diff --git a/.env.example b/.env.example index e9840146..777fefde 100644 --- a/.env.example +++ b/.env.example @@ -5,20 +5,7 @@ ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 # JWT # Required secrets to sign JWT tokens -JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a -JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff -JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f -JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200 -JWT_SERVICE_TOKEN_SECRET=f32f716d70a42c5703f4656015e76200 -JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201 - -# JWT lifetime -# Optional lifetimes for JWT tokens expressed in seconds or a string -# describing a time span (e.g. 60, "2 days", "10h", "7d") -JWT_AUTH_LIFETIME= -JWT_REFRESH_LIFETIME= -JWT_SIGNUP_LIFETIME= -JWT_PROVIDER_AUTH_LIFETIME= +AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE= # MongoDB # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref @@ -68,5 +55,12 @@ SENTRY_DSN= POSTHOG_HOST= POSTHOG_PROJECT_API_KEY= -CLIENT_ID_GOOGLE= -CLIENT_SECRET_GOOGLE= +# SSO-specific variables +CLIENT_ID_GOOGLE_LOGIN= +CLIENT_SECRET_GOOGLE_LOGIN= + +CLIENT_ID_GITHUB_LOGIN= +CLIENT_SECRET_GITHUB_LOGIN= + +CLIENT_ID_GITLAB_LOGIN= +CLIENT_SECRET_GITLAB_LOGIN= diff --git a/backend/src/config/index.ts b/backend/src/config/index.ts index 5c3e2f81..c57a6110 100644 --- a/backend/src/config/index.ts +++ b/backend/src/config/index.ts 
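Review bot: The example drops JWT_SERVICE_TOKEN_SECRET and the four JWT_*_LIFETIME variables, yet backend/src/config/index.ts in this same commit still reads them (getJwtServiceTokenSecret with no visible default, the lifetime getters falling back to "10d"/"90d"/"15m"/"15m"), so an operator who copies this file will miss settings that remain live. Keep those lines, or at least the lifetime block with its explanatory comment, below the new AUTH_SECRET entry. The value shown for AUTH_SECRET reads like a freshly generated secret rather than a placeholder; an obviously fake value such as `AUTH_SECRET=<generate with: openssl rand -base64 32>` makes it harder for the example to reach a deployment unchanged, and matches the generation command the docs hunk in this commit already gives.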
@@ -17,17 +17,13 @@ export const getRootEncryptionKey = async () => { } export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true" export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10; +export const getAuthSecret = async () => (await client.getSecret("AUTH_SECRET")).secretValue; // new export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d"; -export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue; export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m"; -export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m"; export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d"; -export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue; -export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; +export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1) export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m"; -export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue; export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m"; -export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue; export const getJwtServiceTokenSecret = async () => (await client.getSecret("JWT_SERVICE_TOKEN_SECRET")).secretValue; export const getMongoURL = async () => (await 
client.getSecret("MONGO_URL")).secretValue; export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production"; diff --git a/backend/src/controllers/v1/authController.ts b/backend/src/controllers/v1/authController.ts index 6f641154..e426eef5 100644 --- a/backend/src/controllers/v1/authController.ts +++ b/backend/src/controllers/v1/authController.ts @@ -6,15 +6,18 @@ const jsrp = require("jsrp"); import { LoginSRPDetail, TokenVersion, User } from "../../models"; import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth"; import { checkUserDevice } from "../../helpers/user"; -import { ACTION_LOGIN, ACTION_LOGOUT } from "../../variables"; +import { + ACTION_LOGIN, + ACTION_LOGOUT, + AuthTokenType +} from "../../variables"; import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors"; import { EELogService } from "../../ee/services"; import { getUserAgentType } from "../../utils/posthog"; import { + getAuthSecret, getHttpsEnabled, - getJwtAuthLifetime, - getJwtAuthSecret, - getJwtRefreshSecret + getJwtAuthLifetime } from "../../config"; import { ActorType } from "../../ee/models"; import { validateRequest } from "../../helpers/validation"; @@ -238,6 +241,7 @@ export const checkAuth = async (req: Request, res: Response) => { * @returns */ export const getNewToken = async (req: Request, res: Response) => { + const refreshToken = req.cookies.jid; if (!refreshToken) @@ -245,7 +249,9 @@ export const getNewToken = async (req: Request, res: Response) => { message: "Failed to find refresh token in request cookies" }); - const decodedToken = jwt.verify(refreshToken, await getJwtRefreshSecret()); + const decodedToken = jwt.verify(refreshToken, await getAuthSecret()); + + if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN) throw UnauthorizedRequestError(); const user = await User.findOne({ _id: decodedToken.userId 
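Review bot: `getAuthSecret` is now the single key that signs access, refresh, signup, MFA and provider tokens, and the trailing `// new` comment says nothing about that. Replace it with a comment that states the contract this creates, e.g. `// Single HMAC key for all first-party JWTs; verifiers MUST also check payload.authTokenType, since the signature alone no longer distinguishes token kinds.` Like the neighbouring getters it returns secretValue without a fallback, which is right for a signing key; if AUTH_SECRET is unset the failure presumably surfaces only at the first sign/verify call rather than at startup, so validating it wherever the other required secrets are checked (outside this hunk) would fail faster.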
@@ -268,12 +274,13 @@ export const getNewToken = async (req: Request, res: Response) => { const token = createToken({ payload: { + authTokenType: AuthTokenType.ACCESS_TOKEN, userId: decodedToken.userId, tokenVersionId: tokenVersion._id.toString(), accessVersion: tokenVersion.refreshVersion }, expiresIn: await getJwtAuthLifetime(), - secret: await getJwtAuthSecret() + secret: await getAuthSecret() }); return res.status(200).send({ diff --git a/backend/src/controllers/v1/membershipOrgController.ts b/backend/src/controllers/v1/membershipOrgController.ts index 57ebb79a..eeba9678 100644 --- a/backend/src/controllers/v1/membershipOrgController.ts +++ b/backend/src/controllers/v1/membershipOrgController.ts @@ -8,11 +8,11 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization"; import { sendMail } from "../../helpers/nodemailer"; import { TokenService } from "../../services"; import { EELicenseService } from "../../ee/services"; -import { ACCEPTED, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables"; +import { ACCEPTED, AuthTokenType, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables"; import * as reqValidator from "../../validation/membershipOrg"; import { + getAuthSecret, getJwtSignupLifetime, - getJwtSignupSecret, getSiteURL, getSmtpConfigured } from "../../config"; @@ -272,10 +272,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => { // generate temporary signup token const token = createToken({ payload: { + authTokenType: AuthTokenType.SIGNUP_TOKEN, userId: user._id.toString() }, expiresIn: await getJwtSignupLifetime(), - secret: await getJwtSignupSecret() + secret: await getAuthSecret() }); return res.status(200).send({ diff --git a/backend/src/controllers/v1/passwordController.ts b/backend/src/controllers/v1/passwordController.ts index 65447bcf..d0b59f31 100644 --- a/backend/src/controllers/v1/passwordController.ts +++ b/backend/src/controllers/v1/passwordController.ts 
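Review bot: The access token issued on refresh carries `accessVersion: tokenVersion.refreshVersion` (context line directly below the added `authTokenType`), while `issueAuthTokens` in backend/src/helpers/auth.ts, also touched by this commit, writes `accessVersion: tokenVersion.accessVersion`. If the two counters can ever diverge, a refreshed access token is then checked against the wrong one; worth confirming while this payload is being edited, and if so changing the line to `accessVersion: tokenVersion.accessVersion`. getNewToken's body begins outside this hunk.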
@@ -5,12 +5,12 @@ import * as bigintConversion from "bigint-conversion"; import { BackupPrivateKey, LoginSRPDetail, User } from "../../models"; import { clearTokens, createToken, sendMail } from "../../helpers"; import { TokenService } from "../../services"; -import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables"; +import { AuthTokenType, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables"; import { BadRequestError } from "../../utils/errors"; import { + getAuthSecret, getHttpsEnabled, getJwtSignupLifetime, - getJwtSignupSecret, getSiteURL } from "../../config"; import { ActorType } from "../../ee/models"; @@ -88,10 +88,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => { // generate temporary password-reset token const token = createToken({ payload: { + authTokenType: AuthTokenType.SIGNUP_TOKEN, userId: user._id.toString() }, expiresIn: await getJwtSignupLifetime(), - secret: await getJwtSignupSecret() + secret: await getAuthSecret() }); return res.status(200).send({ diff --git a/backend/src/controllers/v1/signupController.ts b/backend/src/controllers/v1/signupController.ts index 68a4e07f..4dceb278 100644 --- a/backend/src/controllers/v1/signupController.ts +++ b/backend/src/controllers/v1/signupController.ts @@ -4,14 +4,15 @@ import { checkEmailVerification, sendEmailVerification } from "../../helpers/sig import { createToken } from "../../helpers/auth"; import { BadRequestError } from "../../utils/errors"; import { + getAuthSecret, getInviteOnlySignup, getJwtSignupLifetime, - getJwtSignupSecret, getSmtpConfigured } from "../../config"; import { validateUserEmail } from "../../validation"; import { validateRequest } from "../../helpers/validation"; import * as reqValidator from "../../validation/auth"; +import { AuthTokenType } from "../../variables"; /** * Signup step 1: Initialize account for user under email [email] and send a verification code 
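Review bot: The password-reset token is tagged `AuthTokenType.SIGNUP_TOKEN`, so a reset token verifies as a signup token wherever `requireSignupAuth` or `completeAccountSignup` checks the type, and a signup token passes whatever guards the reset flow. That was already true before (both flows shared JWT_SIGNUP_SECRET), but the type claim is exactly the mechanism this commit introduces to separate token kinds, so a dedicated member for this flow — a constructed name such as `PASSWORD_RESET_TOKEN` added to the enum in backend/src/variables/authentication.ts — plus a matching check on the reset side would close the gap. Until then a comment on the line, `// NOTE: reuses SIGNUP_TOKEN; interchangeable with signup tokens until a reset-specific type exists`, records that the reuse is deliberate.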
@@ -95,10 +96,11 @@ export const verifyEmailSignup = async (req: Request, res: Response) => { // generate temporary signup token const token = createToken({ payload: { + authTokenType: AuthTokenType.SIGNUP_TOKEN, userId: user._id.toString() }, expiresIn: await getJwtSignupLifetime(), - secret: await getJwtSignupSecret() + secret: await getAuthSecret() }); return res.status(200).send({ diff --git a/backend/src/controllers/v2/authController.ts b/backend/src/controllers/v2/authController.ts index d75206c6..46c288ea 100644 --- a/backend/src/controllers/v2/authController.ts +++ b/backend/src/controllers/v2/authController.ts @@ -10,9 +10,9 @@ import { sendMail } from "../../helpers/nodemailer"; import { TokenService } from "../../services"; import { EELogService } from "../../ee/services"; import { BadRequestError, InternalServerError } from "../../utils/errors"; -import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables"; +import { ACTION_LOGIN, AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables"; import { getUserAgentType } from "../../utils/posthog"; // TODO: move this -import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config"; +import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config"; import { validateRequest } from "../../helpers/validation"; import * as reqValidator from "../../validation/auth"; @@ -109,10 +109,11 @@ export const login2 = async (req: Request, res: Response) => { // generate temporary MFA token const token = createToken({ payload: { + authTokenType: AuthTokenType.MFA_TOKEN, userId: user._id.toString() }, expiresIn: await getJwtMfaLifetime(), - secret: await getJwtMfaSecret() + secret: await getAuthSecret() }); const code = await TokenService.createToken({ diff --git a/backend/src/controllers/v3/authController.ts b/backend/src/controllers/v3/authController.ts index 1b228a39..9cd23cf8 100644 --- a/backend/src/controllers/v3/authController.ts +++ b/backend/src/controllers/v3/authController.ts 
@@ -10,9 +10,9 @@ import { sendMail } from "../../helpers/nodemailer"; import { TokenService } from "../../services"; import { EELogService } from "../../ee/services"; import { BadRequestError, InternalServerError } from "../../utils/errors"; -import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables"; +import { ACTION_LOGIN, AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables"; import { getUserAgentType } from "../../utils/posthog"; // TODO: move this -import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config"; +import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config"; import { AuthMethod } from "../../models/user"; import { validateRequest } from "../../helpers/validation"; import * as reqValidator from "../../validation/auth"; @@ -134,10 +134,11 @@ export const login2 = async (req: Request, res: Response) => { // generate temporary MFA token const token = createToken({ payload: { + authTokenType: AuthTokenType.MFA_TOKEN, userId: user._id.toString() }, expiresIn: await getJwtMfaLifetime(), - secret: await getJwtMfaSecret() + secret: await getAuthSecret() }); const code = await TokenService.createToken({ diff --git a/backend/src/controllers/v3/signupController.ts b/backend/src/controllers/v3/signupController.ts index 79d661b5..d16fbe9c 100644 --- a/backend/src/controllers/v3/signupController.ts +++ b/backend/src/controllers/v3/signupController.ts 
@@ -5,10 +5,10 @@ import { MembershipOrg, User } from "../../models"; import { completeAccount } from "../../helpers/user"; import { initializeDefaultOrg } from "../../helpers/signup"; import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth"; -import { ACCEPTED, INVITED } from "../../variables"; +import { ACCEPTED, AuthTokenType, INVITED } from "../../variables"; import { standardRequest } from "../../config/request"; -import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config"; -import { BadRequestError } from "../../utils/errors"; +import { getAuthSecret, getHttpsEnabled, getLoopsApiKey } from "../../config"; +import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors"; import { TelemetryService } from "../../services"; import { AuthMethod } from "../../models"; import { validateRequest } from "../../helpers/validation"; @@ -78,12 +78,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => { } const decodedToken = ( - jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret()) + jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret()) ); - - if (decodedToken.userId !== user.id) { - throw BadRequestError(); - } + + if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError(); + if (decodedToken.userId !== user.id) throw UnauthorizedRequestError(); } // complete setting up user's account diff --git a/backend/src/helpers/auth.ts b/backend/src/helpers/auth.ts index 31e584fe..2a8a14d8 100644 --- a/backend/src/helpers/auth.ts +++ b/backend/src/helpers/auth.ts @@ -19,15 +19,14 @@ import { UnauthorizedRequestError, } from "../utils/errors"; import { + getAuthSecret, getJwtAuthLifetime, - getJwtAuthSecret, - getJwtProviderAuthSecret, getJwtRefreshLifetime, - getJwtRefreshSecret, getJwtServiceTokenSecret } from "../config"; import { - AuthMode + AuthMode, + AuthTokenType } from "../variables"; import { ServiceTokenAuthData, 
@@ -51,8 +50,6 @@ export const validateAuthMode = ({ acceptedAuthModes: AuthMode[] }) => { - // TODO: update this to accept service token v3 - const apiKey = headers["x-api-key"]; const authHeader = headers["authorization"]; @@ -120,9 +117,11 @@ export const getAuthUserPayload = async ({ authTokenValue: string; }): Promise => { const decodedToken = ( - jwt.verify(authTokenValue, await getJwtAuthSecret()) + jwt.verify(authTokenValue, await getAuthSecret()) ); + if (decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN) throw UnauthorizedRequestError(); + const user = await User.findOne({ _id: new Types.ObjectId(decodedToken.userId), }).select("+publicKey +accessVersion"); @@ -159,11 +158,6 @@ export const getAuthUserPayload = async ({ userAgent: req.headers["user-agent"] ?? "", userAgentType: getUserAgentType(req.headers["user-agent"]) } - - // return ({ - // user, - // tokenVersionId: tokenVersion._id, // what to do with this? // move this out - // }); } /** @@ -404,22 +398,24 @@ export const issueAuthTokens = async ({ // issue tokens const token = createToken({ payload: { + authTokenType: AuthTokenType.ACCESS_TOKEN, userId, tokenVersionId: tokenVersion._id.toString(), accessVersion: tokenVersion.accessVersion, }, expiresIn: await getJwtAuthLifetime(), - secret: await getJwtAuthSecret(), + secret: await getAuthSecret(), }); const refreshToken = createToken({ payload: { + authTokenType: AuthTokenType.REFRESH_TOKEN, userId, tokenVersionId: tokenVersion._id.toString(), refreshVersion: tokenVersion.refreshVersion, }, expiresIn: await getJwtRefreshLifetime(), - secret: await getJwtRefreshSecret(), + secret: await getAuthSecret(), }); return { 
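Review bot: The `jwt.verify(authTokenValue, await getAuthSecret())` call in getAuthUserPayload passes no `algorithms` option, so the accepted algorithm set is whatever jsonwebtoken derives from the secret type; with one key now guarding every token kind, pinning it explicitly — `jwt.verify(authTokenValue, await getAuthSecret(), { algorithms: ["HS256"] })` — removes the dependence on library defaults (assuming createToken signs with HS256, which is outside the hunk). The same applies to the verify calls this commit touches in getNewToken, completeAccountSignup, validateProviderAuthToken, requireMfaAuth and requireSignupAuth. getAuthUserPayload's signature begins outside this hunk.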
@@ -451,7 +447,7 @@ export const clearTokens = async (tokenVersionId: Types.ObjectId): Promise * bearer/auth, refresh, and temporary signup tokens * @param {Object} obj * @param {Object} obj.payload - payload of (JWT) token - * @param {String} obj.secret - (JWT) secret such as [JWT_AUTH_SECRET] + * @param {String} obj.secret - (JWT) secret such as [AUTH_SECRET] * @param {String} obj.expiresIn - string describing time span such as '10h' or '7d' */ export const createToken = ({ @@ -479,13 +475,16 @@ export const validateProviderAuthToken = async ({ email: string; providerAuthToken?: string; }) => { + if (!providerAuthToken) { throw new Error("Invalid authentication request."); } const decodedToken = ( - jwt.verify(providerAuthToken, await getJwtProviderAuthSecret()) + jwt.verify(providerAuthToken, await getAuthSecret()) ); + + if (decodedToken.authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw UnauthorizedRequestError(); if (decodedToken.email !== email) { throw new Error("Invalid authentication credentials.") diff --git a/backend/src/index.ts b/backend/src/index.ts index 1276a90c..08572d98 100644 --- a/backend/src/index.ts +++ b/backend/src/index.ts @@ -81,7 +81,7 @@ import { getSecretScanningPrivateKey, getSecretScanningWebhookProxy, getSecretScanningWebhookSecret, - getSiteURL + getSiteURL, } from "./config"; import { setup } from "./utils/setup"; import { syncSecretsToThirdPartyServices } from "./queues/integrations/syncSecretsToThirdPartyServices"; diff --git a/backend/src/middleware/requireMfaAuth.ts b/backend/src/middleware/requireMfaAuth.ts index 7a7f7db4..9c5313b0 100644 --- a/backend/src/middleware/requireMfaAuth.ts +++ b/backend/src/middleware/requireMfaAuth.ts 
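Review bot: The new type check in validateProviderAuthToken throws `UnauthorizedRequestError()` while the checks on either side of it throw plain `Error("Invalid authentication request.")` and `Error("Invalid authentication credentials.")`, so callers receive two different error shapes from one validator; use `UnauthorizedRequestError` for all three. The blank line added directly after `}) => {` is stray. The `createToken` doc comment in the hunk above should also record that `obj.payload.authTokenType` is now expected on every token, e.g. `* @param {String} obj.payload.authTokenType - AuthTokenType discriminator; verifiers reject tokens whose type does not match`; createToken's body lies outside the hunk.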
@@ -2,7 +2,8 @@ import jwt from "jsonwebtoken"; import { NextFunction, Request, Response } from "express"; import { User } from "../models"; import { BadRequestError, UnauthorizedRequestError } from "../utils/errors"; -import { getJwtMfaSecret } from "../config"; +import { getAuthSecret } from "../config"; +import { AuthTokenType } from "../variables"; declare module "jsonwebtoken" { export interface UserIDJwtPayload extends jwt.JwtPayload { @@ -26,8 +27,10 @@ const requireMfaAuth = async ( if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: "Missing Authorization Body in the request header"})) const decodedToken = ( - jwt.verify(AUTH_TOKEN_VALUE, await getJwtMfaSecret()) + jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret()) ); + + if (decodedToken.authTokenType !== AuthTokenType.MFA_TOKEN) throw UnauthorizedRequestError(); const user = await User.findOne({ _id: decodedToken.userId, diff --git a/backend/src/middleware/requireSignupAuth.ts b/backend/src/middleware/requireSignupAuth.ts index 3c5c48d1..510cb3d0 100644 --- a/backend/src/middleware/requireSignupAuth.ts +++ b/backend/src/middleware/requireSignupAuth.ts @@ -2,7 +2,8 @@ import jwt from "jsonwebtoken"; import { NextFunction, Request, Response } from "express"; import { User } from "../models"; import { BadRequestError, UnauthorizedRequestError } from "../utils/errors"; -import { getJwtSignupSecret } from "../config"; +import { getAuthSecret } from "../config"; +import { AuthTokenType } from "../variables"; declare module "jsonwebtoken" { export interface UserIDJwtPayload extends jwt.JwtPayload { 
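Review bot: `throw UnauthorizedRequestError()` in requireMfaAuth departs from the `next(...)` convention the line just above it uses (`return next(BadRequestError({...}))`); unless the body is wrapped in a try/catch that forwards to next (outside the hunk), a throw from an async Express middleware presumably becomes an unhandled promise rejection and the client never gets its 401. `return next(UnauthorizedRequestError());` matches the surrounding style. The identical check in backend/src/middleware/requireSignupAuth.ts has the same issue. The augmented `UserIDJwtPayload` interface declared right after the import hunk is not extended with the new claim, so the comparison presumably type-checks only via JwtPayload's index signature; adding `authTokenType: AuthTokenType;` to it makes the contract explicit.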
@@ -27,8 +28,10 @@ const requireSignupAuth = async ( if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: "Missing Authorization Body in the request header"})) const decodedToken = ( - jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret()) + jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret()) ); + + if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError(); const user = await User.findOne({ _id: decodedToken.userId, diff --git a/backend/src/utils/auth.ts b/backend/src/utils/auth.ts index 803004f2..c1c0e6ac 100644 --- a/backend/src/utils/auth.ts +++ b/backend/src/utils/auth.ts @@ -13,6 +13,7 @@ import { } from "../models"; import { createToken } from "../helpers/auth"; import { + getAuthSecret, getClientIdGitHubLogin, getClientIdGitLabLogin, getClientIdGoogleLogin, @@ -20,13 +21,12 @@ import { getClientSecretGitLabLogin, getClientSecretGoogleLogin, getJwtProviderAuthLifetime, - getJwtProviderAuthSecret, getSiteURL, getUrlGitLabLogin } from "../config"; import { getSSOConfigHelper } from "../ee/helpers/organizations"; import { InternalServerError, OrganizationNotFoundError } from "./errors"; -import { ACCEPTED, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables"; +import { ACCEPTED, AuthTokenType, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables"; import { standardRequest } from "../config/request"; // eslint-disable-next-line @typescript-eslint/no-var-requires @@ -131,6 +131,7 @@ const initializePassport = async () => { const isUserCompleted = !!user.publicKey; const providerAuthToken = createToken({ payload: { + authTokenType: AuthTokenType.PROVIDER_TOKEN, userId: user._id.toString(), email: user.email, firstName: user.firstName, @@ -143,7 +144,7 @@ const initializePassport = async () => { } : {}) }, expiresIn: await getJwtProviderAuthLifetime(), - secret: await getJwtProviderAuthSecret(), + secret: await getAuthSecret(), }); req.isUserCompleted = isUserCompleted; 
@@ -204,6 +205,7 @@ const initializePassport = async () => { const isUserCompleted = !!user.publicKey; const providerAuthToken = createToken({ payload: { + authTokenType: AuthTokenType.PROVIDER_TOKEN, userId: user._id.toString(), email: user.email, firstName: user.firstName, @@ -216,7 +218,7 @@ const initializePassport = async () => { } : {}) }, expiresIn: await getJwtProviderAuthLifetime(), - secret: await getJwtProviderAuthSecret(), + secret: await getAuthSecret(), }); req.isUserCompleted = isUserCompleted; @@ -258,6 +260,7 @@ const initializePassport = async () => { const isUserCompleted = !!user.publicKey; const providerAuthToken = createToken({ payload: { + authTokenType: AuthTokenType.PROVIDER_TOKEN, userId: user._id.toString(), email: user.email, firstName: user.firstName, @@ -270,7 +273,7 @@ const initializePassport = async () => { } : {}) }, expiresIn: await getJwtProviderAuthLifetime(), - secret: await getJwtProviderAuthSecret(), + secret: await getAuthSecret(), }); req.isUserCompleted = isUserCompleted; @@ -401,6 +404,7 @@ const initializePassport = async () => { const isUserCompleted = !!user.publicKey; const providerAuthToken = createToken({ payload: { + authTokenType: AuthTokenType.PROVIDER_TOKEN, userId: user._id.toString(), email: user.email, firstName, @@ -413,7 +417,7 @@ const initializePassport = async () => { } : {}) }, expiresIn: await getJwtProviderAuthLifetime(), - secret: await getJwtProviderAuthSecret(), + secret: await getAuthSecret(), }); req.isUserCompleted = isUserCompleted; diff --git a/backend/src/variables/authentication.ts b/backend/src/variables/authentication.ts index 1376c977..3aa06a20 100644 --- a/backend/src/variables/authentication.ts +++ b/backend/src/variables/authentication.ts 
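Review bot: `authTokenType: AuthTokenType.PROVIDER_TOKEN` is added to four near-identical `createToken` payload literals inside initializePassport (this hunk and the three preceding it), and that payload shape is now the contract provider tokens must satisfy, so the next field is easy to add to three of the four. A small local helper that builds the provider payload from the user, the name fields and the optional spread would keep them in sync. initializePassport starts and ends outside these hunks.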
@@ -1,3 +1,11 @@ +export enum AuthTokenType { + ACCESS_TOKEN = "accessToken", + REFRESH_TOKEN = "refreshToken", + SIGNUP_TOKEN = "signupToken", + MFA_TOKEN = "mfaToken", + PROVIDER_TOKEN = "providerToken" +} + export enum AuthMode { JWT = "jwt", SERVICE_TOKEN = "serviceToken", diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx index e348f5b3..ef79219c 100644 --- a/docs/self-hosting/configuration/envars.mdx +++ b/docs/self-hosting/configuration/envars.mdx @@ -11,43 +11,12 @@ Other environment variables are listed below to increase the functionality of yo - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16` - - -{" "} - - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex - 16` - - -{" "} - - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex - 16` - - -{" "} - - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex - 16` - - -{" "} - - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex - 16` - - -{" "} + Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16` + - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex - 16` - + + Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32` + *TLS based connection string is not yet supported @@ -140,9 +109,6 @@ Other environment variables are listed below to increase the functionality of yo To integrate with external auth providers, provide value for the related keys - - Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16` - OAuth2 client ID for Google login
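Review bot: `AuthTokenType` carries no comment explaining its role, which after this commit is security-relevant: every first-party JWT is signed with the same AUTH_SECRET, so this claim is the only thing separating an access token from a refresh, signup, MFA or provider token. A doc comment above the enum should state that every verifier must compare the decoded `authTokenType` against the expected member before using any other claim, and that the string values are embedded in issued tokens, so renaming one invalidates all outstanding tokens of that kind.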