Change sso callback verification (#1092)

(cherry picked from commit 5aee96b) (cherry picked from commit b52fe6f)
CrowdDotDev · Jul 11, 2023 · 4fdfff8 · 4fdfff8
1 parent 16d4227
commit 4fdfff8
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 11 deletions.
diff --git a/backend/config/custom-environment-variables.json b/backend/config/custom-environment-variables.json
@@ -181,8 +181,7 @@
     "secretAccessKey": "CROWD_OPENSEARCH_AWS_SECRET_ACCESS_KEY"
   },
   "auth0": {
-    "domain": "CROWD_AUTH0_DOMAIN",
     "clientId": "CROWD_AUTH0_CLIENT_ID",
-    "cert": "CROWD_AUTH0_CERT"
+    "jwks": "CROWD_AUTH0_JWKS"
   }
 }
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -99,6 +99,7 @@
     "html-to-text": "^8.2.1",
     "json2csv": "^5.0.7",
     "jsonwebtoken": "8.5.1",
+    "jwks-rsa": "^3.0.1",
     "lodash": "4.17.21",
     "moment": "2.29.4",
     "moment-timezone": "^0.5.34",

diff --git a/backend/src/api/auth/ssoCallback.ts b/backend/src/api/auth/ssoCallback.ts
@@ -1,31 +1,44 @@
 import jwt from 'jsonwebtoken'
+import jwksClient from 'jwks-rsa'
 import AuthService from '../../services/auth/authService'
 import { AUTH0_CONFIG } from '../../conf'
 import Error401 from '../../errors/Error401'
 
+const jwks = jwksClient({
+  jwksUri: AUTH0_CONFIG.jwks,
+  cache: true,
+  cacheMaxEntries: 5,
+  cacheMaxAge: 86400000,
+})
+
+async function getKey(header, callback) {
+  jwks.getSigningKey(header.kid, (err, key: any) => {
+    const signingKey = key.publicKey || key.rsaPublicKey
+    callback(null, signingKey)
+  })
+}
+
 export default async (req, res) => {
   const { idToken, invitationToken, tenantId } = req.body
 
   try {
     const verifyToken = new Promise((resolve, reject) => {
-      const publicKey = AUTH0_CONFIG.cert.replaceAll('"', '').replace(/\\n/g, '\n')
-      jwt.verify(idToken, publicKey, { algorithms: ['RS256'] }, (err, decoded) => {
-        // If error verifying token
+      jwt.verify(idToken, getKey, { algorithms: ['RS256'] }, (err, decoded) => {
         if (err) {
           reject(new Error401())
         }
 
-        // If token matches auth0 validation criteria
-        const { aud, iss } = decoded as any
-        if (aud !== AUTH0_CONFIG.clientId || !iss.includes(AUTH0_CONFIG.domain)) {
+        const { aud } = decoded as any
+
+        if (aud !== AUTH0_CONFIG.clientId) {
           reject(new Error401())
         }
 
-        // If token validation passed
         resolve(decoded)
       })
     })
     const data: any = await verifyToken
+
     // Signin with data
     const token: string = await AuthService.signinFromSSO(
       'auth0',

diff --git a/backend/src/conf/configTypes.ts b/backend/src/conf/configTypes.ts
@@ -79,9 +79,8 @@ export interface ApiConfiguration {
 }
 
 export interface Auth0Configuration {
-  domain: string
   clientId: string
-  cert: string
+  jwks: string
 }
 
 export interface PlansConfiguration {