feat: Add API guarding [DEV-2621] (#249)

* Add API guarding * small fixes * review comments and small fixes * Fix authentication middleware (#2) * build: Remove express-jwt * Get rid of unused parameter in function --------- Co-authored-by: DaevMithran <daevmithran1999@gmail.com>
cheqd · Jun 8, 2023 · 3706b4c · 3706b4c
1 parent f3ef100
commit 3706b4c
Show file tree

Hide file tree

Showing 13 changed files with 495 additions and 98 deletions.
diff --git a/.env.example b/.env.example
@@ -2,6 +2,7 @@ MAINNET_RPC_URL=https://rpc.cheqd.net:443
 TESTNET_RPC_URL=https://rpc.cheqd.network:443
 RESOLVER_URL="https://resolver.cheqd.net/1.0/identifiers/"
 ALLOWED_ORIGINS="http://localhost:8787"
+APPLICATION_BASE_URL="http://localhost:8787"
 
 # Database
 ENABLE_EXTERNAL_DB="false"
@@ -10,13 +11,18 @@ EXTERNAL_DB_ENCRYPTION_KEY="<db-encryption-key>"
 # EXTERNAL_DB_CERT="certs/issuer.crt"
 
 # OpenId
-OIDC_JWKS_ENDPOINT='http://localhost:3001/oidc/jwks'
-OIDC_ISSUER='http://localhost:3001/oidc'
-LOGTO_RESOURCE_URL='http://localhost:8787/1.0/api/'
+LOGTO_RESOURCE_URL='http://localhost:8787'
+
+# LogTo
+LOGTO_ENDPOINT='http://localhost:3001'
+LOGTO_APP_ID='ldfsr...rq432'
+LOGTO_APP_SECRET='sdf...sdf'
 
 # Authentication
-ENABLE_AUTHENTICATION="string,default:false"
+ENABLE_AUTHENTICATION="boolean,default:false"
 DEFAULT_CUSTOMER_ID="default customer id"
+ALL_SCOPES="account:create did:create credential:issue"
+
 
 # verida
 ENABLE_VERIDA_CONNECTOR="string,default:false"

diff --git a/Dockerfile b/Dockerfile
@@ -62,6 +62,8 @@ ARG LOGTO_APP_ID
 ARG LOGTO_APP_SECRET
 ARG ALLOWED_ORIGINS
 ARG DEFAULT_CUSTOMER_ID
+ARG ALL_SCOPES
+ARG COOKIE_SECRET
 
 # Verida connector: build-time
 ARG ENABLE_VERIDA_CONNECTOR=false
@@ -78,6 +80,7 @@ ENV PORT ${PORT}
 ENV MAINNET_RPC_URL ${MAINNET_RPC_URL}
 ENV TESTNET_RPC_URL ${TESTNET_RPC_URL}
 ENV RESOLVER_URL ${RESOLVER_URL}
+ENV APPLICATION_BASE_URL ${APPLICATION_BASE_URL}
 
 # Environment variables: Veramo Database configuration
 ENV DB_CONNECTION_URL ${DB_CONNECTION_URL}
@@ -92,6 +95,8 @@ ENV LOGTO_RESOURCE_URL ${LOGTO_RESOURCE_URL}
 ENV LOGTO_APP_ID ${LOGTO_APP_ID}
 ENV LOGTO_APP_SECRET ${LOGTO_APP_SECRET}
 ENV ALLOWED_ORIGINS ${ALLOWED_ORIGINS}
+ENV ALL_SCOPES ${ALL_SCOPES}
+ENV COOKIE_SECRET ${COOKIE_SECRET}
 
 # Environment variables: Verida connector
 ENV ENABLE_VERIDA_CONNECTOR ${ENABLE_VERIDA_CONNECTOR}

diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ The application allows configuring the following parameters using environment va
 1. `MAINNET_RPC_URL`: RPC endpoint for cheqd mainnet. (Default: `https://rpc.cheqd.net:443`)
 2. `TESTNET_RPC_URL`: RPC endpoint for cheqd testnet. (`https://rpc.cheqd.network:443`)
 3. `RESOLVER_URL`: API endpoint for a [DID Resolver](https://github.com/cheqd/did-resolver) endpoint that supports `did:cheqd`.
+4. `APPLICATION_BASE_URL`: URL of the application (external domain name)
 
 #### Veramo KMS Database
 
@@ -70,8 +71,13 @@ We use a self-hosted version of [LogTo](https://logto.io/), which supports OpenI
 
 1. `ENABLE_AUTHENTICATION`: Turns API authentication guards on/off. (Default: `false`)
 2. `LOGTO_ENDPOINT`: API endpoint for LogTo server
-3. `ALLOWED_ORIGINS`: CORS allowed origins used in the app
-4. `DEFAULT_CUSTOMER_ID`: Customer/user in LogTo to use for unauthenticated users.
+3. `LOGTO_RESOURCE_URL`: API resource associated with application
+4. `LOGTO_APP_ID`: Application ID from LogTo. For now, Application is supposed to be a TraditionalWeb
+5. `LOGTO_APP_SECRET`: Application secret. Also should encrypted in deployment
+6. `ALLOWED_ORIGINS`: CORS allowed origins used in the app
+7. `DEFAULT_CUSTOMER_ID`: Customer/user in LogTo to use for unauthenticated users
+8. `ALL_SCOPES`: List of all scopes. Should be a string with scopes divided by whitespace, like `account:create account:read did:create`
+9. `COOKIE_SECRET`: Secret for cookie encryption.
 
 ### 3rd Party Connectors