Add /auth/token endpoint for service to exchange secret for api token

prisma/migrations/20250306091254_add_bot_flag_to_user_entity/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "bot" BOOLEAN NOT NULL DEFAULT false;

prisma/schema.prisma

@@ -354,6 +354,7 @@ model User {
   name  String
   githubId   String? @unique
   githubImageUrl String?
+  bot   Boolean @default(false)
 
   // TODO: connect with github ID
   // TODO: store github profile image - or get it via API

src/api/plugins/auth.ts

@@ -1,17 +1,14 @@
 import { FastifyInstance, RouteGenericInterface } from 'fastify'
 import fp from 'fastify-plugin'
 import { User } from '@prisma/client'
-
-import apiConfig from '../../config/api'
 import { authService } from '../services/authService'
 
 declare module 'fastify' {
   export interface FastifyRequest {
     user: User | null
   }
 
-  export interface AuthenticatedFastifyRequest<T extends RouteGenericInterface>
-    extends FastifyRequest<T> {
+  export interface AuthenticatedFastifyRequest<T extends RouteGenericInterface> extends FastifyRequest<T> {
     user: User
   }
 }
@@ -26,24 +23,21 @@ async function authPlugin(app: FastifyInstance) {
     try {
       const token = request.headers['authorization']?.replace('Bearer ', '')
 
-      if (!token || !apiConfig.tokens?.includes(token)) {
-        request.log.error('No token', {
-          token,
-          apiConfigTokens: apiConfig.tokens,
-        })
+      if (!token) {
+        request.log.error('No token provided')
         return reply.status(401).send(unauthorizedError)
       }
 
-      const { user, newToken } = authService.verifyUser(token)
+      const { user, newToken } = authService.verifyToken(token)
 
       if (newToken !== undefined) {
         reply.headers['x-auth-token'] = newToken
       } else {
-        request.log.error('No user found')
+        request.log.error('Could not create new token for user', user)
       }
       request.user = user
     } catch (err) {
-      request.log.error(err)
+      request.log.error('Authentication failed:', err)
       return reply.status(401).send(unauthorizedError)
     }
   })

src/api/routes/auth.ts

@@ -1,40 +1,62 @@
 import { FastifyInstance, FastifyRequest } from "fastify"
 import { getTags } from "../../config/openapi";
-import { authenticationBodySchema, AuthentificationResponseScheme, getErrorSchemas } from "../schemas";
-import { authenticationBody } from "../types";
+import { userAuthenticationBodySchema, AuthentificationResponseScheme, getErrorSchemas, serviceAuthenticationBodySchema } from "../schemas";
+import { userAuthenticationBody, serviceAuthenticationBody } from "../types";
 import { authService } from "../services/authService";
 
-const unauthorizedError = {
-    message: 'Unauthorized',
-  }
-
-
 export async function authentificationRoutes(app: FastifyInstance) {
-    app.post(
-      '/github',
-      {
-        schema: {
-          summary: 'Auth User with Github Identity',
-          description: 'Authenticates a user using a Github access code',
-          tags: getTags('Auth'),
-          response: {
-            200: AuthentificationResponseScheme,
-            ...getErrorSchemas(401)
-          },
-          body: authenticationBodySchema
+  app.post(
+    '/github',
+    {
+      schema: {
+        summary: 'Auth User with Github Identity',
+        description: 'Authenticates a user using a Github access code',
+        tags: getTags('Auth'),
+        response: {
+          200: AuthentificationResponseScheme,
+          ...getErrorSchemas(401)
+        },
+        body: userAuthenticationBodySchema
+      },
+    },
+    async (
+      request: FastifyRequest<{Body: userAuthenticationBody}>,
+      reply
+    ) => {
+      try {
+          const token = await authService.authorizeUser(request.body.code);
+          reply.status(200).send({token});
+      } catch(error) {
+          console.log(error);
+          return reply.status(401).send()
+      }
+    }
+  )
+  app.post(
+    '/token',
+    {
+      schema: {
+        summary: 'Auth Client with API Secret',
+        description: 'Authenticates a client using a service secret',
+        tags: getTags('Auth'),
+        response: {
+          200: AuthentificationResponseScheme,
+          ...getErrorSchemas(401)
         },
+        body: serviceAuthenticationBodySchema
       },
-      async (
-        request: FastifyRequest<{Body: authenticationBody}>,
-        reply
-      ) => {
-        try {
-            const token = await authService.authUser(request.body.code);
-            reply.status(200).send({token});
-        } catch(error) {
-            console.log(error);
-            return reply.status(401).send()
-        }
+    },
+    async (
+      request: FastifyRequest<{Body: serviceAuthenticationBody}>,
+      reply
+    ) => {
+      try {
+          const token = await authService.authorizeService(request.body);
+          reply.status(200).send({token});
+      } catch(error) {
+          console.log(error);
+          return reply.status(401).send()
       }
-    )
-  }
+    }
+  )
+}

src/api/schemas/request.ts

@@ -190,6 +190,11 @@ export const MunicipalityNameParamSchema = z.object({
   name: MunicipalityNameSchema,
 })
 
-export const authenticationBodySchema = z.object({
+export const userAuthenticationBodySchema = z.object({
   code: z.string()
 })
+
+export const serviceAuthenticationBodySchema = z.object({
+  client_id: z.string(),
+  client_secret: z.string()
+})

src/api/services/authService.ts

@@ -2,8 +2,9 @@ import axios from "axios";
 import apiConfig from "../../config/api"
 import { prisma } from "../../lib/prisma";
 import jwt from "jsonwebtoken";
+import { serviceAuthenticationBody } from "../types";
 
-interface Userinfo {
+interface GithubUserinfo {
     login: string,
     avatar_url: string,
     name: string,
@@ -16,10 +17,11 @@ interface User {
     email: string,
     githubId: string | null,
     githubImageUrl: string | null
+    bot: boolean
 }
 
 class AuthService {
-    async authUser(code: string) {
+    async authorizeUser(code: string) {
 
         const accessTokenRes = await axios.post<{access_token: string}>("https://github.com/login/oauth/access_token", {
             client_id: apiConfig.githubClientId,
@@ -32,7 +34,7 @@ class AuthService {
 
         const accessToken =  accessTokenRes.data.access_token;
 
-        const userinfoRes = await axios.get<Userinfo>("https://api.github.com/user", {
+        const userinfoRes = await axios.get<GithubUserinfo>("https://api.github.com/user", {
             headers: {
                 Authorization: "Bearer " + accessToken,
                 Accept: "application/vnd.github+json"
@@ -41,14 +43,14 @@ class AuthService {
 
         const userinfo = userinfoRes.data;
 
-        const isMemeber = await axios.get("https://api.github.com/orgs/" + apiConfig.githubOrganization + "/members/" + userinfo.login, {
+        const isMember = await axios.get("https://api.github.com/orgs/" + apiConfig.githubOrganization + "/members/" + userinfo.login, {
             headers: {
                 Authorization: "Bearer " + accessToken,
                 Accept: "application/vnd.github+json"
             }
         })
 
-        if(isMemeber.status !== 204) {
+        if(isMember.status !== 204) {
             throw new Error("User is not member of the organization");
         }
 
@@ -71,20 +73,52 @@ class AuthService {
 
         return this.createToken(user);
     }
+
+    async authorizeService(serviceAuth: serviceAuthenticationBody) {
+        if (serviceAuth.client_secret !== apiConfig.secret) {
+            throw new Error("Invalid secret");
+        }
+
+        let user = await prisma.user.findFirst({
+            where: {
+                name: serviceAuth.client_id
+            }
+        })
+
+        if(!user) {
+          user = await prisma.user.upsert({
+              where: {
+                  email: serviceAuth.client_id + "@klimatkollen.se"
+              },
+              update: {
+                  name: serviceAuth.client_id,
+                  email: serviceAuth.client_id + "@klimatkollen.se",
+                  bot: true
+              },
+              create: {
+                  name: serviceAuth.client_id,
+                  email: serviceAuth.client_id + "@klimatkollen.se",
+                  bot: true
+              }
+          })
+        }
+
+        return this.createToken(user);
+    }
 
     private static readonly TOKEN_EXPIRY_BUFFER_MINUTES = 15;
     private static readonly SECONDS_IN_A_MINUTE = 60;
 
-    verifyUser(token: string) {
-        const payload = jwt.verify(token, apiConfig.jwtSecret) as User & {exp: number};
+    verifyToken(token: string) {
+        const user = jwt.verify(token, apiConfig.jwtSecret) as User & {exp: number};
         const currentTimeInSeconds = Date.now() / 1000;
         const renewalThreshold = AuthService.TOKEN_EXPIRY_BUFFER_MINUTES * AuthService.SECONDS_IN_A_MINUTE;
 
-        const shouldRenew = currentTimeInSeconds > payload.exp - renewalThreshold;
+        const shouldRenew = currentTimeInSeconds > user.exp - renewalThreshold;
 
         return {
-            user: payload, 
-            newToken: shouldRenew ? this.createToken(payload) : undefined
+            user, 
+            newToken: shouldRenew ? this.createToken(user) : undefined
         }
     }
 

src/api/types.ts

@@ -34,6 +34,10 @@ export type MunicipalityNameParams = z.infer<
   typeof schemas.MunicipalityNameParamSchema
 >
 
-export type authenticationBody = z.infer<
-  typeof schemas.authenticationBodySchema
+export type userAuthenticationBody = z.infer<
+  typeof schemas.userAuthenticationBodySchema
+>
+
+export type serviceAuthenticationBody = z.infer<
+  typeof schemas.serviceAuthenticationBodySchema
 >

src/config/api.ts

@@ -10,7 +10,7 @@ const envSchema = z.object({
    * Comma-separated list of API tokens. E.g. garbo:lk3h2k1,alex:ax32bg4
    * NOTE: This is only relevant during import with alex data, and then we switch to proper auth tokens.
    */
-  API_TOKENS: z.string().transform((tokens) => tokens.split(',')),
+  API_SECRET: z.string(),
   FRONTEND_URL: z
     .string()
     .default(
@@ -72,7 +72,7 @@ const apiConfig = {
       ? productionOrigins
       : developmentOrigins,
 
-  tokens: env.API_TOKENS,
+  secret: env.API_SECRET,
   frontendURL: env.FRONTEND_URL,
   baseURL: env.API_BASE_URL,
   port: env.PORT,

src/lib/api.ts

@@ -1,6 +1,23 @@
 import apiConfig from '../config/api'
 
-const GARBO_TOKEN = apiConfig.tokens.find((token) => token.startsWith('garbo'))
+let GARBO_TOKEN = await getApiToken(apiConfig.secret)
+
+async function getApiToken(secret: string) {
+  const response = await fetch(`${apiConfig.baseURL}/auth/token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      client_id: 'garbo',
+      client_secret: secret,
+    }),
+  })
+
+  const token = (await response.json()).token
+  console.log(token)
+  return token
+}
 
 export async function apiFetch(
   endpoint: string,
@@ -24,6 +41,10 @@ export async function apiFetch(
 
   const response = await fetch(`${apiConfig.baseURL}${endpoint}`, config)
   if (response.ok) {
+    const newToken = response.headers.get('x-auth-token')
+    if (newToken) {
+      GARBO_TOKEN = newToken
+    }
     return response.json()
   } else {
     const errorMessage = await response.text()