IMN-639 - Creating JWKS clients only once at services startup (#1131)

pagopa · Nov 18, 2024 · ceb7f3f · ceb7f3f
1 parent 5ca8442
commit ceb7f3f
Show file tree

Hide file tree

Showing 15 changed files with 63 additions and 29 deletions.
diff --git a/collections/bff/authorization/get Session Token.bru b/collections/bff/authorization/get Session Token.bru
@@ -17,7 +17,7 @@ headers {
 
 body:json {
   {
-    "identity_token": {{JWT}}
+    "identity_token": "{{process.env.JWT}}"
   }
 }
 

diff --git a/collections/environments/PagoPA local.bru b/collections/environments/PagoPA local.bru
@@ -1,6 +1,6 @@
 vars {
   host-agreement: http://localhost:3100
-  JWT: {{process.env.JWT}}
+  JWT: Bearer {{process.env.JWT}}
   host-catalog: http://localhost:3000
   correlation-id: 79eb4963-3866-422f-8ef0-87871e5f9a71
   JWT-Invalid: 
@@ -10,5 +10,5 @@ vars {
   host-purpose: http://localhost:3400
   host-authorization: http://localhost:3300
   host-api-gw: http://localhost:3700/api-gateway/0.0
-  JWT-M2M: {{process.env.JWT-M2M}}
+  JWT-M2M: Bearer {{process.env.JWT-M2M}}
 }
diff --git a/packages/agreement-process/src/app.ts b/packages/agreement-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   loggerMiddleware,
   zodiosCtx,
@@ -12,13 +13,15 @@ const serviceName = "agreement-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(loggerMiddleware(serviceName));
 app.use(agreementRouter(zodiosCtx));
 

diff --git a/packages/api-gateway/src/app.ts b/packages/api-gateway/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   initRedisRateLimiter,
   loggerMiddleware,
@@ -17,6 +18,8 @@ const clients = getInteropBeClients();
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 const redisRateLimiter = await initRedisRateLimiter({
   limiterGroup: "API_GW",
   maxRequests: config.rateLimiterMaxRequests,
@@ -37,7 +40,7 @@ app.use(
   `/api-gateway/${config.apiGatewayInterfaceVersion}`,
   healthRouter,
   contextMiddleware(serviceName, false),
-  authenticationMiddleware(config),
+  authenticationMiddleware(config, jwksClients),
   // Authenticated routes - rate limiter relies on auth data to work
   rateLimiterMiddleware(redisRateLimiter),
   apiGatewayRouter(zodiosCtx, clients)

diff --git a/packages/attribute-registry-process/src/app.ts b/packages/attribute-registry-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   loggerMiddleware,
   zodiosCtx,
@@ -12,13 +13,15 @@ const serviceName = "attribute-registry-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(loggerMiddleware(serviceName));
 app.use(attributeRouter(zodiosCtx));
 

diff --git a/packages/authorization-process/src/app.ts b/packages/authorization-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   zodiosCtx,
 } from "pagopa-interop-commons";
@@ -11,13 +12,15 @@ const serviceName = "authorization-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(authorizationRouter(zodiosCtx));
 
 export default app;
diff --git a/packages/backend-for-frontend/src/app.ts b/packages/backend-for-frontend/src/app.ts
@@ -6,6 +6,7 @@ import {
   zodiosCtx,
   initRedisRateLimiter,
   rateLimiterMiddleware,
+  buildJwksClients,
 } from "pagopa-interop-commons";
 import express from "express";
 import { config } from "./config/config.js";
@@ -37,6 +38,8 @@ const clients = getInteropBeClients();
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 const redisRateLimiter = await initRedisRateLimiter({
   limiterGroup: "BFF",
   maxRequests: config.rateLimiterMaxRequests,
@@ -66,16 +69,22 @@ app.use(
   `/backend-for-frontend/${config.backendForFrontendInterfaceVersion}`,
   healthRouter,
   contextMiddleware(serviceName, false),
-  authorizationRouter(zodiosCtx, clients, allowList, redisRateLimiter),
-  authenticationMiddleware(config),
+  authorizationRouter(
+    zodiosCtx,
+    clients,
+    allowList,
+    redisRateLimiter,
+    jwksClients
+  ),
+  authenticationMiddleware(config, jwksClients),
   // Authenticated routes - rate limiter relies on auth data to work
   rateLimiterMiddleware(redisRateLimiter),
   catalogRouter(zodiosCtx, clients, fileManager),
   attributeRouter(zodiosCtx, clients),
   purposeRouter(zodiosCtx, clients),
   agreementRouter(zodiosCtx, clients, fileManager),
   selfcareRouter(clients, zodiosCtx),
-  supportRouter(zodiosCtx, clients, redisRateLimiter),
+  supportRouter(zodiosCtx, clients, redisRateLimiter, jwksClients),
   toolRouter(zodiosCtx, clients),
   tenantRouter(zodiosCtx, clients),
   clientRouter(zodiosCtx, clients),

diff --git a/packages/backend-for-frontend/src/routers/authorizationRouter.ts b/packages/backend-for-frontend/src/routers/authorizationRouter.ts
@@ -8,6 +8,7 @@ import {
   zodiosValidationErrorToApiProblem,
   RateLimiter,
   rateLimiterHeadersFromStatus,
+  buildJwksClients,
 } from "pagopa-interop-commons";
 import { tooManyRequestsError } from "pagopa-interop-models";
 import { makeApiProblem } from "../model/errors.js";
@@ -21,7 +22,8 @@ const authorizationRouter = (
   ctx: ZodiosContext,
   { tenantProcessClient }: PagoPAInteropBeClients,
   allowList: string[],
-  rateLimiter: RateLimiter
+  rateLimiter: RateLimiter,
+  jwksClients: ReturnType<typeof buildJwksClients>
 ): ZodiosRouter<ZodiosEndpointDefinitions, ExpressContext> => {
   const authorizationRouter = ctx.router(bffApi.authorizationApi.api, {
     validationErrorHandler: zodiosValidationErrorToApiProblem,
@@ -32,7 +34,8 @@ const authorizationRouter = (
     interopTokenGenerator,
     tenantProcessClient,
     allowList,
-    rateLimiter
+    rateLimiter,
+    jwksClients
   );
 
   authorizationRouter

diff --git a/packages/backend-for-frontend/src/routers/supportRouter.ts b/packages/backend-for-frontend/src/routers/supportRouter.ts
@@ -1,6 +1,7 @@
 import { ZodiosEndpointDefinitions } from "@zodios/core";
 import { ZodiosRouter } from "@zodios/express";
 import {
+  buildJwksClients,
   ExpressContext,
   InteropTokenGenerator,
   RateLimiter,
@@ -19,7 +20,8 @@ import { fromBffAppContext } from "../utilities/context.js";
 const supportRouter = (
   ctx: ZodiosContext,
   { tenantProcessClient }: PagoPAInteropBeClients,
-  rateLimiter: RateLimiter
+  rateLimiter: RateLimiter,
+  jwksClients: ReturnType<typeof buildJwksClients>
 ): ZodiosRouter<ZodiosEndpointDefinitions, ExpressContext> => {
   const supportRouter = ctx.router(bffApi.supportApi.api, {
     validationErrorHandler: zodiosValidationErrorToApiProblem,
@@ -30,7 +32,8 @@ const supportRouter = (
     interopTokenGenerator,
     tenantProcessClient,
     config.tenantAllowedOrigins,
-    rateLimiter
+    rateLimiter,
+    jwksClients
   );
 
   supportRouter.post("/session/saml2/tokens", async (req, res) => {

diff --git a/packages/backend-for-frontend/src/services/authorizationService.ts b/packages/backend-for-frontend/src/services/authorizationService.ts
@@ -16,7 +16,7 @@ import {
   USER_ROLES,
   WithLogger,
   decodeJwtToken,
-  getJwksClients,
+  buildJwksClients,
   userRoles,
   verifyJwtToken,
 } from "pagopa-interop-commons";
@@ -52,10 +52,9 @@ export function authorizationServiceBuilder(
   interopTokenGenerator: InteropTokenGenerator,
   tenantProcessClient: PagoPAInteropBeClients["tenantProcessClient"],
   allowList: string[],
-  rateLimiter: RateLimiter
+  rateLimiter: RateLimiter,
+  jwksClients: ReturnType<typeof buildJwksClients>
 ) {
-  const jwksClients = getJwksClients(config);
-
   const readJwt = async (
     identityToken: string,
     logger: Logger

diff --git a/packages/catalog-process/src/app.ts b/packages/catalog-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   loggerMiddleware,
   zodiosCtx,
@@ -12,13 +13,15 @@ const serviceName = "catalog-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(loggerMiddleware(serviceName));
 app.use(eservicesRouter(zodiosCtx));
 

diff --git a/packages/commons/src/auth/authenticationMiddleware.ts b/packages/commons/src/auth/authenticationMiddleware.ts
@@ -5,10 +5,10 @@ import {
   unauthorizedError,
 } from "pagopa-interop-models";
 import { match } from "ts-pattern";
+import { JwksClient } from "jwks-rsa";
 import {
   ExpressContext,
   fromAppContext,
-  getJwksClients,
   JWTConfig,
   jwtFromAuthHeader,
 } from "../index.js";
@@ -18,17 +18,16 @@ import { readAuthDataFromJwtToken, verifyJwtToken } from "./jwt.js";
 const makeApiProblem = makeApiProblemBuilder({});
 
 export const authenticationMiddleware: (
-  config: JWTConfig
+  config: JWTConfig,
+  jwksClients: JwksClient[]
 ) => ZodiosRouterContextRequestHandler<ExpressContext> =
-  (config: JWTConfig) =>
+  (config: JWTConfig, jwksClients: JwksClient[]) =>
   async (req, res, next): Promise<unknown> => {
     // We assume that:
     // - contextMiddleware already set ctx.serviceName and ctx.correlationId
     const ctx = fromAppContext(req.ctx);
 
     try {
-      const jwksClients = getJwksClients(config);
-
       const jwtToken = jwtFromAuthHeader(req, ctx.logger);
       const valid = await verifyJwtToken(
         jwtToken,

diff --git a/packages/commons/src/auth/jwk.ts b/packages/commons/src/auth/jwk.ts
@@ -67,14 +67,14 @@ export function sortJWK(jwk: JsonWebKey): JsonWebKey {
     );
 }
 
-export function getJwksClients(config: JWTConfig): JwksClient[] {
+export function buildJwksClients(config: JWTConfig): JwksClient[] {
   return config.wellKnownUrls.map((url) =>
     jwksClient({
       cache: true,
       rateLimit: true,
       jwksUri: url,
-      /* If JWKS_CACHE_MAX_AGE_MILLIS not provided using 10 minute like default value: 
-      https://github.com/auth0/node-jwks-rsa/blob/master/EXAMPLES.md#configuration 
+      /* If JWKS_CACHE_MAX_AGE_MILLIS not provided using 10 minutes as default value:
+      https://github.com/auth0/node-jwks-rsa/blob/master/EXAMPLES.md#configuration
       */
       cacheMaxAge: config.jwksCacheMaxAge ?? 600000,
     })

diff --git a/packages/purpose-process/src/app.ts b/packages/purpose-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   loggerMiddleware,
   zodiosCtx,
@@ -12,13 +13,15 @@ const serviceName = "purpose-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(loggerMiddleware(serviceName));
 app.use(purposeRouter(zodiosCtx));
 

diff --git a/packages/tenant-process/src/app.ts b/packages/tenant-process/src/app.ts
@@ -1,5 +1,6 @@
 import {
   authenticationMiddleware,
+  buildJwksClients,
   contextMiddleware,
   loggerMiddleware,
   zodiosCtx,
@@ -12,13 +13,15 @@ const serviceName = "tenant-process";
 
 const app = zodiosCtx.app();
 
+const jwksClients = buildJwksClients(config);
+
 // Disable the "X-Powered-By: Express" HTTP header for security reasons.
 // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_16
 app.disable("x-powered-by");
 
 app.use(healthRouter);
 app.use(contextMiddleware(serviceName));
-app.use(authenticationMiddleware(config));
+app.use(authenticationMiddleware(config, jwksClients));
 app.use(loggerMiddleware(serviceName));
 app.use(tenantRouter(zodiosCtx));
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,7 @@ headers { @@
     body:json {
       {
-        "identity_token": {{JWT}}
+        "identity_token": "{{process.env.JWT}}"
       }
     }
@@ Expand Down @@