Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support for jwt on api #896

Merged
merged 27 commits into from Aug 21, 2018
Merged

feat: add support for jwt on api #896

merged 27 commits into from Aug 21, 2018

Conversation

@juanpicado
Copy link
Member

juanpicado commented Aug 5, 2018

Type: feat
Description:

This PR aims to deprecate AES token generator but without replacing it and allow to use JWT as an alternative on API. (#168 (comment))

Provides customize JWT signature and verification based on
https://github.com/auth0/node-jsonwebtoken#usage

Default Security Config

security:
  api:
    jwt:
      sign:
        expiresIn: 60d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d

Legacy

Legacy refers to the default authentification (#168 (comment)) used by 2.x and 3.x. If you don't define the security block, legacy is being enabled by default.

security:
  api:
    legacy: true
  web:
    sign:
      expiresIn: 7d

.npmrc

//localhost:4873/:_authToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoianVhbjExIiwiZ3JvdXBzIjpbImp1YW4xMSIsIiRhbGwiLCIkYXV0aGVudGljYXRlZCIsIkBhbGwiLCJAYXV0aGVudGljYXRlZCIsImFsbCJdLCJyZWFsX2dyb3VwcyI6WyJqdWFuMTEiXSwiZ3JvdXAiOlsianVhbjExIl0sImlhdCI6MTUzNDAwOTkzOSwibmJmIjoxNTM0MDA5OTM5LCJleHAiOjE1MzQ2MTQ3Mzl9.FPQ__wb-CIT2Gnti0fMyBw6XK20Zv8xuuZBqVVaCr7s

Resolves #168 #729

馃啎 enable JWT by default on API.

https://verdaccio.org/blog/2019/04/19/diving-into-jwt-support-for-verdaccio-4

@juanpicado juanpicado added the WIP label Aug 5, 2018
@juanpicado juanpicado added this to the 4.0.0 milestone Aug 5, 2018
@juanpicado juanpicado changed the base branch from master to 4.x Aug 5, 2018
@juanpicado juanpicado force-pushed the feature-168 branch from 271fdf0 to 5800169 Aug 5, 2018
@juanpicado juanpicado force-pushed the feature-168 branch from 5800169 to ac1936f Aug 5, 2018
@verdaccio verdaccio deleted a comment from commitlint bot Aug 5, 2018
add multiple scenarios with configuration file
@juanpicado juanpicado force-pushed the feature-168 branch from 14ae935 to f7f978a Aug 7, 2018
juanpicado added 11 commits Aug 8, 2018
@@ -15,7 +15,7 @@ const spliceURL = require('../../utils/string').spliceURL;
module.exports = function(config, auth, storage) {
Search.configureStorage(storage);

router.use(auth.webUIJWTmiddleware());
// router.use(auth.webUIJWTmiddleware());

This comment has been minimized.

Copy link
@juanpicado

juanpicado Aug 14, 2018

Author Member

reminder: this is odd

juanpicado added 4 commits Aug 15, 2018
@juanpicado juanpicado mentioned this pull request Aug 15, 2018
juanpicado added 2 commits Aug 15, 2018

return credentials;
} else {
return;

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

No need of return

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

may be you want it more readable..

Copy link
Member

ayusharma left a comment

Can you replace err with error. I'll run it locally later and give one more review.

return jwt.sign(payload, secretOrPrivateKey, {
notBefore: '1000', // Make sure the time will not rollback :)
...options,
}, (err, token) => {

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

arrow ===> function expression

@@ -76,7 +76,7 @@ export default class VerdaccioProcess implements IServerProcess {
});

this.childFork.on('error', (err) => {
console.log('error process', err);
// console.log('error process', err);

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

can we remove it ?

});
} else {
// i am wiling to use here _.isNil but flow does not like it yet.
if (typeof security.api.jwt !== 'undefined' &&

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

Destructure...

const {jwt} = security.api;

export function createSessionToken(): CookieSessionToken {
return {
// npmjs.org sets 10h expire
expires: new Date(Date.now() + 10 * 60 * 60 * 1000),

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

can we have this as a constant somewhere?

}

export function getAuthenticatedMessage(user: string): string {
return `you are authenticated as '${user}'`;

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

Just check ' this in $user

This comment has been minimized.

Copy link
@juanpicado

juanpicado Aug 17, 2018

Author Member

Yes, it's intended. Don't ask me why :-) ... it was there already and unless I know what it does i cannot remove it.

}

export function isAESLegacy(security: Security): boolean {
return _.isNil(security.api.legacy) === false &&

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

Suggestion: destructures..


return credentials;
} else {
return;

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

may be you want it more readable..

if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
return verifyJWTPayload(token, secret);
} else {
return;

This comment has been minimized.

Copy link
@ayusharma

ayusharma Aug 16, 2018

Member

same here.. return

This comment has been minimized.

Copy link
@juanpicado

juanpicado Aug 17, 2018

Author Member

it was mostly for debugging. Removed

juanpicado added 3 commits Aug 17, 2018
Copy link
Contributor

priscilawebdev left a comment

Great! Looks fine 馃憤

juanpicado added 3 commits Aug 21, 2018
I forgot add this before 馃樂
in case we want more output
@juanpicado juanpicado merged commit a68d247 into 4.x Aug 21, 2018
14 checks passed
14 checks passed
DEP All dependencies are resolved
WIP ready for review
Details
bundlesize Total bundle size is 330.17KB/590.5KB (-null)
Details
ci/circleci: coverage Your tests passed on CircleCI!
Details
ci/circleci: prepare Your tests passed on CircleCI!
Details
ci/circleci: test_e2e Your tests passed on CircleCI!
Details
ci/circleci: test_node10 Your tests passed on CircleCI!
Details
ci/circleci: test_node6 Your tests passed on CircleCI!
Details
ci/circleci: test_node8 Your tests passed on CircleCI!
Details
ci/circleci: test_node9 Your tests passed on CircleCI!
Details
ci/circleci: test_size Your tests passed on CircleCI!
Details
commitlint found 0 problems, 0 warnings
security/snyk - package.json (juanpicado) No new issues
Details
security/snyk - website/package.json (juanpicado) No manifest changes detected
Verdaccio 4 automation moved this from In Progress to Done Aug 21, 2018
@delete-merged-branch delete-merged-branch bot deleted the feature-168 branch Aug 21, 2018
@juanpicado

This comment has been minimized.

Copy link
Member Author

juanpicado commented Aug 21, 2018

Thanks @priscilawebdev @ayusharma for CR, this is a nice feature.

priscilawebdev added a commit that referenced this pull request Sep 16, 2018
* feat: add support for jwt on api

* test: add unit test for sign token with jwt

add multiple scenarios with configuration file

* chore: add JWT verification on middleware

* chore: restore headless

* chore: restore middleware header validation

* refactor: fix login whether user exists

* refactor: JWT is signed asynchronously

* refactor: better structure and new naming convention

* test: add unit test for token signature

* test: add unit test for creating user with JWT enabled

#168

* docs: add security section jwt

* refactor: renable  web auth middleware

* test(auth): add legacy disabled scenario

* chore: update gitignore

* chore: add some es6 sugar

* feat: enable JWT token signature for new installations

* chore: add yaml files to git

I forgot add this before 馃樂

* chore: trace log on auth

in case we want more output
priscilawebdev added a commit that referenced this pull request Sep 19, 2018
* feat: add support for jwt on api

* test: add unit test for sign token with jwt

add multiple scenarios with configuration file

* chore: add JWT verification on middleware

* chore: restore headless

* chore: restore middleware header validation

* refactor: fix login whether user exists

* refactor: JWT is signed asynchronously

* refactor: better structure and new naming convention

* test: add unit test for token signature

* test: add unit test for creating user with JWT enabled

#168

* docs: add security section jwt

* refactor: renable  web auth middleware

* test(auth): add legacy disabled scenario

* chore: update gitignore

* chore: add some es6 sugar

* feat: enable JWT token signature for new installations

* chore: add yaml files to git

I forgot add this before 馃樂

* chore: trace log on auth

in case we want more output
@lock

This comment has been minimized.

Copy link

lock bot commented Jan 8, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
Verdaccio 4
  
Done
3 participants
You can鈥檛 perform that action at this time.