From c40741e7f106a71a6e8e919f3e7cdd36823dba19 Mon Sep 17 00:00:00 2001
From: golobitch
Date: Wed, 17 Apr 2024 00:00:22 +0200
Subject: [PATCH] feat(auth): move interaction choice to different port
Accept and reject interaction choices should not be exposed. but other routes can and must be exposed. This is why we need to move the choice routes to different port
BREAKING CHANGE: Routes for accepting and rejecting choice are no longer exposed. Ideally, this must be done through ASE backend service that checks for authentication / authorization #2649
---
 packages/auth/src/app.ts | 56 +++++++++++++++++++++++++++------
 packages/auth/src/config/app.ts | 1 +
 packages/auth/src/index.ts | 3 ++
 3 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/packages/auth/src/app.ts b/packages/auth/src/app.ts
index ee81ba3b85..6e683b5a85 100644
--- a/packages/auth/src/app.ts
+++ b/packages/auth/src/app.ts
@@ -103,6 +103,7 @@ export type AppContainer = IocContract
 export class App {
 private authServer!: Server
+ private authChoiceServer!: Server;
 private introspectionServer!: Server
 private adminServer!: Server
 private logger!: Logger
@@ -330,16 +331,6 @@ export class App {
 interactionRoutes.details
 )
- // Grant accept/reject
- router.post(
- '/grant/:id/:nonce/:choice',
- createValidatorMiddleware(openApi.idpSpec, {
- path: '/grant/{id}/{nonce}/{choice}',
- method: HttpMethod.POST
- }),
- interactionRoutes.acceptOrReject
- )
-
 koa.use(cors())
 koa.keys = [this.config.cookieKey]
 koa.use(
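Review bot: `private authChoiceServer!: Server;` ends with a semicolon while the neighbouring field declarations in this hunk do not, and the same mixed style runs through most of `startAuthChoiceServer` in the next hunk (`const koa = await this.createKoaServer();`, `router.use(bodyParser());`, `this.authChoiceServer = koa.listen(port);`), whereas the lines carried over from the removed block keep the file's no-semicolon style. Dropping them, `private authChoiceServer!: Server`, keeps the declaration consistent with its siblings. The class App starts and ends outside this hunk.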
@@ -391,6 +382,44 @@ export class App {
 this.introspectionServer = koa.listen(port)
 }
+ public async startAuthChoiceServer(port: number | string): Promise {
+ const koa = await this.createKoaServer();
+
+ const router = new Router();
+ router.use(bodyParser());
+
+ const openApi = await this.container.use('openApi')
+ const interactionRoutes = await this.container.use('interactionRoutes');
+
+ // Grant accept/reject
+ router.post(
+ '/grant/:id/:nonce/:choice',
+ createValidatorMiddleware(openApi.idpSpec, {
+ path: '/grant/{id}/{nonce}/{choice}',
+ method: HttpMethod.POST
+ }),
+ interactionRoutes.acceptOrReject
+ )
+
+ koa.use(cors())
+ koa.keys = [this.config.cookieKey]
+ koa.use(
+ session(
+ {
+ key: 'sessionId',
+ maxAge: 60 * 1000,
+ signed: true
+ },
+ koa
+ )
+ )
+
+ koa.use(router.middleware())
+ koa.use(router.routes())
+
+ this.authChoiceServer = koa.listen(port);
+ }
+
 private async createKoaServer(): Promise> {
 const koa = new Koa({
 proxy: this.config.trustProxy
@@ -427,6 +456,9 @@ export class App {
 if (this.authServer) {
 await this.stopServer(this.authServer)
 }
+ if (this.authChoiceServer) {
+ await this.stopServer(this.authChoiceServer)
+ }
 if (this.adminServer) {
 await this.stopServer(this.adminServer)
 }
@@ -455,6 +487,10 @@ export class App {
 return this.getPort(this.authServer)
 }
+ public getAuthChoicePort(): number {
+ return this.getPort(this.authChoiceServer)
+ }
+
 public getIntrospectionPort(): number {
 return this.getPort(this.introspectionServer)
 }
diff --git a/packages/auth/src/config/app.ts b/packages/auth/src/config/app.ts
index d738cd004c..1332ea61b5 100644
--- a/packages/auth/src/config/app.ts
+++ b/packages/auth/src/config/app.ts
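Review bot: `startAuthChoiceServer` applies `cors()` with its permissive defaults and no authentication middleware, so keeping accept/reject private rests entirely on port 3009 not being reachable from outside the deployment, and nothing in the code records that assumption; a TSDoc comment on the method, `/** Internal-only listener for grant accept/reject: no authn/authz is applied here (#2649), so this port must not be exposed beyond the ASE backend; cors() is not needed for a server-to-server caller. */`, would make the intent reviewable. `koa.use(router.middleware())` followed by `koa.use(router.routes())` mounts the same route table twice, since `middleware()` is an alias of `routes()` in koa-router; one `koa.use(router.routes())` suffices, though the auth server (context in the earlier hunk) may carry the same pattern. The session block `key: 'sessionId'`, `maxAge: 60 * 1000`, `signed: true` appears to be copied verbatim from the auth server and could move into a small shared helper so the two listeners cannot drift. The enclosing class App starts and ends outside this hunk.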
@@ -25,6 +25,7 @@ export const Config = {
 logLevel: envString('LOG_LEVEL', 'info'),
 adminPort: envInt('ADMIN_PORT', 3003),
 authPort: envInt('AUTH_PORT', 3006),
+ authChoiceServer: envInt('AUTH_CHOICE_SERVER', 3009),
 introspectionPort: envInt('INTROSPECTION_PORT', 3007),
 env: envString('NODE_ENV', 'development'),
 trustProxy: envBool('TRUST_PROXY', false),
diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
index a1daa2868d..b95f87f044 100644
--- a/packages/auth/src/index.ts
+++ b/packages/auth/src/index.ts
@@ -287,6 +287,9 @@ export const start = async (
 await app.startAuthServer(config.authPort)
 logger.info(`Auth server listening on ${app.getAuthPort()}`)
+ await app.startAuthChoiceServer(config.authChoiceServer)
+ logger.info(`Auth choice server listening on ${app.getAuthChoicePort()}`)
+
 await app.startIntrospectionServer(config.introspectionPort)
 logger.info(`Introspection server listening on ${app.getIntrospectionPort()}`)
 }
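Review bot: `authChoiceServer: envInt('AUTH_CHOICE_SERVER', 3009)` holds a port but is named as if it were a server, unlike the sibling `adminPort`, `authPort` and `introspectionPort` entries in the same hunk; naming it `authChoicePort: envInt('AUTH_CHOICE_PORT', 3009)` keeps the config self-describing, with the call site in the index.ts hunk becoming `await app.startAuthChoiceServer(config.authChoicePort)`. Since the commit's rationale is that this listener must not be exposed, a short comment next to the entry, `// internal-only listener for grant accept/reject; do not publish this port`, would carry that constraint into the place where deployment values are set. The enclosing `start` function in index.ts begins outside its hunk.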