diff --git a/apps/services/auth/admin-api/src/app/app.module.ts b/apps/services/auth/admin-api/src/app/app.module.ts
index 982ab803273f..305deb6362b6 100644
--- a/apps/services/auth/admin-api/src/app/app.module.ts
+++ b/apps/services/auth/admin-api/src/app/app.module.ts
@@ -3,7 +3,6 @@ import { ConfigModule } from '@nestjs/config'
 import { SequelizeModule } from '@nestjs/sequelize'
 import {
- DelegationApiUserSystemNotificationConfig,
 DelegationConfig,
 SequelizeConfigService,
 } from '@island.is/auth-api-lib'
diff --git a/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts b/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts
index c79876adf6f3..ddbd8359d273 100644
--- a/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts
+++ b/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts
@@ -32,20 +32,9 @@ import { Audit, AuditService } from '@island.is/nest/audit'
 import { DelegationAdminScopes } from '@island.is/auth/scopes'
 import { isDefined } from '@island.is/shared/utils'
-const namespace = '@island.is/auth/delegation-admin'
-
-const ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE =
- process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE
+import env from '../../../environments/environment'
-if (!ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE) {
- throw new Error(
- 'Environment variable ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE must be set',
- )
-}
-
-const ZendeskAuthGuardInstance = new ZendeskAuthGuard(
- ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE,
-)
+const namespace = '@island.is/auth/delegation-admin'
 @UseGuards(IdsUserGuard, ScopesGuard)
 @ApiTags('delegation-admin')
@@ -108,7 +97,7 @@ export class DelegationAdminController {
 }
 @BypassAuth()
- @UseGuards(ZendeskAuthGuardInstance)
+ @UseGuards(new ZendeskAuthGuard(env.zendeskGeneralMandateWebhookSecret))
 @Post('/zendesk')
 @Documentation({
 response: { status: 200 },
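Review bot: In delegation-admin.controller.ts, the new `@UseGuards(new ZendeskAuthGuard(env.zendeskGeneralMandateWebhookSecret))` line deserves a comment, because `@BypassAuth()` presumably skips the class-level IdsUserGuard and ScopesGuard and leaves this signature check as the only control on the route. The decorator argument is evaluated when the class is defined, so with the production config a missing secret still stops startup, but the error is now the guard's generic 'ZendeskAuthGuard: secret is required' rather than the message removed in the previous hunk, which named the variable. I would add above the decorator: `// Sole auth for this route; built at class load, so a missing ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE aborts startup.` The controller class starts and ends outside this hunk.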
diff --git a/apps/services/auth/admin-api/src/environments/environment.ts b/apps/services/auth/admin-api/src/environments/environment.ts
index 4dd0c52c607b..dea28fd4ba37 100644
--- a/apps/services/auth/admin-api/src/environments/environment.ts
+++ b/apps/services/auth/admin-api/src/environments/environment.ts
@@ -12,6 +12,9 @@ const devConfig = {
 port: 6333,
 clientSecretEncryptionKey: process.env.CLIENT_SECRET_ENCRYPTION_KEY ?? 'secret',
+ zendeskGeneralMandateWebhookSecret:
+ process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE ??
+ 'dGhpc19zZWNyZXRfaXNfZm9yX3Rlc3Rpbmdfb25seQ==',
 }
 const prodConfig = {
@@ -27,6 +30,8 @@ const prodConfig = {
 },
 port: 3333,
 clientSecretEncryptionKey: process.env.CLIENT_SECRET_ENCRYPTION_KEY,
+ zendeskGeneralMandateWebhookSecret:
+ process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE,
 }
 export default process.env.NODE_ENV === 'production' ? prodConfig : devConfig
diff --git a/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts b/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts
index 9f82412c0df9..2291e24db0c9 100644
--- a/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts
+++ b/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts
@@ -7,14 +7,10 @@ const SIGNING_SECRET_ALGORITHM = 'sha256'
 @Injectable()
 export class ZendeskAuthGuard implements CanActivate {
- private readonly signingSecret: string
-
- constructor(signingSecret: string | undefined) {
- if (!signingSecret) {
- throw new Error('No signing secret provided')
+ constructor(private secret: string | undefined) {
+ if (!secret) {
+ throw new Error('ZendeskAuthGuard: secret is required')
 }
-
- this.signingSecret = signingSecret
 }
 canActivate(context: ExecutionContext): boolean {
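Review bot: In environment.ts, the `??` fallback added to `devConfig.zendeskGeneralMandateWebhookSecret` commits a working signing secret to the repository, and the file's last line selects devConfig whenever NODE_ENV is anything other than 'production'. Any deployed instance that runs without NODE_ENV=production and without ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE set would therefore verify webhook signatures against a publicly known value, whereas the module-level check removed from the controller threw in every environment. I would drop the default and set the variable in local and test setup instead, i.e. `zendeskGeneralMandateWebhookSecret: process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE,` exactly as the prodConfig hunk does. The `clientSecretEncryptionKey` line above follows the same fallback pattern, but this commit does not touch it.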
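Review bot: In zendeskAuth.guard.ts, the parameter property `private secret: string | undefined` leaves the field typed as possibly undefined and drops `readonly`, which is why the later hunk has to write `this.secret as string` when creating the HMAC. Keeping a narrowed field preserves the compiler's guarantee that the key is a string once construction succeeds: declare `private readonly secret: string`, take `secret: string | undefined` as a plain constructor parameter, and assign `this.secret = secret` after the `if (!secret)` check. The class body continues outside this hunk.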
@@ -34,7 +30,10 @@ export class ZendeskAuthGuard implements CanActivate {
 body: string,
 timestamp: string,
 ): boolean {
- const hmac = crypto.createHmac(SIGNING_SECRET_ALGORITHM, this.signingSecret)
+ const hmac = crypto.createHmac(
+ SIGNING_SECRET_ALGORITHM,
+ this.secret as string,
+ )
 const sig = hmac.update(timestamp + body).digest('base64')
 return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sig))
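Review bot: The `crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sig))` return at the end of this hunk throws a RangeError when the two buffers differ in length, so a request whose signature value is shorter or longer than a base64 SHA-256 digest raises instead of returning false. Unless the caller catches this (canActivate is outside the hunk), the client would probably get a 500 rather than a clean rejection. A length comparison before the call avoids that: `const given = Buffer.from(signature), expected = Buffer.from(sig)` followed by `return given.length === expected.length && crypto.timingSafeEqual(given, expected)`. The method's parameter list begins above the hunk.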