Skip to content

[NEW][APPS] Allowing apps to register authenticated routes #25937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kodiakhq merged 7 commits into from
Jun 28, 2022
Merged

[NEW][APPS] Allowing apps to register authenticated routes #25937

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
c6e8b3f
Allowing apps to register authenticated routes
d-gubert Jun 15, 2022
421cf6e
Merge remote-tracking branch 'origin/develop' into apps/authenticated…
d-gubert Jun 22, 2022
08f66d4
Refactor behavior
d-gubert Jun 23, 2022
6812ec4
Merge remote-tracking branch 'origin/develop' into apps/authenticated…
d-gubert Jun 24, 2022
0457a4d
Update Apps-Engine
d-gubert Jun 24, 2022
b638c0c
Fix validation in oauth2 authentication method
d-gubert Jun 27, 2022
150a684
Merge remote-tracking branch 'origin/develop' into apps/authenticated…
d-gubert Jun 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions apps/meteor/app/api/server/middlewares/authentication.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
import { Request, Response, NextFunction } from 'express';

import { Users } from '../../../models/server';
import { oAuth2ServerAuth } from '../../../oauth2-server-config/server/oauth/oauth2-server';

export type AuthenticationMiddlewareConfig = {
rejectUnauthorized: boolean;
};

export const defaultAuthenticationMiddlewareConfig = {
rejectUnauthorized: true,
};

export function authenticationMiddleware(config: AuthenticationMiddlewareConfig = defaultAuthenticationMiddlewareConfig) {
return (req: Request, res: Response, next: NextFunction): void => {
const { 'x-user-id': userId, 'x-auth-token': authToken } = req.headers;

if (userId && authToken) {
req.user = Users.findOneByIdAndLoginToken(userId, authToken);
} else {
req.user = oAuth2ServerAuth(req)?.user;
}

if (config.rejectUnauthorized && !req.user) {
res.status(401).send('Unauthorized');
return;
}

req.userId = req.user?._id;

next();
};
}
17 changes: 12 additions & 5 deletions apps/meteor/app/apps/server/bridges/api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,18 @@ import { AppApi } from '@rocket.chat/apps-engine/server/managers/AppApi';
import { RequestMethod } from '@rocket.chat/apps-engine/definition/accessors';

import { AppServerOrchestrator } from '../orchestrator';
import { authenticationMiddleware } from '../../../api/server/middlewares/authentication';

const apiServer = express();

apiServer.disable('x-powered-by');

WebApp.connectHandlers.use(apiServer);

type RequestWithPrivateHash = Request & {
interface IRequestWithPrivateHash extends Request {
_privateHash?: string;
content?: any;
};
}

export class AppApisBridge extends ApiBridge {
appRouters: Map<string, IRouter>;
Expand All @@ -27,7 +28,7 @@ export class AppApisBridge extends ApiBridge {
super();
this.appRouters = new Map();

apiServer.use('/api/apps/private/:appId/:hash', (req: RequestWithPrivateHash, res: Response) => {
apiServer.use('/api/apps/private/:appId/:hash', (req: IRequestWithPrivateHash, res: Response) => {
const notFound = (): Response => res.sendStatus(404);

const router = this.appRouters.get(req.params.appId);
Expand Down Expand Up @@ -73,7 +74,7 @@ export class AppApisBridge extends ApiBridge {
}

if (router[method] instanceof Function) {
router[method](routePath, Meteor.bindEnvironment(this._appApiExecutor(endpoint, appId)));
router[method](routePath, this._authMiddleware(endpoint, appId), Meteor.bindEnvironment(this._appApiExecutor(endpoint, appId)));
}
}

Expand All @@ -85,6 +86,11 @@ export class AppApisBridge extends ApiBridge {
}
}

private _authMiddleware(endpoint: IApiEndpoint, _appId: string): RequestHandler {
const authFunction = authenticationMiddleware({ rejectUnauthorized: !!endpoint.authRequired });
return Meteor.bindEnvironment(authFunction);
}

private _verifyApi(api: IApi, endpoint: IApiEndpoint): void {
if (typeof api !== 'object') {
throw new Error('Invalid Api parameter provided, it must be a valid IApi object.');
Expand All @@ -96,14 +102,15 @@ export class AppApisBridge extends ApiBridge {
}

private _appApiExecutor(endpoint: IApiEndpoint, appId: string): RequestHandler {
return (req: RequestWithPrivateHash, res: Response): void => {
return (req: IRequestWithPrivateHash, res: Response): void => {
const request: IApiRequest = {
method: req.method.toLowerCase() as RequestMethod,
headers: req.headers as { [key: string]: string },
query: (req.query as { [key: string]: string }) || {},
params: req.params || {},
content: req.body,
privateHash: req._privateHash,
user: req.user && this.orch.getConverters()?.get('users')?.convertToApp(req.user),
};

this.orch
Expand Down
12 changes: 5 additions & 7 deletions apps/meteor/app/apps/server/communication/uikit.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ import { WebApp } from 'meteor/webapp';
import { UIKitIncomingInteractionType } from '@rocket.chat/apps-engine/definition/uikit';
import { AppInterface } from '@rocket.chat/apps-engine/definition/metadata';

import { Users } from '../../../models/server';
import { settings } from '../../../settings/server';
import { Apps, AppServerOrchestrator } from '../orchestrator';
import { UiKitCoreApp } from '../../../../server/sdk';
import { authenticationMiddleware } from '../../../api/server/middlewares/authentication';

const apiServer = express();

Expand Down Expand Up @@ -51,16 +51,14 @@ Meteor.startup(() => {
settings.get('API_Enable_Rate_Limiter') !== true ||
(process.env.NODE_ENV === 'development' && settings.get('API_Enable_Rate_Limiter_Dev') !== true),
});

router.use(apiLimiter);
});

router.use((req, res, next) => {
const { 'x-user-id': userId, 'x-auth-token': authToken, 'x-visitor-token': visitorToken } = req.headers;
router.use(authenticationMiddleware({ rejectUnauthorized: false }));

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited. This route handler performs [authorization](2), but is not rate-limited.

if (userId && authToken) {
req.body.user = Users.findOneByIdAndLoginToken(userId, authToken);
req.body.userId = req.body.user._id;
}
router.use((req, res, next) => {
const { 'x-visitor-token': visitorToken } = req.headers;

if (visitorToken) {
req.body.visitor = Apps.getConverters()?.get('visitors').convertByToken(visitorToken);
Expand Down
54 changes: 25 additions & 29 deletions apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { Mongo } from 'meteor/mongo';
import { WebApp } from 'meteor/webapp';
import { OAuth2Server } from 'meteor/rocketchat:oauth2-server';
import { Request, Response } from 'express';
import { IUser } from '@rocket.chat/core-typings';
import { OAuthApps } from '@rocket.chat/models';

import { Users } from '../../../models/server';
Expand All @@ -25,6 +26,29 @@ function getAccessToken(accessToken: string): any {
});
}

export function oAuth2ServerAuth(partialRequest: {
headers: Record<string, any>;
query: Record<string, any>;
}): { user: IUser } | undefined {
const headerToken = partialRequest.headers.authorization?.replace('Bearer ', '');
const queryToken = partialRequest.query.access_token;

const accessToken = getAccessToken(headerToken || queryToken);

// If there is no token available or the token has expired, return undefined
if (!accessToken || (accessToken.expires != null && accessToken.expires !== 0 && accessToken.expires < new Date())) {
return;
}

const user = Users.findOne(accessToken.userId);

if (user == null) {
return;
}

return { user };
}

oauth2server.app.disable('x-powered-by');
oauth2server.routes.disable('x-powered-by');

Expand Down Expand Up @@ -57,33 +81,5 @@ oauth2server.routes.get('/oauth/userinfo', function (req: Request, res: Response
});

API.v1.addAuthMethod(function () {
const headerToken = this.request.headers.authorization;
const getToken = this.request.query.access_token;

let token: string | undefined;
if (headerToken != null) {
const matches = headerToken.match(/Bearer\s(\S+)/);
if (matches) {
token = matches[1];
} else {
token = undefined;
}
}
const bearerToken = token || getToken;
if (bearerToken == null) {
return;
}

const accessToken = getAccessToken(bearerToken);
if (accessToken == null) {
return;
}
if (accessToken.expires != null && accessToken.expires !== 0 && accessToken.expires < new Date()) {
return;
}
const user = Users.findOne(accessToken.userId);
if (user == null) {
return;
}
return { user };
return oAuth2ServerAuth(this.request);
});
11 changes: 11 additions & 0 deletions apps/meteor/definition/externals/express.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
import 'express';

import { IUser } from '@rocket.chat/core-typings';

declare module 'express' {
// eslint-disable-next-line @typescript-eslint/interface-name-prefix
export interface Request {
userId?: string;
user?: IUser;
}
}