fix(api): ApiKey auth guard performance

.cspell.json

@@ -540,6 +540,7 @@
     "Ratelimit",
     "stdev",
     "Stdev",
+    "headerapikey",
   ],
   "flagWords": [],
   "patterns": [

apps/api/package.json

@@ -74,6 +74,7 @@
     "newrelic": "^9.15.0",
     "passport": "0.6.0",
     "passport-github2": "^0.1.12",
+    "passport-headerapikey": "^1.2.2",
     "passport-jwt": "^4.0.0",
     "passport-oauth2": "^1.6.1",
     "recursive-diff": "^1.0.8",

apps/api/src/app/auth/auth.module.ts

@@ -18,8 +18,9 @@ import { EnvironmentsModule } from '../environments/environments.module';
 import { JwtSubscriberStrategy } from './services/passport/subscriber-jwt.strategy';
 import { JwtAuthGuard } from './framework/auth.guard';
 import { RootEnvironmentGuard } from './framework/root-environment-guard.service';
+import { ApiKeyStrategy } from './services/passport/apikey.strategy';
 
-const AUTH_STRATEGIES: Provider[] = [];
+const AUTH_STRATEGIES: Provider[] = [JwtStrategy, ApiKeyStrategy, JwtSubscriberStrategy];
 
 if (process.env.GITHUB_OAUTH_CLIENT_ID) {
   AUTH_STRATEGIES.push(GitHubStrategy);
@@ -42,16 +43,7 @@ if (process.env.GITHUB_OAUTH_CLIENT_ID) {
     EnvironmentsModule,
   ],
   controllers: [AuthController],
-  providers: [
-    JwtAuthGuard,
-    ...USE_CASES,
-    ...AUTH_STRATEGIES,
-    JwtStrategy,
-    AuthService,
-    RolesGuard,
-    JwtSubscriberStrategy,
-    RootEnvironmentGuard,
-  ],
+  providers: [JwtAuthGuard, ...USE_CASES, ...AUTH_STRATEGIES, AuthService, RolesGuard, RootEnvironmentGuard],
   exports: [RolesGuard, RootEnvironmentGuard, AuthService, ...USE_CASES, JwtAuthGuard],
 })
 export class AuthModule implements NestModule {

apps/api/src/app/auth/framework/roles.guard.ts

@@ -13,18 +13,6 @@ export class RolesGuard implements CanActivate {
       return true;
     }
 
-    const request = context.switchToHttp().getRequest();
-    if (!request.headers.authorization) return false;
-
-    const token = request.headers.authorization.split(' ')[1];
-    if (!token) return false;
-
-    const authorizationHeader = request.headers.authorization;
-    if (!authorizationHeader?.includes('ApiKey')) {
-      const user = jwt.decode(token) as IJwtPayload;
-      if (!user) return false;
-    }
-
     /*
      * TODO: The roles check implementation is currently not enabled
      * As we are not using roles in the system at this point

apps/api/src/app/auth/framework/root-environment-guard.service.ts

@@ -13,14 +13,7 @@ export class RootEnvironmentGuard implements CanActivate {
 
   async canActivate(context: ExecutionContext) {
     const request = context.switchToHttp().getRequest();
-    if (!request.headers.authorization) return false;
-
-    const token = request.headers.authorization.split(' ')[1];
-    if (!token) return false;
-
-    const user = jwt.decode(token) as IJwtPayload;
-    if (!user) return false;
-    if (!user.environmentId) return false;
+    const user = request.user;
 
     const environment = await this.authService.isRootEnvironment(user);
 

apps/api/src/app/auth/services/passport/apikey.strategy.ts

@@ -0,0 +1,24 @@
+import { HeaderAPIKeyStrategy } from 'passport-headerapikey';
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable, Logger } from '@nestjs/common';
+import { AuthService } from '@novu/application-generic';
+import { IJwtPayload } from '@novu/shared';
+
+@Injectable()
+export class ApiKeyStrategy extends PassportStrategy(HeaderAPIKeyStrategy) {
+  constructor(private readonly authService: AuthService) {
+    super(
+      { header: 'Authorization', prefix: 'ApiKey ' },
+      true,
+      (apikey: string, verified: (err: Error | null, user?: IJwtPayload | false) => void) => {
+        this.authService.validateApiKey(apikey).then((user) => {
+          if (!user) {
+            return verified(null, false);
+          }
+
+          return verified(null, user);
+        });
+      }
+    );
+  }
+}

apps/api/src/app/auth/services/passport/jwt.strategy.ts

@@ -2,11 +2,11 @@ import { ExtractJwt, Strategy } from 'passport-jwt';
 import { PassportStrategy } from '@nestjs/passport';
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { IJwtPayload } from '@novu/shared';
-import { AuthService, Instrument, PinoLogger } from '@novu/application-generic';
+import { AuthService, Instrument } from '@novu/application-generic';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
-  constructor(private readonly authService: AuthService, private logger: PinoLogger) {
+  constructor(private readonly authService: AuthService) {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       secretOrKey: process.env.JWT_SECRET,
@@ -20,12 +20,6 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       throw new UnauthorizedException();
     }
 
-    this.logger.assign({
-      userId: user._id,
-      environmentId: payload.environmentId,
-      organizationId: payload.organizationId,
-    });
-
     return payload;
   }
 }

apps/api/src/app/rate-limiting/guards/throttler.guard.ts

@@ -12,7 +12,6 @@ import { EvaluateApiRateLimit, EvaluateApiRateLimitCommand } from '../usecases/e
 import { Reflector } from '@nestjs/core';
 import { FeatureFlagCommand, GetIsApiRateLimitingEnabled } from '@novu/application-generic';
 import { ApiRateLimitCategoryEnum, ApiRateLimitCostEnum, IJwtPayload } from '@novu/shared';
-import * as jwt from 'jsonwebtoken';
 import { ThrottlerCost, ThrottlerCategory } from './throttler.decorator';
 
 export enum RateLimitHeaderKeysEnum {
@@ -175,8 +174,7 @@ export class ApiRateLimitInterceptor extends ThrottlerGuard implements NestInter
 
   private getReqUser(context: ExecutionContext): IJwtPayload {
     const req = context.switchToHttp().getRequest();
-    const token = req.headers[RateLimitHeaderKeysEnum.AUTHORIZATION.toLowerCase()].split(' ')[1];
 
-    return jwt.decode(token);
+    return req.user;
   }
 }

apps/api/src/app/shared/framework/idempotency.interceptor.ts

@@ -15,7 +15,6 @@ import { CacheService } from '@novu/application-generic';
 import { Observable, of, throwError } from 'rxjs';
 import { catchError, map } from 'rxjs/operators';
 import { createHash } from 'crypto';
-import * as jwt from 'jsonwebtoken';
 import { IJwtPayload } from '@novu/shared';
 
 const LOG_CONTEXT = 'IdempotencyInterceptor';
@@ -93,26 +92,22 @@ export class IdempotencyInterceptor implements NestInterceptor {
     return request.headers[HEADER_KEYS.IDEMPOTENCY_KEY.toLocaleLowerCase()];
   }
 
-  private getReqUser(context: ExecutionContext): IJwtPayload | null {
+  private getReqUser(context: ExecutionContext): IJwtPayload {
     const req = context.switchToHttp().getRequest();
-    if (req?.user?.organizationId) {
-      return req.user;
-    }
-    if (req.headers?.authorization?.length) {
-      const token = req.headers.authorization.split(' ')[1];
-      if (token) {
-        return jwt.decode(token);
-      }
-    }
 
-    return null;
+    return req.user;
   }
 
   private getCacheKey(context: ExecutionContext): string {
-    const { organizationId } = this.getReqUser(context) || {};
+    const user = this.getReqUser(context);
+    if (user === undefined) {
+      const message = 'Cannot build cache key without user';
+      Logger.error(message, LOG_CONTEXT);
+      throw new InternalServerErrorException(message);
+    }
     const env = process.env.NODE_ENV;
 
-    return `${env}-${organizationId}-${this.getIdempotencyKey(context)}`;
+    return `${env}-${user.organizationId}-${this.getIdempotencyKey(context)}`;
   }
 
   async setCache(

packages/application-generic/src/decorators/user-session.decorator.ts

@@ -1,5 +1,8 @@
-import { createParamDecorator, UnauthorizedException } from '@nestjs/common';
-import jwt from 'jsonwebtoken';
+import {
+  InternalServerErrorException,
+  Logger,
+  createParamDecorator,
+} from '@nestjs/common';
 
 // eslint-disable-next-line @typescript-eslint/naming-convention
 export const UserSession = createParamDecorator((data, ctx) => {
@@ -11,28 +14,12 @@ export const UserSession = createParamDecorator((data, ctx) => {
   }
 
   if (req.user) {
-    /**
-     * This helps with sentry and other tools that need to know who the user is based on `id` property.
-     */
-    req.user.id = req.user._id;
-    req.user.username = (req.user.firstName || '').trim();
-    req.user.domain = req.user.email?.split('@')[1];
-
     return req.user;
   }
 
-  if (req.headers) {
-    if (req.headers.authorization) {
-      const tokenParts = req.headers.authorization.split(' ');
-      if (tokenParts[0] !== 'Bearer')
-        throw new UnauthorizedException('bad_token');
-      if (!tokenParts[1]) throw new UnauthorizedException('bad_token');
-
-      const user = jwt.decode(tokenParts[1]);
-
-      return user;
-    }
-  }
-
-  return null;
+  Logger.error(
+    'Attempted to access user session without a user in the request. You probably forgot to add the AuthGuard',
+    'UserSession'
+  );
+  throw new InternalServerErrorException();
 });

packages/application-generic/src/services/auth/auth.guard.ts

@@ -1,54 +1,75 @@
 import {
   ExecutionContext,
-  forwardRef,
-  Inject,
   Injectable,
+  Logger,
   UnauthorizedException,
 } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
+import { AuthGuard, IAuthModuleOptions } from '@nestjs/passport';
 import { Reflector } from '@nestjs/core';
-import { AuthService } from './auth.service';
-import { Instrument } from '../../instrumentation';
+import { PinoLogger } from 'nestjs-pino';
+import { IJwtPayload } from '@novu/shared';
 
 @Injectable()
-export class JwtAuthGuard extends AuthGuard('jwt') {
+export class JwtAuthGuard extends AuthGuard(['jwt', 'headerapikey']) {
   private readonly reflector: Reflector;
 
-  constructor(
-    @Inject(forwardRef(() => AuthService)) private authService: AuthService
-  ) {
+  constructor(private logger: PinoLogger) {
     super();
     this.reflector = new Reflector();
   }
 
-  @Instrument()
-  async canActivate(context: ExecutionContext) {
+  getAuthenticateOptions(context: ExecutionContext): IAuthModuleOptions<any> {
     const request = context.switchToHttp().getRequest();
     const authorizationHeader = request.headers.authorization;
+    const authScheme = authorizationHeader.split(' ')[0];
+    request.authScheme = authScheme;
 
-    if (authorizationHeader) {
-      const authScheme = authorizationHeader.split(' ')[0];
-      request.authScheme = authScheme;
-    }
+    switch (authScheme) {
+      case 'Bearer':
+        return {
+          session: false,
+          defaultStrategy: 'jwt',
+        };
+      case 'ApiKey':
+        const apiEnabled = this.reflector.get<boolean>(
+          'external_api_accessible',
+          context.getHandler()
+        );
+        if (!apiEnabled)
+          throw new UnauthorizedException('API endpoint not available');
 
-    if (authorizationHeader && authorizationHeader.includes('ApiKey')) {
-      const apiEnabled = this.reflector.get<boolean>(
-        'external_api_accessible',
-        context.getHandler()
-      );
-      if (!apiEnabled)
-        throw new UnauthorizedException('API endpoint not available');
+        return {
+          session: false,
+          defaultStrategy: 'headerapikey',
+        };
+      default:
+        throw new UnauthorizedException('Invalid auth scheme');
+    }
+  }
 
-      const key = authorizationHeader.split(' ')[1];
+  handleRequest<TUser = IJwtPayload>(
+    err: any,
+    user: any,
+    info: any,
+    context: ExecutionContext,
+    status?: any
+  ): TUser {
+    const request = context.switchToHttp().getRequest();
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return this.authService.apiKeyAuthenticate(key).then<any>((result) => {
-        request.headers.authorization = `Bearer ${result}`;
+    this.logger.assign({
+      userId: user._id,
+      environmentId: user.environmentId,
+      organizationId: user.organizationId,
+      authScheme: request.authScheme,
+    });
 
-        return true;
-      });
-    }
+    /**
+     * This helps with sentry and other tools that need to know who the user is based on `id` property.
+     */
+    user.id = user._id;
+    user.username = (user.firstName || '').trim();
+    user.domain = user.email?.split('@')[1];
 
-    return super.canActivate(context);
+    return user;
   }
 }