feat: add auth code APIs (#789)

MwanPygmay · Matthis-M-ReliefApps · AntoineRelief · web-flow · commit 20ff5d8b9732 · 2023-11-07T09:43:37.000+01:00
---------

Co-authored-by: Matthis-M-ReliefApps &lt;matthis@reliefapplications.org&gt;
Co-authored-by: Antoine Hurard &lt;AntoineRelief@users.noreply.github.com&gt;
Co-authored-by: Antoine Hurard &lt;antoine.reliefapps@gmail.com&gt;
diff --git a/src/const/enumTypes.ts b/src/const/enumTypes.ts
@@ -36,6 +36,7 @@ export const authType = {
   public: 'public',
   serviceToService: 'service-to-service',
   userToService: 'user-to-service',
+  authorizationCode: 'authorization-code',
 };
 
 /** AuthType type for queries/mutations argument */
diff --git a/src/i18n/en.json b/src/i18n/en.json
@@ -145,6 +145,7 @@
 			},
 			"fetch": {
 				"errors": {
+					"fetchRequestFailed": "Failed to fetch groups.",
 					"groupsFromServiceDisabled": "Fetching groups from service not available."
 				}
 			}
diff --git a/src/i18n/test.json b/src/i18n/test.json
@@ -145,6 +145,7 @@
 			},
 			"fetch": {
 				"errors": {
+					"fetchRequestFailed": "******",
 					"groupsFromServiceDisabled": "******"
 				}
 			}
diff --git a/src/routes/download/index.ts b/src/routes/download/index.ts
@@ -31,6 +31,7 @@ import { formatFilename } from '@utils/files/format.helper';
 import { sendEmail } from '@utils/email';
 import exportBatch from '@utils/files/exportBatch';
 import { accessibleBy } from '@casl/mongoose';
+import dataSources from '@server/apollo/dataSources';
 
 /**
  * Exports files in csv or xlsx format, excepted if specified otherwise
@@ -208,6 +209,15 @@ router.get('/form/records/:id/history', async (req, res) => {
         {
           translate: req.t,
           ability,
+          context: {
+            // Need to use 'any' in order to use a class which is supposed to initialize with Apollo context
+            dataSources: (
+              await dataSources({
+                // Passing upstream request so accesstoken can be used for authentication
+                req: req,
+              } as any)
+            )(),
+          },
         }
       ).getHistory();
       const fields = filters.fields;
diff --git a/src/routes/gis/index.ts b/src/routes/gis/index.ts
@@ -409,7 +409,12 @@ router.get('/feature', async (req, res) => {
             referenceData.apiConfiguration,
             'name endpoint graphQLEndpoint'
           );
-          const contextDataSources = (await dataSources())();
+          const contextDataSources = (
+            await dataSources({
+              // Passing upstream request so accesstoken can be used for authentication
+              req: req,
+            } as any)
+          )();
           const dataSource = contextDataSources[
             apiConfiguration.name
           ] as CustomAPI;
diff --git a/src/routes/proxy/index.ts b/src/routes/proxy/index.ts
@@ -1,4 +1,4 @@
-import express from 'express';
+import express, { Request, Response } from 'express';
 import { ApiConfiguration } from '@models';
 import { getToken } from '@utils/proxy';
 import { get, isEmpty } from 'lodash';
@@ -8,6 +8,7 @@ import config from 'config';
 import * as CryptoJS from 'crypto-js';
 import axios from 'axios';
 import { createClient, RedisClientType } from 'redis';
+import { authType } from '@const/enumTypes';
 
 /** Express router */
 const router = express.Router();
@@ -24,7 +25,7 @@ const SETTING_PLACEHOLDER = '●●●●●●●●●●●●●';
  * @param path url path
  * @returns API request
  */
-const proxyAPIRequest = async (req, res, api, path) => {
+const proxyAPIRequest = async (req: Request, res: Response, api, path) => {
   try {
     let client: RedisClientType;
     if (config.get('redis.url') && req.method === 'get') {
@@ -45,7 +46,7 @@ const proxyAPIRequest = async (req, res, api, path) => {
       logger.info(`REDIS: get key : ${url}`);
       res.status(200).send(JSON.parse(cacheData));
     } else {
-      const token = await getToken(api);
+      const token = await getToken(api, req.headers.accesstoken);
       await axios({
         url,
         method: req.method,
@@ -59,9 +60,14 @@ const proxyAPIRequest = async (req, res, api, path) => {
         }),
       })
         .then(async ({ data, status }) => {
+          // We are only caching the results of requests that are not user-dependent.
+          // Otherwise, unwanted users could access cached data of other users.
+          // As an improvement, we could include a stringified unique property of the user to the cache-key to enable user-specific cache.
           if (
             client &&
-            ['service-to-service', 'public'].includes(api.authType) &&
+            [authType.serviceToService, authType.public].includes(
+              api.authType
+            ) &&
             status === 200
           ) {
             await client
@@ -86,7 +92,7 @@ const proxyAPIRequest = async (req, res, api, path) => {
   }
 };
 
-router.post('/ping/**', async (req, res) => {
+router.post('/ping/**', async (req: Request, res: Response) => {
   try {
     const body = req.body;
     if (body) {
@@ -148,7 +154,7 @@ router.post('/ping/**', async (req, res) => {
 /**
  * Forward requests to actual API using the API Configuration
  */
-router.all('/:name/**', async (req, res) => {
+router.all('/:name/**', async (req: Request, res: Response) => {
   try {
     const api = await ApiConfiguration.findOne({
       $or: [{ name: req.params.name }, { id: req.params.name }],
diff --git a/src/schema/mutation/editApiConfiguration.mutation.ts b/src/schema/mutation/editApiConfiguration.mutation.ts
@@ -115,7 +115,6 @@ export default {
             ).toString(),
           });
         }
-
         return await ApiConfiguration.findOneAndUpdate(filters, update, {
           new: true,
         });
diff --git a/src/schema/mutation/fetchGroups.mutation.ts b/src/schema/mutation/fetchGroups.mutation.ts
@@ -32,8 +32,14 @@ export default {
           context.i18next.t('common.errors.permissionNotGranted')
         );
       }
-
-      const groups = await fetchGroups();
+      let groups: Group[] = null;
+      try {
+        groups = await fetchGroups();
+      } catch {
+        throw new GraphQLError(
+          context.i18next.t('mutations.group.fetch.errors.fetchRequestFailed')
+        );
+      }
       const bulkOps: any[] = [];
       groups.forEach((group) => {
         const upsertGroup = {
diff --git a/src/server/apollo/context.ts b/src/server/apollo/context.ts
@@ -27,6 +27,9 @@ interface UserWithAbility extends User {
 export default (server: ApolloServer<Context>) =>
   async ({ req }): Promise<Context> => {
     if (req) {
+      // Attaching the request object to server since it needs to be used by datasources
+      // eslint-disable-next-line @typescript-eslint/dot-notation
+      server['req'] = req;
       return {
         // Makes the translation library accessible in the context object.
         // https://github.com/i18next/i18next-http-middleware
diff --git a/src/server/apollo/dataSources.ts b/src/server/apollo/dataSources.ts
@@ -21,6 +21,7 @@ const LAST_UPDATE_CODE = '{{lastUpdate}}';
 /**
  * CustomAPI class to create a dataSource fetching from an APIConfiguration.
  * If nothing is passed in the constructor, it will only be a standard REST DataSource.
+ * Data sources are invoked, for example, when using reference data in a context involving the display of data, such as in a grid, or when fetching or downloading historical record items.
  */
 export class CustomAPI extends RESTDataSource {
   public apiConfiguration: ApiConfiguration;
@@ -38,7 +39,7 @@ export class CustomAPI extends RESTDataSource {
    * @param apiConfiguration optional argument used to initialize the calls using the passed ApiConfiguration
    */
   constructor(
-    server?: ApolloServer<Context>,
+    public server: ApolloServer<Context>,
     apiConfiguration?: ApiConfiguration
   ) {
     super(server ? { cache: server.cache } : undefined);
@@ -60,7 +61,8 @@ export class CustomAPI extends RESTDataSource {
    */
   async willSendRequest(_: string, request: AugmentedRequest) {
     if (this.apiConfiguration) {
-      const token: string = await getToken(this.apiConfiguration);
+      const accessToken = (this.server as any).req.headers.accesstoken ?? '';
+      const token: string = await getToken(this.apiConfiguration, accessToken);
       // eslint-disable-next-line @typescript-eslint/dot-notation
       request.headers['authorization'] = `Bearer ${token}`;
     }
@@ -180,7 +182,10 @@ export class CustomAPI extends RESTDataSource {
     if (!cacheTimestamp || cacheTimestamp < modifiedAt) {
       // Check if referenceData has changed. In this case, refresh choices instead of using cached ones.
       const body = { query: this.processQuery(referenceData) };
-      const data = await this.post(url, { body });
+      let data = await this.post(url, { body });
+      if (typeof data === 'string') {
+        data = JSON.parse(data);
+      }
       items = referenceData.path
         ? jsonpath.query(data, referenceData.path)
         : data;
@@ -191,7 +196,10 @@ export class CustomAPI extends RESTDataSource {
       const isCached = cache !== undefined;
       const valueField = referenceData.valueField || 'id';
       const body = { query: this.processQuery(referenceData) };
-      const data = await this.post(url, { body });
+      let data = await this.post(url, { body });
+      if (typeof data === 'string') {
+        data = JSON.parse(data);
+      }
       items = referenceData.path
         ? jsonpath.query(data, referenceData.path)
         : data;
diff --git a/src/server/pullJobScheduler.ts b/src/server/pullJobScheduler.ts
@@ -87,6 +87,11 @@ export const scheduleJob = (pullJob: PullJob) => {
               // eslint-disable-next-line @typescript-eslint/no-use-before-define
               fetchRecordsPublic(pullJob);
             }
+            if (apiConfiguration.authType === authType.authorizationCode) {
+              throw new Error(
+                'Unsupported Api configuration with Authorization Code authentication.'
+              );
+            }
           } catch (err) {
             logger.error(err.message, { stack: err.stack });
           }
diff --git a/src/utils/history/recordHistory.ts b/src/utils/history/recordHistory.ts
@@ -4,7 +4,7 @@ import {
   RecordHistory as RecordHistoryType,
 } from '@models/history.model';
 import { AppAbility } from 'security/defineUserAbility';
-import dataSources, { CustomAPI } from '../../server/apollo/dataSources';
+import { CustomAPI } from '../../server/apollo/dataSources';
 import { isArray, isEqual, memoize, pick } from 'lodash';
 import { getFullChoices } from '@utils/form';
 import { isNil } from 'lodash';
@@ -36,15 +36,6 @@ export class RecordHistory {
     this.getFields();
   }
 
-  /**
-   * Init dataSources in the case we're invoking this class from REST and not graphQL.
-   */
-  private async initDataSources(): Promise<void> {
-    if (!this.options.context) {
-      this.options.context = { dataSources: (await dataSources())() };
-    }
-  }
-
   /**
    * Get fields from the form
    */
@@ -424,11 +415,9 @@ export class RecordHistory {
     const formatSelectable = async (field: any, change: Change) => {
       // If it's using reference Data, fetch the choices to display the display field
       if (field.referenceData) {
-        const res = await Promise.all([
-          await this.initDataSources(),
-          memoizedGetReferenceData(field.referenceData.id),
-        ]);
-        const referenceData: ReferenceData = res[1];
+        const referenceData: ReferenceData = await memoizedGetReferenceData(
+          field.referenceData.id
+        );
         const dataSource: CustomAPI =
           this.options.context.dataSources[
             (referenceData.apiConfiguration as any)?.name
@@ -464,7 +453,6 @@ export class RecordHistory {
           }
         });
       } else {
-        await this.initDataSources();
         // Otherwise, get the display value from choices stored in the field/choicesByUrl
         const choices = await getFullChoices(field, this.options.context);
         if (change.old !== undefined) {
diff --git a/src/utils/proxy/authManagement.ts b/src/utils/proxy/authManagement.ts
@@ -29,10 +29,12 @@ export const getTokenID = (
  * Get the token for an ApiConfiguration, check first if we have one in the cache, if not fetch it and store it in cache.
  *
  * @param apiConfiguration ApiConfiguration attached to token
+ * @param accessToken upstream accesstoken, is required when getToken is used for an API using authorization code authentication
  * @returns The access token to authenticate to the ApiConfiguration
  */
 export const getToken = async (
-  apiConfiguration: ApiConfiguration
+  apiConfiguration: ApiConfiguration,
+  accessToken?: string | string[]
 ): Promise<string> => {
   if (apiConfiguration.authType === authType.public) {
     return '';
@@ -88,7 +90,8 @@ export const getToken = async (
     });
     cache.set(tokenID, res.data.access_token, res.data.expires_in - 30);
     return res.data.access_token;
-  } else if (apiConfiguration.authType === authType.userToService) {
+  }
+  if (apiConfiguration.authType === authType.userToService) {
     // Retrieve access token from settings, store it and return it
     const settings: { token: string } = JSON.parse(
       CryptoJS.AES.decrypt(
@@ -99,6 +102,11 @@ export const getToken = async (
     cache.set(tokenID, settings.token, 3570);
     return settings.token;
   }
+  if (apiConfiguration.authType === authType.authorizationCode) {
+    // Making sure to return only string, as access token is typed string | string[]
+    return accessToken.toString();
+    // Token doesn't need to be cached since the frontend always keeps it up-to-date
+  }
 };
 
 /**
diff --git a/src/utils/user/fetchGroups.ts b/src/utils/user/fetchGroups.ts
@@ -5,6 +5,7 @@ import jsonpath from 'jsonpath';
 import fetch from 'node-fetch';
 import config from 'config';
 import { GroupListSettings } from './userManagement';
+import { logger } from '@services/logger.service';
 
 /**
  * Fetches groups from external API and returns them.
@@ -24,7 +25,7 @@ export const fetchGroups = async () => {
   const apiConfiguration = await ApiConfiguration.findById(apiConfigurationID);
   let data: any;
 
-  // Switch on all available authTypes
+  // Switch on authTypes supported for fetchGroups
   if (
     apiConfiguration.authType === authType.serviceToService ||
     apiConfiguration.authType === authType.userToService
@@ -38,13 +39,17 @@ export const fetchGroups = async () => {
       headers,
     });
     data = await res.json();
-  }
-
-  if (apiConfiguration.authType === authType.public) {
+  } else if (apiConfiguration.authType === authType.public) {
     const res = await fetch(apiConfiguration.endpoint + endpoint, {
       method: 'get',
     });
     data = await res.json();
+  } else {
+    logger.error(
+      'Failure when fetching groups because of an unsupported API configuration type.'
+    );
+    // Throwing an error here so above function can catch and throw GraphQL error.
+    throw new Error();
   }
   const rawGroups = jsonpath.query(data, path);
   const groups: Group[] = rawGroups.map(

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,7 @@`
`145`	`145`	`},`
`146`	`146`	`"fetch": {`
`147`	`147`	`"errors": {`
	`148`	`+ "fetchRequestFailed": "Failed to fetch groups.",`
`148`	`149`	`"groupsFromServiceDisabled": "Fetching groups from service not available."`
`149`	`150`	`}`
`150`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,6 @@ export default {`
`115`	`115`	`).toString(),`
`116`	`116`	`});`
`117`	`117`	`}`
`118`		`-`
`119`	`118`	`return await ApiConfiguration.findOneAndUpdate(filters, update, {`
`120`	`119`	`new: true,`
`121`	`120`	`});`