Merge pull request #42 from pagopa/add-jwt-log

fix: Add jwt log
pagopa · Jun 22, 2023 · ec14b8f · ec14b8f
2 parents 928a21a + 9bc1d0f
commit ec14b8f
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 19 deletions.
diff --git a/GetAssertion/handler.ts b/GetAssertion/handler.ts
@@ -157,7 +157,7 @@ export function GetAssertion(
   const middlewaresWrap = withRequestMiddlewares(
     AzureApiAuthMiddleware(new Set([UserGroup.ApiLollipopAssertionRead])),
     RequiredParamMiddleware("assertion_ref", AssertionRef),
-    verifyJWTMiddleware(jwtConfig)
+    verifyJWTMiddleware(jwtConfig, FN_LOG_NAME)
   );
   return wrapRequestHandler(middlewaresWrap(handler));
 }
diff --git a/openapi/external.yaml b/openapi/external.yaml
@@ -4,11 +4,10 @@ info:
   title: IO Lollipop Function Lollipop Consumer API
   x-logo:
     url: https://io.italia.it/assets/img/io-logo-blue.svg
-  description: >
-    Documentation of the IO Lollipop Function API exposed to Lollipop
-    Consumerhere.
+  description: |
+    Documentation of the IO Lollipop Function API exposed to Lollipop Consumer.
 servers:
-  - url: https://api.pagopa.it/lollipop/api/v1
+  - url: https://api.io.pagopa.it/lollipop/api/v1
 security:
   - ApiKeyAuth: []
 paths:

diff --git a/openapi/external.yaml.template b/openapi/external.yaml.template
@@ -5,9 +5,9 @@ info:
   x-logo:
     url: https://io.italia.it/assets/img/io-logo-blue.svg
   description: |
-    Documentation of the IO Lollipop Function API exposed to Lollipop Consumerhere.
-servers: 
-  - url: https://api.pagopa.it/lollipop/api/v1
+    Documentation of the IO Lollipop Function API exposed to Lollipop Consumer.
+servers:
+  - url: https://api.io.pagopa.it/lollipop/api/v1
 security:
   - ApiKeyAuth: []
 paths:
@@ -19,7 +19,7 @@ paths:
         - name: assertion_ref
           required: true
           in: path
-          schema: 
+          schema:
             $ref: "#/components/schemas/AssertionRef"
         - name: x-pagopa-lollipop-auth
           required: true
@@ -78,7 +78,7 @@ components:
       $ref: "../node_modules/@pagopa/io-functions-commons/openapi/lollipop_definitions.yaml#/components/schemas/AssertionRefSha512"
     AssertionRef:
       $ref: "../node_modules/@pagopa/io-functions-commons/openapi/lollipop_definitions.yaml#/components/schemas/AssertionRef"
-    
+
     LollipopAuthBearer:
       type: string
       pattern: "^Bearer [a-zA-Z0-9-_].+"
@@ -88,7 +88,7 @@ components:
     SamlUserInfo:
       type: object
       properties:
-        response_xml: 
+        response_xml:
           type: string
           description: A string representation of a signed SPID/CIE response
           minLength: 1
@@ -103,16 +103,15 @@ components:
     OidcUserInfo:
       type: object
       properties:
-        id_token: 
+        id_token:
           $ref: "#/components/schemas/OidcSignedJwt"
         claims_token:
           $ref: "#/components/schemas/OidcSignedJwt"
       required:
         - id_token
         - claims_token
-          
+
     LCUserInfo:
       oneOf:
         - $ref: "#/components/schemas/SamlUserInfo"
         - $ref: "#/components/schemas/OidcUserInfo"
-
diff --git a/utils/__tests__/auth_jwt.test.ts b/utils/__tests__/auth_jwt.test.ts
@@ -104,7 +104,10 @@ describe("VerifyJWTMiddleware", () => {
     const authJwt = await getGenerateAuthJWT(aConfigWithPrimaryKey)(aPayload)();
     expect(E.isRight(authJwt)).toBeTruthy();
 
-    const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+    const middleware = verifyJWTMiddleware(
+      aConfigWithTwoPrimaryKeys,
+      "function-Name"
+    );
 
     if (E.isRight(authJwt)) {
       const mockReq = ({
@@ -129,7 +132,10 @@ describe("VerifyJWTMiddleware", () => {
     WHEN VerifyJWTMiddleware is called\
     THEN it should return a IResponseErrorForbiddenNotAuthorized\
     ", async () => {
-    const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+    const middleware = verifyJWTMiddleware(
+      aConfigWithTwoPrimaryKeys,
+      "function-Name"
+    );
 
     const mockReq = ({
       headers: {
@@ -155,7 +161,10 @@ describe("VerifyJWTMiddleware", () => {
     ", async () => {
     const invalidAuth = "invalidAuth";
 
-    const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+    const middleware = verifyJWTMiddleware(
+      aConfigWithTwoPrimaryKeys,
+      "function-Name"
+    );
 
     const mockReq = ({
       headers: {
@@ -181,7 +190,10 @@ describe("VerifyJWTMiddleware", () => {
     ", async () => {
     const invalidAuth = "Bearer aa";
 
-    const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+    const middleware = verifyJWTMiddleware(
+      aConfigWithTwoPrimaryKeys,
+      "function-Name"
+    );
 
     const mockReq = ({
       headers: {

diff --git a/utils/auth_jwt.ts b/utils/auth_jwt.ts
@@ -12,6 +12,8 @@ import {
   getResponseErrorForbiddenNotAuthorized,
   IResponseErrorForbiddenNotAuthorized
 } from "@pagopa/ts-commons/lib/responses";
+import { eventLog } from "@pagopa/winston-ts";
+import { readableReportSimplified } from "@pagopa/ts-commons/lib/reporters";
 import { AssertionRef } from "../generated/definitions/internal/AssertionRef";
 import { OperationId } from "../generated/definitions/internal/OperationId";
 
@@ -76,14 +78,24 @@ export const getValidateAuthJWT = ({
  * */
 
 export const verifyJWTMiddleware = (
-  jwtConfig: JWTConfig
+  jwtConfig: JWTConfig,
+  fnName: string
 ): IRequestMiddleware<"IResponseErrorForbiddenNotAuthorized", AuthJWT> => (
   req
   // TODO refactor in order to use this method witha generic type
 ): Promise<E.Either<IResponseErrorForbiddenNotAuthorized, AuthJWT>> =>
   pipe(
     req.headers[jwtConfig.BEARER_AUTH_HEADER],
     JWTAuthBearer.decode,
+    eventLog.either.errorLeft(error => [
+      `Invalid JWT`,
+      {
+        error: readableReportSimplified(error),
+        jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
+        name: fnName,
+        requestUrl: req.url
+      }
+    ]),
     E.mapLeft(_ =>
       getResponseErrorForbiddenNotAuthorized(
         `Invalid or missing JWT in header ${jwtConfig.BEARER_AUTH_HEADER}`
@@ -95,6 +107,15 @@ export const verifyJWTMiddleware = (
       pipe(
         token,
         getValidateAuthJWT(jwtConfig),
+        eventLog.taskEither.errorLeft(error => [
+          `JWT validation error`,
+          {
+            errorMessage: error.message,
+            jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
+            name: fnName,
+            requestUrl: req.url
+          }
+        ]),
         TE.mapLeft(_ =>
           getResponseErrorForbiddenNotAuthorized("Invalid or expired JWT")
         )