Prepare keys for environment migration (#2090)

Part of OPS-3849.

Author: MarceloRGonc

packages/server/api/src/app/flow-template/cloud-template.controller.ts

@@ -8,13 +8,14 @@ import {
   OpenOpsId,
   PUBLIC_ROUTE_POLICY,
 } from '@openops/shared';
-import { FastifyRequest } from 'fastify';
-import { JwtPayload } from 'jsonwebtoken';
 import {
   allowAllOriginsHookHandler,
   registerOptionsEndpoint,
 } from '../helper/allow-all-origins-hook-handler';
-import { getVerifiedUser } from '../user-info/cloud-auth';
+import {
+  filterValidKeys,
+  verifyUserWithPublicKeys,
+} from '../user-info/cloud-auth';
 import { flowTemplateService } from './flow-template.service';
 
 export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
@@ -32,7 +33,9 @@ export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
     return;
   }
 
-  const publicKeys = [publicKey];
+  const oldPublicKey = system.get(AppSystemProp.OLD_FRONTEGG_PUBLIC_KEY);
+  const publicKeys = filterValidKeys([publicKey, oldPublicKey]);
+
   // cloud templates are available on any origin
   app.addHook('onRequest', allowAllOriginsHookHandler);
 
@@ -112,18 +115,3 @@ export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
     },
   );
 };
-
-function verifyUserWithPublicKeys(
-  request: FastifyRequest,
-  keysToCheck: string[],
-): string | JwtPayload | undefined {
-  for (const key of keysToCheck) {
-    const user = getVerifiedUser(request, key);
-
-    if (user) {
-      return user;
-    }
-  }
-
-  return undefined;
-}

packages/server/api/src/app/user-info/cloud-auth.ts

@@ -19,7 +19,7 @@ const getCloudToken = (request: FastifyRequest): string | undefined => {
   return headerToken;
 };
 
-export function getVerifiedUser(
+function getVerifiedUser(
   request: FastifyRequest,
   publicKey: string,
 ): string | JwtPayload | undefined {
@@ -34,3 +34,22 @@ export function getVerifiedUser(
     return undefined;
   }
 }
+
+export function verifyUserWithPublicKeys(
+  request: FastifyRequest,
+  keysToCheck: string[],
+): string | JwtPayload | undefined {
+  for (const key of keysToCheck) {
+    const user = getVerifiedUser(request, key);
+
+    if (user) {
+      return user;
+    }
+  }
+
+  return undefined;
+}
+
+export function filterValidKeys(keys: unknown[]): string[] {
+  return keys.filter((key): key is string => Boolean(key));
+}

packages/server/api/src/app/user-info/user-info.module.ts

@@ -5,7 +5,7 @@ import {
   allowAllOriginsHookHandler,
   registerOptionsEndpoint,
 } from '../helper/allow-all-origins-hook-handler';
-import { getVerifiedUser } from './cloud-auth';
+import { filterValidKeys, verifyUserWithPublicKeys } from './cloud-auth';
 
 export const userInfoModule: FastifyPluginAsyncTypebox = async (app) => {
   await app.register(userInfoController, { prefix: '/v1/user-info' });
@@ -24,6 +24,9 @@ export const userInfoController: FastifyPluginAsyncTypebox = async (app) => {
     return;
   }
 
+  const oldPublicKey = system.get(AppSystemProp.OLD_FRONTEGG_PUBLIC_KEY);
+  const publicKeys = filterValidKeys([publicKey, oldPublicKey]);
+
   // user-info is available on any origin
   app.addHook('onRequest', allowAllOriginsHookHandler);
   registerOptionsEndpoint(app);
@@ -38,7 +41,7 @@ export const userInfoController: FastifyPluginAsyncTypebox = async (app) => {
       },
     },
     async (request, reply) => {
-      const user = getVerifiedUser(request, publicKey);
+      const user = verifyUserWithPublicKeys(request, publicKeys);
 
       if (!user) {
         return reply.status(401).send();

packages/server/api/test/integration/cloud/cloud/cloud-auth.test.ts

@@ -1,6 +1,6 @@
 import { FastifyRequest } from 'fastify';
 import jwt from 'jsonwebtoken';
-import { getVerifiedUser } from '../../../../src/app/user-info/cloud-auth';
+import { verifyUserWithPublicKeys } from '../../../../src/app/user-info/cloud-auth';
 
 type MockFastifyRequest = FastifyRequest & {
   cookies: Record<string, string>;
@@ -37,7 +37,7 @@ function createMockRequest(options: {
   } as unknown as MockFastifyRequest;
 }
 
-describe('getVerifiedUser', () => {
+describe('Verify user with public keys', () => {
   const publicKey = 'test-public-key';
 
   beforeEach(() => {
@@ -47,7 +47,7 @@ describe('getVerifiedUser', () => {
   it('should return undefined when no token is present (no header, no cookie)', () => {
     const mockRequest = createMockRequest({ headers: {}, cookies: {} });
 
-    const result = getVerifiedUser(mockRequest, publicKey);
+    const result = verifyUserWithPublicKeys(mockRequest, [publicKey]);
 
     expect(result).toBeUndefined();
     expect(jwt.verify).not.toHaveBeenCalled();
@@ -61,7 +61,7 @@ describe('getVerifiedUser', () => {
       cookies: {},
     });
 
-    const result = getVerifiedUser(mockRequest, publicKey);
+    const result = verifyUserWithPublicKeys(mockRequest, [publicKey]);
 
     expect(jwt.verify).toHaveBeenCalledWith('header-token', publicKey, {
       algorithms: ['RS256'],
@@ -77,7 +77,7 @@ describe('getVerifiedUser', () => {
       cookies: { 'cloud-token': 'cookie-token' },
     });
 
-    const result = getVerifiedUser(mockRequest, publicKey);
+    const result = verifyUserWithPublicKeys(mockRequest, [publicKey]);
 
     expect(jwt.verify).toHaveBeenCalledWith('cookie-token', publicKey, {
       algorithms: ['RS256'],
@@ -93,7 +93,7 @@ describe('getVerifiedUser', () => {
       cookies: {},
     });
 
-    const result = getVerifiedUser(mockRequest, publicKey);
+    const result = verifyUserWithPublicKeys(mockRequest, [publicKey]);
 
     expect(jwt.verify).toHaveBeenCalledWith('cookie-header-token', publicKey, {
       algorithms: ['RS256'],
@@ -110,7 +110,7 @@ describe('getVerifiedUser', () => {
       cookies: {},
     });
 
-    const result = getVerifiedUser(mockRequest, publicKey);
+    const result = verifyUserWithPublicKeys(mockRequest, [publicKey]);
 
     expect(result).toBeUndefined();
     expect(jwt.verify).toHaveBeenCalledWith('bad-token', publicKey, {

packages/server/shared/src/lib/system/system-prop.ts

@@ -87,6 +87,7 @@ export enum AppSystemProp {
 
   FRONTEGG_URL = 'FRONTEGG_URL',
   FRONTEGG_PUBLIC_KEY = 'FRONTEGG_PUBLIC_KEY',
+  OLD_FRONTEGG_PUBLIC_KEY = 'OLD_FRONTEGG_PUBLIC_KEY', // TODO: Can be removed after 13/04/2026
 
   ENGINE_URL = 'ENGINE_URL',
   TELEMETRY_MODE = 'TELEMETRY_MODE',