fastify-txstate 3.6.9 → 4.0.1

package/lib/server.js

@@ -0,0 +1,441 @@
+import { Ajv } from 'ajv';
+import swagger from '@fastify/swagger';
+import swaggerUI from '@fastify/swagger-ui';
+import { validatedResponse } from '@txstate-mws/fastify-shared';
+import ajvErrors from 'ajv-errors';
+import ajvFormats from 'ajv-formats';
+import { fastify } from 'fastify';
+import fs from 'node:fs';
+import pino from 'pino';
+import http from 'node:http';
+import { Writable } from 'node:stream';
+import { clone, destroyNulls, isBlank, isNotBlank, omit, set, sleep, stringifyDates, toArray } from 'txstate-utils';
+import { HttpError, ValidationError, ValidationErrors, fstValidationToMessage } from "./error.js";
+/**
+ * Get the base URL for this API. Uses PUBLIC_URL if set, otherwise derives
+ * from the request's protocol and hostname.
+ */
+export function apiBaseUrl(req) {
+    if (isNotBlank(process.env.PUBLIC_URL))
+        return process.env.PUBLIC_URL.replace(/\/$/v, '');
+    return req.protocol + '://' + req.hostname;
+}
+/**
+ * Get the base URL for the UI that this API serves. Uses UI_URL if set,
+ * otherwise assumes the API lives at a subpath (e.g. /api) and the UI is
+ * one level up. Falls back to the API base URL if there's no parent path.
+ */
+export function uiBaseUrl(req) {
+    if (isNotBlank(process.env.UI_URL))
+        return process.env.UI_URL.replace(/\/$/v, '');
+    const base = apiBaseUrl(req);
+    return new URL('..', base + '/').toString().replace(/\/$/v, '');
+}
+/* eslint-disable no-console -- devLogger intentionally writes to console */
+export const devLogger = pino({
+    level: 'info'
+}, new Writable({
+    write(chunk, _encoding, callback) {
+        const obj = JSON.parse(String(chunk));
+        if (obj.req)
+            console.info(`${obj.req.method} ${obj.req.url}`);
+        else if (obj.res)
+            console.info(`${obj.res.statusCode} - ${obj.responseTime}`);
+        else if (obj.err)
+            console.error(obj.err);
+        else
+            console.info(obj.msg || obj);
+        callback();
+    }
+}));
+/* eslint-enable no-console */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call -- pino serializer params are typed as any */
+export const prodLogger = pino({
+    level: 'info',
+    serializers: {
+        req(req) {
+            return {
+                method: req.method,
+                url: req.url.replace(/(?<param>token|unifiedJwt)=[\w.]+/iv, '$<param>=redacted'),
+                remoteAddress: req.ip,
+                traceparent: req.headers.traceparent
+            };
+        },
+        res(res) {
+            return {
+                statusCode: res.statusCode,
+                url: res.request?.url.replace(/(?<param>token|unifiedJwt)=[\w.]+/iv, '$<param>=redacted'),
+                length: Number(toArray(res.getHeader?.('content-length'))[0]),
+                ...omit(res.extraLogInfo, 'auth'),
+                auth: omit(res.request?.auth ?? res.extraLogInfo?.auth ?? {}, 'token', 'accessToken', 'issuerConfig')
+            };
+        }
+    }
+});
+export class OriginChecker {
+    validOrigins = {};
+    validOriginHosts = {};
+    validOriginSuffixes = new Set();
+    setValidOrigins(origins) {
+        this.validOrigins = origins.reduce((acc, origin) => ({ ...acc, [origin]: true }), {});
+    }
+    setValidOriginHosts(hosts) {
+        this.validOriginHosts = hosts.reduce((acc, host) => ({ ...acc, [host]: true }), {});
+    }
+    setValidOriginSuffixes(suffixes) {
+        this.validOriginSuffixes.clear();
+        for (const s of suffixes)
+            this.validOriginSuffixes.add(s.replace(/^\./v, ''));
+    }
+    check(hostname, requestHostname) {
+        try {
+            const parsed = new URL(hostname.includes('://') ? hostname : 'https://' + hostname);
+            if (this.validOrigins[parsed.origin])
+                return true;
+            if (requestHostname && parsed.hostname === requestHostname)
+                return true;
+            if (this.validOriginHosts[parsed.hostname])
+                return true;
+            const parts = parsed.hostname.split('.');
+            for (let i = 0; i < parts.length; i++) {
+                if (this.validOriginSuffixes.has(parts.slice(i).join('.')))
+                    return true;
+            }
+            return false;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export default class Server {
+    config;
+    https = false;
+    errorHandlers = [];
+    healthMessage;
+    healthCallback;
+    shuttingDown = false;
+    sigHandler;
+    originChecker = new OriginChecker();
+    swaggerEndpoint;
+    app;
+    constructor(config = {}) {
+        this.config = config;
+        try {
+            const key = fs.readFileSync('/securekeys/private.key');
+            const cert = fs.readFileSync('/securekeys/cert.pem');
+            config.https = {
+                ...config.https,
+                allowHTTP1: true,
+                key,
+                cert,
+                minVersion: 'TLSv1.2'
+            };
+            config.http2 = true;
+            this.https = true;
+        }
+        catch (e) {
+            this.https = false;
+            delete config.https;
+        }
+        if (typeof config.logger === 'undefined' && !config.loggerInstance) {
+            config.loggerInstance = process.env.NODE_ENV === 'development'
+                ? devLogger
+                : prodLogger;
+        }
+        if (process.env.TRUST_PROXY != null) {
+            if (['true', '1'].includes(process.env.TRUST_PROXY))
+                config.trustProxy = true;
+            else
+                config.trustProxy = process.env.TRUST_PROXY;
+        }
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion -- ajvFormats cast is required by tsc even though eslint thinks otherwise
+        config.ajv = { ...config.ajv, mode: undefined, plugins: [...(config.ajv?.plugins ?? []), ajvErrors, [ajvFormats, { mode: 'fast' }]], customOptions: { ...config.ajv?.customOptions, allErrors: true, strictSchema: false, coerceTypes: true } };
+        this.healthCallback = config.checkHealth;
+        this.app = fastify(config);
+        this.app.addHook('onRoute', route => {
+            if (!route.schema?.body)
+                return;
+            const missingResponse = route.schema.response == null;
+            const response400 = set(validatedResponse.properties.messages, 'description', 'Basic validation failure. This means that the UI provided input that failed validation as defined in the openapi specification published by the API. The UI is at fault and should be re-coded to avoid sending invalid data.');
+            let newSchema = set(route.schema ?? {}, 'response.400', response400);
+            const response422 = set(validatedResponse, 'description', 'Validation failure. This means that the user provided an invalid object. The user should be shown their error so that they can correct it.');
+            newSchema = set(newSchema, 'response.422', response422);
+            if (missingResponse) {
+                newSchema.response['200'] = {
+                    description: 'Success. Return type has not been specified.',
+                    type: 'object'
+                };
+            }
+            route.schema = newSchema;
+        });
+        this.app.addHook('preValidation', (req, res, done) => {
+            if (req.body != null && req.routeOptions.schema?.body)
+                destroyNulls(req.body);
+            done();
+        });
+        // use Ajv to validate responses instead of @fastify/json-fast-stringify since ajv does
+        // a better job with recursive types and we don't want to have different behavior between
+        // input and output validation
+        const ajv = new Ajv(config.ajv.customOptions);
+        for (const pluginConfig of config.ajv.plugins ?? []) {
+            const [plugin, opts] = toArray(pluginConfig);
+            plugin(ajv, opts); // eslint-disable-line @typescript-eslint/no-unsafe-call -- plugin type comes from fastify's ajv config
+        }
+        this.app.setSerializerCompiler(route => {
+            const schema = route.schema;
+            const validate = schema == null ? ajv.compile({ type: 'object' }) : ajv.compile(schema); // eslint-disable-line @typescript-eslint/no-unnecessary-condition -- schema can be undefined at runtime
+            return data => {
+                /**
+                 * Ajv unfortunately treats optional properties as non-nullable, so they're allowed to
+                 * be undefined but not allowed to be null. Worse, with `coerceTypes`, null will be converted
+                 * to empty string or 0 or false. This is silly behavior, so we're converting all nulls to
+                 * undefined before we validate.
+                 */
+                if (schema != null)
+                    destroyNulls(stringifyDates(data)); // eslint-disable-line @typescript-eslint/no-unnecessary-condition -- schema can be undefined at runtime
+                if (!validate(data))
+                    throw new Error('Output validation failed. ' + validate.errors?.[0].instancePath + ': ' + validate.errors?.[0].message);
+                return JSON.stringify(data);
+            };
+        });
+        this.app.addHook('onRequest', (req, res, done) => {
+            res.extraLogInfo = {};
+            req.originChecker = this.originChecker;
+            done();
+        });
+        if (!config.skipOriginCheck && !process.env.SKIP_ORIGIN_CHECK) {
+            this.originChecker.setValidOrigins([...(config.validOrigins ?? []), ...(process.env.VALID_ORIGINS?.split(',') ?? [])]);
+            this.originChecker.setValidOriginHosts([...(config.validOriginHosts ?? []), ...(process.env.VALID_ORIGIN_HOSTS?.split(',') ?? [])]);
+            this.originChecker.setValidOriginSuffixes([...(config.validOriginSuffixes ?? []), ...(process.env.VALID_ORIGIN_SUFFIXES?.split(',') ?? [])]);
+            this.app.addHook('onRequest', async (req, res) => {
+                if (!req.headers.origin)
+                    return;
+                const passed = (req.headers.origin === 'null'
+                    ? process.env.NODE_ENV === 'development'
+                    : this.originChecker.check(req.headers.origin, req.hostname)) || !!config.checkOrigin?.(req);
+                if (!passed) {
+                    await res.status(403).send('Origin check failed. Suspected XSRF attack.');
+                    return await res;
+                }
+                else {
+                    void res.header('Access-Control-Allow-Origin', req.headers.origin);
+                    void res.header('Access-Control-Max-Age', '600'); // ask browser to skip pre-flights for 10 minutes after a yes
+                    if (req.headers['access-control-request-method'])
+                        void res.header('access-control-allow-methods', req.headers['access-control-request-method']);
+                    if (req.headers['access-control-request-headers'])
+                        void res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
+                }
+            });
+            this.app.options('*', async (req, res) => {
+                await res.send();
+            });
+        }
+        if (config.authenticate) {
+            const authenticatedMethods = {
+                GET: true,
+                POST: true,
+                PUT: true,
+                PATCH: true,
+                DELETE: true
+            };
+            this.app.addHook('onRequest', async (req, res) => {
+                if (!authenticatedMethods[req.method] || isBlank(req.routeOptions.url) || req.routeOptions.url === '/health' || req.routeOptions.url === '/.uaService' || (this.swaggerEndpoint && req.routeOptions.url.startsWith(this.swaggerEndpoint)))
+                    return;
+                try {
+                    req.auth = await config.authenticate(req);
+                }
+                catch (e) {
+                    await res.status(401).send('Failed to authenticate.');
+                    return await res;
+                }
+            });
+        }
+        this.app.addHook('onSend', this.https && process.env.NODE_ENV !== 'development'
+            ? async (_, resp) => {
+                void resp.removeHeader('X-Powered-By');
+                void resp.header('Strict-Transport-Security', 'max-age=31536000');
+                if (resp.getHeader('content-type') === 'text/html')
+                    void resp.type('text/html; charset=utf-8');
+            }
+            : async (_, resp) => {
+                void resp.removeHeader('X-Powered-By');
+                if (resp.getHeader('content-type') === 'text/html')
+                    void resp.type('text/html; charset=utf-8');
+            });
+        this.app.setNotFoundHandler((req, res) => { void res.status(404).send('Not Found.'); });
+        this.app.setErrorHandler(async (err, req, res) => {
+            req.log.warn(err);
+            for (const errorHandler of this.errorHandlers) {
+                if (!res.sent)
+                    await errorHandler(err, req, res);
+            }
+            if (!res.sent) {
+                if (err instanceof ValidationError) {
+                    await res.status(err.statusCode).send({ success: false, messages: [{ message: err.message, path: err.path, type: err.type ?? 'error' }] });
+                }
+                else if (err instanceof ValidationErrors) {
+                    await res.status(err.statusCode).send({ success: false, messages: err.errors });
+                }
+                else if (err instanceof HttpError) {
+                    await res.status(err.statusCode).send(err.message);
+                }
+                else if (err.code === 'FST_ERR_VALIDATION') {
+                    const developerErrors = [];
+                    const userErrors = [];
+                    for (const v of err.validation ?? []) {
+                        if (v.keyword === 'errorMessage') {
+                            for (const ov of v.params.errors) {
+                                if (['type', 'additionalProperties', 'minProperties'].includes(ov.keyword))
+                                    developerErrors.push({ ...ov, message: v.message });
+                                else if (ov.keyword === 'required')
+                                    userErrors.push({ ...ov, message: 'This field is required.' });
+                                else
+                                    userErrors.push({ ...ov, message: v.message });
+                            }
+                        }
+                        else if (['type', 'additionalProperties', 'minProperties'].includes(v.keyword))
+                            developerErrors.push(v);
+                        else if (v.keyword === 'required')
+                            userErrors.push({ ...v, message: 'This field is required.' });
+                        else
+                            userErrors.push(v);
+                    }
+                    if (userErrors.length)
+                        await res.status(422).send({ success: false, messages: userErrors.map(fstValidationToMessage) });
+                    else
+                        await res.status(400).send(developerErrors.map(fstValidationToMessage));
+                }
+                else if (err.statusCode) {
+                    await res.status(err.statusCode).send(new HttpError(err.statusCode).message);
+                }
+                else {
+                    await res.status(500).send('Internal Server Error.');
+                }
+            }
+        });
+        this.app.get('/health', { logLevel: 'warn' }, async (req, res) => {
+            if (this.shuttingDown) {
+                res.log.warn('Returning 503 on /health because we are shutting down/restarting.');
+                void res.status(503);
+                return 'MAINTENANCE';
+            }
+            else if (this.healthMessage) {
+                res.log.error(this.healthMessage);
+                void res.status(500);
+                return this.healthMessage;
+            }
+            else if (this.healthCallback) {
+                const resp = await this.healthCallback();
+                const [status, msg] = typeof resp === 'string' ? [500, resp] : [resp?.status, resp?.message];
+                if (!!msg || !!status) {
+                    res.log.error(resp, 'Health check callback failed.');
+                    void res.status(status ?? 500);
+                    return msg ?? 'FAIL';
+                }
+            }
+            return 'OK';
+        });
+        this.sigHandler = () => {
+            this.close().then(() => {
+                process.exit();
+            }).catch((e) => { this.app.log.error(e, 'Error during shutdown'); });
+        };
+        process.on('SIGTERM', this.sigHandler);
+        process.on('SIGINT', this.sigHandler);
+    }
+    async start(port) {
+        const customPort = port ?? parseInt(process.env.PORT ?? '0', 10);
+        await this.app.ready();
+        if (this.swaggerEndpoint)
+            this.app.swagger();
+        if (customPort) {
+            await this.app.listen({ port: customPort, host: '0.0.0.0' });
+        }
+        else if (this.https) {
+            // redirect 80 to 443
+            http.createServer((req, res) => {
+                res.writeHead(301, { Location: 'https://' + (req.headers.host?.replace(/:\d+$/v, '') ?? '') + (req.url ?? '') });
+                res.end();
+            }).listen(80);
+            await this.app.listen({ port: 443, host: '0.0.0.0' });
+        }
+        else {
+            await this.app.listen({ port: 80, host: '0.0.0.0' });
+        }
+    }
+    addErrorHandler(handler) {
+        this.errorHandlers.push(handler);
+    }
+    setUnhealthy(message) {
+        this.healthMessage = message;
+    }
+    setHealthy() {
+        this.healthMessage = undefined;
+    }
+    setValidOrigins(origins) {
+        this.originChecker.setValidOrigins(origins);
+    }
+    setValidOriginHosts(hosts) {
+        this.originChecker.setValidOriginHosts(hosts);
+    }
+    setValidOriginSuffixes(suffixes) {
+        this.originChecker.setValidOriginSuffixes(suffixes);
+    }
+    async swagger(opts) {
+        let openapi = opts?.openapi ?? {};
+        if (this.config.authenticate != null) {
+            openapi = set(openapi, 'components.securitySchemes', {
+                unifiedAuth: {
+                    type: 'http',
+                    scheme: 'bearer',
+                    bearerFormat: 'JWT',
+                    description: `Enter a token obtained from the TxState Unified Authentication service. An easy way to do
+this is log into this application and use dev tools to pull your token from the Authorization header.`
+                }
+            });
+            // Apply the security globally to all operations
+            openapi.security = [{ unifiedAuth: [] }];
+        }
+        /* eslint-disable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-return -- findRefs traverses arbitrary JSON schema objects */
+        function findRefs(obj, id) {
+            if (obj == null)
+                return undefined;
+            if (obj.$id?.length)
+                id = obj.$id;
+            if (obj.$ref === '#' && id?.length) {
+                obj.type = 'string';
+                obj.enum = [id];
+                delete obj.$ref;
+            }
+            else {
+                for (const val of Object.values(obj)) {
+                    if (typeof val === 'object' && !(val instanceof Date))
+                        findRefs(val, id);
+                }
+            }
+            return obj;
+        }
+        await this.app.register(swagger, {
+            openapi,
+            transform(transformArgs) {
+                const newSchema = findRefs(clone(transformArgs.schema));
+                return { ...transformArgs, schema: newSchema };
+            }
+        });
+        /* eslint-enable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-return */
+        this.swaggerEndpoint = opts?.path ?? opts?.ui?.routePrefix ?? '/docs';
+        await this.app.register(swaggerUI, { ...opts?.ui, routePrefix: this.swaggerEndpoint });
+    }
+    async close(softSeconds) {
+        if (typeof softSeconds === 'undefined')
+            softSeconds = parseInt(process.env.LOAD_BALANCE_TIMEOUT ?? '0', 10);
+        process.removeListener('SIGTERM', this.sigHandler);
+        process.removeListener('SIGINT', this.sigHandler);
+        if (softSeconds) {
+            this.shuttingDown = true;
+            await sleep(softSeconds);
+        }
+        await this.app.close();
+    }
+}

package/lib/unified-auth.d.ts

@@ -1,9 +1,11 @@
-import { type FastifyReply, type FastifyRequest } from 'fastify';
-import { type IssuerConfig, type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from '.';
-export interface IssuerConfigRaw extends Omit<IssuerConfig, 'validateUrl' | 'logoutUrl'> {
-    validateUrl?: string;
-    logoutUrl?: string;
-}
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import { type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from './server.ts';
+/**
+ * @deprecated Use `jwtAuthenticate(options)` instead. Note the new shape: `jwtAuthenticate`
+ * is now a factory that takes options up front and returns the authenticator function
+ * (`authenticate: jwtAuthenticate({ authenticateAll: true })`), so the options actually
+ * take effect when wired into `new Server({ authenticate })`.
+ */
 export declare function unifiedAuthenticate(req: FastifyRequest, options?: {
     authenticateAll?: boolean;
     exceptRoutes?: Set<string>;
@@ -11,7 +13,7 @@ export declare function unifiedAuthenticate(req: FastifyRequest, options?: {
     usingUaCookieRoutes?: boolean;
 }): Promise<FastifyTxStateAuthInfo | undefined>;
 /**
- * @deprecated Use unifiedAuthenticateWithOptions with { authenticateAll: true } instead.
+ * @deprecated Use `jwtAuthenticate({ authenticateAll: true })` instead.
  */
 export declare function unifiedAuthenticateAll(req: FastifyRequest): Promise<FastifyTxStateAuthInfo>;
 /**
@@ -19,5 +21,9 @@ export declare function unifiedAuthenticateAll(req: FastifyRequest): Promise<Fas
  * using a framework. It will automatically redirect the user to the Unified Auth login page
  * and return true if they are not authenticated. Otherwise it simply returns false.
  */
+export declare function requireCookieAuthUa(req: FastifyRequest, res: FastifyReply): Promise<boolean>;
+/**
+ * @deprecated Use requireCookieAuthUa instead.
+ */
 export declare function requireCookieAuth(req: FastifyRequest, res: FastifyReply): Promise<boolean>;
 export declare function registerUaCookieRoutes(app: FastifyInstanceTyped): void;