Use public key to validate access to the cloud templates (#1619)

Fixes OPS-2983.

Author: MarceloRGonc

packages/react-ui/src/app/routes/cloud-connection/cloud-connection-page.tsx

@@ -33,18 +33,14 @@ const CloudConnectionPage = () => {
     if (!flags || isLoading) {
       return;
     }
-    const { FRONTEGG_URL, FRONTEGG_CLIENT_ID, FRONTEGG_APP_ID } = flags;
+    const { FRONTEGG_URL } = flags;
 
-    if (!FRONTEGG_URL || !FRONTEGG_CLIENT_ID || !FRONTEGG_APP_ID) {
+    if (!FRONTEGG_URL) {
       navigate('/');
       return;
     }
 
-    const app = initializeFrontegg(
-      FRONTEGG_URL as string,
-      FRONTEGG_CLIENT_ID as string,
-      FRONTEGG_APP_ID as string,
-    );
+    const app = initializeFrontegg(FRONTEGG_URL as string);
 
     app.ready(() => {
       app.store.subscribe(() => {

packages/react-ui/src/app/routes/cloud-connection/cloud-logout-page.tsx

@@ -30,18 +30,14 @@ const CloudLogoutPage = () => {
     if (!flags || isLoading) {
       return;
     }
-    const { FRONTEGG_URL, FRONTEGG_CLIENT_ID, FRONTEGG_APP_ID } = flags;
+    const { FRONTEGG_URL } = flags;
 
-    if (!FRONTEGG_URL || !FRONTEGG_CLIENT_ID || !FRONTEGG_APP_ID) {
+    if (!FRONTEGG_URL) {
       navigate('/');
       return;
     }
 
-    const app = initializeFrontegg(
-      FRONTEGG_URL as string,
-      FRONTEGG_CLIENT_ID as string,
-      FRONTEGG_APP_ID as string,
-    );
+    const app = initializeFrontegg(FRONTEGG_URL as string);
 
     Cookies.remove('cloud-token');
     Cookies.remove('cloud-refresh-token');

packages/react-ui/src/app/routes/cloud-connection/frontegg-setup.ts

@@ -1,23 +1,21 @@
-import { initialize } from '@frontegg/js';
+import { FronteggApp, initialize } from '@frontegg/js';
 
 export const additionalFronteggParams = {
   // Google OAuth 2.0: Prompt the user to select an account. https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient
   prompt: 'select_account',
 };
 
-export const initializeFrontegg = (
-  FRONTEGG_URL: string,
-  FRONTEGG_CLIENT_ID: string,
-  FRONTEGG_APP_ID: string,
-) =>
-  initialize({
+export function initializeFrontegg(url: string, tenant?: string): FronteggApp {
+  const tenantResolver = tenant ? () => ({ tenant }) : undefined;
+
+  return initialize({
     contextOptions: {
-      baseUrl: FRONTEGG_URL as string,
-      clientId: FRONTEGG_CLIENT_ID as string,
-      appId: FRONTEGG_APP_ID as string,
+      baseUrl: url,
+      tenantResolver,
     },
     authOptions: {
       keepSessionAlive: true,
     },
     hostedLoginBox: true,
   });
+}

packages/server/api/src/app/flags/flag.service.ts

@@ -251,18 +251,6 @@ export const flagService = {
         created,
         updated,
       },
-      {
-        id: FlagId.FRONTEGG_CLIENT_ID,
-        value: system.get(AppSystemProp.FRONTEGG_CLIENT_ID),
-        created,
-        updated,
-      },
-      {
-        id: FlagId.FRONTEGG_APP_ID,
-        value: system.get(AppSystemProp.FRONTEGG_APP_ID),
-        created,
-        updated,
-      },
       {
         id: FlagId.CLOUD_CONNECTION_PAGE_ENABLED,
         value: system.getBoolean(AppSystemProp.CLOUD_CONNECTION_PAGE_ENABLED),

packages/server/api/src/app/flow-template/cloud-template.controller.ts

@@ -2,50 +2,29 @@ import {
   FastifyPluginAsyncTypebox,
   Type,
 } from '@fastify/type-provider-typebox';
-import { IdentityClient } from '@frontegg/client';
 import { AppSystemProp, logger, system } from '@openops/server-shared';
 import { ALL_PRINCIPAL_TYPES, OpenOpsId } from '@openops/shared';
-import { getCloudToken, getCloudUser } from '../user-info/cloud-auth';
+import { allowAllOriginsHookHandler } from '../helper/allow-all-origins-hook-handler';
+import { getVerifiedUser } from '../user-info/cloud-auth';
 import { flowTemplateService } from './flow-template.service';
 
 export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
   app,
 ) => {
-  const fronteggClientId = system.get(AppSystemProp.FRONTEGG_CLIENT_ID);
-  const fronteggApiKey = system.get(AppSystemProp.FRONTEGG_API_KEY);
+  const publicKey = system.get(AppSystemProp.FRONTEGG_PUBLIC_KEY);
+  const connectionPageEnabled = system.getBoolean(
+    AppSystemProp.CLOUD_CONNECTION_PAGE_ENABLED,
+  );
 
-  if (!fronteggClientId || !fronteggApiKey) {
+  if (!publicKey || !connectionPageEnabled) {
     logger.info(
       'Missing Frontegg configuration, disabling cloud templates API',
     );
     return;
   }
 
-  const identityClient = new IdentityClient({
-    FRONTEGG_CLIENT_ID: fronteggClientId,
-    FRONTEGG_API_KEY: fronteggApiKey,
-  });
-
   // cloud templates are available on any origin
-  app.addHook('onSend', (request, reply, payload, done) => {
-    void reply.header(
-      'Access-Control-Allow-Origin',
-      request.headers.origin || request.headers['Ops-Origin'] || '*',
-    );
-    void reply.header('Access-Control-Allow-Methods', 'GET,OPTIONS');
-    void reply.header(
-      'Access-Control-Allow-Headers',
-      'Content-Type,Ops-Origin,Authorization',
-    );
-    void reply.header('Access-Control-Allow-Credentials', 'true');
-
-    if (request.method === 'OPTIONS') {
-      return reply.status(204).send();
-    }
-
-    done(null, payload);
-    return;
-  });
+  app.addHook('onSend', allowAllOriginsHookHandler);
 
   app.get(
     '/',
@@ -70,23 +49,7 @@ export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
       },
     },
     async (request) => {
-      const token = getCloudToken(request);
-
-      if (!(await getCloudUser(identityClient, token))) {
-        return flowTemplateService.getFlowTemplates({
-          search: request.query.search,
-          tags: request.query.tags,
-          services: request.query.services,
-          domains: request.query.domains,
-          blocks: request.query.blocks,
-          projectId: request.principal.projectId,
-          organizationId: request.principal.organization.id,
-          cloudTemplates: true,
-          isSample: true,
-          version: request.query.version,
-          categories: request.query.categories,
-        });
-      }
+      const user = getVerifiedUser(request, publicKey);
 
       return flowTemplateService.getFlowTemplates({
         search: request.query.search,
@@ -97,6 +60,7 @@ export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
         projectId: request.principal.projectId,
         organizationId: request.principal.organization.id,
         cloudTemplates: true,
+        isSample: !user,
         version: request.query.version,
         categories: request.query.categories,
       });
@@ -120,13 +84,14 @@ export const cloudTemplateController: FastifyPluginAsyncTypebox = async (
       },
     },
     async (request, reply) => {
-      const token = getCloudToken(request);
-      if (!(await getCloudUser(identityClient, token))) {
+      const user = getVerifiedUser(request, publicKey);
+
+      if (!user) {
         const template = await flowTemplateService.getFlowTemplate(
           request.params.id,
         );
 
-        return template?.isSample ? template : reply.status(404).send();
+        return template?.isSample ? template : reply.status(403).send();
       }
 
       return flowTemplateService.getFlowTemplate(request.params.id);

packages/server/api/src/app/helper/allow-all-origins-hook-handler.ts

@@ -0,0 +1,29 @@
+import { onSendHookHandler } from 'fastify/types/hooks';
+
+export const allowAllOriginsHookHandler: onSendHookHandler = (
+  request,
+  reply,
+  payload,
+  done,
+) => {
+  void reply.header(
+    'Access-Control-Allow-Origin',
+    request.headers.origin || request.headers['Ops-Origin'] || '*',
+  );
+
+  void reply.header('Access-Control-Allow-Methods', 'GET,OPTIONS');
+
+  void reply.header(
+    'Access-Control-Allow-Headers',
+    'Content-Type,Ops-Origin,Authorization',
+  );
+
+  void reply.header('Access-Control-Allow-Credentials', 'true');
+
+  if (request.method === 'OPTIONS') {
+    return reply.status(204).send();
+  }
+
+  done(null, payload);
+  return;
+};

packages/server/api/src/app/user-info/cloud-auth.ts

@@ -1,34 +1,28 @@
-import { IdentityClient } from '@frontegg/client';
-import {
-  IAccessToken,
-  IEntityWithRoles,
-} from '@frontegg/client/dist/src/clients/identity/types';
 import { FastifyRequest } from 'fastify';
+import jwt, { JwtPayload } from 'jsonwebtoken';
 
 const CLOUD_TOKEN_COOKIE_NAME = 'cloud-token';
 
-export const getCloudToken = (request: FastifyRequest): string | undefined => {
+const getCloudToken = (request: FastifyRequest): string | undefined => {
   let token = request.headers.authorization?.replace('Bearer ', '');
   if (!token) {
     token = request.cookies[CLOUD_TOKEN_COOKIE_NAME];
   }
   return token;
 };
 
-export async function getCloudUser(
-  identityClient: IdentityClient,
-  token?: string,
-): Promise<null | IEntityWithRoles | IAccessToken> {
+export function getVerifiedUser(
+  request: FastifyRequest,
+  publicKey: string,
+): string | JwtPayload | undefined {
+  const token = getCloudToken(request);
   if (!token) {
-    return null;
+    return undefined;
   }
 
   try {
-    const user = await identityClient.validateIdentityOnToken(token);
-    return user;
-  } catch (e) {
-    // eslint-disable-next-line no-console
-    console.error(e);
-    return null;
+    return jwt.verify(token, publicKey, { algorithms: ['RS256'] });
+  } catch {
+    return undefined;
   }
 }

packages/server/api/src/app/user-info/user-info.module.ts

@@ -1,48 +1,28 @@
 import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
-import { IdentityClient } from '@frontegg/client';
 import { AppSystemProp, logger, system } from '@openops/server-shared';
 import { ALL_PRINCIPAL_TYPES } from '@openops/shared';
-import { getCloudToken, getCloudUser } from './cloud-auth';
+import { allowAllOriginsHookHandler } from '../helper/allow-all-origins-hook-handler';
+import { getVerifiedUser } from './cloud-auth';
 
 export const userInfoModule: FastifyPluginAsyncTypebox = async (app) => {
   await app.register(userInfoController, { prefix: '/v1/user-info' });
 };
 
 export const userInfoController: FastifyPluginAsyncTypebox = async (app) => {
-  const fronteggClientId = system.get(AppSystemProp.FRONTEGG_CLIENT_ID);
-  const fronteggApiKey = system.get(AppSystemProp.FRONTEGG_API_KEY);
+  const publicKey = system.get(AppSystemProp.FRONTEGG_PUBLIC_KEY);
+  const connectionPageEnabled = system.getBoolean(
+    AppSystemProp.CLOUD_CONNECTION_PAGE_ENABLED,
+  );
 
-  if (!fronteggClientId || !fronteggApiKey) {
+  if (!publicKey || !connectionPageEnabled) {
     logger.info(
       'Missing Frontegg configuration, disabling cloud templates API',
     );
     return;
   }
 
-  const identityClient = new IdentityClient({
-    FRONTEGG_CLIENT_ID: fronteggClientId,
-    FRONTEGG_API_KEY: fronteggApiKey,
-  });
-
   // user-info is available on any origin
-  app.addHook('onSend', (request, reply, payload, done) => {
-    void reply.header(
-      'Access-Control-Allow-Origin',
-      request.headers.origin || request.headers['Ops-Origin'] || '*',
-    );
-    void reply.header('Access-Control-Allow-Methods', 'GET,OPTIONS');
-    void reply.header(
-      'Access-Control-Allow-Headers',
-      'Content-Type,Ops-Origin,Authorization',
-    );
-    void reply.header('Access-Control-Allow-Credentials', 'true');
-    if (request.method === 'OPTIONS') {
-      return reply.status(204).send();
-    }
-
-    done(null, payload);
-    return;
-  });
+  app.addHook('onSend', allowAllOriginsHookHandler);
 
   app.get(
     '/',
@@ -53,8 +33,7 @@ export const userInfoController: FastifyPluginAsyncTypebox = async (app) => {
       },
     },
     async (request, reply) => {
-      const token = getCloudToken(request);
-      const user = await getCloudUser(identityClient, token);
+      const user = getVerifiedUser(request, publicKey);
 
       if (!user) {
         return reply.status(401).send();