleware"), exports);
+__exportStar(require("./require-internal.middleware"), exports);

package/dist/middleware/require-internal.middleware.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { Request, Response, NextFunction } from "express";
+import { ILogger } from "../utils/logger.utils";
+export interface RequireInternalOptions {
+    /**
+     * Gateway JWKS URI.
+     * Defaults to GATEWAY_JWKS_URI env var, then the docker-compose default.
+     * Must point to the gateway, not any individual service.
+     */
+    gatewayJwksUri?: string;
+    /**
+     * Permitted serviceIds. Reject any machine token whose serviceId is
+     * not in this list, even if the signature is valid.
+     * Omit to accept any valid machine token (not recommended in production).
+     */
+    allowedServices?: string[];
+    logger?: ILogger;
+}
+export declare function requireInternal(options?: RequireInternalOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/dist/middleware/require-internal.middleware.js ADDED Viewed

@@ -0,0 +1,175 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireInternal = requireInternal;
+const jose = __importStar(require("jose"));
+const logger_utils_1 = require("../utils/logger.utils");
+/**
+ * REQUIRE INTERNAL MIDDLEWARE  (@discover-cloud/shared)
+ * ─────────────────────────────────────────────────────────────────────────
+ * Protects /internal/* routes by verifying a gateway-signed machine JWT.
+ * Replaces X-Internal-Secret on all service-to-service endpoints.
+ *
+ * Trust model:
+ *   All machine tokens are signed by the gateway's private key and verified
+ *   against the gateway's JWKS endpoint — the same trust root used for
+ *   human tokens. There is exactly one signing authority in the system.
+ *
+ * Verification:
+ *   1. Extract Bearer token from Authorization header
+ *   2. Verify RS256 signature against gateway JWKS
+ *   3. Assert typ === "internal" (token confusion defence)
+ *   4. Assert isMachine === true (rejects human tokens on internal routes)
+ *   5. Assert serviceId is in the allowlist (optional but recommended)
+ *   6. Attach MachineAccessContext to req.accessContext
+ *
+ * JWKS caching:
+ *   One RemoteJWKSet instance is created per middleware instance (i.e. per
+ *   service process), cached internally by jose for JWKS_CACHE_MAX_AGE_MS.
+ *   No per-request network call under normal operation.
+ *
+ * Allowlist:
+ *   Pass allowedServices to restrict which services can call this endpoint.
+ *   Example: requireInternal({ allowedServices: ["cloud-service"] })
+ *   Defaults to accepting any valid machine token if omitted.
+ *   Always set this in production — it limits blast radius if a service
+ *   is compromised.
+ *
+ * Usage:
+ *   // insights-service internal routes
+ *   router.use("/internal", requireInternal({
+ *     gatewayJwksUri: process.env.GATEWAY_JWKS_URI,
+ *     allowedServices: ["cloud-service"],
+ *     logger,
+ *   }));
+ */
+const CLOCK_TOLERANCE_S = 30;
+const JWKS_CACHE_MAX_AGE_MS = 10 * 60 * 1000;
+const JWKS_FETCH_TIMEOUT_MS = 5000;
+function requireInternal(options = {}) {
+    const logger = options.logger ?? logger_utils_1.noopLogger;
+    const jwksUri = options.gatewayJwksUri ??
+        process.env["GATEWAY_JWKS_URI"] ??
+        "http://api-gateway:3000/.well-known/jwks.json";
+    const issuer = process.env["INTERNAL_JWT_ISSUER"] ?? "discover-cloud:api-gateway";
+    const audience = process.env["INTERNAL_JWT_AUDIENCE"] ?? "discover-cloud:internal";
+    // One JWKS instance per middleware — jose caches the key set internally
+    const jwks = jose.createRemoteJWKSet(new URL(jwksUri), {
+        cacheMaxAge: JWKS_CACHE_MAX_AGE_MS,
+        timeoutDuration: JWKS_FETCH_TIMEOUT_MS,
+    });
+    const { allowedServices } = options;
+    return async (req, res, next) => {
+        const header = req.headers.authorization;
+        if (!header?.startsWith("Bearer ")) {
+            res.status(401).json({
+                success: false,
+                error: { code: "UNAUTHORIZED", message: "Missing Authorization header" },
+            });
+            return;
+        }
+        const token = header.slice(7);
+        try {
+            const { payload } = await jose.jwtVerify(token, jwks, {
+                issuer,
+                audience,
+                algorithms: ["RS256"],
+                clockTolerance: CLOCK_TOLERANCE_S,
+            });
+            // Token confusion defence — reject human tokens that somehow
+            // reach an internal route (wrong header forwarded by caller)
+            if (payload["typ"] !== "internal") {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Token type must be 'internal'" },
+                });
+                return;
+            }
+            // Machine guard — reject human internal tokens on machine-only routes
+            if (payload["isMachine"] !== true) {
+                res.status(403).json({
+                    success: false,
+                    error: { code: "FORBIDDEN", message: "Machine token required for internal routes" },
+                });
+                return;
+            }
+            const serviceId = payload["serviceId"];
+            if (typeof serviceId !== "string") {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Token missing serviceId" },
+                });
+                return;
+            }
+            // Allowlist — tightest possible scope per endpoint
+            if (allowedServices && !allowedServices.includes(serviceId)) {
+                logger.warn({ requestId: req.id, serviceId }, "[requireInternal] serviceId not in allowlist");
+                res.status(403).json({
+                    success: false,
+                    error: { code: "FORBIDDEN", message: "Service not permitted to call this endpoint" },
+                });
+                return;
+            }
+            const context = { kind: "machine", serviceId };
+            req.accessContext = context;
+            logger.debug({ requestId: req.id, serviceId, jti: payload.jti }, "[requireInternal] Machine token verified");
+            next();
+        }
+        catch (err) {
+            if (err instanceof jose.errors.JWTExpired) {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "TOKEN_EXPIRED", message: "Machine token has expired" },
+                });
+                return;
+            }
+            if (err instanceof jose.errors.JWSSignatureVerificationFailed ||
+                err instanceof jose.errors.JWTClaimValidationFailed ||
+                err instanceof jose.errors.JWSInvalid ||
+                err instanceof jose.errors.JWTInvalid) {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Machine token is invalid" },
+                });
+                return;
+            }
+            logger.error({ err, requestId: req.id }, "[requireInternal] Unexpected error verifying machine token");
+            res.status(503).json({
+                success: false,
+                error: { code: "SERVICE_UNAVAILABLE", message: "Authentication temporarily unavailable" },
+            });
+        }
+    };
+}

package/dist/types/express.types.d.ts CHANGED Viewed

@@ -60,7 +60,8 @@ export interface HumanInternalJwtPayload extends BaseInternalJwtPayload {
     isMachine: false;
     accountId: string;
     accountRole: AccountRole;
-    externalJti?: string;
+    externalJti: string;
+    externalExp: number;
 }
 /**
  * MachineInternalJwtPayload
@@ -73,6 +74,10 @@ export interface MachineInternalJwtPayload extends BaseInternalJwtPayload {
 }
 /** Full internal JWT payload union — use in verifiers and auth middleware */
 export type InternalJwtPayload = HumanInternalJwtPayload | MachineInternalJwtPayload;
+export interface TokenRevocationContext {
+    jti: string;
+    exp: number;
+}
 export interface HumanAccessContext {
     kind: "human";
     accountId: string;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@discover-cloud/shared",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "private": false,
   "type": "commonjs",
   "main": "dist/index.js",