kuzzle 2.33.0 → 2.34.0-beta.1

package/lib/core/security/tokenRepository.d.ts

@@ -46,6 +46,7 @@ export declare class TokenRepository extends ObjectRepository<Token> {
         singleUse: boolean;
     }): Promise<Token>;
     verifyToken(token: string): Promise<Token>;
+    _verifyApiKey(decoded: any, token: string): Promise<Token>;
     removeTokenPrefix(token: string): string;
     loadForUser(userId: string, encodedToken: string): Promise<Token>;
     hydrate(userToken: any, data: any): Promise<any>;
@@ -56,10 +57,6 @@ export declare class TokenRepository extends ObjectRepository<Token> {
     deleteByKuid(kuid: string, { keepApiKeys }?: {
         keepApiKeys?: boolean;
     }): Promise<void>;
-    /**
-     * Loads authentication token from API key into Redis
-     */
-    private loadApiKeys;
     /**
      * The repository main class refreshes automatically the TTL
      * of accessed entries, letting only unaccessed entries expire

package/lib/core/security/tokenRepository.js

@@ -55,8 +55,8 @@ const errors_1 = require("../../kerror/errors");
 const token_1 = require("../../model/security/token");
 const apiKey_1 = __importDefault(require("../../model/storage/apiKey"));
 const debug_1 = __importDefault(require("../../util/debug"));
-const mutex_1 = require("../../util/mutex");
 const ObjectRepository_1 = require("../shared/ObjectRepository");
+const crypto_1 = require("../../util/crypto");
 const securityError = kerror.wrap("security", "token");
 const debug = (0, debug_1.default)("kuzzle:bootstrap:tokens");
 const BOOTSTRAP_DONE_KEY = "token/bootstrap";
@@ -72,7 +72,6 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
         this.anonymousToken = new token_1.Token({ userId: "-1" });
     }
     async init() {
-        await this.loadApiKeys();
         /**
          * Assign an existing token to a user. Stores the token in Kuzzle's cache.
          * @param  {String} hash - JWT
@@ -125,6 +124,20 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
          * @returns {Token}
          */
         global.kuzzle.onAsk("core:security:token:verify", (hash) => this.verifyToken(hash));
+        // ? those checks are necessary to detect JWT seed changes and delete existing tokens if necessary
+        const existingTokens = await global.kuzzle.ask("core:cache:internal:searchKeys", "repos/kuzzle/token/*");
+        if (existingTokens.length > 0) {
+            try {
+                const [, token] = existingTokens[0].split("#");
+                await this.verifyToken(token);
+            }
+            catch (e) {
+                // ? seed has changed
+                if (e.id === "security.token.invalid") {
+                    await global.kuzzle.ask("core:cache:internal:del", existingTokens);
+                }
+            }
+        }
     }
     /**
      * Expires the given token immediately
@@ -164,14 +177,17 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
      *
      * @returns {Promise.<Object>} { _id, jwt, userId, ttl, expiresAt }
      */
-    async generateToken(user, { algorithm = global.kuzzle.config.security.jwt.algorithm, expiresIn = global.kuzzle.config.security.jwt.expiresIn, bypassMaxTTL = false, type = "authToken", singleUse = false, } = {}) {
+    async generateToken(user, { algorithm = global.kuzzle.config.security.authToken.algorithm ??
+        global.kuzzle.config.security.jwt.algorithm, expiresIn = global.kuzzle.config.security.authToken.expiresIn ??
+        global.kuzzle.config.security.jwt.expiresIn, bypassMaxTTL = false, type = "authToken", singleUse = false, } = {}) {
         if (!user || user._id === null) {
             throw securityError.get("unknown_user");
         }
         const parsedExpiresIn = parseTimespan(expiresIn);
         const maxTTL = type === "apiKey"
             ? global.kuzzle.config.security.apiKey.maxTTL
-            : global.kuzzle.config.security.jwt.maxTTL;
+            : global.kuzzle.config.security.authToken.maxTTL ??
+                global.kuzzle.config.security.jwt.maxTTL;
         if (!bypassMaxTTL &&
             maxTTL > -1 &&
             (parsedExpiresIn > maxTTL || parsedExpiresIn === -1)) {
@@ -195,10 +211,18 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
         }
         if (type === "apiKey") {
             encodedToken = token_1.Token.APIKEY_PREFIX + encodedToken;
+            // For API keys, we don't persist the token
+            const expiresAt = parsedExpiresIn === -1 ? -1 : Date.now() + parsedExpiresIn;
+            return new token_1.Token({
+                _id: `${user._id}#${encodedToken}`,
+                expiresAt,
+                jwt: encodedToken,
+                ttl: parsedExpiresIn,
+                userId: user._id,
+            });
         }
-        else {
-            encodedToken = token_1.Token.AUTH_PREFIX + encodedToken;
-        }
+        encodedToken = token_1.Token.AUTH_PREFIX + encodedToken;
+        // Persist regular tokens
         return this.persistForUser(encodedToken, user._id, {
             singleUse,
             ttl: parsedExpiresIn,
@@ -233,23 +257,28 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
         if (token === null) {
             return this.anonymousToken;
         }
+        const isApiKey = token.startsWith(token_1.Token.APIKEY_PREFIX);
+        const tokenWithoutPrefix = this.removeTokenPrefix(token);
         let decoded = null;
         try {
-            decoded = jsonwebtoken_1.default.verify(this.removeTokenPrefix(token), global.kuzzle.secret);
+            decoded = jsonwebtoken_1.default.verify(tokenWithoutPrefix, global.kuzzle.secret);
             // probably forged token => throw without providing any information
             if (!decoded._id) {
                 throw new jsonwebtoken_1.default.JsonWebTokenError("Invalid token");
             }
         }
         catch (err) {
-            if (err instanceof jsonwebtoken_1.default.TokenExpiredError) {
-                throw securityError.get("expired");
-            }
             if (err instanceof jsonwebtoken_1.default.JsonWebTokenError) {
                 throw securityError.get("invalid");
             }
+            if (err instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                throw securityError.get("expired");
+            }
             throw securityError.getFrom(err, "verification_error", err.message);
         }
+        if (isApiKey) {
+            return this._verifyApiKey(decoded, token);
+        }
         let userToken;
         try {
             userToken = await this.loadForUser(decoded._id, token);
@@ -268,6 +297,29 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
         }
         return userToken;
     }
+    async _verifyApiKey(decoded, token) {
+        const fingerprint = (0, crypto_1.sha256)(token);
+        const userApiKeys = await apiKey_1.default.search({
+            query: {
+                term: {
+                    userId: decoded._id,
+                },
+            },
+        });
+        const targetApiKey = userApiKeys?.find((apiKey) => apiKey.fingerprint === fingerprint);
+        if (!targetApiKey) {
+            throw securityError.get("invalid");
+        }
+        const apiKey = await apiKey_1.default.load(decoded._id, targetApiKey._id);
+        const userToken = new token_1.Token({
+            _id: `${decoded._id}#${token}`,
+            expiresAt: apiKey.expiresAt,
+            jwt: token,
+            ttl: apiKey.ttl,
+            userId: decoded._id,
+        });
+        return userToken;
+    }
     removeTokenPrefix(token) {
         return token
             .replace(token_1.Token.AUTH_PREFIX, "")
@@ -333,38 +385,6 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
         }
         await Promise.all(promises);
     }
-    /**
-     * Loads authentication token from API key into Redis
-     */
-    async loadApiKeys() {
-        const mutex = new mutex_1.Mutex("ApiKeysBootstrap", {
-            timeout: -1,
-            ttl: 30000,
-        });
-        await mutex.lock();
-        try {
-            const bootstrapped = await global.kuzzle.ask("core:cache:internal:get", BOOTSTRAP_DONE_KEY);
-            if (bootstrapped) {
-                debug("API keys already in cache. Skip.");
-                return;
-            }
-            debug("Loading API keys into Redis");
-            const promises = [];
-            await apiKey_1.default.batchExecute({ match_all: {} }, (documents) => {
-                for (const { _source } of documents) {
-                    promises.push(this.persistForUser(_source.token, _source.userId, {
-                        singleUse: false,
-                        ttl: _source.ttl,
-                    }));
-                }
-            });
-            await Promise.all(promises);
-            await global.kuzzle.ask("core:cache:internal:store", BOOTSTRAP_DONE_KEY, 1);
-        }
-        finally {
-            await mutex.unlock();
-        }
-    }
     /**
      * The repository main class refreshes automatically the TTL
      * of accessed entries, letting only unaccessed entries expire

package/lib/kuzzle/internalIndexHandler.js

@@ -111,6 +111,7 @@ class InternalIndexHandler extends Store {
       const bootstrapped = await this.exists("config", this._BOOTSTRAP_DONE_ID);
 
       if (bootstrapped) {
+        await this._initSecret();
         return;
       }
 
@@ -150,7 +151,7 @@ class InternalIndexHandler extends Store {
     await this.createInitialValidations();
 
     debug("Bootstrapping JWT secret");
-    await this._persistSecret();
+    await this._initSecret();
 
     // Create datamodel version
     await this.create(
@@ -202,24 +203,29 @@ class InternalIndexHandler extends Store {
     await Bluebird.all(promises);
   }
 
-  async getSecret() {
-    const response = await this.get("config", this._JWT_SECRET_ID);
+  async _initSecret() {
+    const { authToken, jwt } = global.kuzzle.config.security;
+    const configSeed = authToken?.secret ?? jwt?.secret;
 
-    return response._source.seed;
-  }
+    let storedSeed = await this.exists("config", this._JWT_SECRET_ID);
 
-  async _persistSecret() {
-    const seed =
-      global.kuzzle.config.security.jwt.secret ||
-      crypto.randomBytes(512).toString("hex");
+    if (!configSeed) {
+      if (!storedSeed) {
+        storedSeed = crypto.randomBytes(512).toString("hex");
+        await this.create(
+          "config",
+          { seed: storedSeed },
+          { id: this._JWT_SECRET_ID },
+        );
+      }
 
-    await this.create(
-      "config",
-      { seed },
-      {
-        id: this._JWT_SECRET_ID,
-      },
-    );
+      global.kuzzle.log.warn(
+        "[!] Kuzzle is using a generated seed for authentication. This is suitable for development but should NEVER be used in production. See https://docs.kuzzle.io/core/2/guides/getting-started/deploy-your-application/",
+      );
+    }
+    global.kuzzle.secret = configSeed
+      ? configSeed
+      : (await this.get("config", this._JWT_SECRET_ID))._source.seed;
   }
 }
 

package/lib/kuzzle/kuzzle.js

@@ -155,8 +155,6 @@ class Kuzzle extends KuzzleEventEmitter_1.default {
             await new security_1.default().init();
             // This will init the cluster module if enabled
             this.id = await this.initKuzzleNode();
-            // Secret used to generate JWTs
-            this.secret = await this.internalIndex.getSecret();
             this.vault = vault_1.default.load(options.vaultKey, options.secretsFile);
             await this.validation.init();
             await this.tokenManager.init();

package/lib/model/storage/apiKey.js

@@ -49,7 +49,7 @@ class ApiKey extends BaseModel {
   serialize({ includeToken = false } = {}) {
     const serialized = super.serialize();
 
-    if (!includeToken) {
+    if (!includeToken && this.token) {
       delete serialized._source.token;
     }
 
@@ -107,15 +107,15 @@ class ApiKey extends BaseModel {
         description,
         expiresAt: token.expiresAt,
         fingerprint,
-        token: token.jwt,
         ttl: token.ttl,
         userId: user._id,
       },
       apiKeyId || fingerprint,
     );
-
     await apiKey.save({ refresh, userId: creatorId });
 
+    apiKey.token = token.jwt;
+
     return apiKey;
   }
 

package/lib/model/storage/baseModel.js

@@ -218,7 +218,6 @@ class BaseModel {
       searchBody,
       options,
     );
-
     return resp.hits.map((hit) => this._instantiateFromDb(hit));
   }
 
@@ -232,7 +231,7 @@ class BaseModel {
   static truncate({ refresh } = {}) {
     return this.deleteByQuery({ match_all: {} }, { refresh });
   }
-
+  // ? This looks not in use anymore ?
   static batchExecute(query, callback) {
     return global.kuzzle.internalIndex.mExecute(
       this.collection,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kuzzle",
   "author": "The Kuzzle Team <support@kuzzle.io>",
-  "version": "2.33.0",
+  "version": "2.34.0-beta.1",
   "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
   "bin": "bin/start-kuzzle-server",
   "scripts": {
@@ -58,7 +58,7 @@
     "passport": "0.7.0",
     "protobufjs": "7.2.5",
     "rc": "1.2.8",
-    "sdk-es7": "https://github.com/elastic/elasticsearch-js/archive/refs/tags/v7.13.0.tar.gz",
+    "sdk-es7": "npm:@elastic/elasticsearch@7.13.0",
     "sdk-es8": "npm:@elastic/elasticsearch@8.12.1",
     "semver": "7.6.0",
     "sorted-array": "2.0.4",