authenticate private urls

README.md

@@ -164,6 +164,7 @@ gulp eslint
 | AWS_SECRET_ACCESS_KEY                | XXXX                         |                                                                             |
 | AWS_DEFAULT_REGION                   | us-east-1                    |                                                                             |
 | AWS_S3_BUCKET_NAME                   | maestroserver                |                                                                             |
+| AWS_S3_PRIVATE_BUCKET_NAME           | privatemaestro               | Used to upload internal files, as an example ansible facts and tf states    |
 | AWS_ENDPOINT                         | ny3.spacesdigitalocean       | S3 endpoint                                                                 |
 | MAESTRO_UPLOAD_TYPE                  | S3/Local                     | Upload mode                                                                 |
 | LOCAL_DIR                            | /public/static               | Upload public folder, as an example avatar images.                          |

app/identity/config/auth_conector_private.js

@@ -0,0 +1,36 @@
+'use strict';
+
+const _ = require('lodash');
+const {Passport} = require('passport');
+
+const {Strategy} = require('passport-jwt');
+const config = require('./auth_config_private')();
+const PermissionError = require('core/errors/factoryError')('PermissionError');
+
+module.exports = function () {
+    const passport = new Passport();
+
+    const strategy = new Strategy(config.jwtSecret, function (payload, done) {
+
+        const {noauth} = payload;
+
+        const countern = process.env.MAESTRO_NOAUTH || "defaultSecretNoAuthToken"
+
+        if (noauth === countern) {
+            return done(null, payload);
+        }
+        return done(new PermissionError("Invalid token"), false);
+
+    });
+
+    passport.use(strategy);
+
+    return {
+        initialize: () => {
+            return passport.initialize();
+        },
+        authenticate: () => {
+            return passport.authenticate("jwt", config.jwtSession);
+        }
+    };
+};

app/identity/config/auth_config_private.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const {ExtractJwt} = require('passport-jwt');
+
+module.exports = () => {
+    const secret = process.env.MAESTRO_SECRETJWT_PRIVATE;
+
+    return {
+        jwtSecret: {
+            secretOrKey: secret || 'defaultSecretKeyPrivate',
+            jwtFromRequest: ExtractJwt.fromAuthHeaderWithScheme('jwt')
+        },
+        jwtSession: {
+            session: false
+        }
+    };
+};

app/identity/middlewares/authenticate_private.js

@@ -0,0 +1,7 @@
+'use strict';
+
+const privateAuth = require('identity/config/auth_conector_private');
+
+module.exports = function () {
+    return privateAuth().authenticate();
+};

app/identity/routers/profile/users.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const authenticate = require('identity/middlewares/authenticate');
+const authenticate_private = require('identity/middlewares/authenticate_private');
 
 const User = require('identity/entities/Users');
 const UserAuth = require('identity/entities/Auth');
@@ -130,7 +131,7 @@ module.exports = function (router) {
          *     HTTP/1.1 200 OK
          *     {}
          */
-        .get('/upload/file/', UploaderApp.readFile)
+        .get('/upload/file/', authenticate_private(), UploaderApp.readFile)
 
         /**
          * @api {put} /users/upload g. Upload file in local server (used only local upload is enabled)