Merge branch 'main' into dependabot/npm_and_yarn/jose-5.6.3

ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2

@@ -30,11 +30,6 @@ spec:
             git.branch: {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
             git.repo: {{ SCHULCLOUD_SERVER_REPO_NAME }}
         spec:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
-            runAsNonRoot: true
           volumes:
             - name: libraries-list
               configMap:

ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2

@@ -20,11 +20,6 @@ spec:
     spec:
       template:
         spec:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
-            runAsNonRoot: true
           containers:
           - name: delete-s3-files-cronjob
             image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}

ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2

@@ -29,11 +29,6 @@ spec:
     spec:
       template:
         spec:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
-            runAsNonRoot: true
           containers:
           - name: data-deletion-trigger-cronjob
             image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}

ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2

@@ -11,11 +11,6 @@ spec:
       labels:
         app: api-migration
     spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        runAsNonRoot: true
       containers:
       - name: api-migration-job
         image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}

ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2

@@ -20,11 +20,6 @@ spec:
     spec:
       template:
         spec:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
-            runAsNonRoot: true
           containers:
           - name: tldraw-delete-files-cronjob
             image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}

ansible/roles/schulcloud-server-init/templates/job_init.yml.j2

@@ -7,11 +7,6 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        runAsNonRoot: true
       containers:
       - name: api-init
         image: quay.io/schulcloudverbund/infra-tools:latest

ansible/roles/schulcloud-server-ldapsync/templates/api-ldap-sync-full-cronjob.yml.j2

@@ -20,11 +20,6 @@ spec:
       activeDeadlineSeconds: {{ SERVER_LDAP_SYNC_FULL_CRONJOB_TIMEOUT|default("39600", true) }}
       template:
         spec:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-            fsGroup: 1000
-            runAsNonRoot: true
           containers:
           - name: api-ldapsync-cronjob
             image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}

apps/server/src/infra/authorization-client/authorization-client.adapter.ts

@@ -1,9 +1,8 @@
 import { Inject, Injectable } from '@nestjs/common';
 import { REQUEST } from '@nestjs/core';
 import { RawAxiosRequestConfig } from 'axios';
-import cookie from 'cookie';
 import { Request } from 'express';
-import { ExtractJwt, JwtFromRequestFunction } from 'passport-jwt';
+import { extractJwtFromHeader } from '@shared/common';
 import { AuthorizationApi, AuthorizationBodyParams } from './authorization-api-client';
 import { AuthorizationErrorLoggableException, AuthorizationForbiddenLoggableException } from './error';
 
@@ -19,9 +18,9 @@ export class AuthorizationClientAdapter {
 	}
 
 	public async hasPermissionsByReference(params: AuthorizationBodyParams): Promise<boolean> {
-		const options = this.createOptionParams(params);
-
 		try {
+			const options = this.createOptionParams();
+
 			const response = await this.authorizationApi.authorizationReferenceControllerAuthorizeByReference(
 				params,
 				options
@@ -34,34 +33,20 @@ export class AuthorizationClientAdapter {
 		}
 	}
 
-	private createOptionParams(params: AuthorizationBodyParams): RawAxiosRequestConfig<any> {
-		const jwt = this.getJWT(params);
+	private createOptionParams(): RawAxiosRequestConfig<any> {
+		const jwt = this.getJwt();
 		const options: RawAxiosRequestConfig<any> = { headers: { authorization: `Bearer ${jwt}` } };
 
 		return options;
 	}
 
-	private getJWT(params: AuthorizationBodyParams): string {
-		const getJWT = ExtractJwt.fromExtractors([ExtractJwt.fromAuthHeaderAsBearerToken(), this.fromCookie('jwt')]);
-		const jwt = getJWT(this.request) || this.request.headers.authorization;
+	private getJwt(): string {
+		const jwt = extractJwtFromHeader(this.request) || this.request.headers.authorization;
 
 		if (!jwt) {
-			const error = new Error('Authentication is required.');
-			throw new AuthorizationErrorLoggableException(error, params);
+			throw new Error('Authentication is required.');
 		}
 
 		return jwt;
 	}
-
-	private fromCookie(name: string): JwtFromRequestFunction {
-		return (request: Request) => {
-			let token: string | null = null;
-			const cookies = cookie.parse(request.headers.cookie || '');
-			if (cookies && cookies[name]) {
-				token = cookies[name];
-			}
-
-			return token;
-		};
-	}
 }

apps/server/src/modules/authentication/decorator/auth.decorator.ts

@@ -8,10 +8,9 @@ import {
 } from '@nestjs/common';
 import { ApiBearerAuth } from '@nestjs/swagger';
 import { Request } from 'express';
-import { ExtractJwt } from 'passport-jwt';
+import { extractJwtFromHeader } from '@shared/common';
 import { JwtAuthGuard } from '../guard/jwt-auth.guard';
 import { ICurrentUser, isICurrentUser } from '../interface/user';
-import { JwtExtractor } from '../helper/jwt-extractor';
 
 const STRATEGIES = ['jwt'] as const;
 type Strategies = typeof STRATEGIES;
@@ -56,9 +55,8 @@ export const CurrentUser = createParamDecorator<never, never, ICurrentUser>((_,
  * @requires Authenticated
  */
 export const JWT = createParamDecorator<never, never, string>((_, ctx: ExecutionContext) => {
-	const getJWT = ExtractJwt.fromExtractors([ExtractJwt.fromAuthHeaderAsBearerToken(), JwtExtractor.fromCookie('jwt')]);
 	const req: Request = ctx.switchToHttp().getRequest();
-	const jwt = getJWT(req) || req.headers.authorization;
+	const jwt = extractJwtFromHeader(req) || req.headers.authorization;
 
 	if (!jwt) {
 		throw new UnauthorizedException('Authentication is required.');

apps/server/src/modules/authentication/services/authentication.service.ts

@@ -44,7 +44,7 @@ export class AuthenticationService {
 	async generateJwt(user: CreateJwtPayload): Promise<LoginDto> {
 		const jti = randomUUID();
 
-		const result: LoginDto = new LoginDto({
+		const result = new LoginDto({
 			accessToken: this.jwtService.sign(user, {
 				subject: user.accountId,
 				jwtid: jti,

apps/server/src/modules/authentication/strategy/jwt.strategy.ts

@@ -1,21 +1,18 @@
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
-import { ExtractJwt, Strategy } from 'passport-jwt';
+import { Strategy } from 'passport-jwt';
+import { extractJwtFromHeader } from '@shared/common';
 import { jwtConstants } from '../constants';
 import { ICurrentUser } from '../interface';
 import { JwtPayload } from '../interface/jwt-payload';
 import { CurrentUserMapper } from '../mapper';
-import { JwtExtractor } from '../helper/jwt-extractor';
 import { JwtValidationAdapter } from '../helper/jwt-validation.adapter';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
 	constructor(private readonly jwtValidationAdapter: JwtValidationAdapter) {
 		super({
-			jwtFromRequest: ExtractJwt.fromExtractors([
-				ExtractJwt.fromAuthHeaderAsBearerToken(),
-				JwtExtractor.fromCookie('jwt'),
-			]),
+			jwtFromRequest: extractJwtFromHeader,
 			ignoreExpiration: false,
 			secretOrKey: jwtConstants.secret,
 			...jwtConstants.jwtOptions,

apps/server/src/modules/authentication/strategy/local.strategy.ts

@@ -3,7 +3,7 @@ import { Account } from '@modules/account';
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { PassportStrategy } from '@nestjs/passport';
-import { GuardAgainst } from '@shared/common/utils/guard-against';
+import { TypeGuard } from '@shared/common';
 import { UserRepo } from '@shared/repo';
 import bcrypt from 'bcryptjs';
 import { Strategy } from 'passport-local';
@@ -28,13 +28,13 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
 
 		if (this.configService.get('FEATURE_IDENTITY_MANAGEMENT_LOGIN_ENABLED')) {
 			const jwt = await this.idmOauthService.resourceOwnerPasswordGrant(username, password);
-			GuardAgainst.nullOrUndefined(jwt, new UnauthorizedException());
+			TypeGuard.checkNotNullOrUndefined(jwt, new UnauthorizedException());
 		} else {
-			const accountPassword = GuardAgainst.nullOrUndefined(account.password, new UnauthorizedException());
+			const accountPassword = TypeGuard.checkNotNullOrUndefined(account.password, new UnauthorizedException());
 			await this.checkCredentials(password, accountPassword, account);
 		}
 
-		const accountUserId = GuardAgainst.nullOrUndefined(
+		const accountUserId = TypeGuard.checkNotNullOrUndefined(
 			account.userId,
 			new Error(`login failing, because account ${account.id} has no userId`)
 		);
@@ -44,8 +44,8 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
 	}
 
 	private cleanupInput(username?: string, password?: string): { username: string; password: string } {
-		username = GuardAgainst.nullOrUndefined(username, new UnauthorizedException());
-		password = GuardAgainst.nullOrUndefined(password, new UnauthorizedException());
+		username = TypeGuard.checkNotNullOrUndefined(username, new UnauthorizedException());
+		password = TypeGuard.checkNotNullOrUndefined(password, new UnauthorizedException());
 		username = this.authenticationService.normalizeUsername(username);
 		password = this.authenticationService.normalizePassword(password);
 		return { username, password };

apps/server/src/modules/authentication/strategy/ws-jwt.strategy.ts

@@ -2,11 +2,11 @@ import { Injectable } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { WsException } from '@nestjs/websockets';
 import { ExtractJwt, Strategy } from 'passport-jwt';
+import { JwtExtractor } from '@shared/common';
 import { jwtConstants } from '../constants';
 import { ICurrentUser } from '../interface';
 import { JwtPayload } from '../interface/jwt-payload';
 import { CurrentUserMapper } from '../mapper';
-import { JwtExtractor } from '../helper/jwt-extractor';
 import { JwtValidationAdapter } from '../helper/jwt-validation.adapter';
 
 @Injectable()