From 741ad03928ca22efe764c4bb9b8c7a1723d214fd Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 08:31:56 -0400 Subject: [PATCH 1/6] MAT-6729: Adding Cors attribute to allow the service to be called from our front end --- src/main.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.ts b/src/main.ts index a0399f6..43f0d0f 100644 --- a/src/main.ts +++ b/src/main.ts @@ -2,7 +2,7 @@ import { NestFactory } from '@nestjs/core'; import { ExportModule } from './export.module'; export async function bootstrap() { - const app = await NestFactory.create(ExportModule); + const app = await NestFactory.create(ExportModule, { cors: true }); await app.listen(3000); } bootstrap(); From ca45d57f75088c5a08a03b3a629cb4dd2d3dcd44 Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 14:59:37 -0400 Subject: [PATCH 2/6] MAT-6729: Changing JWT validation to Okta --- package-lock.json | 127 +++++++++++++++++++++++++++++------- package.json | 13 ++-- src/auth/auth.guard.spec.ts | 2 +- src/auth/auth.guard.ts | 20 +++--- 4 files changed, 124 insertions(+), 38 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6bafc63..ea7dd46 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,6 +14,7 @@ "@nestjs/core": "^10.3.5", "@nestjs/jwt": "^10.2.0", "@nestjs/platform-express": "^10.3.5", + "@okta/jwt-verifier": "^3.1.0", "cqm-models": "4.1.3", "exceljs": "^4.4.0", "jsonwebtoken": "^9.0.2", @@ -2078,6 +2079,18 @@ "npm": ">=5.0.0" } }, + "node_modules/@okta/jwt-verifier": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@okta/jwt-verifier/-/jwt-verifier-3.1.0.tgz", + "integrity": "sha512-Gy7cstZRV71MafaezFS6VW6f9H44hdpE+q77q2O4Rog1rZpLnw3l7pmN/LD/6jhYapOu+IhUZ1QN5v2E6Bi9PA==", + "dependencies": { + "jwks-rsa": "^3.1.0", + "njwt": "^2.0.0" + }, + "engines": { + "node": ">=14" + } + }, "node_modules/@pkgjs/parseargs": { "version": "0.11.0", "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", @@ -2193,7 +2206,6 @@ "version": "1.19.5", "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.5.tgz", "integrity": "sha512-fB3Zu92ucau0iQ0JMCFQE7b/dv8Ot07NI3KaZIkIUNXq82k4eBAqUaneXfleGY9JWskeS9y+u0nXMyspcuQrCg==", - "dev": true, "dependencies": { "@types/connect": "*", "@types/node": "*" @@ -2211,7 +2223,6 @@ "version": "3.4.38", "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.38.tgz", "integrity": "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==", - "dev": true, "dependencies": { "@types/node": "*" } @@ -2252,7 +2263,6 @@ "version": "4.17.21", "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.21.tgz", "integrity": "sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==", - "dev": true, "dependencies": { "@types/body-parser": "*", "@types/express-serve-static-core": "^4.17.33", @@ -2264,7 +2274,6 @@ "version": "4.17.43", "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.17.43.tgz", "integrity": "sha512-oaYtiBirUOPQGSWNGPWnzyAFJ0BP3cwvN4oWZQY+zUBwpVIGsKUkpBpSztp74drYcjavs7SKFZ4DX1V2QeN8rg==", - "dev": true, "dependencies": { "@types/node": "*", "@types/qs": "*", @@ -2284,8 +2293,7 @@ "node_modules/@types/http-errors": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.4.tgz", - "integrity": "sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==", - "dev": true + "integrity": "sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==" }, "node_modules/@types/istanbul-lib-coverage": { "version": "2.0.6", @@ -2344,8 +2352,7 @@ "node_modules/@types/mime": { "version": "1.3.5", "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz", - "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==", - "dev": true + "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==" }, "node_modules/@types/mongodb": { "version": "3.6.20", @@ -2373,14 +2380,12 @@ "node_modules/@types/qs": { "version": "6.9.11", "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.11.tgz", - "integrity": "sha512-oGk0gmhnEJK4Yyk+oI7EfXsLayXatCWPHary1MtcmbAifkobT9cM9yutG/hZKIseOU0MqbIwQ/u2nn/Gb+ltuQ==", - "dev": true + "integrity": "sha512-oGk0gmhnEJK4Yyk+oI7EfXsLayXatCWPHary1MtcmbAifkobT9cM9yutG/hZKIseOU0MqbIwQ/u2nn/Gb+ltuQ==" }, "node_modules/@types/range-parser": { "version": "1.2.7", "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.7.tgz", - "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==", - "dev": true + "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==" }, "node_modules/@types/semver": { "version": "7.5.8", @@ -2392,7 +2397,6 @@ "version": "0.17.4", "resolved": "https://registry.npmjs.org/@types/send/-/send-0.17.4.tgz", "integrity": "sha512-x2EM6TJOybec7c52BX0ZspPodMsQUd5L6PRwOunVyVUhXiBSKf3AezDL8Dgvgt5o0UfKNfuA0eMLr2wLT4AiBA==", - "dev": true, "dependencies": { "@types/mime": "^1", "@types/node": "*" @@ -2402,7 +2406,6 @@ "version": "1.15.5", "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.15.5.tgz", "integrity": "sha512-PDRk21MnK70hja/YF8AHfC7yIsiQHn1rcXx7ijCFBX/k+XQJhQT/gw3xekXKJvx+5SXaMMS8oqQy09Mzvz2TuQ==", - "dev": true, "dependencies": { "@types/http-errors": "*", "@types/mime": "*", @@ -4881,14 +4884,6 @@ "node": ">=14.14" } }, - "node_modules/exceljs/node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "bin": { - "uuid": "dist/bin/uuid" - } - }, "node_modules/execa": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/execa/-/execa-5.1.1.tgz", @@ -6888,6 +6883,14 @@ "url": "https://github.com/chalk/supports-color?sponsor=1" } }, + "node_modules/jose": { + "version": "4.15.5", + "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.5.tgz", + "integrity": "sha512-jc7BFxgKPKi94uOvEmzlSWFFe2+vASyXaKUpdQKatWAESU2MWjDfFf0fdfc83CDKcA5QecabZeNLyfhe3yKNkg==", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/js-tokens": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", @@ -7014,6 +7017,22 @@ "safe-buffer": "^5.0.1" } }, + "node_modules/jwks-rsa": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/jwks-rsa/-/jwks-rsa-3.1.0.tgz", + "integrity": "sha512-v7nqlfezb9YfHHzYII3ef2a2j1XnGeSE/bK3WfumaYCqONAIstJbrEGapz4kadScZzEt7zYCN7bucj8C0Mv/Rg==", + "dependencies": { + "@types/express": "^4.17.17", + "@types/jsonwebtoken": "^9.0.2", + "debug": "^4.3.4", + "jose": "^4.14.6", + "limiter": "^1.1.5", + "lru-memoizer": "^2.2.0" + }, + "engines": { + "node": ">=14" + } + }, "node_modules/jws": { "version": "3.2.2", "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz", @@ -7090,6 +7109,11 @@ "immediate": "~3.0.5" } }, + "node_modules/limiter": { + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/limiter/-/limiter-1.1.5.tgz", + "integrity": "sha512-FWWMIEOxz3GwUI4Ts/IvgVy6LPvoMPgjMdQ185nN6psJyBJ4yOpzqm695/h5umdLJg2vW3GR5iG11MAkR2AzJA==" + }, "node_modules/lines-and-columns": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", @@ -7131,6 +7155,11 @@ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", "dev": true }, + "node_modules/lodash.clonedeep": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz", + "integrity": "sha512-H5ZhCF25riFd9uB5UCkVKo61m3S/xZk1x4wA6yp/L3RFP6Z/eHH1ymQcGLo7J3GMPfm0V/7m1tryHuGVxpqEBQ==" + }, "node_modules/lodash.defaults": { "version": "4.2.0", "resolved": "https://registry.npmjs.org/lodash.defaults/-/lodash.defaults-4.2.0.tgz", @@ -7263,6 +7292,29 @@ "yallist": "^3.0.2" } }, + "node_modules/lru-memoizer": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/lru-memoizer/-/lru-memoizer-2.2.0.tgz", + "integrity": "sha512-QfOZ6jNkxCcM/BkIPnFsqDhtrazLRsghi9mBwFAzol5GCvj4EkFT899Za3+QwikCg5sRX8JstioBDwOxEyzaNw==", + "dependencies": { + "lodash.clonedeep": "^4.5.0", + "lru-cache": "~4.0.0" + } + }, + "node_modules/lru-memoizer/node_modules/lru-cache": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-4.0.2.tgz", + "integrity": "sha512-uQw9OqphAGiZhkuPlpFGmdTU2tEuhxTourM/19qGJrxBPHAr/f8BT1a0i/lOclESnGatdJG/UCkP9kZB/Lh1iw==", + "dependencies": { + "pseudomap": "^1.0.1", + "yallist": "^2.0.0" + } + }, + "node_modules/lru-memoizer/node_modules/yallist": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz", + "integrity": "sha512-ncTzHV7NvsQZkYe1DW7cbDLm0YpzHmZF5r/iyP3ZnQtMiJ+pjzisCiMNI+Sj+xQF5pXhSHxSB3uDbsBTzY/c2A==" + }, "node_modules/luxon": { "version": "1.28.1", "resolved": "https://registry.npmjs.org/luxon/-/luxon-1.28.1.tgz", @@ -7659,6 +7711,24 @@ "integrity": "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==", "dev": true }, + "node_modules/njwt": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/njwt/-/njwt-2.0.0.tgz", + "integrity": "sha512-1RcqirhCqThBEe4KO83pFg0wPBa1c9NiXNCrocD2EbZqb6ksWWDVnp/w/p0gsyUcVa05PhhaaPjs9rc/GLmdxQ==", + "dependencies": { + "@types/node": "^15.0.1", + "ecdsa-sig-formatter": "^1.0.5", + "uuid": "^8.3.2" + }, + "engines": { + "node": ">=12.0" + } + }, + "node_modules/njwt/node_modules/@types/node": { + "version": "15.14.9", + "resolved": "https://registry.npmjs.org/@types/node/-/node-15.14.9.tgz", + "integrity": "sha512-qjd88DrCxupx/kJD5yQgZdcYKZKSIGBVDIBE1/LTGcNm3d2Np/jxojkdePDdfnBHJc5W7vSMpbJ1aB7p/Py69A==" + }, "node_modules/node-abort-controller": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/node-abort-controller/-/node-abort-controller-3.1.1.tgz", @@ -8227,6 +8297,11 @@ "node": ">= 0.10" } }, + "node_modules/pseudomap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/pseudomap/-/pseudomap-1.0.2.tgz", + "integrity": "sha512-b/YwNhb8lk1Zz2+bXXpS/LK9OisiZZ1SNsSLxN1x2OXVEhW2Ckr/7mWE5vrC1ZTiJlD9g19jWszTmJsB+oEpFQ==" + }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", @@ -9896,6 +9971,14 @@ "node": ">= 0.4.0" } }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/v8-compile-cache-lib": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz", diff --git a/package.json b/package.json index 6df56da..d62bcf1 100644 --- a/package.json +++ b/package.json @@ -10,15 +10,15 @@ "precommit": "npm run lint && npm test", "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"", "start": "nest start", - "start:dev": "nest start --watch", + "start:dev": "ISSUER=\"https://dev-18092578.okta.com/oauth2/default\" CLIENT_ID=\"0oa2fqtaz95fqJqbf5d7\" nest start --watch", "start:debug": "nest start --debug --watch", "start:prod": "node dist/main", "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix", - "test": "JWT_SECRET=ThisIsMySecret jest", - "test:watch": "JWT_SECRET=ThisIsMySecret jest --watch", - "test:cov": "JWT_SECRET=ThisIsMySecret jest --coverage", - "test:debug": "JWT_SECRET=ThisIsMySecret node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand", - "test:e2e": "JWT_SECRET=ThisIsMySecret jest --config ./test/jest-e2e.json" + "test": "ISSUER=\"https://dev-18092578.okta.com/oauth2/default\" CLIENT_ID=\"0oa2fqtaz95fqJqbf5d7\" jest", + "test:watch": " jest --watch", + "test:cov": "jest --coverage", + "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand", + "test:e2e": "jest --config ./test/jest-e2e.json" }, "dependencies": { "@madie/madie-models": "^1.3.49", @@ -26,6 +26,7 @@ "@nestjs/core": "^10.3.5", "@nestjs/jwt": "^10.2.0", "@nestjs/platform-express": "^10.3.5", + "@okta/jwt-verifier": "^3.1.0", "cqm-models": "4.1.3", "exceljs": "^4.4.0", "jsonwebtoken": "^9.0.2", diff --git a/src/auth/auth.guard.spec.ts b/src/auth/auth.guard.spec.ts index f6a8d55..5afc008 100644 --- a/src/auth/auth.guard.spec.ts +++ b/src/auth/auth.guard.spec.ts @@ -48,7 +48,7 @@ describe('AuthGuard', () => { body: undefined, headers: { authorization: - 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kcPmFlSUdC9LvuMufomQepInu3GwbBKKct49e2dxyrI', + 'Bearer eyJraWQiOiJNNG9CMW9DSmthdC0tYTNENFFXUFA3RWZCbUl3NG9BV05KYWJxdEJhUnM4IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlhGdHk4Y1JqNVZaRUg4Wlo1WFhNekVlanl4R2JQa3NQS2x3RGVqV2FsNEUiLCJpc3MiOiJodHRwczovL2Rldi0xODA5MjU3OC5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE3MTI4NTg0MTUsImV4cCI6MTcxMjg2MjAxNSwiY2lkIjoiMG9hMmZxdGF6OTVmcUpxYmY1ZDciLCJ1aWQiOiIwMHUyNWh3c3AxUG04MW5jTzVkNyIsInNjcCI6WyJvcGVuaWQiLCJlbWFpbCIsInByb2ZpbGUiXSwiYXV0aF90aW1lIjoxNzEyODU4NDE0LCJzdWIiOiJncmVnb3J5LmFraW5zQHNlbWFudGljYml0cy5jb20ifQ.Hi8mdaKMDvKprTE0cYAAKfKGxUel3P8GqeLAvCzVUYSFSbyX2-P8CNAUm287uhYTRsi5SE0go0rvxbxRZgpDLxNOAC5h2nKcc5mYr9bdsP7nX7iW6OWqvovrDcqn0FhkGcoG9qyLO2JqyQ3OgznKTw3t3dyXAuDSnNKnXcRRxjwkxanHPiulgff9hGNOMsFINlShgNKIwcsqXi9ENsE_we_3lbUjiU9_Qkx2u21RoWNrJsF9H2byv79ZLLZO6awVyQafdpqBW_XCNBJ1e_NGuheNcwdx2HQfvLSTqr_PLEND8gRXtsJLqDPQ2Vo0WDmMBi9Kxa7HS2hDhvXOgwjpXg', }, } as unknown as Request; }); diff --git a/src/auth/auth.guard.ts b/src/auth/auth.guard.ts index f659d00..0c2d6db 100644 --- a/src/auth/auth.guard.ts +++ b/src/auth/auth.guard.ts @@ -6,26 +6,28 @@ import { } from '@nestjs/common'; import { JwtService } from '@nestjs/jwt'; - +import * as OktaJwtVerifier from '@okta/jwt-verifier'; import { Request } from 'express'; @Injectable() export class AuthGuard implements CanActivate { constructor(private jwtService: JwtService) {} - + + async canActivate(context: ExecutionContext): Promise { + const oktaJwtVerifier = new OktaJwtVerifier({ + issuer: process.env.ISSUER, + clientId: process.env.CLIENT_ID + }) + const request = context.switchToHttp().getRequest(); const token = this.extractTokenFromHeader(request); if (!token) { throw new UnauthorizedException('Token not present'); } - try { - const payload = await this.jwtService.verifyAsync(token, { - secret: process.env.JWT_SECRET, - }); - // 💡 We're assigning the payload to the request object here - // so that we can access it in our route handlers - request['user'] = payload; + try { + const oktaToken = await oktaJwtVerifier.verifyAccessToken(token, 'api://default') + request['user'] = oktaToken.claims.sub; } catch { throw new UnauthorizedException('Token not valid'); } From 47b4ac5719c64aaad2dff4bf713bf1afe34fd311 Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 15:21:59 -0400 Subject: [PATCH 3/6] MAT-6729: Changing to Okta JWT Verification --- src/auth/auth.guard.spec.ts | 2 +- src/auth/auth.guard.ts | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/auth/auth.guard.spec.ts b/src/auth/auth.guard.spec.ts index 5afc008..69cbecc 100644 --- a/src/auth/auth.guard.spec.ts +++ b/src/auth/auth.guard.spec.ts @@ -48,7 +48,7 @@ describe('AuthGuard', () => { body: undefined, headers: { authorization: - 'Bearer eyJraWQiOiJNNG9CMW9DSmthdC0tYTNENFFXUFA3RWZCbUl3NG9BV05KYWJxdEJhUnM4IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlhGdHk4Y1JqNVZaRUg4Wlo1WFhNekVlanl4R2JQa3NQS2x3RGVqV2FsNEUiLCJpc3MiOiJodHRwczovL2Rldi0xODA5MjU3OC5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE3MTI4NTg0MTUsImV4cCI6MTcxMjg2MjAxNSwiY2lkIjoiMG9hMmZxdGF6OTVmcUpxYmY1ZDciLCJ1aWQiOiIwMHUyNWh3c3AxUG04MW5jTzVkNyIsInNjcCI6WyJvcGVuaWQiLCJlbWFpbCIsInByb2ZpbGUiXSwiYXV0aF90aW1lIjoxNzEyODU4NDE0LCJzdWIiOiJncmVnb3J5LmFraW5zQHNlbWFudGljYml0cy5jb20ifQ.Hi8mdaKMDvKprTE0cYAAKfKGxUel3P8GqeLAvCzVUYSFSbyX2-P8CNAUm287uhYTRsi5SE0go0rvxbxRZgpDLxNOAC5h2nKcc5mYr9bdsP7nX7iW6OWqvovrDcqn0FhkGcoG9qyLO2JqyQ3OgznKTw3t3dyXAuDSnNKnXcRRxjwkxanHPiulgff9hGNOMsFINlShgNKIwcsqXi9ENsE_we_3lbUjiU9_Qkx2u21RoWNrJsF9H2byv79ZLLZO6awVyQafdpqBW_XCNBJ1e_NGuheNcwdx2HQfvLSTqr_PLEND8gRXtsJLqDPQ2Vo0WDmMBi9Kxa7HS2hDhvXOgwjpXg', + 'Bearer eyJraWQiOiJNNG9CMW9DSmthdC0tYTNENFFXUFA3RWZCbUl3NG9BV05KYWJxdEJhUnM4IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlBlN3hEc000MksyTnhHSW5vSWV1UEVEVmgxY3YydDVqQ1FKZmU1Sm9ZbkUiLCJpc3MiOiJodHRwczovL2Rldi0xODA5MjU3OC5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE3MTI4NjMyNzcsImV4cCI6MTcxMjg2Njg3NywiY2lkIjoiMG9hMmZxdGF6OTVmcUpxYmY1ZDciLCJ1aWQiOiIwMHUyNWh3c3AxUG04MW5jTzVkNyIsInNjcCI6WyJvcGVuaWQiLCJlbWFpbCIsInByb2ZpbGUiXSwiYXV0aF90aW1lIjoxNzEyODYzMjc2LCJzdWIiOiJncmVnb3J5LmFraW5zQHNlbWFudGljYml0cy5jb20ifQ.nptyxgS8-o0hn29fhnZ7fOb5_pC4eSCTgxjzj7ZUvJ3-qqoEMx25uYJNLc5_EDQlTVEA6IpZPhioJXwEG8DEFc3nFu7iur5gUqK2n1EEKrSMUyRTUSauZKtAKu1KwQZ03DU786EdT6zQcKueeFJxV3UGPIyZKu9yiJZc6Kcz6-0XOo74Zc6ZIpPdn6eggdvm9bHf0FuDWW6XnlvGcl8Uf-7-RdviZTUuowuIinAeMowmnC294fe_JSJAdCzeeh75EOjz6uqrjysFfjf57YX0tJVjdZmHPvesmqWTTzcDBbx0iA-GS9TpVHHKABQGYmZoXmSDLgHDKfCBnGERL_bG1w', }, } as unknown as Request; }); diff --git a/src/auth/auth.guard.ts b/src/auth/auth.guard.ts index 0c2d6db..f6a83d4 100644 --- a/src/auth/auth.guard.ts +++ b/src/auth/auth.guard.ts @@ -12,21 +12,26 @@ import { Request } from 'express'; @Injectable() export class AuthGuard implements CanActivate { constructor(private jwtService: JwtService) {} - - + async canActivate(context: ExecutionContext): Promise { + const oktaJwtVerifier = new OktaJwtVerifier({ issuer: process.env.ISSUER, - clientId: process.env.CLIENT_ID - }) - + clientId: process.env.CLIENT_ID, + }); + const request = context.switchToHttp().getRequest(); const token = this.extractTokenFromHeader(request); + if (!token) { throw new UnauthorizedException('Token not present'); } - try { - const oktaToken = await oktaJwtVerifier.verifyAccessToken(token, 'api://default') + try { + console.log('Token', token); + const oktaToken = await oktaJwtVerifier.verifyAccessToken( + token, + 'api://default', + ); request['user'] = oktaToken.claims.sub; } catch { throw new UnauthorizedException('Token not valid'); From 7dc57c606f8ee3e951424a565f913e80e7b671f6 Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 15:23:01 -0400 Subject: [PATCH 4/6] MAT-6729: Changing to Okta JWT Verification --- src/auth/auth.guard.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/auth/auth.guard.ts b/src/auth/auth.guard.ts index f6a83d4..cbe5558 100644 --- a/src/auth/auth.guard.ts +++ b/src/auth/auth.guard.ts @@ -14,15 +14,14 @@ export class AuthGuard implements CanActivate { constructor(private jwtService: JwtService) {} async canActivate(context: ExecutionContext): Promise { - const oktaJwtVerifier = new OktaJwtVerifier({ issuer: process.env.ISSUER, clientId: process.env.CLIENT_ID, }); - + const request = context.switchToHttp().getRequest(); const token = this.extractTokenFromHeader(request); - + if (!token) { throw new UnauthorizedException('Token not present'); } From 61fed166a83682736d5f0e5f7de797caf14aab02 Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 15:25:53 -0400 Subject: [PATCH 5/6] MAT-6729: Changing to Okta JWT Verification --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index d62bcf1..e4236df 100644 --- a/package.json +++ b/package.json @@ -15,8 +15,8 @@ "start:prod": "node dist/main", "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix", "test": "ISSUER=\"https://dev-18092578.okta.com/oauth2/default\" CLIENT_ID=\"0oa2fqtaz95fqJqbf5d7\" jest", - "test:watch": " jest --watch", - "test:cov": "jest --coverage", + "test:watch": "ISSUER=\"https://dev-18092578.okta.com/oauth2/default\" CLIENT_ID=\"0oa2fqtaz95fqJqbf5d7\" jest --watch", + "test:cov": "ISSUER=\"https://dev-18092578.okta.com/oauth2/default\" CLIENT_ID=\"0oa2fqtaz95fqJqbf5d7\" jest --coverage", "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand", "test:e2e": "jest --config ./test/jest-e2e.json" }, From 455b489d719ea5e285e9681c3809ce812ac50a60 Mon Sep 17 00:00:00 2001 From: Greg Akins Date: Thu, 11 Apr 2024 16:04:44 -0400 Subject: [PATCH 6/6] MAT-6729: Modifying CORS check to it's specific to our servers, GET & PUT --- src/auth/auth.guard.ts | 1 - src/main.ts | 12 +++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/auth/auth.guard.ts b/src/auth/auth.guard.ts index cbe5558..d11cdaf 100644 --- a/src/auth/auth.guard.ts +++ b/src/auth/auth.guard.ts @@ -26,7 +26,6 @@ export class AuthGuard implements CanActivate { throw new UnauthorizedException('Token not present'); } try { - console.log('Token', token); const oktaToken = await oktaJwtVerifier.verifyAccessToken( token, 'api://default', diff --git a/src/main.ts b/src/main.ts index 43f0d0f..bdcbc30 100644 --- a/src/main.ts +++ b/src/main.ts @@ -2,7 +2,17 @@ import { NestFactory } from '@nestjs/core'; import { ExportModule } from './export.module'; export async function bootstrap() { - const app = await NestFactory.create(ExportModule, { cors: true }); + const app = await NestFactory.create(ExportModule); + app.enableCors({ + origin: [ + 'http://localhost:9000', + 'https://dev-madie.hcqis.org', + 'https://test-madie.hcqis.org', + 'https://impl-madie.hcqis.org', + 'https://madie.cms.gov', + ], + methods: ['GET', 'PUT'], + }); await app.listen(3000); } bootstrap();