Merge pull request #122 from UoA-eResearch/rc2.2.0

Rc2.2.0

Author: rosemcc

.github/workflows/linting.yml

@@ -0,0 +1,36 @@
+name: Lint
+
+on:
+  # Trigger the workflow on push or pull request,
+  # but only for the main branch
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  run-linters:
+    name: Run linters
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v2
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14
+          
+      - name: Install Node.js dependencies
+        working-directory: ./research-hub-web
+        run: npm ci
+
+      - name: Install Angular CLI
+        run: npm install -g @angular/cli
+        
+      - name: ng lint
+        working-directory: ./research-hub-web
+        run: ng lint

.gitignore

@@ -45,3 +45,5 @@ research-hub-web/typings
 serverless-now/.serverless/
 serverless-now/env/local.env
 
+# ====================== cer-graphql =================== #
+cer-graphql/build

cer-graphql/Dockerfile

@@ -4,6 +4,13 @@ EXPOSE 4000
 WORKDIR /cer-graphql/
 ADD package.json .
 ADD package-lock.json .
-ADD index.js .
+ADD index.ts .
+ADD tsconfig.json .
+ADD authenticateByJwt.ts .
+ADD validateUnauthenticatedQuery.ts .
+ADD assertResultsArePublicItems.ts .
+ADD jest.config.js .
+
 RUN  npm install
-CMD ["node","index.js"]
+RUN npm run build
+CMD ["node","build/index.js"]

cer-graphql/assertResultsArePublicItems.ts

@@ -0,0 +1,16 @@
+import { AuthenticationError } from "apollo-server-errors";
+/**
+ * A validation function that does a shallow check on whether each item in results
+ * is public. If not, throw an authenticationerror.  
+ * @param result Result from delegating a GraphQL call.
+ */
+function assertResultsArePublicItems(result: Record<string, any>) {
+    if (result.items && Array.isArray(result.items)) {
+        const isEveryItemPublic = (result.items as any[]).every(item => !item?.ssoProtected);
+        if (!isEveryItemPublic) {
+            throw new AuthenticationError("Authentication required to view protected content.");
+        }
+    }
+}
+
+export default assertResultsArePublicItems;

cer-graphql/authenticateByJwt.ts

@@ -0,0 +1,74 @@
+import jwt, { JwtHeader } from "jsonwebtoken";
+import jwkToPem, { JWK } from "jwk-to-pem";
+import { NextFunction, Request, Response } from "express";
+import fetch from "cross-fetch";
+import { AuthenticationError } from "apollo-server-errors";
+import { formatError } from "graphql";
+
+interface CognitoPublicKeys {
+    keys: Array<JWK & JwtHeader>
+}
+
+export async function fetchCognitoPublicKeys(jwkUrl: string): Promise<CognitoPublicKeys> {
+    return fetch(jwkUrl).then((response: any) => {
+        if (!response.ok) {
+            throw new Error("Could not reach Cognito public keys URL.");
+        }
+        const jwk = response.json();
+        console.log("Cognito public keys loaded successfully.");
+        return jwk;
+    });
+  }
+
+const verifyJwt = (token: string, jwk: CognitoPublicKeys) => {
+    const decodedJwt = jwt.decode(token, { complete: true });
+    if (!decodedJwt) {
+        throw new Error("Invalid token.");
+    }
+    const key = jwk.keys.find(key => {
+        return key.kid === decodedJwt.header.kid
+    });
+    if (!key) {
+        throw new Error("Signing key for token not found in Cognito public keys.");
+    }
+    const pem = jwkToPem(key);
+    const verifiedToken = jwt.verify(token, pem);
+    if (typeof verifiedToken !== "object") {
+        throw new Error("Token is not in expected format.");
+    }
+    return verifiedToken;
+  };
+
+function getJwtToken(authHeader: string = "") {
+        if (!authHeader.startsWith("Bearer ")) {
+            return null;
+        }
+        return authHeader.substring('Bearer '.length);
+}
+
+export default async function authenticateByJwt(cognitoPublicKeys: CognitoPublicKeys, authHeader = "", isPreviewEnv: boolean)  {
+    const token = getJwtToken(authHeader);
+    // Check if the authorization header exists and has a bearer token.
+    // If not, return null
+    if (!token) {
+        if (isPreviewEnv) {
+            // Reject all non-logged in queries in preview environment
+            console.log("No bearer token sent. In preview environment, so returning AuthenticationError.");
+            throw new AuthenticationError('You must sign in to SSO before accessing preview API.');
+        }
+        return {};
+    } else {
+        try {
+            return {
+                user: verifyJwt(token, cognitoPublicKeys)
+            };
+        } catch (e) {
+            console.log("Exception thrown while verifying user", e);
+            if (isPreviewEnv) {
+                // Reject all non-logged in queries in preview environment
+                console.log("In preview environment, so returning AuthenticationError.\n", e)
+                throw new AuthenticationError('You must sign in to SSO before accessing preview API.');
+            }
+        }
+    }
+}