Authenticate endpoints and validate user state_code in metrics requests

spotlight-api/.env.example

@@ -1,2 +1,3 @@
 GOOGLE_APPLICATION_CREDENTIALS={PATH_TO_CREDENTIALS_FILE}
 METRIC_BUCKET={GCS_BUCKET_NAME}
+AUTH_ENABLED={AUTH_ENABLED}

spotlight-api/README.md

@@ -44,6 +44,7 @@ Expected backend environment variables include:
 
 - `GOOGLE_APPLICATION_CREDENTIALS` - a relative path pointing to the JSON file containing the credentials of the service account used to communicate with Google Cloud Storage, for metric retrieval.
 - `METRIC_BUCKET` - the name of the Google Cloud Storage bucket where the metrics reside.
+- `AUTH_ENABLED` - whether or not we should require authentication to access our endpoints. Currently only used in staging to make the entire site private. No need to enable this locally unless you are developing or testing something auth-related.
 - `IS_DEMO` (OPTIONAL) - whether or not to run the backend in demo mode, which will retrieve static fixture data from the `core/demo_data` directory instead of pulling data from dynamic, live sources. This should only be set when running locally and should be provided through the command line.
 
 ### Running the application locally

spotlight-api/app.js

@@ -19,6 +19,8 @@ const express = require("express");
 const cors = require("cors");
 const morgan = require("morgan");
 const helmet = require("helmet");
+const jwt = require("express-jwt");
+const jwks = require("jwks-rsa");
 const zip = require("express-easy-zip");
 const api = require("./routes/api");
 
@@ -33,6 +35,22 @@ app.use(morgan("dev"));
 app.use(helmet());
 app.use(zip());
 
+if (process.env.AUTH_ENABLED === "true") {
+  const checkJwt = jwt({
+    secret: jwks.expressJwtSecret({
+      cache: true,
+      rateLimit: true,
+      jwksRequestsPerMinute: 5,
+      jwksUri:
+        "https://recidiviz-spotlight-staging.us.auth0.com/.well-known/jwks.json",
+    }),
+    audience: "recidiviz-spotlight-staging",
+    issuer: "https://spotlight-login-staging.recidiviz.org/",
+    algorithms: ["RS256"],
+  });
+  app.use(checkJwt);
+}
+
 app.post("/api/:tenantId/public", express.json(), api.metricsByName);
 
 // uptime check endpoint

spotlight-api/package.json

@@ -24,7 +24,9 @@
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
     "express-easy-zip": "^1.1.5",
+    "express-jwt": "^6.0.0",
     "helmet": "^3.23.3",
+    "jwks-rsa": "^1.4.0",
     "morgan": "^1.10.0"
   },
   "devDependencies": {

spotlight-api/routes/api.js

@@ -21,6 +21,7 @@
  */
 
 const metricsApi = require("../core/metricsApi");
+const { AUTH0_APP_METADATA_KEY } = require("../utils/constants");
 const demoMode = require("../utils/demoMode");
 
 const isDemoMode = demoMode.isDemoMode();
@@ -39,14 +40,27 @@ function responder(res) {
 }
 
 function metricsByName(req, res) {
+  const { AUTH_ENABLED } = process.env;
+  const { tenantId } = req.params;
   const { metrics } = req.body;
+  const stateCode = req.user?.[
+    AUTH0_APP_METADATA_KEY
+  ]?.state_code?.toLowerCase();
   if (!Array.isArray(metrics)) {
     res
       .status(400)
       .json({ error: "request is missing metrics array parameter" });
+  } else if (
+    AUTH_ENABLED === "true" &&
+    stateCode !== tenantId.toLowerCase() &&
+    stateCode !== "recidiviz"
+  ) {
+    res.status(401).json({
+      error: `User is not a member of the requested tenant ${tenantId}`,
+    });
   } else {
     metricsApi.fetchMetricsByName(
-      req.params.tenantId,
+      tenantId,
       metrics,
       isDemoMode,
       responder(res)

spotlight-api/routes/api.test.js

@@ -0,0 +1,155 @@
+// Recidiviz - a data platform for criminal justice reform
+// Copyright (C) 2020 Recidiviz, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// =============================================================================
+
+const { fetchMetricsByName } = require("../core/metricsApi");
+const { AUTH0_APP_METADATA_KEY } = require("../utils/constants");
+const { metricsByName } = require("./api");
+
+jest.mock("../core/metricsApi");
+
+// mocking the node env is esoteric, see https://stackoverflow.com/a/48042799
+const ORIGINAL_ENV = process.env;
+
+beforeEach(() => {
+  fetchMetricsByName.mockImplementation(
+    (tenantId, metrics, isDemoMode, responder) => {
+      responder(undefined, "passed");
+    }
+  );
+});
+
+afterEach(() => {
+  process.env = ORIGINAL_ENV;
+});
+
+test("retrieves metrics if auth is disabled", async () => {
+  process.env.AUTH_ENABLED = "false";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("returns 401 if there is no metrics array in the request body", async () => {
+  process.env.AUTH_ENABLED = "false";
+  const mockSendFn = jest.fn();
+  const mockStatusFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {},
+    },
+    {
+      status: () => ({ json: mockStatusFn }),
+      send: mockSendFn,
+    }
+  );
+  expect(mockSendFn).not.toHaveBeenCalled();
+  expect(mockStatusFn).toHaveBeenCalledWith({
+    error: "request is missing metrics array parameter",
+  });
+});
+
+test("retrieves metrics if auth is enabled and user state code is 'recidiviz'", async () => {
+  process.env.AUTH_ENABLED = "true";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [AUTH0_APP_METADATA_KEY]: {
+          state_code: "recidiviz",
+        },
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("retrieves metrics if auth is enabled and user state code matches the request param", async () => {
+  process.env.AUTH_ENABLED = "true";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [AUTH0_APP_METADATA_KEY]: {
+          state_code: "us_nd",
+        },
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("returns 401 if auth is enabled and user state code doesn't match the request param", async () => {
+  process.env.AUTH_ENABLED = "true";
+  const mockStatusFn = jest.fn();
+  const mockSendFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_PA",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [AUTH0_APP_METADATA_KEY]: {
+          state_code: "us_nd",
+        },
+      },
+    },
+    {
+      status: () => ({ json: mockStatusFn }),
+      send: mockSendFn,
+    }
+  );
+  expect(mockSendFn).not.toHaveBeenCalled();
+  expect(mockStatusFn).toHaveBeenCalledWith({
+    error: "User is not a member of the requested tenant US_PA",
+  });
+});

spotlight-api/utils/constants.js

@@ -0,0 +1,5 @@
+const AUTH0_APP_METADATA_KEY = "https://recidiviz.org/app_metadata";
+
+module.exports = {
+  AUTH0_APP_METADATA_KEY,
+};