feat: Add API key support

2023-06-20 01:47:00 +02:00
parent 5c1ed32cb6
commit eac88b2ec3
14 changed files with 406 additions and 75 deletions
--- a/src/components/Passthrough.astro
+++ b/src/components/Passthrough.astro
@ -0,0 +1,16 @@
+---
+const json = JSON.stringify(Astro.props)
+
+/**
+ * note: you MUST only pass simple items that can go in JSON format natively
+ */
+export function load<T extends {} = {}>(): T {
+	const tag = document.querySelector<HTMLScriptElement>('#ASTRO_DATA')
+	if (!tag) {
+		throw new Error('could not load client variables, tag not found')
+	}
+	return JSON.parse(tag.innerText)
+}
+
+---
+<script id="ASTRO_DATA" is:inline type="application/json" set:html={json}></script>
--- a/src/libs/CookieManager.ts
+++ b/src/libs/CookieManager.ts
@ -0,0 +1,56 @@
+import type { ServerResponse } from 'node:http'
+
+export default class CookieManager {
+	private cookies: Record<string, string> = {}
+	public constructor(data?: string | Record<string, string>) {
+		if (typeof data === 'string') {
+			data.split(';').forEach((keyValuePair) => {
+				const [key, value] = keyValuePair.split('=')
+				this.cookies[key.trim()] = value.trim().replace(/%3B/g, ';')
+			})
+		} else if (typeof data === 'object') {
+			this.cookies = data
+		}
+	}
+
+	public static addCookie(res: ServerResponse, cookie: {
+		key: string
+		value: string
+		expire?: string
+		maxAge?: number
+		domain?: string
+		path?: string
+		secure?: boolean
+		httpOnly?: boolean
+		sameSite?: 'Lax' | 'None' | 'Strict'}
+	) {
+		const items: Array<string> = [`${cookie.key}=${cookie.value.replace(/;/g, '%3B')}`]
+		if (cookie.expire) {
+			items.push(`Expires=${cookie.expire}`)
+		}
+		if (cookie.maxAge) {
+			items.push(`Max-Age=${cookie.maxAge}`)
+		}
+		if (cookie.domain) {
+			items.push(`Domain=${cookie.domain}`)
+		}
+		if (cookie.path) {
+			items.push(`Path=${cookie.path}`)
+		}
+		if (cookie.secure) {
+			items.push('Secure')
+		}
+		if (cookie.httpOnly) {
+			items.push('HttpOnly')
+		}
+		if (cookie.sameSite) {
+			items.push(`SameSite=${cookie.sameSite}`)
+		}
+		res.setHeader('Set-Cookie', items.join('; '))
+	}
+
+	public get(key: string): string | undefined {
+		return this.cookies[key]
+	}
+
+}
--- a/src/libs/RFCs/RFC7807.ts
+++ b/src/libs/RFCs/RFC7807.ts
@ -52,6 +52,11 @@ export default interface RFC7807 {
 	instance?: string
 }

+/**
+ *
+ * @param error the error (base items are type, status, title details and instance)
+ * @returns
+ */
 export function buildRFC7807(error: RFC7807 & Record<string, any>): Response {
 	return new Response(JSON.stringify(error), {
 		headers: {
--- a/src/libs/validateAuth.ts
+++ b/src/libs/validateAuth.ts
@ -0,0 +1,123 @@
+import DaoFactory from '../models/DaoFactory'
+import CookieManager from './CookieManager'
+import RFC7807, { buildRFC7807 } from './RFCs/RFC7807'
+
+interface Permission {
+	name: string
+	/**
+	 * if set it will be usable by users
+	 *
+	 * else only users with the `admin.` prefix in the key can run it
+	 */
+	api: boolean
+
+	/**
+	 * if set to true it will pass if a cookie authenticate a valid user
+	 */
+	cookie: boolean
+}
+
+/**
+ * validate the authentification
+ * @param request the request
+ * @param permission the permission to validate
+ * @returns a Response if the request is invalid, null otherwise
+ *
+ * TODO: implement rate limiting
+ * http/2.0 429 TOO MANY REQUESTS
+ * Content-Type: application/json
+ * X-RateLimit-Limit: 1000
+ * X-RateLimit-Remaining: 0
+ * X-RateLimit-Reset: 123456789
+ * X-RateLimit-Reset-After: 9 // Number of seconds before the remaining Rate go back to 0
+ */
+export async function validateAuth(request: Request, permission: Permission): Promise<Response | null> {
+	const apiKeyHeader = request.headers.get('Authorization')
+	const cookieHeader = request.headers.get('Cookie')
+	if (apiKeyHeader) {
+		const apiKey = apiKeyHeader.slice(apiKeyHeader.lastIndexOf(' ') + 1)
+		const dao = await DaoFactory.get('apiKey').findOne({
+			key: apiKey
+		})
+		const perm = permission.name.split('.')
+		const match = dao?.permissions.find((it) => {
+			const itSplit = it.split('.')
+			if (itSplit[0] === 'admin') {
+				itSplit.shift()
+			}
+			for (let idx = 0; idx < itSplit.length; idx++) {
+				const permissionLayer = itSplit[idx]
+				const requestPermissionLayer = perm[idx]
+				if (permissionLayer === '*') {
+					return true
+				} else if (permissionLayer !== requestPermissionLayer) {
+					return false
+				}
+			}
+			return itSplit.length === perm.length
+			// return it.endsWith(permission.name)
+		})
+		if (match && (permission.api || match.startsWith('admin.'))) {
+			return null
+		} else if (permission.api) {
+			return buildRFC7807({
+				type: '/unauthorized-access',
+				status: 401,
+				title: 'Unauthorized access',
+				details: `you are missing the permission "${permission.name}" or is not an admin`
+			})
+		}
+	} else if (permission.api && !permission.cookie) {
+		return buildRFC7807({
+			type: '/unauthorized-access',
+			status: 401,
+			title: 'Unauthorized access',
+			details: `You MUST define an API key fo use this endpoint`
+		})
+	}
+
+	if (cookieHeader && permission.cookie) {
+		// TODO: make a better cookie implementation
+		const cookies = new CookieManager(cookieHeader)
+		const userCookie = cookies.get('userId')
+		if (!userCookie) {
+			return buildRFC7807({
+				type: '/unauthorized-access',
+				status: 401,
+				title: 'Unauthorized access',
+				details: `you must be connected to use this endpoint (missing the userId cookie)`
+			})
+		}
+		const dao = await DaoFactory.get('user').get(userCookie)
+		if (!dao) {
+			return buildRFC7807({
+				type: '/unauthorized-access',
+				status: 401,
+				title: 'Unauthorized access',
+				details: `the user does not exists`
+			})
+		}
+		return null
+	} else if (!permission.api && permission.cookie) {
+		return buildRFC7807({
+			type: '/unauthorized-access',
+			status: 401,
+			title: 'Unauthorized access',
+			details: `You MUST be connected to your account to use this endpoint`
+		})
+	} else if (permission.api && permission.cookie) {
+		return buildRFC7807({
+			type: '/unauthorized-access',
+			status: 401,
+			title: 'Unauthorized access',
+			details: `You must be connected or use an API key to access this endpoint`
+		})
+	}
+	return buildRFC7807({
+		type: '/unauthorized-access',
+		status: 401,
+		title: 'Unauthorized access',
+		details: `the following endpoint is not currently accessible by any means`
+	})
+
+}
--- a/src/models/APIKey/APIKeyDao.ts
+++ b/src/models/APIKey/APIKeyDao.ts
@ -0,0 +1,79 @@
+import { objectOmit } from '@dzeio/object-util'
+import mongoose from 'mongoose'
+import type APIKey from '.'
+import Client from '../Client'
+import Dao from '../Dao'
+
+export default class APIKeyDao extends Dao<APIKey> {
+
+	// @ts-expect-error typing fix
+	private model = mongoose.models['APIKey'] as null ?? mongoose.model('APIKey', new mongoose.Schema({
+		user: { type: String, required: true },
+		key: { type: String, required: true, unique: true, index: true},
+		permissions: [{ type: String }]
+	}, {
+		timestamps: true
+	}))
+
+	public async create(obj: Omit<APIKey, 'id' | 'created' | 'updated'>): Promise<APIKey | null> {
+		await Client.get()
+		return this.fromSource(await this.model.create(obj))
+	}
+
+	public async findAll(query?: Partial<APIKey> | undefined): Promise<APIKey[]> {
+		await Client.get()
+		try {
+			if (query?.id) {
+				const item = await this.model.findById(new mongoose.Types.ObjectId(query.id))
+				if (!item) {
+					return []
+				}
+				return [this.fromSource(item)]
+			}
+			const resp = await this.model.find(query ? this.toSource(query as APIKey) : {})
+			return resp.map(this.fromSource)
+		} catch (e) {
+			console.error(e)
+			return []
+		}
+
+	}
+
+	public async update(obj: APIKey): Promise<APIKey | null> {
+		await Client.get()
+
+		const query = await this.model.updateOne({
+			_id: new mongoose.Types.ObjectId(obj.id)
+		}, this.toSource(obj))
+		if (query.matchedCount >= 1) {
+			obj.updated = new Date()
+			return obj
+		}
+		return null
+		// return this.fromSource()
+	}
+
+	public async delete(obj: APIKey): Promise<boolean> {
+		await Client.get()
+		const res = await this.model.deleteOne({
+			_id: new mongoose.Types.ObjectId(obj.id)
+		})
+		return res.deletedCount > 0
+	}
+
+	private toSource(obj: APIKey): Omit<APIKey, 'id'> {
+		return objectOmit(obj, 'id', 'updated', 'created')
+	}
+
+	private fromSource(doc: mongoose.Document<any, any, APIKey>): APIKey {
+		return {
+			id: doc._id.toString(),
+			user: doc.get('user'),
+			key: doc.get('key'),
+			permissions: doc.get('permissions') ?? [],
+			updated: doc.get('updatedAt'),
+			created: doc.get('createdAt')
+		}
+	}
+
+}
--- a/src/models/APIKey/ApiKeyDao.ts
+++ b/src/models/APIKey/ApiKeyDao.ts
@ -1,21 +0,0 @@
-import type APIKey from '.'
-import Dao from '../Dao'
-
-export default class APIKeyDao extends Dao<APIKey> {
-	private idx = 0
-	public async create(obj: Omit<APIKey, 'id'>): Promise<APIKey | null> {
-		console.log('pouet', this.idx++)
-		return null
-		// throw new Error('Method not implemented.')
-	}
-	public async findAll(query?: Partial<APIKey> | undefined): Promise<APIKey[]> {
-		throw new Error('Method not implemented.')
-	}
-	public async update(obj: APIKey): Promise<APIKey | null> {
-		throw new Error('Method not implemented.')
-	}
-	public async delete(obj: APIKey): Promise<boolean> {
-		throw new Error('Method not implemented.')
-	}
-
-}
--- a/src/models/APIKey/index.ts
+++ b/src/models/APIKey/index.ts
@ -1,4 +1,8 @@
 export default interface APIKey {
 	id: string
 	user: string
+	key: string
+	permissions: Array<string>
+	created: Date
+	updated: Date
 }
--- a/src/models/DaoFactory.ts
+++ b/src/models/DaoFactory.ts
@ -1,4 +1,4 @@
-import Client from './Client'
+import APIKeyDao from './APIKey/APIKeyDao'
 import ConfigDao from './Config/ConfigDao'
 import Dao from './Dao'
 import UserDao from './User/UserDao'
@ -17,6 +17,7 @@ import UserDao from './User/UserDao'
 interface DaoItem {
 	config: ConfigDao
 	user: UserDao
+	apiKey: APIKeyDao
 }

 /**
@ -57,6 +58,7 @@ export default class DaoFactory {
 		switch (item) {
 			case 'config': return new ConfigDao()
 			case 'user': return new UserDao()
+			case 'apiKey': return new APIKeyDao()
 			default: return undefined
 		}
 	}
--- a/src/models/User/UserDao.ts
+++ b/src/models/User/UserDao.ts
@ -6,19 +6,18 @@ import Dao from '../Dao'

 export default class UserDao extends Dao<User> {

-	private model = mongoose.model('User', new mongoose.Schema({
+	// @ts-expect-error typing fix
+	private model = mongoose.models['User'] as null ?? mongoose.model('User', new mongoose.Schema({
 		email: { type: String, required: true }
 	}, {
 		timestamps: true
 	}))

-	private collection = 'users'
-
-	private idx = 0
 	public async create(obj: Omit<User, 'id' | 'created' | 'updated'>): Promise<User | null> {
 		await Client.get()
 		return this.fromSource(await this.model.create(obj))
 	}
+
 	public async findAll(query?: Partial<User> | undefined): Promise<User[]> {
 		await Client.get()
 		if (query?.id) {
@ -32,6 +31,7 @@ export default class UserDao extends Dao<User> {
 		return resp.map(this.fromSource)

 	}
+
 	public async update(obj: User): Promise<User | null> {
 		await Client.get()

@ -45,6 +45,7 @@ export default class UserDao extends Dao<User> {
 		return null
 		// return this.fromSource()
 	}
+
 	public async delete(obj: User): Promise<boolean> {
 		await Client.get()
 		const res = await this.model.deleteOne({
--- a/src/pages/admin.astro
+++ b/src/pages/admin.astro
@ -0,0 +1,41 @@
+---
+import Passthrough from '../components/Passthrough.astro'
+import Layout from '../layouts/Layout.astro'
+import DaoFactory from '../models/DaoFactory'
+
+const user = await DaoFactory.get('user').get('648f81f857503c7d29465318')
+const list = await DaoFactory.get('apiKey').findAll({
+	user: user!.id
+})
+const userId = user?.id ?? 'unknown'
+
+---
+
+<Layout title="Welcome to Astro.">
+	<main>
+		<ul>
+			{list.map((it) => (
+				<li>
+					<p>access key: {it.key}</p>
+					<p>permissions: {it.permissions}</p>
+				</li>
+			))}
+
+			<button>Create a new API Key</button>
+		</ul>
+	</main>
+	<Passthrough userId={userId} />
+</Layout>
+
+<script>
+	import { load } from '../components/Passthrough.astro'
+
+	const vars = load<{userId: string}>()
+	console.log(vars)
+	document.querySelector('button')?.addEventListener('click', async () => {
+		await fetch(`/api/users/${vars.userId}/keys`, {
+			method: 'POST'
+		})
+		window.location.reload()
+	})
+</script>
--- a/src/pages/api/users/[userId]/keys/index.ts
+++ b/src/pages/api/users/[userId]/keys/index.ts
@ -0,0 +1,19 @@
+import type { APIRoute } from 'astro'
+import crypto from 'node:crypto'
+import DaoFactory from '../../../../../models/DaoFactory'
+
+export const post: APIRoute = async ({ params, request }) => {
+	const userId = params.userId as string
+
+	const dao = await DaoFactory.get('apiKey').create({
+		user: userId,
+		key: crypto.randomUUID(),
+		permissions: [
+			'admin.user.list'
+		]
+	})
+	return {
+		status: 201,
+		body: JSON.stringify(dao)
+	}
+}
--- a/src/pages/api/users/index.ts
+++ b/src/pages/api/users/index.ts
@ -0,0 +1,17 @@
+import type { APIRoute } from 'astro'
+import { validateAuth } from '../../../libs/validateAuth'
+
+export const get: APIRoute = async ({ params, request }) => {
+	const requestInvalid = await validateAuth(request, {
+		name: 'user.list',
+		api: false,
+		cookie: true
+	})
+	if (requestInvalid) {
+		return requestInvalid
+	}
+	return {
+		status: 200,
+		body: JSON.stringify({iam: true})
+	}
+}