Merge branch 'chore/login' into docs/swagger-autogen

2025-03-09 09:27:42 +01:00 · 2025-03-09 09:27:42 +01:00 · bf36790b28
commit bf36790b28
parent ab8ece2a76 355c0a4eda
30 changed files with 5058 additions and 315 deletions
--- a/backend/.env.development.example
+++ b/backend/.env.development.example
@ -4,3 +4,13 @@ DWENGO_DB_PORT=5431
 DWENGO_DB_USERNAME=postgres
 DWENGO_DB_PASSWORD=postgres
 DWENGO_DB_UPDATE=true
+
+DWENGO_AUTH_STUDENT_URL=http://localhost:7080/realms/student
+DWENGO_AUTH_STUDENT_CLIENT_ID=dwengo
+DWENGO_AUTH_STUDENT_JWKS_ENDPOINT=http://localhost:7080/realms/student/protocol/openid-connect/certs
+DWENGO_AUTH_TEACHER_URL=http://localhost:7080/realms/teacher
+DWENGO_AUTH_TEACHER_CLIENT_ID=dwengo
+DWENGO_AUTH_TEACHER_JWKS_ENDPOINT=http://localhost:7080/realms/teacher/protocol/openid-connect/certs
+
+# Allow Vite dev-server to access the backend (for testing purposes). Don't forget to remove this in production!
+DWENGO_CORS_ALLOWED_ORIGINS=http://localhost:5173
--- a/backend/.env.example
+++ b/backend/.env.example
@ -2,10 +2,31 @@
 # Basic configuration
 #

-PORT=3000                              # The port the backend will listen on
+# The port the backend will listen on
+DWENGO_PORT=3000
+DWENGO_DB_HOST=domain-or-ip-of-database
+DWENGO_DB_PORT=5432
+
+# Change this to the actual credentials of the user Dwengo should use in the backend
+DWENGO_DB_USERNAME=postgres
+DWENGO_DB_PASSWORD=postgres
+
+# Set this to true when the database scheme needs to be updated. In that case, take a backup first.
+DWENGO_DB_UPDATE=false
+
+# Data for the identity provider via which the students authenticate.
+DWENGO_AUTH_STUDENT_URL=http://localhost:7080/realms/student
+DWENGO_AUTH_STUDENT_CLIENT_ID=dwengo
+DWENGO_AUTH_STUDENT_JWKS_ENDPOINT=http://localhost:7080/realms/student/protocol/openid-connect/certs
+
+# Data for the identity provider via which the teachers authenticate.
+DWENGO_AUTH_TEACHER_URL=http://localhost:7080/realms/teacher
+DWENGO_AUTH_TEACHER_CLIENT_ID=dwengo
+DWENGO_AUTH_TEACHER_JWKS_ENDPOINT=http://localhost:7080/realms/teacher/protocol/openid-connect/certs

 #
 # Advanced configuration
 #

-# LOKI_HOST=http://localhost:3102      # The address of the Loki instance, used for logging
+# The address of the Lokiinstance, used for logging
+# LOKI_HOST=http://localhost:3102
--- a/backend/package.json
+++ b/backend/package.json
@ -18,11 +18,13 @@
        "@mikro-orm/postgresql": "^6.4.6",
        "@mikro-orm/reflection": "^6.4.6",
        "@mikro-orm/sqlite": "6.4.6",
-        "@types/js-yaml": "^4.0.9",
        "axios": "^1.8.1",
        "dotenv": "^16.4.7",
        "express": "^5.0.1",
+        "express-jwt": "^8.5.1",
+        "jwks-rsa": "^3.1.0",
        "js-yaml": "^4.1.0",
+        "cors": "^2.8.5",
        "loki-logger-ts": "^1.0.2",
        "response-time": "^2.3.3",
        "swagger-ui-express": "^5.0.1",
@ -31,11 +33,13 @@
        "winston-loki": "^6.1.3"
    },
    "devDependencies": {
+        "@types/js-yaml": "^4.0.9",
        "@mikro-orm/cli": "^6.4.6",
        "@types/express": "^5.0.0",
        "@types/node": "^22.13.4",
        "@types/response-time": "^2.3.8",
        "@types/swagger-ui-express": "^4.1.8",
+        "@types/cors": "^2.8.17",
        "globals": "^15.15.0",
        "ts-node": "^10.9.2",
        "tsx": "^4.19.3",
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -11,7 +11,9 @@ import assignmentRouter from './routes/assignment.js';
 import submissionRouter from './routes/submission.js';
 import classRouter from './routes/class.js';
 import questionRouter from './routes/question.js';
-import loginRouter from './routes/login.js';
+import authRouter from './routes/auth.js';
+import {authenticateUser} from './middleware/auth/auth.js';
+import cors from './middleware/cors.js';
 import { getLogger, Logger } from './logging/initalize.js';
 import { responseTimeLogger } from './logging/responseTimeLogger.js';
 import responseTime from 'response-time';
@ -25,6 +27,10 @@ const app: Express = express();
 const port: string | number = getNumericEnvVar(EnvVars.Port);

 app.use(express.json());
+app.use(cors);
+app.use(authenticateUser);
+// Add response time logging
+app.use(responseTime(responseTimeLogger));

 // TODO Replace with Express routes
 app.get('/', (_, res: Response) => {
@ -41,15 +47,12 @@ app.use('/assignment', assignmentRouter /* #swagger.tags = ['Assignment'] */);
 app.use('/submission', submissionRouter /* #swagger.tags = ['Submission'] */);
 app.use('/class', classRouter /* #swagger.tags = ['Class'] */);
 app.use('/question', questionRouter /* #swagger.tags = ['Question'] */);
-app.use('/login', loginRouter /* #swagger.tags = ['Login'] */);
-
+app.use('/auth', authRouter /* #swagger.tags = ['Auth'] */);
 app.use('/theme', themeRoutes /* #swagger.tags = ['Theme'] */);
+
 app.use('/learningPath', learningPathRoutes /* #swagger.tags = ['Learning Path'] */);
 app.use('/learningObject', learningObjectRoutes /* #swagger.tags = ['Learning Object'] */);

-// Add response time loggin
-app.use(responseTime(responseTimeLogger));
-
 // Swagger UI for API documentation
 app.use('/api-docs', swaggerUi.serve, swaggerMiddleware);

--- a/backend/src/controllers/auth.ts
+++ b/backend/src/controllers/auth.ts
@ -0,0 +1,33 @@
+import {EnvVars, getEnvVar} from "../util/envvars.js";
+
+type FrontendIdpConfig = {
+    authority: string,
+    clientId: string,
+    scope: string,
+    responseType: string
+}
+
+type FrontendAuthConfig = {
+    student: FrontendIdpConfig,
+    teacher: FrontendIdpConfig
+}
+
+const SCOPE = "openid profile email";
+const RESPONSE_TYPE = "code";
+
+export function getFrontendAuthConfig(): FrontendAuthConfig {
+    return {
+        student: {
+            authority: getEnvVar(EnvVars.IdpStudentUrl),
+            clientId: getEnvVar(EnvVars.IdpStudentClientId),
+            scope: SCOPE,
+            responseType: RESPONSE_TYPE
+        },
+        teacher: {
+            authority: getEnvVar(EnvVars.IdpTeacherUrl),
+            clientId: getEnvVar(EnvVars.IdpTeacherClientId),
+            scope: SCOPE,
+            responseType: RESPONSE_TYPE
+        },
+    };
+}
--- a/backend/src/exceptions.ts
+++ b/backend/src/exceptions.ts
@ -0,0 +1,13 @@
+export class UnauthorizedException extends Error {
+    status = 401;
+    constructor(message: string = "Unauthorized") {
+        super(message);
+    }
+}
+
+export class ForbiddenException extends Error {
+    status = 403;
+    constructor(message: string = "Forbidden") {
+        super(message);
+    }
+}
--- a/backend/src/middleware/auth/auth.ts
+++ b/backend/src/middleware/auth/auth.ts
@ -0,0 +1,141 @@
+import {EnvVars, getEnvVar} from "../../util/envvars.js";
+import {expressjwt} from 'express-jwt';
+import {JwtPayload} from 'jsonwebtoken'
+import jwksClient from 'jwks-rsa';
+import * as express from "express";
+import * as jwt from "jsonwebtoken";
+import {AuthenticatedRequest} from "./authenticated-request.js";
+import {AuthenticationInfo} from "./authentication-info.js";
+import {ForbiddenException, UnauthorizedException} from "../../exceptions";
+
+const JWKS_CACHE = true;
+const JWKS_RATE_LIMIT = true;
+const REQUEST_PROPERTY_FOR_JWT_PAYLOAD = "jwtPayload";
+const JWT_ALGORITHM = "RS256"; // Not configurable via env vars since supporting other algorithms would
+                                        // require additional libraries to be added.
+
+const JWT_PROPERTY_NAMES = {
+    username: "preferred_username",
+    firstName: "given_name",
+    lastName: "family_name",
+    name: "name",
+    email: "email"
+};
+
+function createJwksClient(uri: string): jwksClient.JwksClient {
+    return jwksClient({
+        cache: JWKS_CACHE,
+        rateLimit: JWKS_RATE_LIMIT,
+        jwksUri: uri,
+    });
+}
+
+const idpConfigs = {
+    student: {
+        issuer: getEnvVar(EnvVars.IdpStudentUrl),
+        jwksClient: createJwksClient(getEnvVar(EnvVars.IdpStudentJwksEndpoint)),
+    },
+    teacher: {
+        issuer: getEnvVar(EnvVars.IdpTeacherUrl),
+        jwksClient: createJwksClient(getEnvVar(EnvVars.IdpTeacherJwksEndpoint)),
+    }
+};
+
+/**
+ * Express middleware which verifies the JWT Bearer token if one is given in the request.
+ */
+const verifyJwtToken = expressjwt({
+    secret: async (_: express.Request, token: jwt.Jwt | undefined) => {
+        if (!token?.payload || !(token.payload as JwtPayload).iss) {
+            throw new Error("Invalid token");
+        }
+
+        let issuer = (token.payload as JwtPayload).iss;
+
+        let idpConfig = Object.values(idpConfigs).find(config => config.issuer === issuer);
+        if (!idpConfig) {
+            throw new Error("Issuer not accepted.");
+        }
+
+        const signingKey = await idpConfig.jwksClient.getSigningKey(token.header.kid);
+        if (!signingKey) {
+            throw new Error("Signing key not found.");
+        }
+        return signingKey.getPublicKey();
+    },
+    audience: getEnvVar(EnvVars.IdpAudience),
+    algorithms: [JWT_ALGORITHM],
+    credentialsRequired: false,
+    requestProperty: REQUEST_PROPERTY_FOR_JWT_PAYLOAD
+});
+
+/**
+ * Get an object with information about the authenticated user from a given authenticated request.
+ */
+function getAuthenticationInfo(req: AuthenticatedRequest): AuthenticationInfo | undefined {
+    if (!req.jwtPayload) {
+        return;
+    }
+    let issuer = req.jwtPayload.iss;
+    let accountType: "student" | "teacher";
+
+    if (issuer === idpConfigs.student.issuer) {
+        accountType = "student";
+    } else if (issuer === idpConfigs.teacher.issuer) {
+        accountType = "teacher";
+    } else {
+        return;
+    }
+    return {
+        accountType: accountType,
+        username: req.jwtPayload[JWT_PROPERTY_NAMES.username]!,
+        name: req.jwtPayload[JWT_PROPERTY_NAMES.name],
+        firstName: req.jwtPayload[JWT_PROPERTY_NAMES.firstName],
+        lastName: req.jwtPayload[JWT_PROPERTY_NAMES.lastName],
+        email: req.jwtPayload[JWT_PROPERTY_NAMES.email],
+    }
+}
+
+/**
+ * Add the AuthenticationInfo object with the information about the current authentication to the request in order
+ * to avoid that the routers have to deal with the JWT token.
+ */
+const addAuthenticationInfo = (req: AuthenticatedRequest, res: express.Response, next: express.NextFunction) => {
+    req.auth = getAuthenticationInfo(req);
+    next();
+};
+
+export const authenticateUser = [verifyJwtToken, addAuthenticationInfo];
+
+/**
+ * Middleware which rejects unauthenticated users (with HTTP 401) and authenticated users which do not fulfill
+ * the given access condition.
+ * @param accessCondition Predicate over the current AuthenticationInfo. Access is only granted when this evaluates
+ *                        to true.
+ */
+export const authorize = (accessCondition: (auth: AuthenticationInfo) => boolean) => {
+    return (req: AuthenticatedRequest, res: express.Response, next: express.NextFunction): void => {
+        if (!req.auth) {
+            throw new UnauthorizedException();
+        } else if (!accessCondition(req.auth)) {
+            throw new ForbiddenException();
+        } else {
+            next();
+        }
+    }
+}
+
+/**
+ * Middleware which rejects all unauthenticated users, but accepts all authenticated users.
+ */
+export const authenticatedOnly = authorize(_ => true);
+
+/**
+ * Middleware which rejects requests from unauthenticated users or users that aren't students.
+ */
+export const studentsOnly = authorize(auth => auth.accountType === "student");
+
+/**
+ * Middleware which rejects requests from unauthenticated users or users that aren't teachers.
+ */
+export const teachersOnly = authorize(auth => auth.accountType === "teacher");
--- a/backend/src/middleware/auth/authenticated-request.d.ts
+++ b/backend/src/middleware/auth/authenticated-request.d.ts
@ -0,0 +1,9 @@
+import { Request } from "express";
+import { JwtPayload } from "jsonwebtoken";
+import {AuthenticationInfo} from "./authentication-info.js";
+
+export interface AuthenticatedRequest extends Request {
+    // Properties are optional since the user is not necessarily authenticated.
+    jwtPayload?: JwtPayload;
+    auth?: AuthenticationInfo;
+}
--- a/backend/src/middleware/auth/authentication-info.d.ts
+++ b/backend/src/middleware/auth/authentication-info.d.ts
@ -0,0 +1,11 @@
+/**
+ * Object with information about the user who is currently logged in.
+ */
+export type AuthenticationInfo = {
+    accountType: "student" | "teacher",
+    username: string,
+    name?: string,
+    firstName?: string,
+    lastName?: string,
+    email?: string
+};
--- a/backend/src/middleware/cors.ts
+++ b/backend/src/middleware/cors.ts
@ -0,0 +1,7 @@
+import cors from "cors";
+import {EnvVars, getEnvVar} from "../util/envvars.js";
+
+export default cors({
+    origin: getEnvVar(EnvVars.CorsAllowedOrigins).split(','),
+    allowedHeaders: getEnvVar(EnvVars.CorsAllowedHeaders).split(',')
+});
--- a/backend/src/routes/auth.ts
+++ b/backend/src/routes/auth.ts
@ -0,0 +1,23 @@
+import express from 'express'
+import {getFrontendAuthConfig} from "../controllers/auth.js";
+import {authenticatedOnly, studentsOnly, teachersOnly} from "../middleware/auth/auth.js";
+const router = express.Router();
+
+// returns auth configuration for frontend
+router.get('/config', (req, res) => {
+    res.json(getFrontendAuthConfig());
+});
+
+router.get('/testAuthenticatedOnly', authenticatedOnly, (req, res) => {
+    res.json({message: "If you see this, you should be authenticated!"});
+});
+
+router.get('/testStudentsOnly', studentsOnly, (req, res) => {
+    res.json({message: "If you see this, you should be a student!"});
+});
+
+router.get('/testTeachersOnly', teachersOnly, (req, res) => {
+    res.json({message: "If you see this, you should be a teacher!"});
+});
+
+export default router;
--- a/backend/src/routes/login.ts
+++ b/backend/src/routes/login.ts
@ -1,14 +0,0 @@
-import express from 'express';
-const router = express.Router();
-
-// Returns login paths for IDP
-router.get('/', (req, res) => {
-    res.json({
-        // Dummy variables, needs to be changed
-        // With IDP endpoints
-        leerkracht: '/login-leerkracht',
-        leerling: '/login-leerling',
-    });
-});
-
-export default router;
--- a/backend/src/util/envvars.ts
+++ b/backend/src/util/envvars.ts
@ -1,5 +1,9 @@
 const PREFIX = 'DWENGO_';
 const DB_PREFIX = PREFIX + 'DB_';
+const IDP_PREFIX = PREFIX + 'AUTH_';
+const STUDENT_IDP_PREFIX = IDP_PREFIX + 'STUDENT_';
+const TEACHER_IDP_PREFIX = IDP_PREFIX + 'TEACHER_';
+const CORS_PREFIX = PREFIX + 'CORS_';

 type EnvVar = { key: string; required?: boolean; defaultValue?: any };

@ -11,6 +15,15 @@ export const EnvVars: { [key: string]: EnvVar } = {
    DbUsername: { key: DB_PREFIX + 'USERNAME', required: true },
    DbPassword: { key: DB_PREFIX + 'PASSWORD', required: true },
    DbUpdate: { key: DB_PREFIX + 'UPDATE', defaultValue: false },
+    IdpStudentUrl: { key: STUDENT_IDP_PREFIX + 'URL', required: true },
+    IdpStudentClientId: { key: STUDENT_IDP_PREFIX + 'CLIENT_ID', required: true },
+    IdpStudentJwksEndpoint: { key: STUDENT_IDP_PREFIX + 'JWKS_ENDPOINT', required: true },
+    IdpTeacherUrl: { key: TEACHER_IDP_PREFIX + 'URL', required: true },
+    IdpTeacherClientId: { key: TEACHER_IDP_PREFIX + 'CLIENT_ID', required: true },
+    IdpTeacherJwksEndpoint: { key: TEACHER_IDP_PREFIX + 'JWKS_ENDPOINT', required: true },
+    IdpAudience: { key: IDP_PREFIX + 'AUDIENCE', defaultValue: 'account' },
+    CorsAllowedOrigins: { key: CORS_PREFIX + 'ALLOWED_ORIGINS', defaultValue: ''},
+    CorsAllowedHeaders: { key: CORS_PREFIX + 'ALLOWED_HEADERS', defaultValue: 'Authorization,Content-Type'}
 } as const;

 /**