feat(server): move authentication to tokens stored in the database (#1381)

* chore: add typeorm commands to npm and set default database config values

* feat: move to server side authentication tokens

* fix: websocket should emit error and disconnect on error thrown by the server

* refactor: rename cookie-auth-strategy to user-auth-strategy

* feat: user tokens and API keys now use SHA256 hash for performance improvements

* test: album e2e test remove unneeded module import

* infra: truncate api key table as old keys will no longer work with new hash algorithm

* fix(server): e2e tests (#1435)

* fix: root module paths

* chore: linting

* chore: rename user-auth to strategy.ts and make validate return AuthUserDto

* fix: we should always send HttpOnly for our auth cookies

* chore: remove now unused crypto functions and jwt dependencies

* fix: return the extra fields for AuthUserDto in auth service validate

---------

Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>

server/libs/domain/src/api-key/api-key.repository.ts

@@ -10,7 +10,7 @@ export interface IKeyRepository {
    * Includes the hashed `key` for verification
    * @param id
    */
-  getKey(id: number): Promise<APIKeyEntity | null>;
+  getKey(hashedToken: string): Promise<APIKeyEntity | null>;
   getById(userId: string, id: number): Promise<APIKeyEntity | null>;
   getByUserId(userId: string): Promise<APIKeyEntity[]>;
 }

server/libs/domain/src/api-key/api-key.service.spec.ts

@@ -1,6 +1,6 @@
 import { APIKeyEntity } from '@app/infra/db/entities';
 import { BadRequestException, UnauthorizedException } from '@nestjs/common';
-import { authStub, entityStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test';
+import { authStub, userEntityStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test';
 import { ICryptoRepository } from '../auth';
 import { IKeyRepository } from './api-key.repository';
 import { APIKeyService } from './api-key.service';
@@ -10,10 +10,10 @@ const adminKey = Object.freeze({
   name: 'My Key',
   key: 'my-api-key (hashed)',
   userId: authStub.admin.id,
-  user: entityStub.admin,
+  user: userEntityStub.admin,
 } as APIKeyEntity);
 
-const token = Buffer.from('1:my-api-key', 'utf8').toString('base64');
+const token = Buffer.from('my-api-key', 'utf8').toString('base64');
 
 describe(APIKeyService.name, () => {
   let sut: APIKeyService;
@@ -38,7 +38,7 @@ describe(APIKeyService.name, () => {
         userId: authStub.admin.id,
       });
       expect(cryptoMock.randomBytes).toHaveBeenCalled();
-      expect(cryptoMock.hash).toHaveBeenCalled();
+      expect(cryptoMock.hashSha256).toHaveBeenCalled();
     });
 
     it('should not require a name', async () => {
@@ -52,7 +52,7 @@ describe(APIKeyService.name, () => {
         userId: authStub.admin.id,
       });
       expect(cryptoMock.randomBytes).toHaveBeenCalled();
-      expect(cryptoMock.hash).toHaveBeenCalled();
+      expect(cryptoMock.hashSha256).toHaveBeenCalled();
     });
   });
 
@@ -126,8 +126,7 @@ describe(APIKeyService.name, () => {
 
       await expect(sut.validate(token)).rejects.toBeInstanceOf(UnauthorizedException);
 
-      expect(keyMock.getKey).toHaveBeenCalledWith(1);
-      expect(cryptoMock.compareSync).not.toHaveBeenCalled();
+      expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
     });
 
     it('should validate the token', async () => {
@@ -135,8 +134,7 @@ describe(APIKeyService.name, () => {
 
       await expect(sut.validate(token)).resolves.toEqual(authStub.admin);
 
-      expect(keyMock.getKey).toHaveBeenCalledWith(1);
-      expect(cryptoMock.compareSync).toHaveBeenCalledWith('my-api-key', 'my-api-key (hashed)');
+      expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
     });
   });
 });

server/libs/domain/src/api-key/api-key.service.ts

@@ -1,4 +1,3 @@
-import { UserEntity } from '@app/infra/db/entities';
 import { BadRequestException, Inject, Injectable, UnauthorizedException } from '@nestjs/common';
 import { AuthUserDto, ICryptoRepository } from '../auth';
 import { IKeyRepository } from './api-key.repository';
@@ -14,15 +13,13 @@ export class APIKeyService {
   ) {}
 
   async create(authUser: AuthUserDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
-    const key = this.crypto.randomBytes(24).toString('base64').replace(/\W/g, '');
+    const secret = this.crypto.randomBytes(32).toString('base64').replace(/\W/g, '');
     const entity = await this.repository.create({
-      key: await this.crypto.hash(key, 10),
+      key: this.crypto.hashSha256(secret),
       name: dto.name || 'API Key',
       userId: authUser.id,
     });
 
-    const secret = Buffer.from(`${entity.id}:${key}`, 'utf8').toString('base64');
-
     return { secret, apiKey: mapKey(entity) };
   }
 
@@ -60,22 +57,18 @@ export class APIKeyService {
   }
 
   async validate(token: string): Promise<AuthUserDto> {
-    const [_id, key] = Buffer.from(token, 'base64').toString('utf8').split(':');
-    const id = Number(_id);
+    const hashedToken = this.crypto.hashSha256(token);
+    const keyEntity = await this.repository.getKey(hashedToken);
+    if (keyEntity?.user) {
+      const user = keyEntity.user;
 
-    if (id && key) {
-      const entity = await this.repository.getKey(id);
-      if (entity?.user && entity?.key && this.crypto.compareSync(key, entity.key)) {
-        const user = entity.user as UserEntity;
-
-        return {
-          id: user.id,
-          email: user.email,
-          isAdmin: user.isAdmin,
-          isPublicUser: false,
-          isAllowUpload: true,
-        };
-      }
+      return {
+        id: user.id,
+        email: user.email,
+        isAdmin: user.isAdmin,
+        isPublicUser: false,
+        isAllowUpload: true,
+      };
     }
 
     throw new UnauthorizedException('Invalid API Key');