@optimizely-opal/opal-tool-ocp-sdk 0.0.0-beta.11 → 0.0.0-beta.13

package/src/auth/AuthUtils.ts

@@ -0,0 +1,117 @@
+import { getAppContext, logger } from '@zaiusinc/app-sdk';
+import { getTokenVerifier } from './TokenVerifier';
+import { OptiIdAuthData } from '../types/Models';
+
+/**
+ * Validate the OptiID access token
+ *
+ * @param accessToken - The access token to validate
+ * @returns true if the token is valid
+ */
+async function validateAccessToken(accessToken: string | undefined): Promise<boolean> {
+  try {
+    if (!accessToken) {
+      return false;
+    }
+    const tokenVerifier = await getTokenVerifier();
+    return await tokenVerifier.verify(accessToken);
+  } catch (error) {
+    logger.error('OptiID token validation failed:', error);
+    return false;
+  }
+}
+
+/**
+ * Extract and validate basic OptiID authentication data from request
+ *
+ * @param request - The incoming request
+ * @returns object with authData and accessToken, or null if invalid
+ */
+export function extractAuthData(request: any): { authData: OptiIdAuthData; accessToken: string } | null {
+  const authData = request?.bodyJSON?.auth as OptiIdAuthData;
+  const accessToken = authData?.credentials?.access_token;
+  if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
+    logger.error('OptiID token is required but not provided');
+    return null;
+  }
+
+  return { authData, accessToken };
+}
+
+/**
+ * Validate organization ID matches the app context
+ *
+ * @param customerId - The customer ID from the auth data
+ * @returns true if the organization ID is valid
+ */
+function validateOrganizationId(customerId: string | undefined): boolean {
+  if (!customerId) {
+    logger.error('Organisation ID is required but not provided');
+    return false;
+  }
+
+  const appOrganisationId = getAppContext()?.account?.organizationId;
+  if (customerId !== appOrganisationId) {
+    logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * Check if a request should skip authentication (discovery/ready endpoints)
+ *
+ * @param request - The incoming request
+ * @returns true if auth should be skipped
+ */
+function shouldSkipAuth(request: any): boolean {
+  return request.path === '/discovery' || request.path === '/ready';
+}
+
+/**
+ * Core authentication flow - extracts auth data and validates token
+ *
+ * @param request - The incoming request
+ * @param validateOrg - Whether to validate organization ID
+ * @returns true if authentication succeeds
+ */
+async function authenticateRequest(request: any, validateOrg: boolean): Promise<boolean> {
+  if (shouldSkipAuth(request)) {
+    return true;
+  }
+
+  const authInfo = extractAuthData(request);
+  if (!authInfo) {
+    return false;
+  }
+
+  const { authData, accessToken } = authInfo;
+
+  // Validate organization ID if required
+  if (validateOrg && !validateOrganizationId(authData.credentials?.customer_id)) {
+    return false;
+  }
+
+  return await validateAccessToken(accessToken);
+}
+
+/**
+ * Authenticate a request for regular functions (with organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication and authorization succeed
+ */
+export async function authenticateRegularRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, true);
+}
+
+/**
+ * Authenticate a request for global functions (without organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication succeeds
+ */
+export async function authenticateGlobalRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, false);
+}

package/src/auth/TokenVerifier.test.ts

@@ -0,0 +1,165 @@
+
+// Mock the app-sdk module
+jest.mock('@zaiusinc/app-sdk', () => ({
+  logger: {
+    info: jest.fn(),
+    error: jest.fn(),
+    warn: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+import { TokenVerifier } from './TokenVerifier';
+
+// Test constants
+const TEST_ISSUER = 'https://prep.login.optimizely.com/oauth2/default';
+const TEST_JWKS_URI = 'https://prep.login.optimizely.com/oauth2/v1/keys';
+
+// Mock fetch globally
+global.fetch = jest.fn();
+
+describe('TokenVerifier', () => {
+  beforeEach(() => {
+    // Reset fetch mock
+    (global.fetch as jest.Mock).mockReset();
+
+    // Reset singleton instance for each test
+    (TokenVerifier as any).instance = null;
+  });
+
+  describe('getInitializedInstance', () => {
+    it('should initialize successfully', async () => {
+      // Mock fetch for OAuth2 authorization server discovery
+      (global.fetch as jest.Mock).mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          issuer: TEST_ISSUER,
+          jwks_uri: TEST_JWKS_URI
+        })
+      });
+
+      const tokenVerifier = await TokenVerifier.getInitializedInstance();
+      expect(tokenVerifier).toBeInstanceOf(TokenVerifier);
+    });
+
+    it('should throw error when discovery document is invalid', async () => {
+      (global.fetch as jest.Mock).mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          // Missing issuer and jwks_uri
+        })
+      });
+
+      await expect(TokenVerifier.getInitializedInstance()).rejects.toThrow(
+        'Invalid discovery document: missing issuer or jwks_uri'
+      );
+    });
+
+    it('should throw error when discovery endpoint is unreachable', async () => {
+      (global.fetch as jest.Mock).mockResolvedValue({
+        ok: false,
+        status: 404,
+        statusText: 'Not Found'
+      });
+
+      await expect(TokenVerifier.getInitializedInstance()).rejects.toThrow(
+        'Failed to fetch discovery document: 404 Not Found'
+      );
+    });
+  });
+
+  describe('token verification', () => {
+    let tokenVerifier: TokenVerifier;
+
+    beforeEach(async () => {
+      // Mock successful initialization
+      (global.fetch as jest.Mock).mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          issuer: TEST_ISSUER,
+          jwks_uri: TEST_JWKS_URI
+        })
+      });
+
+      tokenVerifier = await TokenVerifier.getInitializedInstance();
+    });
+
+    it('should throw error for empty token', async () => {
+      await expect(tokenVerifier.verify('')).rejects.toThrow(
+        'Token cannot be null or empty'
+      );
+    });
+
+    it('should throw error for undefined token', async () => {
+      await expect(tokenVerifier.verify(undefined)).rejects.toThrow(
+        'Token cannot be null or empty'
+      );
+    });
+
+    it('should throw error for whitespace-only token', async () => {
+      await expect(tokenVerifier.verify('   ')).rejects.toThrow(
+        'Token cannot be null or empty'
+      );
+    });
+
+    it('should return false for invalid token format', async () => {
+      const result = await tokenVerifier.verify('invalid.jwt.token');
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('singleton pattern', () => {
+    it('should return same instance when called multiple times', async () => {
+      // Mock successful initialization
+      (global.fetch as jest.Mock).mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          issuer: TEST_ISSUER,
+          jwks_uri: TEST_JWKS_URI
+        })
+      });
+
+      const instance1 = await TokenVerifier.getInitializedInstance();
+      const instance2 = await TokenVerifier.getInitializedInstance();
+      expect(instance1).toBe(instance2);
+    });
+    it('should call correct prod OAuth2 authorization server discovery URL', async () => {
+      const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          issuer: TEST_ISSUER,
+          jwks_uri: TEST_JWKS_URI
+        })
+      } as unknown as Response);
+
+      await TokenVerifier.getInitializedInstance();
+
+      expect(fetchSpy).toHaveBeenCalledWith(
+        'https://login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server'
+      );
+    });
+
+    it('should call correct prep OAuth2 authorization server discovery URL', async () => {
+      // Set environment variable to staging
+      process.env.ENVIRONMENT = 'staging';
+
+      const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue({
+          issuer: TEST_ISSUER,
+          jwks_uri: TEST_JWKS_URI
+        })
+      } as unknown as Response);
+
+      await TokenVerifier.getInitializedInstance();
+
+      expect(fetchSpy).toHaveBeenCalledWith(
+        'https://prep.login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server'
+      );
+
+      // Clean up environment variable
+      delete process.env.ENVIRONMENT;
+    });
+  });
+
+});

package/src/auth/TokenVerifier.ts

@@ -0,0 +1,145 @@
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+import { logger } from '@zaiusinc/app-sdk';
+
+/**
+ * Default JWKS cache expiration time in milliseconds (1 hour)
+ */
+const DEFAULT_JWKS_EXPIRES_IN = 60 * 60 * 1000;
+
+/**
+ * Default clock skew tolerance in seconds
+ */
+const DEFAULT_LEEWAY = 30;
+
+/**
+ * Expected JWT audience for token validation
+ */
+const AUDIENCE = 'api://default';
+
+/**
+ * Prep Base URL for Optimizely OAuth2 endpoints
+ */
+const PREP_BASE_URL = 'https://prep.login.optimizely.com/oauth2/default';
+
+/**
+ * Prod Base URL for Optimizely OAuth2 endpoints
+ */
+const PROD_BASE_URL = 'https://login.optimizely.com/oauth2/default';
+
+interface DiscoveryDocument {
+  issuer: string;
+  jwks_uri: string;
+  [key: string]: any;
+}
+
+export class TokenVerifier {
+  private static instance: TokenVerifier | null = null;
+  private jwksUri?: string;
+  private issuer?: string;
+  private jwks?: ReturnType<typeof createRemoteJWKSet>;
+  private initialized: boolean = false;
+
+  /**
+   * Verify the provided Optimizely JWT token string
+   * @param token JWT token string to verify
+   * @returns boolean true if verification successful, false otherwise
+   * @throws Error if token is null, empty, or verifier is not properly configured
+   */
+  public async verify(token: string | undefined): Promise<boolean> {
+    if (!token || token.trim().length === 0) {
+      throw new Error('Token cannot be null or empty');
+    }
+
+    return this.verifyToken(token);
+  }
+
+  private static getInstance(): TokenVerifier {
+    if (!TokenVerifier.instance) {
+      TokenVerifier.instance = new TokenVerifier();
+    }
+    return TokenVerifier.instance;
+  }
+
+  /**
+   * Get singleton instance of TokenVerifier and ensure it's initialized
+   * @returns Promise<TokenVerifier> - initialized singleton instance
+   */
+  public static async getInitializedInstance(): Promise<TokenVerifier> {
+    const instance = TokenVerifier.getInstance();
+    if (!instance.initialized) {
+      await instance.initialize();
+    }
+    return instance;
+  }
+
+  /**
+   * Initialize the TokenVerifier with discovery document from well-known endpoint
+   */
+  private async initialize(): Promise<void> {
+    if (this.initialized) {
+      return;
+    }
+
+    try {
+      // Use prep URL when environment variable is set to 'staging', otherwise use prod
+      const environment = process.env.ENVIRONMENT || 'production';
+      const baseUrl = environment === 'staging' ? PREP_BASE_URL : PROD_BASE_URL;
+      const discoveryDocument = await this.fetchDiscoveryDocument(baseUrl);
+      this.issuer = discoveryDocument.issuer;
+      this.jwksUri = discoveryDocument.jwks_uri;
+      this.jwks = createRemoteJWKSet(new URL(this.jwksUri), {
+        cacheMaxAge: DEFAULT_JWKS_EXPIRES_IN,
+        cooldownDuration: DEFAULT_JWKS_EXPIRES_IN
+      });
+      this.initialized = true;
+      logger.info(`TokenVerifier initialized with issuer: ${this.issuer} (environment: ${environment})`);
+    } catch (error) {
+      logger.error('Failed to initialize TokenVerifier', error);
+      // Re-throw the original error to preserve specific error messages for tests
+      throw error;
+    }
+  }
+
+  /**
+   * Fetch discovery document from well-known endpoint
+   */
+  private async fetchDiscoveryDocument(baseUrl: string): Promise<DiscoveryDocument> {
+    const wellKnownUrl = `${baseUrl}/.well-known/oauth-authorization-server`;
+
+    const response = await fetch(wellKnownUrl);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch discovery document: ${response.status} ${response.statusText}`);
+    }
+    const discoveryDocument = await response.json() as DiscoveryDocument;
+    if (!discoveryDocument.issuer || !discoveryDocument.jwks_uri) {
+      throw new Error('Invalid discovery document: missing issuer or jwks_uri');
+    }
+
+    return discoveryDocument;
+  }
+
+  private async verifyToken(token: string): Promise<boolean> {
+    if (!this.initialized) {
+      throw new Error('TokenVerifier not initialized. Call initialize() first.');
+    }
+
+    if (!this.jwks || !this.issuer) {
+      throw new Error('TokenVerifier not properly configured.');
+    }
+
+    try {
+      await jwtVerify(token, this.jwks, {
+        issuer: this.issuer,
+        audience: AUDIENCE,
+        clockTolerance: DEFAULT_LEEWAY,
+      });
+      return true;
+    } catch (error) {
+      logger.error('Token verification failed:', error);
+      return false;
+    }
+  }
+
+}
+
+export const getTokenVerifier = async (): Promise<TokenVerifier> => TokenVerifier.getInitializedInstance();