From b676e8b3f3563487fb2a5a282bb89cea7a50a1ba Mon Sep 17 00:00:00 2001
From: garma00
Date: Wed, 21 Jun 2023 15:24:05 +0200
Subject: [PATCH 1/5] Add some logs
---
 utils/auth_jwt.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/utils/auth_jwt.ts b/utils/auth_jwt.ts
index 5159ff9..9f55961 100644
--- a/utils/auth_jwt.ts
+++ b/utils/auth_jwt.ts
@@ -12,6 +12,8 @@ import {
 getResponseErrorForbiddenNotAuthorized,
 IResponseErrorForbiddenNotAuthorized
 } from "@pagopa/ts-commons/lib/responses";
+import { eventLog } from "@pagopa/winston-ts";
+import { readableReportSimplified } from "@pagopa/ts-commons/lib/reporters";
 import { AssertionRef } from "../generated/definitions/internal/AssertionRef";
 import { OperationId } from "../generated/definitions/internal/OperationId";
@@ -84,6 +86,14 @@ export const verifyJWTMiddleware = (
 pipe(
 req.headers[jwtConfig.BEARER_AUTH_HEADER],
 JWTAuthBearer.decode,
+ eventLog.either.infoLeft(error => [
+ `Invalid JWT`,
+ {
+ error: readableReportSimplified(error),
+ jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
+ name: "lollipop.jwt.invalid"
+ }
+ ]),
 E.mapLeft(_ =>
 getResponseErrorForbiddenNotAuthorized(
 `Invalid or missing JWT in header ${jwtConfig.BEARER_AUTH_HEADER}`
@@ -95,6 +105,14 @@ export const verifyJWTMiddleware = (
 pipe(
 token,
 getValidateAuthJWT(jwtConfig),
+ eventLog.taskEither.infoLeft(error => [
+ `JWT validation error`,
+ {
+ errorMessage: error.message,
+ jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
+ name: "lollipop.jwt.sign.error"
+ }
+ ]),
 TE.mapLeft(_ =>
 getResponseErrorForbiddenNotAuthorized("Invalid or expired JWT")
 )
From b97d0722b740704dbf560a709e9cee74d57edcb7 Mon Sep 17 00:00:00 2001
From: garma00
Date: Wed, 21 Jun 2023 15:25:59 +0200
Subject: [PATCH 2/5] Add request url
---
 utils/auth_jwt.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/utils/auth_jwt.ts b/utils/auth_jwt.ts
index 9f55961..2049d1a 100644
--- a/utils/auth_jwt.ts
+++ b/utils/auth_jwt.ts
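Review bot: Both added `eventLog` payloads, here at `@@ -84` and again at `@@ -95`, write the raw bearer header into the log (`jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER]`), and patches 2 through 4 keep that field. A token that fails the `getValidateAuthJWT` step can still be a usable or recently expired credential (for example one signed with another key or issued for another audience), so this copies secrets into log storage for anyone with log access. Replace the field with a non-reversible fingerprint (a truncated SHA-256 digest of the header value) or drop it and log only the header's presence and length, so the decode/validation error and `requestUrl` remain diagnosable without the credential. The body of verifyJWTMiddleware starts and ends outside these hunks.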
@@ -91,7 +91,8 @@ export const verifyJWTMiddleware = (
 {
 error: readableReportSimplified(error),
 jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
- name: "lollipop.jwt.invalid"
+ name: "lollipop.jwt.invalid",
+ requestUrl: req.url
 }
 ]),
 E.mapLeft(_ =>
@@ -110,7 +111,8 @@ export const verifyJWTMiddleware = (
 {
 errorMessage: error.message,
 jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
- name: "lollipop.jwt.sign.error"
+ name: "lollipop.jwt.sign.error",
+ requestUrl: req.url
 }
 ]),
 TE.mapLeft(_ =>
From 6f1721937d5f4089e16a427fe4afa52baf126603 Mon Sep 17 00:00:00 2001
From: garma00
Date: Thu, 22 Jun 2023 10:54:13 +0200
Subject: [PATCH 3/5] Replace infoLeft with errorLeft
---
 utils/auth_jwt.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/auth_jwt.ts b/utils/auth_jwt.ts
index 2049d1a..7f7ff51 100644
--- a/utils/auth_jwt.ts
+++ b/utils/auth_jwt.ts
@@ -86,7 +86,7 @@ export const verifyJWTMiddleware = (
 pipe(
 req.headers[jwtConfig.BEARER_AUTH_HEADER],
 JWTAuthBearer.decode,
- eventLog.either.infoLeft(error => [
+ eventLog.either.errorLeft(error => [
 `Invalid JWT`,
 {
 error: readableReportSimplified(error),
@@ -106,7 +106,7 @@ export const verifyJWTMiddleware = (
 pipe(
 token,
 getValidateAuthJWT(jwtConfig),
- eventLog.taskEither.infoLeft(error => [
+ eventLog.taskEither.errorLeft(error => [
 `JWT validation error`,
 {
 errorMessage: error.message,
From 49045ce808648064abab056310dc8829bd0375c8 Mon Sep 17 00:00:00 2001
From: gquadrati
Date: Thu, 22 Jun 2023 11:24:59 +0200
Subject: [PATCH 4/5] pass function name to middleware
---
 GetAssertion/handler.ts | 2 +-
 utils/__tests__/auth_jwt.test.ts | 20 ++++++++++++++++----
 utils/auth_jwt.ts | 7 ++++---
 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/GetAssertion/handler.ts b/GetAssertion/handler.ts
index d17ef03..0e0b30f 100644
--- a/GetAssertion/handler.ts
+++ b/GetAssertion/handler.ts
@@ -157,7 +157,7 @@ export function GetAssertion(
 const middlewaresWrap = withRequestMiddlewares(
 AzureApiAuthMiddleware(new Set([UserGroup.ApiLollipopAssertionRead])),
 RequiredParamMiddleware("assertion_ref", AssertionRef),
- verifyJWTMiddleware(jwtConfig)
+ verifyJWTMiddleware(jwtConfig, FN_LOG_NAME)
 );
 return wrapRequestHandler(middlewaresWrap(handler));
 }
diff --git a/utils/__tests__/auth_jwt.test.ts b/utils/__tests__/auth_jwt.test.ts
index 82924dd..006b0b4 100644
--- a/utils/__tests__/auth_jwt.test.ts
+++ b/utils/__tests__/auth_jwt.test.ts
@@ -104,7 +104,10 @@ describe("VerifyJWTMiddleware", () => {
 const authJwt = await getGenerateAuthJWT(aConfigWithPrimaryKey)(aPayload)();
 expect(E.isRight(authJwt)).toBeTruthy();
- const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+ const middleware = verifyJWTMiddleware(
+ aConfigWithTwoPrimaryKeys,
+ "function-Name"
+ );
 if (E.isRight(authJwt)) {
 const mockReq = ({
@@ -129,7 +132,10 @@ describe("VerifyJWTMiddleware", () => {
 WHEN VerifyJWTMiddleware is called\
 THEN it should return a IResponseErrorForbiddenNotAuthorized\
 ", async () => {
- const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+ const middleware = verifyJWTMiddleware(
+ aConfigWithTwoPrimaryKeys,
+ "function-Name"
+ );
 const mockReq = ({
 headers: {
@@ -155,7 +161,10 @@ describe("VerifyJWTMiddleware", () => {
 ", async () => {
 const invalidAuth = "invalidAuth";
- const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+ const middleware = verifyJWTMiddleware(
+ aConfigWithTwoPrimaryKeys,
+ "function-Name"
+ );
 const mockReq = ({
 headers: {
@@ -181,7 +190,10 @@ describe("VerifyJWTMiddleware", () => {
 ", async () => {
 const invalidAuth = "Bearer aa";
- const middleware = verifyJWTMiddleware(aConfigWithTwoPrimaryKeys);
+ const middleware = verifyJWTMiddleware(
+ aConfigWithTwoPrimaryKeys,
+ "function-Name"
+ );
 const mockReq = ({
 headers: {
diff --git a/utils/auth_jwt.ts b/utils/auth_jwt.ts
index 7f7ff51..49e0213 100644
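Review bot: The four test hunks in utils/__tests__/auth_jwt.test.ts only thread the new `"function-Name"` argument through `verifyJWTMiddleware`; none of the two failure cases (`"invalidAuth"`, `"Bearer aa"`) asserts that the error log introduced in the earlier patches is emitted or what it carries, so a regression in the `name`, `requestUrl` or the logged header value would pass the suite. Since the middleware now has an observable side effect on failure, it is worth mocking the `eventLog` module in these tests and asserting the payload passed to `eventLog.either.errorLeft` / `eventLog.taskEither.errorLeft` once per failure branch. Each `describe` callback shown here starts and ends outside its hunk.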
--- a/utils/auth_jwt.ts
+++ b/utils/auth_jwt.ts
@@ -78,7 +78,8 @@ export const getValidateAuthJWT = ({
 *
 */
 export const verifyJWTMiddleware = (
- jwtConfig: JWTConfig
+ jwtConfig: JWTConfig,
+ fnName: string
 ): IRequestMiddleware<"IResponseErrorForbiddenNotAuthorized", AuthJWT> => (
 req // TODO refactor in order to use this method witha generic type
@@ -91,7 +92,7 @@ export const verifyJWTMiddleware = (
 {
 error: readableReportSimplified(error),
 jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
- name: "lollipop.jwt.invalid",
+ name: fnName,
 requestUrl: req.url
 }
 ]),
@@ -111,7 +112,7 @@ export const verifyJWTMiddleware = (
 {
 errorMessage: error.message,
 jwt: req.headers[jwtConfig.BEARER_AUTH_HEADER],
- name: "lollipop.jwt.sign.error",
+ name: fnName,
 requestUrl: req.url
 }
 ]),
From 9bc1d0f737435037356726272dff84dbd39cc991 Mon Sep 17 00:00:00 2001
From: gquadrati
Date: Thu, 22 Jun 2023 11:38:49 +0200
Subject: [PATCH 5/5] fix server url
---
 openapi/external.yaml | 7 +++----
 openapi/external.yaml.template | 17 ++++++++--------
 2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/openapi/external.yaml b/openapi/external.yaml
index 629d925..5660037 100644
--- a/openapi/external.yaml
+++ b/openapi/external.yaml
@@ -4,11 +4,10 @@ info:
 title: IO Lollipop Function Lollipop Consumer API
 x-logo:
 url: https://io.italia.it/assets/img/io-logo-blue.svg
- description: >
- Documentation of the IO Lollipop Function API exposed to Lollipop
- Consumerhere.
+ description: |
+ Documentation of the IO Lollipop Function API exposed to Lollipop Consumer.
 servers:
- - url: https://api.pagopa.it/lollipop/api/v1
+ - url: https://api.io.pagopa.it/lollipop/api/v1
 security:
 - ApiKeyAuth: []
 paths:
diff --git a/openapi/external.yaml.template b/openapi/external.yaml.template
index 7038580..e5ad8cb 100755
--- a/openapi/external.yaml.template
+++ b/openapi/external.yaml.template
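Review bot: Replacing `"lollipop.jwt.invalid"` and `"lollipop.jwt.sign.error"` with `name: fnName` in the hunks at `@@ -91` and `@@ -111` gives the decode failure and the signature/expiry failure the same `name`, so any alert or dashboard keyed on that field can no longer separate a malformed header from a rejected signature without parsing the free-text message. Keep the caller's function name and the event kind together, e.g. `name: \`${fnName}.jwt.invalid\`` in the first hunk and `name: \`${fnName}.jwt.sign.error\`` in the second. The JSDoc block that ends at `*/` in the first hunk should also gain a line for the new `fnName` parameter, e.g. `@param fnName name of the calling function, used as the log event name`. verifyJWTMiddleware's body continues outside these hunks.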
@@ -5,9 +5,9 @@ info:
 x-logo:
 url: https://io.italia.it/assets/img/io-logo-blue.svg
 description: |
- Documentation of the IO Lollipop Function API exposed to Lollipop Consumerhere.
-servers:
- - url: https://api.pagopa.it/lollipop/api/v1
+ Documentation of the IO Lollipop Function API exposed to Lollipop Consumer.
+servers:
+ - url: https://api.io.pagopa.it/lollipop/api/v1
 security:
 - ApiKeyAuth: []
 paths:
@@ -19,7 +19,7 @@ paths:
 - name: assertion_ref
 required: true
 in: path
- schema:
+ schema:
 $ref: "#/components/schemas/AssertionRef"
 - name: x-pagopa-lollipop-auth
 required: true
@@ -78,7 +78,7 @@ components:
 $ref: "../node_modules/@pagopa/io-functions-commons/openapi/lollipop_definitions.yaml#/components/schemas/AssertionRefSha512"
 AssertionRef:
 $ref: "../node_modules/@pagopa/io-functions-commons/openapi/lollipop_definitions.yaml#/components/schemas/AssertionRef"
-
+
 LollipopAuthBearer:
 type: string
 pattern: "^Bearer [a-zA-Z0-9-_].+"
@@ -88,7 +88,7 @@ components:
 SamlUserInfo:
 type: object
 properties:
- response_xml:
+ response_xml:
 type: string
 description: A string representation of a signed SPID/CIE response
 minLength: 1
@@ -103,16 +103,15 @@ components:
 OidcUserInfo:
 type: object
 properties:
- id_token:
+ id_token:
 $ref: "#/components/schemas/OidcSignedJwt"
 claims_token:
 $ref: "#/components/schemas/OidcSignedJwt"
 required:
 - id_token
 - claims_token
-
+
 LCUserInfo:
 oneOf:
 - $ref: "#/components/schemas/SamlUserInfo"
 - $ref: "#/components/schemas/OidcUserInfo"
-