Reverts jwt.signingSecret change in favor of firebase.legacyToken

open-duelyst · Sep 20, 2022 · e1b3270 · e1b3270
1 parent 55019f5
commit e1b3270
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -67,7 +67,10 @@ When working in the `server` or `worker` directories, no rebuilds are needed. Se
 #### Starting a test environment in Docker
 
 - Create a [Firebase Realtime Database](https://firebase.google.com/docs/database/) in Google Cloud
-  - Set `FIREBASE_URL` in a `.env` file in the repo root, e.g. `FIREBASE_URL=https://my-example-project.firebaseio.com/`
+  - Set `FIREBASE_URL` in a `.env` file in the repo root
+    - E.g. `FIREBASE_URL=https://my-example-project.firebaseio.com/`
+  - Retrieve your Firebase Database legacy token in `Settings > Service Accounts > Database Secrets`, and put it in `.env` as well
+    - E.g. `FIREBASE_LEGACY_TOKEN=abcdefg1234567890abcdefg1234567890`
   - Create a new service account with read+write access to your realtime database
   - Create a new JSON key for the service account, and store it in a `serviceAccountKey.json` file in the repo root
 - Run database migrations with `docker compose up migrate`

diff --git a/config/config.js b/config/config.js
@@ -41,6 +41,11 @@ const config = convict({
       default: '',
       env: 'FIREBASE_URL',
     },
+    legacyToken: {
+      doc: 'Firebase legacy token, e.g. abcdefg1234567890abcdefg1234567890',
+      default: '',
+      env: 'FIREBASE_LEGACY_TOKEN',
+    },
     authServiceUrl: {
       doc: 'Firebase URL for auth service',
       // format: "url",
@@ -54,11 +59,6 @@ const config = convict({
     },
   },
   jwt: {
-    signingSecret: {
-      doc: 'The secret used when signing JSON Web Tokens',
-      default: 'duelyst', // Set in .env
-      env: 'JWT_SECRET',
-    },
     tokenExpiration: {
       doc: 'Time (in minutes) before tokens expire.',
       format: 'int',

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -46,6 +46,7 @@ services:
       REDIS_IP: redis
       POSTGRES_CONNECTION: "pg://duelyst:duelyst@db/duelyst"
       FIREBASE_URL: ${FIREBASE_URL}
+      FIREBASE_LEGACY_TOKEN: ${FIREBASE_LEGACY_TOKEN}
     command: docker/start api
     depends_on:
       - db
@@ -60,6 +61,7 @@ services:
     environment:
       REDIS_IP: redis
       FIREBASE_URL: ${FIREBASE_URL}
+      FIREBASE_LEGACY_TOKEN: ${FIREBASE_LEGACY_TOKEN}
     command: docker/start game
     depends_on:
       - redis
@@ -71,6 +73,7 @@ services:
     environment:
       REDIS_IP: redis
       FIREBASE_URL: ${FIREBASE_URL}
+      FIREBASE_LEGACY_TOKEN: ${FIREBASE_LEGACY_TOKEN}
     command: docker/start sp
     depends_on:
       - redis
@@ -83,6 +86,7 @@ services:
       REDIS_IP: redis
       POSTGRES_CONNECTION: "pg://duelyst:duelyst@db/duelyst"
       FIREBASE_URL: ${FIREBASE_URL}
+      FIREBASE_LEGACY_TOKEN: ${FIREBASE_LEGACY_TOKEN}
     command: docker/start worker
     depends_on:
       - db
@@ -106,6 +110,7 @@ services:
       NODE_ENV: development
       POSTGRES_CONNECTION: "pg://duelyst:duelyst@db/duelyst"
       FIREBASE_URL: ${FIREBASE_URL}
+      FIREBASE_LEGACY_TOKEN: ${FIREBASE_LEGACY_TOKEN}
     depends_on:
       - db
     working_dir: /app

diff --git a/server/game.coffee b/server/game.coffee
@@ -76,7 +76,7 @@ io = require('socket.io')().listen(server, {
 })
 io.use(
   ioJwt.authorize(
-    secret: config.get('jwt.signingSecret'),
+    secret: config.get('firebase.legacyToken'),
     timeout: 15000
   )
 )
@@ -308,7 +308,7 @@ onGameSpectatorJoin = (requestData) ->
 
 	# verify - synchronous
 	try
-		spectateToken = jwt.verify(requestData.spectateToken, config.get('jwt.signingSecret'))
+		spectateToken = jwt.verify(requestData.spectateToken, config.get('firebase.legacyToken'))
 	catch error
 		Logger.module("IO").error "[G:#{gameId}]", "spectate_game -> ERROR decoding spectate token: #{error?.message}".red
 

diff --git a/server/middleware/signed_in.coffee b/server/middleware/signed_in.coffee
@@ -12,7 +12,7 @@ Then ensure both an ID and maybe(EMAIL) are present in the JWT payload
 We can add additional checks to the JWT payload here
 ###
 module.exports = compose([
-	expressJwt({secret: config.get('jwt.signingSecret')}),
+	expressJwt({secret: config.get('firebase.legacyToken')}),
 	(req, res, next) ->
 		result = t.validate(req.user.d, validators.token)
 		if not result.isValid()

diff --git a/server/routes/api/me/spectate.coffee b/server/routes/api/me/spectate.coffee
@@ -38,7 +38,7 @@ router = express.Router()
 # 			algorithm: 'HS256'
 #
 # 		# We are encoding the payload inside the token
-# 		token = jwt.sign(payload, config.get('jwt.signingSecret'), options)
+# 		token = jwt.sign(payload, config.get('firebase.legacyToken'), options)
 # 		res.status(200).json(token)
 #
 # 	.catch (error) -> next(error)
@@ -104,7 +104,7 @@ router.get "/:player_id", (req, res, next) ->
 			algorithm: 'HS256'
 
 		# We are encoding the payload inside the token
-		@.token = jwt.sign(payload, config.get('jwt.signingSecret'), options)
+		@.token = jwt.sign(payload, config.get('firebase.legacyToken'), options)
 	.then ()->
 		responseData =
 			gameData: DataAccessHelpers.restifyData(@.gameRow)

diff --git a/server/routes/session.coffee b/server/routes/session.coffee
@@ -85,7 +85,7 @@ logUserIn = (id) ->
 			expiresIn: config.get('jwt.tokenExpiration')
 			algorithm: 'HS256'
 
-		@token = jwt.sign(payload, config.get('jwt.signingSecret'), options)
+		@token = jwt.sign(payload, config.get('firebase.legacyToken'), options)
 		@analyticsData = analyticsDataFromUserData(data)
 		return UsersModule.bumpSessionCountAndSyncDataIfNeeded(id, data)
 	.then (synced) ->
@@ -172,7 +172,7 @@ router.post "/session/", (req, res, next) ->
 				algorithm: 'HS256'
 
 			# We are encoding the payload inside the token
-			@.token = jwt.sign(payload, config.get('jwt.signingSecret'), options)
+			@.token = jwt.sign(payload, config.get('firebase.legacyToken'), options)
 
 			# make a db transaction/ledger event for the login
 			# UsersModule.logEvent(@id,"session","login")

diff --git a/server/single_player.coffee b/server/single_player.coffee
@@ -77,7 +77,7 @@ io = require('socket.io')().listen(server, {
 })
 io.use(
   ioJwt.authorize(
-    secret: config.get('jwt.signingSecret')
+    secret: config.get('firebase.legacyToken')
     timeout: 15000
   )
 )
@@ -303,7 +303,7 @@ onGameSpectatorJoin = (requestData) ->
 
 	# verify - synchronous
 	try
-		spectateToken = jwt.verify(requestData.spectateToken, config.get('jwt.signingSecret'))
+		spectateToken = jwt.verify(requestData.spectateToken, config.get('firebase.legacyToken'))
 	catch error
 		Logger.module("IO").error "[G:#{gameId}]", "spectate_game -> ERROR decoding spectate token: #{error?.message}".red