BC-8019 Switch to asymmetric signing of JWT (#5294)

* Switch to asymmetric signing

* Adjust configs

* Fix tests

* Make secret combination of private and public key in feathers

* Add tests

* Update typ of JWT

* Update authConfig in tests

* Handle new lines in keys

* Clean up strategy tests

* Use JwtModuleOptionsFactory

* Use factory method instead of class

* Remove authConfig

* Remove unnecessary props in AuthGuardConfig

* Add AuthGuardConfig to files-storage

* Change setting of options in authn service

* Add authn test modules

* Fix authn service test

* Change iss and aud of JWT

* Fix reading of config for other apps

* Add JWT_SIGNING_ALGORITHM as env var

* Add check of algorithm in JWT validation

* Add check of issuer and audience in JWT validation

* Remove unnecessary consts

* Skip broken test

* Add SC_Domain to preview-generator-configmap

* Add values to top-level configs where forgotten

* Add factory for strategy options to satisfy SonarCloud

* Use getOrThrow to read values from ConfigService

* Define defaultMikroOrmOptions in for AdminApiServerModule separately to fix dependency problem

* Add JWT_PUBLIC_KEY to configmap of admin-api-server

* Add JWT_PUBLIC_KEY to configmap of preview-generator

---------

Co-authored-by: Max Bischof <[email protected]>

ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2

@@ -22,3 +22,4 @@ data:
   IDENTITY_MANAGEMENT__TENANT: "{{ IDENTITY_MANAGEMENT__TENANT }}"
   IDENTITY_MANAGEMENT__CLIENTID: "{{ IDENTITY_MANAGEMENT__CLIENTID }}"
   TLDRAW__WEBSOCKET_URL: "wss://{{ DOMAIN }}/tldraw-server"
+  JWT_PUBLIC_KEY: "{{ JWT_PUBLIC_KEY }}"

ansible/roles/schulcloud-server-core/templates/preview-generator-configmap.yml.j2

@@ -8,3 +8,5 @@ metadata:
 data:
   NEST_LOG_LEVEL: "{{ NEST_LOG_LEVEL }}"
   EXIT_ON_ERROR: "true"
+  SC_DOMAIN: "{{ DOMAIN }}"
+  JWT_PUBLIC_KEY: "{{ JWT_PUBLIC_KEY }}"

apps/server/src/infra/auth-guard/auth-guard.config.ts

@@ -1,6 +1,8 @@
+import { Algorithm } from 'jsonwebtoken';
+
 export interface AuthGuardConfig {
 	ADMIN_API__ALLOWED_API_KEYS: string[];
-	JWT_AUD: string;
-	JWT_LIFETIME: string;
-	AUTHENTICATION: string;
+	JWT_PUBLIC_KEY: string;
+	JWT_SIGNING_ALGORITHM: Algorithm;
+	SC_DOMAIN: string;
 }

apps/server/src/infra/auth-guard/config/index.ts

@@ -1,2 +1 @@
-export * from './auth-config';
 export * from './x-api-key.config';

apps/server/src/infra/auth-guard/index.ts

@@ -1,7 +1,7 @@
 export { JwtValidationAdapter } from './adapter';
 export { AuthGuardModule } from './auth-guard.module';
 export { AuthGuardConfig } from './auth-guard.config';
-export { XApiKeyConfig, authConfig } from './config';
+export { XApiKeyConfig } from './config';
 export { CurrentUser, JWT, JwtAuthentication } from './decorator';
 // JwtAuthGuard only exported because api tests still overried this guard.
 // Use JwtAuthentication decorator for request validation

apps/server/src/infra/auth-guard/mapper/index.ts

@@ -1,3 +1,3 @@
-export * from './authConfig.factory';
 export * from './current-user.factory';
 export * from './jwt.factory';
+export * from './jwt-strategy-options.factory';