Implement auth using admin JWT token (#398)

longquanzheng · web-flow · commit 140a80b8d79d · 2021-09-09T14:32:49.000-07:00
* Implement auth using admin jwt token

* address comments

* fix undefined

* add auth pkg

* done

* address comments

* fix typo

* fix typo
diff --git a/README.md b/README.md
@@ -19,7 +19,10 @@ Set these environment variables if you need to change their defaults
 | CADENCE_TCHANNEL_PEERS    | Comma-delmited list of tchannel peers         | 127.0.0.1:7933    |
 | CADENCE_TCHANNEL_SERVICE  | Name of the cadence tchannel service to call  | cadence-frontend  |
 | CADENCE_WEB_PORT          | HTTP port to serve on                         | 8088              |
-| CADENCE_EXTERNAL_SCRIPTS     | Addtional JavaScript tags to serve in the UI  |                   |
+| CADENCE_EXTERNAL_SCRIPTS     | Addtional JavaScript tags to serve in the UI  |                |
+| ENABLE_AUTH          | Enable auth feature                                | false             |
+| AUTH_TYPE          | concurrently supports ADMIN_JWT                      | ''                |
+| AUTH_ADMIN_JWT_PRIVATE_KEY          | JWT signing private key for ADMIN_JWT type  | ''        |
 
 ### Running locally
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -50,6 +50,7 @@
     "html-webpack-plugin": "^2.30.1",
     "html-webpack-template": "^6.1.0",
     "is-ipv4-node": "^1.0.6",
+    "jsonwebtoken": "^8.5.1",
     "koa": "^2.3.0",
     "koa-better-error-handler": "^1.3.0",
     "koa-bodyparser": "^4.2.0",
diff --git a/server/index.js b/server/index.js
@@ -28,6 +28,7 @@ const koaSend = require('koa-send');
 const koaStatic = require('koa-static');
 const koaWebpack = require('koa-webpack');
 const webpack = require('webpack');
+const jwt = require('jsonwebtoken');
 
 const webpackConfig = require('../webpack.config');
 const tchannelClient = require('./middleware/tchannel-client');
@@ -54,6 +55,9 @@ app.init = function({
   serviceName = process.env.CADENCE_TCHANNEL_SERVICE || SERVICE_NAME_DEFAULT,
   timeout = REQUEST_TIMEOUT_DEFAULT,
   useWebpack = process.env.NODE_ENV !== 'production',
+  enableAuth = process.env.ENABLE_AUTH === 'true',
+  authType = process.env.AUTH_TYPE,
+  authAdminJwtPrivateKey = process.env.AUTH_ADMIN_JWT_PRIVATE_KEY,
 } = {}) {
   const requestConfig = {
     retryFlags,
@@ -94,6 +98,22 @@ app.init = function({
         filter: contentType => !contentType.startsWith('text/event-stream'),
       })
     )
+    .use(async function(ctx, next) {
+      if (enableAuth && authType === 'ADMIN_JWT' && authAdminJwtPrivateKey) {
+        ctx.authTokenHeaders = ctx.authTokenHeaders || {};
+        const token = jwt.sign(
+          { admin: true, ttl: 10 },
+          authAdminJwtPrivateKey,
+          {
+            algorithm: 'RS256',
+          }
+        );
+
+        ctx.authTokenHeaders['cadence-authorization'] = token;
+      }
+
+      await next();
+    })
     .use(tchannelClient({ peers, requestConfig }))
     .use(
       useWebpack
