Accept both api key and JWT from API

automation/test.sh

@@ -22,6 +22,7 @@ test_id=$(docker run \
 	-e VPN_API_PORT=80 \
 	-e VPN_CONNECT_PROXY_PORT=3128 \
 	-e BLUEBIRD_DEBUG=1 \
+	-e JSON_WEB_TOKEN_SECRET=jwtsecret \
 	-e API_SERVICE_API_KEY=test_api_service_key \
 	-v $DIR/env-backend.conf:/etc/systemd/system/confd.service.d/env-backend.conf \
 	$IMAGE_NAME)

config/confd/conf.d/env.toml

@@ -6,4 +6,5 @@ keys = [
   "/resin/api/api-key",
   "/resin/vpn/api-key",
   "/resin/proxy/api-key",
+  "/resin/api/jwt/secret",
 ]

config/confd/templates/env.tmpl

@@ -9,6 +9,8 @@ VPN_RESET_DELAY_MS=60000
 VPN_HOST=127.0.0.1
 CURL_EXTRA_FLAGS="--retry 5 --retry-delay 2 --retry-max-time 30"
 
+JSON_WEB_TOKEN_SECRET={{getv "/resin/api/jwt/secret"}}
+
 API_SERVICE_API_KEY={{getv "/resin/api/api-key"}}
 PROXY_SERVICE_API_KEY={{getv "/resin/proxy/api-key"}}
 

package.json

@@ -21,12 +21,14 @@
     "event-stream": "^3.1.7",
     "express": "^4.10.6",
     "generic-pool": "^3.1.6",
+    "jsonwebtoken": "^7.4.0",
     "lodash": "^4.0.0",
     "middleware-handler": "~0.2.0",
     "morgan": "^1.5.1",
     "node-tunnel": "0.2.2",
     "passport": "~0.2.2",
     "passport-http-bearer": "^1.0.1",
+    "passport-jwt": "^2.2.1",
     "pinejs-client": "^2.1.1",
     "request": "^2.51.0",
     "tmp": "~0.0.25",

src/api.coffee

@@ -5,6 +5,20 @@ request = Promise.promisify(require('request'), multiArgs: true)
 _ = require 'lodash'
 passport = require 'passport'
 BearerStrategy = require 'passport-http-bearer'
+JWTStrategy = require('passport-jwt').Strategy
+ExtractJwt = require('passport-jwt').ExtractJwt
+
+passport.use new JWTStrategy
+	secretOrKey: process.env.JSON_WEB_TOKEN_SECRET
+	jwtFromRequest: ExtractJwt.fromAuthHeaderWithScheme('Bearer')
+	(jwtPayload, done) ->
+		if not jwtPayload?
+			return done(null, false)
+
+		# jwt should have a service property with value 'api'
+		if jwtPayload.service is 'api'
+			return done(null, true)
+		done(null, false)
 
 passport.use new BearerStrategy (token, done) ->
 	if token is process.env.API_SERVICE_API_KEY
@@ -27,7 +41,7 @@ module.exports = (vpn) ->
 	api.use(passport.initialize())
 	api.use(bodyParser.json())
 
-	api.get '/api/v1/clients/', passport.authenticate('bearer', session: false), (req, res) ->
+	api.get '/api/v1/clients/', passport.authenticate(['jwt', 'bearer'], session: false), (req, res) ->
 		vpn.getStatus()
 		.then (results) ->
 			res.send(_.values(results.client_list))

test/app.coffee

@@ -7,6 +7,10 @@ http = require 'http'
 requestAsync = Promise.promisify(require('request'), multiArgs: true)
 path = require 'path'
 vpnClient = require 'openvpn-client'
+jsonwebtoken = require 'jsonwebtoken'
+
+createJwt = (payload, secret = process.env.JSON_WEB_TOKEN_SECRET) ->
+	jsonwebtoken.sign(payload, secret)
 
 vpnHost = process.env.VPN_HOST ? '127.0.0.1'
 vpnPort = process.env.VPN_PORT ? '443'
@@ -61,12 +65,19 @@ describe '/api/v1/clients/', ->
 			.expect(401, done)
 
 	describe 'When no clients are connected', ->
-		it 'should return empty client list', (done) ->
+		it 'should return empty client list with api key-based API service authentication', (done) ->
 			supertest('http://localhost')
 			.get('/api/v1/clients/')
 			.set('Authorization', "Bearer #{process.env.API_SERVICE_API_KEY}")
 			.expect(200, '[]', done)
 
+	describe 'When no clients are connected', ->
+		it 'should return empty client list with JWT-based API service authentication', (done) ->
+			supertest('http://localhost')
+			.get('/api/v1/clients/')
+			.set('Authorization', 'Bearer ' + createJwt({ service: 'api' }))
+			.expect(200, '[]', done)
+
 	describe 'When a client connects and disconnects', ->
 		it 'should send the correct data', (done) ->
 			Promise.using vpnClient.connect({ user: 'user1', pass: 'pass' }), ->