Wire client secret from app to login.gov provider in deployed apps.

apps/server-doj/src/server.ts

@@ -14,15 +14,24 @@ export const createCustomServer = async (): Promise<any> => {
   );
   const db = createDatabaseGateway(dbCtx);
 
+  const secrets = getServerSecrets();
   return createServer({
     title: 'DOJ Form Service',
     db,
     loginGovOptions: {
       loginGovUrl: 'https://idp.int.identitysandbox.gov',
       clientId:
         'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
-      clientSecret: '',
-      redirectURI: 'http://localhost:4321/signin/callback',
+      clientSecret: secrets.loginGovClientSecret,
     },
   });
 };
+
+export const getServerSecrets = () => {
+  const services = JSON.parse(process.env.VCAP_SERVICES || '{}');
+  const loginClientSecret =
+    services['user-provided']?.credentials?.SECRET_LOGIN_GOV_PRIVATE_KEY;
+  return {
+    loginGovClientSecret: loginClientSecret,
+  };
+};

apps/server-kansas/src/server.ts

@@ -14,15 +14,24 @@ export const createCustomServer = async (): Promise<any> => {
   );
   const db = createDatabaseGateway(dbCtx);
 
+  const secrets = getServerSecrets();
   return createServer({
     title: 'KS Courts Form Service',
     db,
     loginGovOptions: {
       loginGovUrl: 'https://idp.int.identitysandbox.gov',
       clientId:
         'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
-      clientSecret: '',
-      redirectURI: 'http://localhost:4321/signin/callback',
+      clientSecret: secrets.loginGovClientSecret,
     },
   });
 };
+
+export const getServerSecrets = () => {
+  const services = JSON.parse(process.env.VCAP_SERVICES || '{}');
+  const loginClientSecret =
+    services['user-provided']?.credentials?.SECRET_LOGIN_GOV_PRIVATE_KEY;
+  return {
+    loginGovClientSecret: loginClientSecret,
+  };
+};

infra/cdktf/src/lib/cloud.gov/node-astro.ts

@@ -36,7 +36,7 @@ export class AstroService extends Construct {
           name: `${id}-login-gov-service`,
           space: spaceId,
           credentials: {
-            SECRET_LOGIN_GOV_PRIVATE_KEY: secrets.loginGovPrivateKey,
+            loginGovPrivateKey: secrets.loginGovPrivateKey,
           },
         }
       );

packages/auth/src/provider.ts

@@ -16,7 +16,7 @@ export type LoginGovOptions = {
   loginGovUrl: LoginGovUrl;
   clientId: string;
   clientSecret: string;
-  redirectURI: string;
+  redirectURI?: string;
 };
 
 export class LoginGov implements OAuth2ProviderWithPKCE {

packages/auth/src/services/process-provider-callback.ts

@@ -55,25 +55,6 @@ export const processProviderCallback = async (
     return validateResult;
   }
 
-  /**
-   * {
-      sub: '9bf734c4-54a4-4406-b2f1-4f0c46c2a4a6',
-      iss: 'https://idp.int.identitysandbox.gov/',
-      email: '[email protected]',
-      email_verified: true,
-      ial: 'http://idmanagement.gov/ns/assurance/ial/1',
-      aal: 'urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo',
-      nonce: 'hardcoded-nonce-fixme-hardcoded-nonce-fixme-hardcoded-nonce-fixme',
-      aud: 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
-      jti: 'aQ5X-RwN8taB4HOvDI5l_Q',
-      at_hash: 'sr4z2Mu-fVcgECukwfLSFA',
-      c_hash: 'dLhtGK59t3hplY-hFbiSuQ',
-      acr: 'http://idmanagement.gov/ns/assurance/ial/1',
-      exp: 1722461645,
-      iat: 1722460745,
-      nbf: 1722460745
-    }
-   */
   if (validateResult.data.decodedToken.nonce !== storedParams.nonce) {
     return r.failure({
       status: 403,

packages/server/handler.ts

@@ -1,38 +1,15 @@
 /**
  * This is the entrypoint for the server. It provides a `createServer` factory
- * that return an Express handler that wraps the Astro web server.
+ * that returns an Express handler, which in turn wraps the Astro web server.
  * This en
  */
 import path, { dirname } from 'path';
 import { fileURLToPath } from 'url';
 
 import express from 'express';
 
-import { type LoginGovOptions } from '@atj/auth';
-import { type DatabaseGateway } from '@atj/database';
-
 import { type ServerOptions } from './src/context.js';
 
-export const createServerAuth = async ({
-  database,
-  loginGovOptions,
-}: {
-  database: DatabaseGateway;
-  loginGovOptions: LoginGovOptions;
-}) => {
-  return createServer({
-    title: 'DOJ Form Service',
-    db: database,
-    loginGovOptions: {
-      loginGovUrl: 'https://idp.int.identitysandbox.gov',
-      clientId:
-        'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
-      clientSecret: '',
-      redirectURI: 'http://localhost:4322/signin/callback',
-    },
-  });
-};
-
 export const createServer = async (
   serverOptions: ServerOptions
 ): Promise<express.Express> => {

packages/server/src/context.ts

@@ -61,7 +61,7 @@ const getDefaultServerOptions = async (): Promise<ServerOptions> => {
       loginGovUrl: 'https://idp.int.identitysandbox.gov',
       clientId:
         'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
-      clientSecret: '',
+      clientSecret: import.meta.env.SECRET_LOGIN_GOV_PRIVATE_KEY,
       redirectURI: 'http://localhost:4322/signin/callback',
     },
   };
@@ -82,6 +82,14 @@ const createDefaultDatabaseGateway = async () => {
   return Promise.resolve(gateway);
 };
 
+const getOriginFromRequest = (Astro: AstroGlobal | APIContext) => {
+  const url = new URL(Astro.request.url);
+  const scheme = url.protocol;
+  const hostname = url.hostname;
+  const port = url.port;
+  return `${scheme}//${hostname}${port ? `:${port}` : ''}`;
+};
+
 const createDefaultAuthContext = async ({
   Astro,
   db,
@@ -94,7 +102,10 @@ const createDefaultAuthContext = async ({
   const { LoginGov, DevAuthContext } = await import('@atj/auth');
   return new DevAuthContext(
     db,
-    new LoginGov(loginGovOptions),
+    new LoginGov({
+      ...loginGovOptions,
+      redirectURI: `${getOriginFromRequest(Astro)}/signin/callback`,
+    }),
     function getCookie(name: string) {
       return Astro.cookies.get(name)?.value;
     },