Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Swap out keycloak-connect for jsonwebtoken for JWT authentication #109

Merged
merged 1 commit into from
Apr 23, 2024
Merged

Swap out keycloak-connect for jsonwebtoken for JWT authentication #109

merged 1 commit into from
Apr 23, 2024

Conversation

norrisng-bc
Copy link
Contributor

@norrisng-bc norrisng-bc commented Apr 22, 2024
edited
Loading

Description

JWT validation was previously handled by the keycloak-connect package. This PR replaces the keycloak-connect-based implementation with one using jsonwebtoken.

keycloak-connect has been deprecated since 2022.

In addition, authentication errors now return a HTTP 401 instead of a HTTP 500. A detailed error message was already present in the 500, but nonetheless it's still better to return an actual 401 instead.

https://apps.nrs.gov.bc.ca/int/jira/browse/SHOWCASE-3576

Types of changes

Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have read the CONTRIBUTING doc
  • I have checked that unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the OpenAPI 3.0 v*.api-spec.yaml documentation (if appropriate)
  • I have added necessary documentation (if appropriate)

Further comments

The jsonwebtoken-based implementation was ported over from COMS.

Authentication-related config variables, if set to false, are now read correctly. This bugfix was also ported over from COMS (see bcgov/common-object-management-service#245)

@github-actions GitHub Actions
Copy link

Coverage Report

Totals Coverage
Statements: 15.98% ( 140 / 876 )
Methods: 25.71% ( 18 / 70 )
Lines: 15.36% ( 82 / 534 )
Branches: 14.71% ( 40 / 272 )

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 22, 2024
View reviewed changes
app/src/routes/v2/index.js Dismissed Show dismissed Hide dismissed
app/src/routes/v2/index.js Dismissed Show dismissed Hide dismissed
app/src/routes/v2/index.js Dismissed Show dismissed Hide dismissed
TimCsaky
TimCsaky reviewed Apr 22, 2024
View reviewed changes
Copy link
Contributor

@TimCsaky TimCsaky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussed wrapping authenticate code in a try/catch to return general Auth error response in event of javascript error.
Apart from that it all looks good to me.

@norrisng-bc norrisng-bc force-pushed the chore/drop-keycloak-connect branch 3 times, most recently from 3a44388 to 46e2c5b Compare April 23, 2024 18:55
@norrisng-bc
Swap out keycloak-connect for jsonwebtoken
fb57163 
Implementation taken from COMS
@norrisng-bc norrisng-bc force-pushed the chore/drop-keycloak-connect branch from 46e2c5b to fb57163 Compare April 23, 2024 23:08
@TimCsaky TimCsaky merged commit e899938 into master Apr 23, 2024
12 of 13 checks passed
@TimCsaky TimCsaky deleted the chore/drop-keycloak-connect branch April 23, 2024 23:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TimCsaky TimCsaky TimCsaky approved these changes

@jatindersingh93 jatindersingh93 Awaiting requested review from jatindersingh93

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@norrisng-bc @TimCsaky