Recidiviz · terryttsai · May 5, 2022 · May 3, 2022 · May 3, 2022 · May 4, 2022
diff --git a/spotlight-api/.env.example b/spotlight-api/.env.example
@@ -1,2 +1,4 @@
 GOOGLE_APPLICATION_CREDENTIALS={PATH_TO_CREDENTIALS_FILE}
 METRIC_BUCKET={GCS_BUCKET_NAME}
+AUTH_ENABLED={AUTH_ENABLED}
+AUTH0_APP_METADATA_KEY={AUTH0_APP_METADATA_KEY}
diff --git a/spotlight-api/README.md b/spotlight-api/README.md
@@ -44,6 +44,8 @@ Expected backend environment variables include:
 
 - `GOOGLE_APPLICATION_CREDENTIALS` - a relative path pointing to the JSON file containing the credentials of the service account used to communicate with Google Cloud Storage, for metric retrieval.
 - `METRIC_BUCKET` - the name of the Google Cloud Storage bucket where the metrics reside.
+- `AUTH_ENABLED` - whether or not we should require authentication to access our endpoints. Currently only used in staging to make the entire site private. No need to enable this locally unless you are developing or testing something auth-related. If set to `true` then `AUTH0_APP_METADATA_KEY` **must** be set to a supported value.
+- `AUTH0_APP_METADATA_KEY` - a string that corresponds to the namespace set in the Auth0 custom action to add app_metadata to id tokens. Unless something has changed this should be set to `https://recidiviz.org/app_metadata`. This is only required when auth is enabled.
 - `IS_DEMO` (OPTIONAL) - whether or not to run the backend in demo mode, which will retrieve static fixture data from the `core/demo_data` directory instead of pulling data from dynamic, live sources. This should only be set when running locally and should be provided through the command line.
 
 ### Running the application locally

diff --git a/spotlight-api/app.js b/spotlight-api/app.js
@@ -19,6 +19,8 @@ const express = require("express");
 const cors = require("cors");
 const morgan = require("morgan");
 const helmet = require("helmet");
+const jwt = require("express-jwt");
+const jwks = require("jwks-rsa");
 const zip = require("express-easy-zip");
 const api = require("./routes/api");
 
@@ -33,6 +35,22 @@ app.use(morgan("dev"));
 app.use(helmet());
 app.use(zip());
 
+if (process.env.AUTH_ENABLED === "true") {
+  const checkJwt = jwt({
+    secret: jwks.expressJwtSecret({
+      cache: true,
+      rateLimit: true,
+      jwksRequestsPerMinute: 5,
+      jwksUri:
+        "https://recidiviz-spotlight-staging.us.auth0.com/.well-known/jwks.json",
+    }),
+    audience: "recidiviz-spotlight-staging",
+    issuer: "https://spotlight-login-staging.recidiviz.org/",
+    algorithms: ["RS256"],
+  });
+  app.use(checkJwt);
+}
+
 app.post("/api/:tenantId/public", express.json(), api.metricsByName);
 
 // uptime check endpoint

diff --git a/spotlight-api/package.json b/spotlight-api/package.json
@@ -24,7 +24,9 @@
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
     "express-easy-zip": "^1.1.5",
+    "express-jwt": "^6.0.0",
     "helmet": "^3.23.3",
+    "jwks-rsa": "^1.4.0",
     "morgan": "^1.10.0"
   },
   "devDependencies": {

diff --git a/spotlight-api/routes/api.js b/spotlight-api/routes/api.js
@@ -39,14 +39,27 @@ function responder(res) {
 }
 
 function metricsByName(req, res) {
+  const { AUTH_ENABLED, AUTH0_APP_METADATA_KEY } = process.env;
+  const { tenantId } = req.params;
   const { metrics } = req.body;
+  const stateCode =
+    AUTH0_APP_METADATA_KEY &&
+    req.user?.[AUTH0_APP_METADATA_KEY]?.state_code?.toLowerCase();
   if (!Array.isArray(metrics)) {
     res
       .status(400)
       .json({ error: "request is missing metrics array parameter" });
+  } else if (
+    AUTH_ENABLED === "true" &&
+    stateCode !== tenantId.toLowerCase() &&
+    stateCode !== "recidiviz"
+  ) {
+    res.status(401).json({
+      error: `User is not a member of the requested tenant ${tenantId}`,
+    });
   } else {
     metricsApi.fetchMetricsByName(
-      req.params.tenantId,
+      tenantId,
       metrics,
       isDemoMode,
       responder(res)

diff --git a/spotlight-api/routes/api.test.js b/spotlight-api/routes/api.test.js
@@ -0,0 +1,150 @@
+// Recidiviz - a data platform for criminal justice reform
+// Copyright (C) 2020 Recidiviz, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// =============================================================================
+
+const { fetchMetricsByName } = require("../core/metricsApi");
+const { metricsByName } = require("./api");
+
+jest.mock("../core/metricsApi");
+
+beforeEach(() => {
+  fetchMetricsByName.mockImplementation(
+    (tenantId, metrics, isDemoMode, responder) => {
+      responder(undefined, "passed");
+    }
+  );
+});
+
+test("retrieves metrics if auth is disabled", async () => {
+  process.env.AUTH_ENABLED = "false";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("returns 401 if there is no metrics array in the request body", async () => {
+  process.env.AUTH_ENABLED = "false";
+  const mockSendFn = jest.fn();
+  const mockStatusFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {},
+    },
+    {
+      status: () => ({ json: mockStatusFn }),
+      send: mockSendFn,
+    }
+  );
+  expect(mockSendFn).not.toHaveBeenCalled();
+  expect(mockStatusFn).toHaveBeenCalledWith({
+    error: "request is missing metrics array parameter",
+  });
+});
+
+test("retrieves metrics if auth is enabled and user state code is 'recidiviz'", async () => {
+  process.env.AUTH_ENABLED = "true";
+  process.env.AUTH0_APP_METADATA_KEY = "TEST_KEY";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [process.env.AUTH0_APP_METADATA_KEY]: {
+          state_code: "recidiviz",
+        },
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("retrieves metrics if auth is enabled and user state code matches the request param", async () => {
+  process.env.AUTH_ENABLED = "true";
+  process.env.AUTH0_APP_METADATA_KEY = "TEST_KEY";
+  const mockFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_ND",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [process.env.AUTH0_APP_METADATA_KEY]: {
+          state_code: "us_nd",
+        },
+      },
+    },
+    {
+      send: mockFn,
+    }
+  );
+  expect(mockFn).toHaveBeenCalledWith("passed");
+});
+
+test("returns 401 if auth is enabled and user state code doesn't match the request param", async () => {
+  process.env.AUTH_ENABLED = "true";
+  process.env.AUTH0_APP_METADATA_KEY = "TEST_KEY";
+  const mockStatusFn = jest.fn();
+  const mockSendFn = jest.fn();
+  metricsByName(
+    {
+      params: {
+        tenantId: "US_PA",
+      },
+      body: {
+        metrics: ["test_metric"],
+      },
+      user: {
+        [process.env.AUTH0_APP_METADATA_KEY]: {
+          state_code: "us_nd",
+        },
+      },
+    },
+    {
+      status: () => ({ json: mockStatusFn }),
+      send: mockSendFn,
+    }
+  );
+  expect(mockSendFn).not.toHaveBeenCalled();
+  expect(mockStatusFn).toHaveBeenCalledWith({
+    error: "User is not a member of the requested tenant US_PA",
+  });
+});