npm - @velocitycareerlabs/server-careerwallet - Versions diffs - 1.25.0-dev-build.12642c864 - Mend

@velocitycareerlabs/server-careerwallet 1.25.0-dev-build.12642c864

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/src/entities/oauth/domain/build-access-token.js ADDED Viewed

@@ -0,0 +1,14 @@
+const { generateDocJwt } = require('@velocitycareerlabs/jwt');
+const { nanoid } = require('nanoid');
+const initBuildAccessToken =
+  (signingKey, issuer, expiresIn) => async (scope, accountId) =>
+    generateDocJwt({ scope, nonce: nanoid(8) }, signingKey, {
+      issuer,
+      expiresIn,
+      subject: accountId,
+    });
+module.exports = {
+  initBuildAccessToken,
+};

package/src/entities/oauth/domain/index.js ADDED Viewed

@@ -0,0 +1,10 @@
+module.exports = {
+  ...require('./build-access-token'),
+  ...require('./validate-scope'),
+  ...require('./validate-client-id'),
+  ...require('./validate-audience'),
+  ...require('./validate-refresh-token'),
+  ...require('./validate-presentation'),
+  ...require('./validate-credential'),
+  ...require('./verify-presentation'),
+};

package/src/entities/oauth/domain/validate-audience.js ADDED Viewed

@@ -0,0 +1,13 @@
+const newError = require('http-errors');
+const initValidateAudience = (_audience) => {
+  return (audience) => {
+    if (audience !== _audience) {
+      throw newError.Unauthorized(`Unknown audience: ${audience}`);
+    }
+  };
+};
+module.exports = {
+  initValidateAudience,
+};

package/src/entities/oauth/domain/validate-client-id.js ADDED Viewed

@@ -0,0 +1,13 @@
+const newError = require('http-errors');
+const initValidateClientId = (_clientId) => {
+  return (clientId) => {
+    if (clientId !== _clientId) {
+      throw newError.Unauthorized(`Unknown client id: ${clientId}`);
+    }
+  };
+};
+module.exports = {
+  initValidateClientId,
+};

package/src/entities/oauth/domain/validate-credential.js ADDED Viewed

@@ -0,0 +1,16 @@
+const { includes } = require('lodash/fp');
+const newError = require('http-errors');
+const validateCredential = (credential) => {
+  const { payload } = credential;
+  const { vc } = payload;
+  const { type } = vc;
+  const includesCorrectCredential = includes('PhoneV1.0', type);
+  if (!includesCorrectCredential) {
+    throw newError.Unauthorized('Credential is not of type PhoneV1.0');
+  }
+};
+module.exports = {
+  validateCredential,
+};

package/src/entities/oauth/domain/validate-presentation.js ADDED Viewed

@@ -0,0 +1,17 @@
+const newError = require('http-errors');
+const { GrantTypes } = require('../constants');
+const validatePresentation = (grantType, presentation) => {
+  if (grantType !== GrantTypes.VNF_PRESENTATION) {
+    return;
+  }
+  if (!presentation) {
+    throw newError.BadRequest(
+      `Presentation required with grant type "${GrantTypes.VNF_PRESENTATION}"`
+    );
+  }
+};
+module.exports = {
+  validatePresentation,
+};

package/src/entities/oauth/domain/validate-refresh-token.js ADDED Viewed

@@ -0,0 +1,17 @@
+const newError = require('http-errors');
+const { GrantTypes } = require('../constants');
+const validateRefreshToken = (grantType, refreshToken) => {
+  if (grantType !== GrantTypes.REFRESH_TOKEN) {
+    return;
+  }
+  if (!refreshToken) {
+    throw newError.BadRequest(
+      `Refresh token required with grant type "${GrantTypes.REFRESH_TOKEN}"`
+    );
+  }
+};
+module.exports = {
+  validateRefreshToken,
+};

package/src/entities/oauth/domain/validate-scope.js ADDED Viewed

@@ -0,0 +1,30 @@
+const { reduce, split, partition, isEmpty } = require('lodash/fp');
+const newError = require('http-errors');
+const validateScope = (scopes) =>
+  reduce(
+    (accumulator, current) => ({ ...accumulator, [current]: true }),
+    {},
+    split(' ', scopes)
+  );
+const initValidateScopes = (scopes) => {
+  const scopesMap = validateScope(scopes);
+  return (scopeStr) => {
+    const scopeArr = split(' ', scopeStr);
+    const [recognizedScopes, unrecognizedScopes] = partition(
+      (scope) => scopesMap[scope],
+      scopeArr
+    );
+    if (!isEmpty(unrecognizedScopes)) {
+      throw newError.Unauthorized(
+        `Unrecognized scopes: ${JSON.stringify(unrecognizedScopes)}`
+      );
+    }
+    return recognizedScopes;
+  };
+};
+module.exports = {
+  initValidateScopes,
+};

package/src/entities/oauth/domain/verify-presentation.js ADDED Viewed

@@ -0,0 +1,24 @@
+const { verifyPresentationJwt, jwtVerify } = require('@velocitycareerlabs/jwt');
+const { reject, isNil, first } = require('lodash/fp');
+const newError = require('http-errors');
+const initVerifyPresentation = (jwk) => async (presentation) => {
+  const decodedAndVerifiedPresentation = await verifyPresentationJwt(
+    presentation
+  );
+  const vcJwts = reject(
+    isNil,
+    decodedAndVerifiedPresentation.verifiableCredential
+  );
+  const vc = first(vcJwts);
+  try {
+    const decodedJwt = await jwtVerify(vc, jwk);
+    return decodedJwt;
+  } catch (e) {
+    throw newError.Unauthorized('Credential verification failed');
+  }
+};
+module.exports = {
+  initVerifyPresentation,
+};

package/src/entities/oauth/index.js ADDED Viewed

@@ -0,0 +1,4 @@
+module.exports = {
+  ...require('./domain'),
+  ...require('./constants'),
+};

package/src/entities/pushes/domains/errors.js ADDED Viewed

@@ -0,0 +1,11 @@
+const ErrorsUnauthorizedPushes = {
+  INVALID_ISSUING_TIME: 'Invalid issue time',
+  INVALID_AUDIENCE: 'Invalid audience',
+  INVALID_HASH: 'Invalid hash',
+  MISSED_CLAIMS: 'Missed claims in a token',
+  INVALID_ORG_ERROR_TEMPLATE: ({ reason }) =>
+    `Invalid organization profile due to ${reason}`,
+};
+module.exports = {
+  ErrorsUnauthorizedPushes,
+};

package/src/entities/pushes/domains/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./errors'),
+};

package/src/entities/pushes/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./domains'),
+};

package/src/entities/verification-code-attempts/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./orchestrators'),
+};

package/src/entities/verification-code-attempts/orchestrators/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./validate-verification-code-attempts'),
+};

package/src/entities/verification-code-attempts/orchestrators/validate-verification-code-attempts.js ADDED Viewed

@@ -0,0 +1,79 @@
+const { subMinutes, addHours } = require('date-fns/fp');
+const { size, map, filter, partition, startsWith, some } = require('lodash/fp');
+const createError = require('http-errors');
+const { mapWithIndex } = require('@velocitycareerlabs/common-functions');
+const validateVerificationCodeAttempts = async (key, ctx) => {
+  const { repos } = ctx;
+  const timestamp = new Date();
+  await repos.verificationCodeAttempts.insertAttempt(key, timestamp);
+  await applyRules({ key, timestamp }, ctx);
+};
+const applyRules = async ({ key, timestamp }, ctx) => {
+  const { repos } = ctx;
+  validateIsPrefixAllowed(key, ctx);
+  const loadedAttempts =
+    await repos.verificationCodeAttempts.loadPreviousAttempts(
+      key,
+      timestamp,
+      subMinutes(60, timestamp)
+    );
+  if (size(loadedAttempts) >= 10) {
+    const idsWithReleaseAt = map(
+      (attempt) => ({
+        id: attempt._id,
+        releaseAt: addHours(480, timestamp),
+      }),
+      loadedAttempts
+    );
+    await repos.verificationCodeAttempts.setReleaseAtById(idsWithReleaseAt);
+    throwAttemptBlockedError();
+  }
+  const [futureReleases, previousAttempts] = partition(
+    (attempt) => !!attempt.releaseAt,
+    loadedAttempts
+  );
+  const previousAttempts60Min = filter(
+    (attempt) => attempt.attemptedAt >= subMinutes(60, timestamp),
+    previousAttempts
+  );
+  const futureReleasesAnd60Min = [...futureReleases, ...previousAttempts60Min];
+  if (size(futureReleasesAnd60Min) >= 3) {
+    const idsWithReleaseAt = mapWithIndex(
+      (attempt, idx) => ({
+        id: attempt._id,
+        releaseAt: addHours(idx + 1, timestamp),
+      }),
+      futureReleasesAnd60Min
+    );
+    await repos.verificationCodeAttempts.setReleaseAtById(idsWithReleaseAt);
+    throwAttemptBlockedError();
+  }
+};
+const validateIsPrefixAllowed = (phoneNumber, ctx) => {
+  const {
+    config: { phonePrefixesToBlock },
+  } = ctx;
+  const isPrefixBlocked = some((phonePrefix) => {
+    return startsWith(phonePrefix, phoneNumber);
+  }, phonePrefixesToBlock);
+  if (isPrefixBlocked) {
+    throwAttemptBlockedError();
+  }
+};
+const throwAttemptBlockedError = () => {
+  throw createError(400, 'Attempt Blocked', {
+    errorCode: 'attempt_blocked',
+  });
+};
+module.exports = {
+  validateVerificationCodeAttempts,
+};

package/src/entities/verification-code-attempts/repo.js ADDED Viewed

@@ -0,0 +1,99 @@
+const {
+  repoFactory,
+  autoboxIdsExtension,
+} = require('@spencejs/spence-mongo-repos');
+const { map } = require('lodash/fp');
+const { hashAndEncodeHex } = require('@velocitycareerlabs/crypto');
+module.exports = (app, options, next = () => {}) => {
+  next();
+  return repoFactory(
+    {
+      name: 'verificationCodeAttempts',
+      entityName: 'verificationCodeAttempt',
+      defaultProjection: {
+        _id: 1,
+        attemptedAt: 1,
+        releaseAt: 1,
+      },
+      extensions: [
+        autoboxIdsExtension,
+        hashKeyModificationExtension,
+        hashKeyFilterExtension,
+        insertAttemptExtension,
+        loadPreviousAttemptsExtension,
+        setReleaseAtByIdExtension,
+      ],
+    },
+    app
+  );
+};
+const hashKeyModificationExtension = (parent) => {
+  return {
+    prepModification: (val, ...args) => {
+      return parent.prepModification(
+        { ...val, key: val.key && hashAndEncodeHex(val.key) },
+        ...args
+      );
+    },
+    extensions: parent.extensions.concat(['hashKeyModificationExtension']),
+  };
+};
+const hashKeyFilterExtension = (parent) => {
+  return {
+    prepFilter: (filter) => {
+      return parent.prepFilter({
+        ...filter,
+        key: filter.key && hashAndEncodeHex(filter.key),
+      });
+    },
+    extensions: parent.extensions.concat(['hashKeyFilterExtension']),
+  };
+};
+const insertAttemptExtension = (parent) => ({
+  insertAttempt: async (key, timestamp) => {
+    return parent.insert({
+      key,
+      attemptedAt: timestamp,
+    });
+  },
+  extensions: parent.extensions.concat(['insertAttempt']),
+});
+const loadPreviousAttemptsExtension = (parent) => ({
+  loadPreviousAttempts: async (key, timestamp, offsetTimestamp) => {
+    return parent.find({
+      filter: {
+        $or: [
+          { releaseAt: { $gt: timestamp } },
+          { attemptedAt: { $gte: offsetTimestamp } },
+        ],
+        key,
+      },
+      sort: {
+        attemptedAt: 1,
+      },
+    });
+  },
+  extensions: parent.extensions.concat(['loadPreviousAttempts']),
+});
+const setReleaseAtByIdExtension = (parent) => ({
+  setReleaseAtById: async (idsWithReleaseAt) => {
+    const operations = map(
+      ({ id, releaseAt }) => ({
+        updateOne: {
+          filter: { _id: id },
+          update: {
+            $set: { releaseAt },
+          },
+        },
+      }),
+      idsWithReleaseAt
+    );
+    return parent.collection().bulkWrite(operations);
+  },
+  extensions: parent.extensions.concat(['setReleaseAtById']),
+});

package/src/entities/verifications/constants.js ADDED Viewed

@@ -0,0 +1,8 @@
+const VerificationValueTypes = Object.freeze({
+  Phone: 'phone',
+  Email: 'email',
+});
+module.exports = {
+  VerificationValueTypes,
+};

package/src/entities/verifications/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./constants'),
+};

package/src/helpers/caching-constants.js ADDED Viewed

@@ -0,0 +1,6 @@
+const CachingConstants = {
+  CACHE_CONTROL_HEADER: 'Cache-control',
+  MAX_AGE_CACHE_CONTROL: 'public,max-age=31536000,immutable',
+};
+module.exports = { CachingConstants };

package/src/helpers/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+module.exports = {
+  ...require('./caching-constants'),
+};

package/src/index.js ADDED Viewed

@@ -0,0 +1,15 @@
+const {
+  createServer,
+  listenServer,
+} = require('@velocitycareerlabs/server-provider');
+const { flow } = require('lodash/fp');
+const config = require('./config/config');
+const { initServer } = require('./init-server');
+/* istanbul ignore next */
+process.on('unhandledRejection', (error) => {
+  console.error(error);
+  process.exit(1);
+});
+flow(createServer, initServer, listenServer)(config);

package/src/init-server.js ADDED Viewed

@@ -0,0 +1,88 @@
+const { corsPlugin } = require('@velocitycareerlabs/fastify-plugins');
+const {
+  sendEmailPlugin,
+  sendSmsPlugin,
+} = require('@velocitycareerlabs/aws-clients');
+const initRequest = require('@velocitycareerlabs/request');
+const Static = require('@fastify/static');
+const AutoLoad = require('@fastify/autoload');
+const path = require('path');
+const {
+  yotiIntegrationPlugin,
+} = require('@velocitycareerlabs/yoti-integration-plugin');
+const { pick } = require('lodash/fp');
+const { vclVerificationVersionPlugin } = require('./plugins');
+const initServer = (server) => {
+  return server
+    .register(corsPlugin)
+    .register(sendSmsPlugin)
+    .register(sendEmailPlugin)
+    .register(vclVerificationVersionPlugin)
+    .register(yotiIntegrationPlugin)
+    .register(AutoLoad, {
+      dir: path.join(__dirname, 'controllers'),
+      indexPattern: /.*repo(\.ts|\.js|\.cjs|\.mjs)$/,
+      scriptPattern: /.*repo(\.ts|\.js|\.cjs|\.mjs)$/,
+    })
+    .register(AutoLoad, {
+      dir: path.join(__dirname, 'entities'),
+      indexPattern: /.*repo(\.ts|\.js|\.cjs|\.mjs)$/,
+      scriptPattern: /.*repo(\.ts|\.js|\.cjs|\.mjs)$/,
+    })
+    .register(AutoLoad, {
+      dir: path.join(__dirname, 'controllers'),
+      indexPattern: /^.*controller(\.ts|\.js|\.cjs|\.mjs)$/,
+      scriptPattern: /.*controller(\.ts|\.js|\.cjs|\.mjs)$/,
+      routeParams: true,
+      autoHooks: true,
+      cascadeHooks: true,
+    })
+    .decorate(
+      'baseAgentFetch',
+      initRequest({
+        ...server.config,
+        prefixUrl: server.config.agentUrl,
+      })
+    )
+    .decorateRequest('agentFetch', null)
+    .addHook('preValidation', async (req) => {
+      req.agentFetch = server.baseAgentFetch(req);
+    })
+    .decorate(
+      'baseRegistrarFetch',
+      initRequest({
+        ...server.config,
+        prefixUrl: server.config.registrarUrl,
+      })
+    )
+    .decorateRequest('registrarFetch', null)
+    .addHook('preValidation', async (req) => {
+      req.registrarFetch = server.baseRegistrarFetch(req);
+    })
+    .decorate(
+      'baseLibFetch',
+      initRequest({
+        ...pick(['nodeEnv', 'requestTimeout', 'traceIdHeader'], server.config),
+        prefixUrl: server.config.libUrl,
+      })
+    )
+    .decorateRequest('libFetch', null)
+    .addHook('preValidation', async (req) => {
+      req.libFetch = server.baseLibFetch(req);
+    })
+    .register(Static, {
+      root: path.join(__dirname, 'assets'),
+      wildcard: false,
+    })
+    .register(Static, {
+      root: path.join(__dirname, 'assets/category-icons'),
+      prefix: '/category-icons',
+      setHeaders: (res) => {
+        res.setHeader('contentType', 'image/png');
+      },
+      decorateReply: false,
+    });
+};
+module.exports = { initServer };

package/src/plugins/index.js ADDED Viewed

@@ -0,0 +1,4 @@
+module.exports = {
+  ...require('./vcl-verification-version-plugin'),
+  ...require('./verify-access-token-plugin'),
+};

package/src/plugins/vcl-verification-version-plugin.js ADDED Viewed

@@ -0,0 +1,10 @@
+const {
+  fastifyVersionPluginFactory,
+} = require('@velocitycareerlabs/fastify-plugins');
+const vclVerificationVersionPlugin = fastifyVersionPluginFactory(
+  'x-vcl-verif-version',
+  'vclVerificationVersion'
+);
+module.exports = { vclVerificationVersionPlugin };

package/src/plugins/verify-access-token-plugin.js ADDED Viewed

@@ -0,0 +1,116 @@
+const fp = require('fastify-plugin');
+const { isEmpty, some, trim, values } = require('lodash/fp');
+const newError = require('http-errors');
+const bearerAuthPlugin = require('@fastify/bearer-auth');
+const { jwtVerify } = require('@velocitycareerlabs/jwt');
+const { promisify } = require('@velocitycareerlabs/common-functions');
+const { adminScopes } = require('../entities');
+const initAuth = (context) => async (jwt, request) => {
+  const { config, log } = context;
+  const { holderAppServerAccessTokenPublicKey } = config;
+  try {
+    const { header, payload } = await jwtVerify(
+      jwt,
+      holderAppServerAccessTokenPublicKey
+    );
+    const hasAdminScope = initHasMatchingScope(values(adminScopes));
+    log.info(
+      `velocity-access-token-plugin: ${JSON.stringify({
+        payload,
+        header,
+      })}`
+    );
+    if (isEmpty(payload.sub)) {
+      throw new newError.Unauthorized();
+    }
+    if (hasAdminScope(payload)) {
+      // eslint-disable-next-line better-mutation/no-mutation
+      request.isServerUser = true;
+    }
+    // eslint-disable-next-line better-mutation/no-mutation
+    request.user = payload;
+    return true;
+  } catch (error) {
+    log.info(
+      `velocity-access-token-plugin-error: ${JSON.stringify({
+        error,
+      })}`
+    );
+    return false;
+  }
+};
+const initHasMatchingScope = (targetScopes) => (user) => {
+  const { scope = '' } = user;
+  const userScopes = scope.split(' ');
+  return some(
+    (userScope) => targetScopes.includes(trim(userScope)),
+    userScopes
+  );
+};
+const initVerifyAccessToken =
+  (fastify) =>
+  (requiredScopes = []) => {
+    const hasMatchingScope = initHasMatchingScope(requiredScopes);
+    return async (req, reply) => {
+      if (isDisabledApiEndpoint(req)) {
+        return;
+      }
+      await promisify(fastify.verifyBearerAuth)(req, reply);
+      if (isEmpty(requiredScopes)) {
+        return;
+      }
+      if (!hasMatchingScope(req.user)) {
+        throw new newError.Forbidden(
+          `User must have one of the following scopes: ${JSON.stringify(
+            requiredScopes
+          )}`
+        );
+      }
+    };
+  };
+const isDisabledApiEndpoint = (req) => {
+  const {
+    routeOptions: { url, method },
+  } = req;
+  return (
+    !isEmpty(req.config.oauthVerificationDisabledEndpoints) &&
+    req.config.oauthVerificationDisabledEndpoints.includes(`${method}:${url}`)
+  );
+};
+const verifyAccessTokenPlugin = (fastify, options, next) => {
+  fastify
+    .register(bearerAuthPlugin, {
+      auth: initAuth(fastify),
+      addHook: false,
+    })
+    .decorate('verifyCareerWalletAccessToken', initVerifyAccessToken(fastify))
+    .decorateRequest(
+      'verifyUserAdminScope',
+      initHasMatchingScope(values(adminScopes))
+    );
+  next();
+};
+module.exports = {
+  verifyAccessTokenPlugin: fp(verifyAccessTokenPlugin, {
+    fastify: '>=2.0.0',
+    name: 'velocity-access-token-plugin',
+  }),
+};

package/src/standalone.js ADDED Viewed

@@ -0,0 +1,8 @@
+/* istanbul ignore file */
+// eslint-disable-next-line import/no-extraneous-dependencies
+const dotenv = require('dotenv');
+dotenv.config({ path: '.standalone.env' });
+dotenv.config({ path: '.localdev.env' });
+require('./index');