Merge pull request #556 from dreammall-earth/better-token-validation

refactor(backend): better token validation

.github/workflows/backend.test.unit.code.yml

@@ -44,5 +44,5 @@ jobs:
         run: docker-compose -f docker-compose.yml up --detach --no-deps database
 
       - name: Backend | Unit
-        run: npm install && npm run db:migrate && npm run test:unit
+        run: npm install && cp src/auth/public.pem . && npm run db:migrate && npm run test:unit
         working-directory: ${{env.WORKING_DIRECTORY}}

backend/.gitignore

@@ -5,6 +5,7 @@ coverage/
 .vuepress/.temp/
 .vuepress/.cache/
 .env
+public.pem
 
 # emacs
 *~

backend/README.md

@@ -113,6 +113,14 @@ docker-compose up database
 ```
 in the main folder to run the database inside docker. You need to copy the `.env.dist` file to `.env`.  Run `npm run db:migrate` to generate the database. It might be required to delete the migration folder beforehand.
 
+## Token validation
+
+If you use the authentik database from the zip file, link the `src/auth/public.pem` to the main folder:
+```bash
+ln -s src/auth/public.pem public.pem
+```
+Otherwise place the according certificate in the main folder with the name `public.pem`
+
 ## License
 
 [Apache 2.0](./LICENSE)

backend/src/auth/authChecker.ts

@@ -5,17 +5,24 @@ import { AuthChecker } from 'type-graphql'
 
 import { Context } from '#src/server/context'
 
+let cert: Buffer
+
+export const getCert = (): Buffer => {
+  if (!cert) {
+    // eslint-disable-next-line n/no-sync
+    cert = fs.readFileSync('public.pem')
+  }
+  return cert
+}
+
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 export const authChecker: AuthChecker<Context> = ({ root, args, context, info }, roles) => {
   const { token } = context
 
   if (!token) return false
 
-  // eslint-disable-next-line n/no-sync
-  const cert = fs.readFileSync('public.pem')
-
   try {
-    const decoded = verify(token, cert)
+    const decoded = verify(token, getCert())
     if (decoded) {
       return true
     }

backend/src/graphql/resolvers/ContactFormResolver.spec.ts

@@ -219,20 +219,4 @@ weils nach Datum, Medium, Anlass und Kosten auflisten)?`,
       })
     })
   })
-
-  describe('contactForm query', () => {
-    it('returns true', async () => {
-      const response = await testServer.executeOperation({
-        query: `query { contactForm }`,
-      })
-      expect(response.body).toMatchObject({
-        kind: 'single',
-        singleResult: {
-          data: {
-            contactForm: true,
-          },
-        },
-      })
-    })
-  })
 })

backend/src/graphql/resolvers/ContactFormResolver.ts

@@ -1,4 +1,4 @@
-import { Resolver, Mutation, Query, Arg } from 'type-graphql'
+import { Resolver, Mutation, Arg } from 'type-graphql'
 
 import { sendContactEmails } from '#api/Brevo'
 import { ContactFormInput } from '#inputs/ContactFormInput'
@@ -12,11 +12,4 @@ export class ContactFormResolver {
     void EVENT_CONTACTFORM_SEND(contactFormData.email)
     return true
   }
-
-  // TODO: remove - see https://github.com/MichalLytek/type-graphql/issues/301#issuecomment-480046611
-  // needed to avoid: GraphQLError: Type Query must define one or more fields
-  @Query(() => Boolean)
-  contactForm(): boolean {
-    return true
-  }
 }

backend/test/testSetup.ts

@@ -6,6 +6,8 @@ import { config } from 'dotenv'
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 import { verify } from 'jsonwebtoken'
 
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+import { getCert } from '#src/auth/authChecker'
 import logger from '#src/logger'
 
 config({
@@ -40,3 +42,17 @@ jest.mock('jsonwebtoken', () => {
     verify: verifyTokenMock,
   }
 })
+
+export const getCertMock = jest.fn().mockImplementation(() => {
+  return Buffer.from('token', 'hex')
+})
+
+jest.mock('#src/auth/authChecker', () => {
+  const originalModule =
+    jest.requireActual<typeof import('#src/auth/authChecker')>('#src/auth/authChecker')
+  return {
+    __esModule: true,
+    ...originalModule,
+    getCert: getCertMock,
+  }
+})