Skip to content

Commit

Permalink
better vault service
Browse files Browse the repository at this point in the history
  • Loading branch information
Szotkowski committed Sep 19, 2023
1 parent 674d6c0 commit 016729b
Show file tree
Hide file tree
Showing 11 changed files with 205 additions and 94 deletions.
61 changes: 36 additions & 25 deletions .github/workflows/continuous-deployment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,23 @@ jobs:
- name: Set deployment variables
run: |
if [ "${{ github.ref }}" = "refs/heads/dev" ]; then
echo "EXTPORT=3002" >> $GITHUB_ENV
echo "IMAGE=backend-dev" >> $GITHUB_ENV
echo "VAULT_PORT=8202" >> $GITHUB_ENV
echo "SQLDATABASE=selecro_dev" >> $GITHUB_ENV
echo "DEFAULT_PORT=${{ secrets.DEFAULT_PORT_DEV }}" >> $GITHUB_ENV
echo "SQL_DATABASE=${{ secrets.SQL_DATABASE_DEV }}" >> $GITHUB_ENV
echo "VAULT_PORT=${{ secrets.VAULT_PORT_DEV }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_1=${{ secrets.UNSEAL_KEY_1_DEV }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_2=${{ secrets.UNSEAL_KEY_2_DEV }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_3=${{ secrets.UNSEAL_KEY_3_DEV }}" >> $GITHUB_ENV
echo "ROOT_VAULT_TOKEN=${{ secrets.ROOT_VAULT_TOKEN_DEV }}" >> $GITHUB_ENV
elif [ "${{ github.ref }}" = "refs/heads/main" ]; then
echo "EXTPORT=3001" >> $GITHUB_ENV
echo "IMAGE=backend-main" >> $GITHUB_ENV
echo "VAULT_PORT=8201" >> $GITHUB_ENV
echo "SQLDATABASE=selecro_main" >> $GITHUB_ENV
echo "DEFAULT_PORT=${{ secrets.DEFAULT_PORT_MAIN }}" >> $GITHUB_ENV
echo "SQL_DATABASE=${{ secrets.SQL_DATABASE_MAIN }}" >> $GITHUB_ENV
echo "VAULT_PORT=${{ secrets.VAULT_PORT_MAIN }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_1=${{ secrets.UNSEAL_KEY_1_MAIN }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_2=${{ secrets.UNSEAL_KEY_2_MAIN }}" >> $GITHUB_ENV
echo "UNSEAL_KEY_3=${{ secrets.UNSEAL_KEY_3_MAIN }}" >> $GITHUB_ENV
echo "ROOT_VAULT_TOKEN=${{ secrets.ROOT_VAULT_TOKEN_MAIN }}" >> $GITHUB_ENV
else
echo "Invalid branch for deployment" && exit 1
fi
Expand Down Expand Up @@ -78,27 +86,30 @@ jobs:
docker ps -a | grep ${{ env.IMAGE }} && docker stop ${{ env.IMAGE }} || true && \
docker ps -a | grep ${{ env.IMAGE }} && docker rm ${{ env.IMAGE }} || true && \
docker run \
-e HOST="${{ secrets.HOST }}" \
-e SQLHOST="${{ secrets.SQLHOST }}" \
-e SQLPORT="${{ secrets.SQLPORT }}" \
-e SQLUSER="${{ secrets.SQLUSER }}" \
-e SQLPASSWORD="${{ secrets.SQLPASSWORD }}" \
-e SQLDATABASE="${{ env.SQLDATABASE }}" \
-e TOKEN="${{ secrets.TOKEN }}" \
-e EXTPORT="${{ env.EXTPORT }}" \
-e EMAILHOST="${{ secrets.EMAILHOST }}" \
-e EMAILPORT="${{ secrets.EMAILPORT }}" \
-e EMAILUSER="${{ secrets.EMAILUSER }}" \
-e EMAILPASSWORD="${{ secrets.EMAILPASSWORD }}" \
-e JWT_SECRET="$${{ secrets.JWT_SECRET }}" \
-e UNSEAL_KEY_1="${{ secrets.UNSEAL_KEY_1 }}" \
-e UNSEAL_KEY_2="${{ secrets.UNSEAL_KEY_2 }}" \
-e DEFAULT_HOST="${{ secrets.DEFAULT_HOST }}" \
-e DEFAULT_PORT="${{ env.DEFAULT_PORT }}" \
-e JWT_SECRET="${{ secrets.JWT_SECRET }}" \
-e JWT_SECRET_EMAIL="${{ secrets.JWT_SECRET_EMAIL }}" \
-e JWT_SECRET_SIGNUP="${{ secrets.JWT_SECRET_SIGNUP }}" \
-e SQL_HOST="${{ secrets.SQL_HOST }}" \
-e SQL_PORT="${{ secrets.SQL_PORT }}" \
-e SQL_USER="${{ secrets.SQL_USER }}" \
-e SQL_PASSWORD="${{ secrets.SQL_PASSWORD }}" \
-e SQL_DATABASE="${{ env.SQL_DATABASE }}" \
-e EMAIL_HOST="${{ secrets.EMAIL_HOST }}" \
-e EMAIL_PORT="${{ secrets.EMAIL_PORT }}" \
-e EMAIL_USER="${{ secrets.EMAIL_USER }}" \
-e EMAIL_PASSWORD="${{ secrets.EMAIL_PASSWORD }}" \
-e VAULT_URL="${{ secrets.VAULT_URL }}" \
-e VAULT_URL="${{ secrets.VAULT_URL }}" \
-e VAULT_PORT="${{ env.VAULT_PORT }}" \
-e CLIENT_ID="${{ secrets.CLIENT_ID }}" \
-e ROOT_VAULT="${{ secrets.ROOT_VAULT }}" \
-e INSTRUCTION_KEY="${{ secrets.INSTRUCTION_KEY }}" \
-e INSTRUCTION_KEY_PERMISSIONS="${{ secrets.INSTRUCTION_KEY_PERMISSIONS }}" \
-e UNSEAL_KEY_1="${{ env.UNSEAL_KEY_1 }}" \
-e UNSEAL_KEY_2="${{ env.UNSEAL_KEY_2 }}" \
-e UNSEAL_KEY_3="${{ env.UNSEAL_KEY_3 }}" \
-e ROOT_VAULT_TOKEN="${{ env.ROOT_VAULT_TOKEN }}" \
-e IMGUR_CLIENT_ID="${{ secrets.IMGUR_CLIENT_ID }}" \
-e INSTRUCTION_KEY_PREMIUM="${{ secrets.INSTRUCTION_KEY_PREMIUM }}" \
-e INSTRUCTION_KEY_PREMIUM_PERMISSIONS="${{ secrets.INSTRUCTION_KEY_PREMIUM_PERMISSIONS }}" \
--name ${{ env.IMAGE }} -dp ${{ env.EXTPORT }}:${{ env.EXTPORT }} \
selecro/${{ env.IMAGE }}:${{ github.ref_name }}-${{ env.SHORT_SHA }} && \
docker update --restart unless-stopped ${{ env.IMAGE }} && exit
Expand Down
2 changes: 1 addition & 1 deletion src/application.ts
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ export class SelecroBackendApplication extends BootMixin(

this.bind('services.jwt.service').toClass(JWTService);
this.bind('authentication.jwt.expiresIn').to('32d');
this.bind('authentication.jwt.secret').to(process.env.TOKEN);
this.bind('authentication.jwt.secret').to(process.env.JWT_SECRET);
this.bind('services.hasher').toClass(BcryptHasher);
this.bind('services.hasher.rounds').to(10);
this.bind('services.user.service').toClass(MyUserService);
Expand Down
8 changes: 4 additions & 4 deletions src/controllers/user-instruction.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ export class UserInstructionController {
@repository(StepRepository) public stepRepository: StepRepository,
@repository(UserRepository)
protected progressRepository: ProgressRepository,
) {}
) { }

@authenticate('jwt')
@post('/users/{id}/instructions/{instructionId}', {
Expand Down Expand Up @@ -96,7 +96,7 @@ export class UserInstructionController {
if (!key) {
throw new HttpErrors.Unauthorized('Key not providen');
}
const instructionKey = process.env.INSTRUCTION_KEY ?? '';
const instructionKey = process.env.INSTRUCTION_KEY_PREMIUM ?? '';
const keyMatch = await this.hasher.comparePassword(key, instructionKey);
if (!keyMatch) {
throw new HttpErrors.Unauthorized('Invalid password');
Expand Down Expand Up @@ -440,7 +440,7 @@ export class UserInstructionController {
if (!instruction) {
throw new HttpErrors.NotFound('Instruction not found');
}
const instructionKey = process.env.INSTRUCTION_KEY ?? '';
const instructionKey = process.env.INSTRUCTION_KEY_PREMIUM ?? '';
const keyMatch = await this.hasher.comparePassword(
request.key,
instructionKey,
Expand Down Expand Up @@ -664,7 +664,7 @@ export class UserInstructionController {
@param.query.number('instructionId') instructionId: number,
@param.query.number('userId') userId: number,
): Promise<boolean> {
const instructionKey = process.env.INSTRUCTION_KEY_PERMISSIONS ?? '';
const instructionKey = process.env.INSTRUCTION_KEY_PREMIUM_PERMISSIONS ?? '';
const keyMatch = await this.hasher.comparePassword(
request.key,
instructionKey,
Expand Down
112 changes: 91 additions & 21 deletions src/controllers/user.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ export class UserController {
@repository(StepRepository) public stepRepository: StepRepository,
@repository(UserLinkRepository)
public userLinkRepository: UserLinkRepository,
) {}
) { }

@post('/login', {
responses: {
Expand Down Expand Up @@ -99,7 +99,7 @@ export class UserController {
},
})
credentials: Credentials,
): Promise<{token: string; tokenKMS: string}> {
): Promise<string> {
const user = await this.userService.verifyCredentials(credentials);
const userProfile = this.userService.convertToUserProfile(user);
const existingUser = await this.userRepository.findOne({
Expand All @@ -109,11 +109,7 @@ export class UserController {
throw new HttpErrors.UnprocessableEntity('email is not verified');
}
const token = await this.jwtService.generateToken(userProfile);
const tokenKMS = await this.vaultService.authenticate(
String(existingUser.id),
credentials.password,
);
return {token, tokenKMS};
return token;
}

@post('/signup', {
Expand Down Expand Up @@ -142,7 +138,6 @@ export class UserController {
password0: {type: 'string'},
password1: {type: 'string'},
language: {enum: Object.values(Language)},
wrappedDEK: {type: 'string'},
kekSalt: {type: 'string'},
initializationVector: {type: 'string'},
},
Expand All @@ -152,7 +147,6 @@ export class UserController {
'password0',
'password1',
'language',
'wrappedDEK',
'kekSalt',
'initializationVector',
],
Expand All @@ -178,26 +172,102 @@ export class UserController {
const hashedPassword = await this.hasher.hashPassword(
credentials.password0,
);
await this.vaultService.createUser(
String(credentials.id),
credentials.password0,
);
const tokenKMS = await this.vaultService.authenticate(
String(credentials.id),
credentials.password0,
);
const newUser = new User({
email: credentials.email,
username: credentials.username,
passwordHash: hashedPassword,
wrappedDEK: credentials.wrappedDEK.toString('base64'),
wrappedDEK: 'null',
kekSalt: credentials.kekSalt,
initializationVector: credentials.initializationVector.toString('base64'),
language: credentials.language,
});
const dbUser = await this.userRepository.create(newUser);
await this.vaultService.createUserPolicy(
String(dbUser.id),
);
await this.vaultService.createUser(
String(dbUser.id),
credentials.password0,
);
await this.vaultService.createUserKey(
String(dbUser.id),
);
await this.emailService.sendRegistrationEmail(dbUser);
return tokenKMS;
const secret = process.env.JWT_SECRET_SIGNUP ?? '';
const userId = dbUser.id;
const token = jwt.sign({userId}, secret, {
expiresIn: 60,
algorithm: 'HS256',
});
return token;
}

@post('/save-Wrapped-DEK', {
responses: {
'200': {
description: 'Save Wrapped DEK',
content: {
'application/json': {
schema: {
type: 'boolean',
},
},
},
},
},
})
async saveWrappedDEK(
@requestBody({
content: {
'application/json': {
schema: {
type: 'object',
properties: {
token: {type: 'string'},
wrappedDEK: {type: 'string'},
},
required: ['token', 'wrappedDEK'],
},
},
},
})
request: {
token: string;
wrappedDEK: string;
},
): Promise<boolean> {
interface DecodedToken {
userId: number;
iat: number;
exp: number;
}
try {
const {token} = request;
const secret = process.env.JWT_SECRET_SIGNUP ?? '';
const decodedToken = jwt.verify(token, secret) as DecodedToken;
const {userId} = decodedToken;
const user = await this.userRepository.findById(userId);
if (!user) {
throw new HttpErrors.UnprocessableEntity('User not found');
}
if (user.wrappedDEK !== 'null') {
throw new HttpErrors.UnprocessableEntity('DEK already saved');
}
await this.userRepository.updateById(user.id, {wrappedDEK: request.wrappedDEK});
return true;
} catch (error) {
if (error.name === 'TokenExpiredError') {
throw new HttpErrors.UnprocessableEntity(
'Verification token has expired',
);
} else if (error.name === 'JsonWebTokenError') {
throw new HttpErrors.UnprocessableEntity('Invalid verification token');
} else {
throw new HttpErrors.UnprocessableEntity(
'Failed to update user email verification status',
);
}
}
}

@post('/verify-email', {
Expand Down Expand Up @@ -239,7 +309,7 @@ export class UserController {
}
try {
const {token} = request;
const secret = process.env.JWT_SECRET ?? '';
const secret = process.env.JWT_SECRET_EMAIL ?? '';
const decodedToken = jwt.verify(token, secret) as DecodedToken;
const {userId} = decodedToken;
const user = await this.userRepository.findById(userId);
Expand Down Expand Up @@ -349,7 +419,7 @@ export class UserController {
exp: number;
}
try {
const secret = process.env.JWT_SECRET ?? '';
const secret = process.env.JWT_SECRET_EMAIL ?? '';
const decodedToken = jwt.verify(request.token, secret) as DecodedToken;
const {userData} = decodedToken;
const user = await this.userRepository.findById(userData);
Expand Down
13 changes: 6 additions & 7 deletions src/datasources/db.datasource.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@ dotenv.config();
const config = {
name: 'db',
connector: 'postgresql',
host: process.env.SQLHOST,
port: Number(process.env.SQLPORT),
user: process.env.SQLUSER,
password: process.env.SQLPASSWORD,
database: process.env.SQLDATABASE,
host: process.env.SQL_HOST,
port: Number(process.env.SQL_PORT),
user: process.env.SQL_USER,
password: process.env.SQL_PASSWORD,
database: process.env.SQL_DATABASE,
};

// Observe application's life cycle to disconnect the datasource when
Expand All @@ -20,8 +20,7 @@ const config = {
@lifeCycleObserver('datasource')
export class DbDataSource
extends juggler.DataSource
implements LifeCycleObserver
{
implements LifeCycleObserver {
static dataSourceName = 'db';
static readonly defaultConfig = config;

Expand Down
8 changes: 4 additions & 4 deletions src/datasources/email.datasource.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@ import * as nodemailer from 'nodemailer';
dotenv.config();

const config = {
host: process.env.EMAILHOST,
host: process.env.EMAIL_HOST,
secure: true,
port: Number(process.env.EMAILPORT),
port: Number(process.env.EMAIL_PORT),
auth: {
user: process.env.EMAILUSER,
pass: process.env.EMAILPASSWORD,
user: process.env.EMAIL_USER,
pass: process.env.EMAIL_PASSWORD,
},
};

Expand Down
5 changes: 2 additions & 3 deletions src/index.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
import * as dotenv from 'dotenv';
import {ApplicationConfig, SelecroBackendApplication} from './application';
//import {SocketController} from './controllers';
dotenv.config();

export * from './application';
Expand All @@ -21,8 +20,8 @@ if (require.main === module) {
// Run the application
const config = {
rest: {
port: +(process.env.EXTPORT ?? 3000),
host: process.env.HOST,
port: +(process.env.DEFAULT_PORT ?? 3000),
host: process.env.DEFAULT_HOST,
// The `gracePeriodForClose` provides a graceful close for http/https
// servers with keep-alive clients. The default value is `Infinity`
// (don't force-close). If you want to immediately destroy all sockets
Expand Down
Loading

0 comments on commit 016729b

Please sign in to comment.