@semapps/auth 1.1.1 → 1.1.3

package/index.js

@@ -3,7 +3,6 @@ module.exports = {
   AuthLocalService: require('./services/auth.local'),
   AuthOIDCService: require('./services/auth.oidc'),
   AuthAccountService: require('./services/account'),
-  AuthCapabilitiesService: require('./services/capabilities'),
   AuthJWTService: require('./services/jwt'),
   AuthMigrationService: require('./services/migration'),
   AuthMailService: require('./services/mail')

package/mixins/auth.js

@@ -1,12 +1,62 @@
 const passport = require('passport');
 const { Errors: E } = require('moleculer-web');
 const { TripleStoreAdapter } = require('@semapps/triplestore');
-const urlJoin = require('url-join');
 const AuthAccountService = require('../services/account');
 const AuthJWTService = require('../services/jwt');
-const CapabilitiesService = require('../services/capabilities');
 
-/** @type {import('moleculer').ServiceSchema} */
+/**
+ * Auth Mixin that handles authentication and authorization for routes
+ * that requested this.
+ *
+ * The authorization and authentication actions check for a valid `authorization` header.
+ * If the bearer token is a server-signed JWT identifying the user, `ctx.meta.tokenPayload` and
+ * `ctx.meta.webId` are set. Setting either `authorization` or `authentication` suffices.
+ *
+ * # Authentication
+ * In the `authenticate` action, the webId is set to `anon`, if no `authorization` header is present.
+ *
+ * # Authorization
+ * In contrast, the `authorize` action throws an unauthorized error,
+ * if no `authorization` header is present.
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+ *
+ * ## Capability Authorization
+ * Additionally, the `authorize` action supports capability authorization based on
+ * Verifiable Credentials (VCs), if `opts.authorizeWithCapability` is set to `true`.
+ *
+ * **WARNING**: This does not make any assertions about the validity of the capabilities'
+ * content (`credentialSubject`). What *is* checked:
+ * - the delegation chain was correct
+ * - all signatures are valid
+ * - the `controller`s of the keys (`verificationMethod`) used in the proofs to sign
+ *   the VC capabilities and presentation are correct. I.e. the controller resolves to
+ *   the WebId/controller identifier document (CID) which lists the key.\
+ *   This means that *you know who signed the presentation and capabilities* on the way.
+ *
+ * NO BUSINESS LOGIC IS CHECKED.\
+ * It is still necessary to verify if the request itself is valid.
+ * There would be no error when the `credentialSubject` says: "A is allowed to read B"
+ * while the statement is actually made by "C" and not by "B".\
+ *
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+ *
+ * @example Configuration for a new route
+ * ```js
+ * ctx.call('api.addRoute', {
+ *   path: path.join(basePath, '/your/route'),
+ *   name: 'your-route-name',
+ *   aliases: {
+ *     'GET /': 'your.action.here',
+ *   },
+ *   // Set to true, to run authorization action.
+ *   authorization: true,
+ *   // Set to true, to run authenticate action.
+ *   authentication: false,
+ * });
+ * ```
+ *
+ * @type {import('moleculer').ServiceSchema}
+ */
 const AuthMixin = {
   settings: {
     baseUrl: null,
@@ -36,10 +86,6 @@ const AuthMixin = {
       settings: { reservedUsernames, minPasswordLength, minUsernameLength },
       adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: accountsDataset })
     });
-
-    if (podProvider) {
-      this.broker.createService({ mixins: [CapabilitiesService], settings: { path: this.settings.capabilitiesPath } });
-    }
   },
   async started() {
     if (!this.passportId) throw new Error('this.passportId must be set in the service creation.');
@@ -76,33 +122,28 @@ const AuthMixin = {
       }
 
       if (method === 'Bearer') {
-        const payload = await ctx.call('auth.jwt.verifyToken', { token });
+        const payload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
         if (payload) {
           ctx.meta.tokenPayload = payload;
           ctx.meta.webId = payload.webId;
           return Promise.resolve(payload);
         }
+
+        // Check if token is a capability.
+        if (route.opts.authorizeWithCapability) {
+          return this.validateCapability(ctx, token);
+        }
+
         // Invalid token
         // TODO make sure token is deleted client-side
-        ctx.meta.webId = 'anon';
         return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
-      } else if ((method === 'Capability' || req.$params.capability) && this.settings.podProvider) {
-        const capabilityUri = token || req.$params.capability;
-        const capability = await this.actions.getValidateCapability({
-          capabilityUri,
-          username: req.parsedUrl.match(/[^/]+/)[0]
-        });
-
-        ctx.meta.webId = 'anon';
-        req.$ctx.meta.webId = 'anon';
-        req.$ctx.meta.authorization = { capability };
-        return Promise.resolve(null);
       }
 
       // No valid auth method given.
       ctx.meta.webId = 'anon';
       return Promise.resolve(null);
     },
+
     // See https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
     async authorize(ctx) {
       const { route, req, res } = ctx.params;
@@ -111,97 +152,31 @@ const AuthMixin = {
       const [method, token] = req.headers.authorization && req.headers.authorization.split(' ');
 
       if (!token) {
-        ctx.meta.webId = 'anon';
         return Promise.reject(new E.UnAuthorizedError(E.ERR_NO_TOKEN));
       }
+      if (method !== 'Bearer') {
+        return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+      }
 
-      if (method === 'Bearer') {
-        const payload = await ctx.call('auth.jwt.verifyToken', { token });
-        if (payload) {
-          ctx.meta.tokenPayload = payload;
-          ctx.meta.webId = payload.webId;
-          return Promise.resolve(payload);
-        }
-      } else if ((method === 'Capability' || req.$params.capability) && this.settings.podProvider) {
-        const capabilityUri = token || req.$params.capability;
-        const capability = await this.actions.getValidateCapability({
-          capabilityUri,
-          username: req.parsedUrl.match(/[^/]+/)[0]
-        });
-
-        ctx.meta.webId = 'anon';
+      // Validate if the token was signed by server (registered user).
+      const serverSignedPayload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+      if (serverSignedPayload) {
+        ctx.meta.tokenPayload = serverSignedPayload;
+        ctx.meta.webId = serverSignedPayload.webId;
+        return Promise.resolve(serverSignedPayload);
+      }
 
-        req.$ctx.meta.webId = 'anon';
-        req.$ctx.meta.authorization = { capability };
-        if (capability) {
-          return Promise.resolve(null);
-        }
+      // Check if token is a capability.
+      if (route.opts.authorizeWithCapability) {
+        return this.validateCapability(ctx, token);
       }
 
       return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
     },
-    getValidateCapability: {
-      params: {
-        capabilityUri: {
-          type: 'string',
-          required: true
-        },
-        webId: {
-          type: 'string',
-          optional: true
-        },
-        username: {
-          type: 'string',
-          optional: true
-        }
-      },
-      /**
-       * Checks, if the provided capabilityUri is a valid URI and within the resource owner's cap container.
-       * @returns {Promise<object>} The stored capability object or undefined, if the capability is not valid.
-       */
-      async handler(ctx) {
-        let { capabilityUri, webId, username } = ctx.params;
-        /** @type {string} */
-        const baseUrlTrailing = urlJoin(this.settings.baseUrl, '/');
-        webId = webId || baseUrlTrailing + username;
-
-        const podUrl = await ctx.call('solid-storage.getUrl', { webId });
-
-        // Check if capabilityUri is within the resource owner's pod
-        if (!webId?.startsWith(baseUrlTrailing) || !capabilityUri?.startsWith(podUrl)) {
-          return undefined;
-        }
-
-        // Check, if capUri is a valid URI.
-        try {
-          // eslint-disable-next-line no-new
-          new URL(capabilityUri);
-        } catch {
-          return undefined;
-        }
-
-        // Check if capabilityUri is within the resource owner's cap container.
-        const resourceCapContainerUri = await ctx.call('capabilities.getContainerUri', {
-          webId
-        });
-
-        if (
-          !(await ctx.call('ldp.container.includes', {
-            containerUri: resourceCapContainerUri,
-            resourceUri: capabilityUri,
-            webId: 'system'
-          }))
-        ) {
-          return undefined;
-        }
-
-        return await ctx.call('capabilities.get', { resourceUri: capabilityUri });
-      }
-    },
 
     async impersonate(ctx) {
       const { webId } = ctx.params;
-      return await ctx.call('auth.jwt.generateToken', {
+      return await ctx.call('auth.jwt.generateServerSignedToken', {
         payload: {
           webId
         }
@@ -209,6 +184,34 @@ const AuthMixin = {
     }
   },
   methods: {
+    async validateCapability(ctx, token) {
+      // We accept VC Presentations to invoke capabilities here. It must be encoded as JWT.
+      // We do not use the VC-JOSE spec to sign and envelop presentations. Instead we go
+      // with embedded signatures. This way, the signature persists within the resource.
+
+      // Decode JTW to JSON.
+      const decodedToken = await ctx.call('auth.jwt.decodeToken', { token });
+      if (!decodedToken) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+
+      // Verify that decoded JSON token is a valid VC presentation.
+      const {
+        verified: isCapSignatureVerified,
+        presentation: verifiedPresentation,
+        presentationResult
+      } = await ctx.call('crypto.vc.verifier.verifyCapabilityPresentation', {
+        verifiablePresentation: decodedToken,
+        options: {
+          maxChainLength: ctx.params.route.opts.maxChainLength
+        }
+      });
+      if (!isCapSignatureVerified) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+
+      // VC Capability is verified.
+      ctx.meta.webId = presentationResult?.results?.[0]?.purposeResult?.holder || 'anon';
+      ctx.meta.authorization = { capabilityPresentation: verifiedPresentation };
+
+      return Promise.resolve(verifiedPresentation);
+    },
     getStrategy() {
       throw new Error('getStrategy must be implemented by the service');
     },

package/mixins/auth.sso.js

@@ -60,7 +60,7 @@ const AuthSSOMixin = {
         );
       }
 
-      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId } });
+      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
 
       return { token, newUser };
     }

package/package.json

@@ -1,14 +1,14 @@
 {
   "name": "@semapps/auth",
-  "version": "1.1.1",
+  "version": "1.1.3",
   "description": "Authentification module for SemApps",
   "license": "Apache-2.0",
   "author": "Virtual Assembly",
   "dependencies": {
-    "@semapps/ldp": "1.1.1",
-    "@semapps/middlewares": "1.1.1",
-    "@semapps/mime-types": "1.1.1",
-    "@semapps/triplestore": "1.1.1",
+    "@semapps/ldp": "1.1.3",
+    "@semapps/middlewares": "1.1.3",
+    "@semapps/mime-types": "1.1.3",
+    "@semapps/triplestore": "1.1.3",
     "bcrypt": "^5.0.1",
     "express-session": "^1.17.0",
     "jsonwebtoken": "^8.5.1",
@@ -30,5 +30,5 @@
   "engines": {
     "node": ">=14"
   },
-  "gitHead": "5782cd74389aea502368e292be5b827ddf3d123d"
+  "gitHead": "cc54d6fb548a7c34d3007d159b31145a5f509898"
 }

package/services/account.js

@@ -186,7 +186,8 @@ module.exports = {
       return account?.username;
     },
     async findSettingsByWebId(ctx) {
-      const webId = ctx.params.webId || ctx.meta.webId;
+      const webId = ctx.meta.webId;
+
       const account = await ctx.call('auth.account.findByWebId', { webId });
 
       return {

package/services/auth.local.js

@@ -73,7 +73,7 @@ const AuthLocalService = {
 
         ctx.emit('auth.registered', { webId, profileData, accountData });
 
-        const token = await ctx.call('auth.jwt.generateToken', { payload: { webId } });
+        const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
 
         return { token, webId, newUser: true };
       } catch (e) {
@@ -89,7 +89,7 @@ const AuthLocalService = {
 
       ctx.emit('auth.connected', { webId: accountData.webId, accountData }, { meta: { webId: null, dataset: null } });
 
-      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId: accountData.webId } });
+      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId: accountData.webId } });
 
       return { token, webId: accountData.webId, newUser: false };
     },

package/services/jwt.js

@@ -3,6 +3,13 @@ const path = require('path');
 const jwt = require('jsonwebtoken');
 const crypto = require('crypto');
 
+/**
+ * Service that creates and validates JSON web tokens(JWT).
+ * Tokens are signed against this server's keys.
+ * This is useful for generating/validating authentication tokens.
+ *
+ * TODO: Tokens do not expire.
+ */
 module.exports = {
   name: 'auth.jwt',
   settings: {
@@ -63,11 +70,12 @@ module.exports = {
         );
       });
     },
-    async generateToken(ctx) {
+    async generateServerSignedToken(ctx) {
       const { payload } = ctx.params;
       return jwt.sign(payload, this.privateKey, { algorithm: 'RS256' });
     },
-    async verifyToken(ctx) {
+    /** Verifies that the token was signed by this server. */
+    async verifyServerSignedToken(ctx) {
       const { token } = ctx.params;
       try {
         return jwt.verify(token, this.publicKey, { algorithms: ['RS256'] });
@@ -75,6 +83,11 @@ module.exports = {
         return false;
       }
     },
+    async generateUnsignedToken(ctx) {
+      const { payload } = ctx.params;
+      const token = jwt.sign(payload, null, { algorithm: 'none' });
+      return token;
+    },
     // Warning, this does NOT verify if signature is valid
     async decodeToken(ctx) {
       const { token } = ctx.params;

package/services/capabilities.js

@@ -1,69 +0,0 @@
-const { ControlledContainerMixin } = require('@semapps/ldp');
-const { MIME_TYPES } = require('@semapps/mime-types');
-
-const CAPABILITIES_ROUTE = '/capabilities';
-
-/**
- * Service to host the capabilities container.
- * @type {import('moleculer').ServiceSchema}
- */
-const CapabilitiesService = {
-  name: 'capabilities',
-  mixins: [ControlledContainerMixin],
-  settings: {
-    path: CAPABILITIES_ROUTE,
-    acceptedTypes: ['acl:Authorization'],
-    excludeFromMirror: true,
-    activateTombstones: false,
-    permissions: {},
-    newResourcesPermissions: {},
-    typeIndex: 'private'
-  },
-  hooks: {
-    before: {
-      /**
-       * Bypass authorization when getting the resource.
-       *
-       * The URI itself is considered the secret. So no more
-       * authorization is necessary at this point.
-       * If we decide to support capabilities with multiple
-       * authorization factors, this will have to change in
-       * the future.
-       */
-      get: ctx => {
-        ctx.params.webId = 'system';
-      }
-    }
-  },
-  actions: {
-    createCapability: {
-      params: {
-        webId: { type: 'string', optional: false },
-        accessTo: { type: 'string', optional: false },
-        mode: { type: 'string', optional: false }
-      },
-      async handler(ctx) {
-        const { accessTo, mode, webId } = ctx.params;
-
-        const capContainerUri = await this.actions.getContainerUri({ webId }, { parentCtx: ctx });
-
-        const capUri = await this.actions.post(
-          {
-            containerUri: capContainerUri,
-            resource: {
-              '@type': 'acl:Authorization',
-              'acl:accessTo': accessTo,
-              'acl:mode': mode
-            },
-            contentType: MIME_TYPES.JSON,
-            webId
-          },
-          { parentCtx: ctx }
-        );
-        return capUri;
-      }
-    }
-  }
-};
-
-module.exports = CapabilitiesService;