Add token support

[DerMolly]

Component/Part

private api

Description

This PR adds the private api and the token routes.

This can be merged after #733 was merged.

Steps

• Added implementation
• I read the contribution documentation and
  signed-off my commits to accept the DCO.

[codecov]

Codecov Report

Merging #738 (2c38bd5) into develop (b586b9f) will decrease coverage by 0.33%.
The diff coverage is 82.24%.

@@             Coverage Diff             @@
##           develop     #738      +/-   ##
===========================================
- Coverage    82.30%   81.96%   -0.34%     
===========================================
  Files           58       65       +7     
  Lines         1000     1181     +181     
  Branches        57       74      +17     
===========================================
+ Hits           823      968     +145     
- Misses         175      211      +36     
  Partials         2        2              

Flag	Coverage Δ
e2e-tests	72.26% <50.46%> (-5.40%)	⬇️
integration-tests	58.51% <77.38%> (+3.89%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/revisions/authorship.entity.ts	100.00% <ø> (ø)
src/users/identity.entity.ts	100.00% <ø> (ø)
src/users/users.module.ts	100.00% <ø> (ø)
src/errors/errors.ts	60.00% <50.00%> (-6.67%)	⬇️
src/auth/token.strategy.ts	58.33% <58.33%> (ø)
src/api/private/tokens/tokens.controller.ts	66.66% <66.66%> (ø)
src/api/public/me/me.controller.ts	71.42% <75.00%> (+2.19%)	⬆️
src/auth/auth.service.ts	75.25% <75.25%> (ø)
src/api/private/private-api.module.ts	100.00% <100.00%> (ø)
src/api/public/media/media.controller.ts	73.33% <100.00%> (+1.90%)	⬆️
... and 22 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b586b9f...2c38bd5. Read the comment docs.

[InnayTool]

This PR adds some database fields, we have to update the db-schema.plantuml.

[DerMolly]

This PR adds some database fields, we have to update the db-schema.plantuml.

This PR is still a Draft 😉

[InnayTool]

We should hash the auth token in database because it's working like a password.

[InnayTool]

This PR adds some database fields, we have to update the db-schema.plantuml.

This PR is still a Draft wink

yes I only want to mention it because it can easiely be forgotten.

[SISheogorath]

A minor and a major remark that we should get sorted.

[davidmehren]

I feel using a JWT is a bit overcomplicated here.
Why not:

• generate some random bytes
• create a string using base64url -> the secret
• hash the string using bcrypt2 and save to the database
• hand the token to the user as base64url(username).secret

When we get a token from the user, we can then get the username and only check the database for tokens that correspond to the user.

The only downside of this approach is that check-time scales linearly with the amount of API tokens a user has, but we could just limit that to a reasonable number (20?).

[ErikMichelson]

Inspired by @davidmehren's idea: What about having a key-secret pair?

I could imagine the following process:

• generate two random strings using base64url
• one of the strings will be inserted into the database directly as keyid, the other one will be hashed and inserted into the database as corresponding secret
• the token consists of KEYID.SECRET

With that approach you won't have a linear scale on the process to find the user for a token.

[DerMolly]

If we use the id of the token anyway (for deletion purposes), we could just use that instead of a new second random string.

[SISheogorath]

Let's not invent an own session management. The OWASP has some quite clear guidelines: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

We should also see if there might be a library which just takes care of that, as it appears to be a quite common use case.

[DerMolly]

Let's not invent an own session management. The OWASP has some quite clear guidelines: cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Your linking to something talking about sessions, when we don't implement any sessions (in this PR). I'm a bit confused what we should take from that post?

[DerMolly]

If we use the id of the token anyway (for deletion purposes), we could just use that instead of a new second random string.

A point against this made by @InnayTool is that an incrementing id would tell every user exactly how many tokens were at one point issued on the instance. An information we may want to not disclose.

[ErikMichelson]

To make it clear:
I had the following data-structure in my mind:

• id (autogenerated, may be counted up, is always non-public, needs to be unique)
• user-id (relation to users table)
• keyid (A, needs to be unique)
• secret (hash of B)

The token is made from A.B.
A and B are both each a base64url version of random bytes.

An API user authenticates via the A.B token. The database lookup for the user of the token is O(1) as the keyid can be matched directly to the user.

This doesn't involve any session logic. It's just about the tokens for the API. A user has a list of their API keyids to delete them any time. After generation a user can not reclaim the secret as it's only stored hashed.

In some terms this would be similar to GitHub's PATs.

Should be adressed