9715319812

Committed 28 Jun 2024 03:36PM UTC coverage: 48.779% (+0.001%) from 48.778%

Build # 9715319812

Build Type

push

github

Committed by

web-flow

Commit Message

Adjust access token cookie configuration (#1705)

Set accessToken cookie SameSite attribute depending on CGW_ENV

Run Details

414 of 2513 branches covered (16.47%)

Branch coverage included in aggregate %.

9 of 13 new or added lines in 1 file covered. (69.23%)

4199 of 6944 relevant lines covered (60.47%)

13.19 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

51.85

/src/routes/auth/auth.controller.ts

import { IConfigurationService } from '@/config/configuration.service.interface';
import { getMillisecondsUntil } from '@/domain/common/utils/time';
import { AuthService } from '@/routes/auth/auth.service';
import { SiweDto, SiweDtoSchema } from '@/routes/auth/entities/siwe.dto.entity';
import { ValidationPipe } from '@/validation/pipes/validation.pipe';
import {
  Body,
  Controller,
  Get,
  HttpCode,
  Inject,
  Post,
  Res,
} from '@nestjs/common';
import { ApiExcludeController } from '@nestjs/swagger';
import { Response } from 'express';

/**
 * The AuthController is responsible for handling authentication:
 *
 * 1. Calling `/v1/auth/nonce` returns a unique nonce to be signed.
 * 2. The client signs this nonce in a SiWe message, sending it and
 *    the signature to `/v1/auth/verify` for verification.
 * 3. If verification succeeds, JWT token is added to `access_token`
 *    Set-Cookie.
 */
@Controller({ path: 'auth', version: '1' })
@ApiExcludeController()
export class AuthController {
  static readonly ACCESS_TOKEN_COOKIE_NAME = 'access_token';
  static readonly ACCESS_TOKEN_COOKIE_SAME_SITE_LAX = 'lax';
  static readonly ACCESS_TOKEN_COOKIE_SAME_SITE_NONE = 'none';
  static readonly CGW_ENV_PRODUCTION = 'production';
  private readonly cgwEnv: string;

  constructor(
    @Inject(IConfigurationService)
    private readonly configurationService: IConfigurationService,
    private readonly authService: AuthService,
  ) {
    this.cgwEnv =
      this.configurationService.getOrThrow<string>('application.env');
  }

  @Get('nonce')
  async getNonce(): Promise<{
    nonce: string;
  }> {
    return this.authService.getNonce();
  }

  @HttpCode(200)
  @Post('verify')
  async verify(
    @Res({ passthrough: true })
    res: Response,
    @Body(new ValidationPipe(SiweDtoSchema))
    siweDto: SiweDto,
  ): Promise<void> {
    const { accessToken } = await this.authService.getAccessToken(siweDto);
    const isProduction = this.cgwEnv === AuthController.CGW_ENV_PRODUCTION;

    res.cookie(AuthController.ACCESS_TOKEN_COOKIE_NAME, accessToken, {
      httpOnly: true,
      secure: true,
      sameSite: isProduction
        ? AuthController.ACCESS_TOKEN_COOKIE_SAME_SITE_LAX
        : AuthController.ACCESS_TOKEN_COOKIE_SAME_SITE_NONE,
      path: '/',
      // Extract maxAge from token as it may slightly differ to SiWe message
      maxAge: this.getMaxAge(accessToken),
    });
  }

  /**
   * Extract the expiration time from the token and return the maximum age.
   * @param accessToken - JWT token
   * @returns maximum age of the token in milliseconds or undefined if none set
   *
   * Note: the `Max-Age` of a cookie is in seconds, but express' requires it in
   * milliseconds when setting it with `res.cookie()`.
   * @see http://expressjs.com/en/api.html
   */
  private getMaxAge(accessToken: string): number | undefined {
    const { exp } = this.authService.getTokenPayloadWithClaims(accessToken);
    return exp ? getMillisecondsUntil(new Date(exp * 1_000)) : undefined;
  }
}

1	import { IConfigurationService } from '@/config/configuration.service.interface';	16✔
2	import { getMillisecondsUntil } from '@/domain/common/utils/time';	16✔
3	import { AuthService } from '@/routes/auth/auth.service';	16✔
4	import { SiweDto, SiweDtoSchema } from '@/routes/auth/entities/siwe.dto.entity';	16✔
5	import { ValidationPipe } from '@/validation/pipes/validation.pipe';	16✔
6	import {	16✔
7	Body,
8	Controller,
9	Get,
10	HttpCode,
11	Inject,
12	Post,
13	Res,
14	} from '@nestjs/common';
15	import { ApiExcludeController } from '@nestjs/swagger';	16✔
16	import { Response } from 'express';
17
18	/**
19	* The AuthController is responsible for handling authentication:
20	*
21	* 1. Calling `/v1/auth/nonce` returns a unique nonce to be signed.
22	* 2. The client signs this nonce in a SiWe message, sending it and
23	* the signature to `/v1/auth/verify` for verification.
24	* 3. If verification succeeds, JWT token is added to `access_token`
25	* Set-Cookie.
26	*/
27	@Controller({ path: 'auth', version: '1' })
28	@ApiExcludeController()
29	export class AuthController {	16✔
30	static readonly ACCESS_TOKEN_COOKIE_NAME = 'access_token';	16✔
31	static readonly ACCESS_TOKEN_COOKIE_SAME_SITE_LAX = 'lax';	16✔
32	static readonly ACCESS_TOKEN_COOKIE_SAME_SITE_NONE = 'none';	16✔
33	static readonly CGW_ENV_PRODUCTION = 'production';	16✔
34	private readonly cgwEnv: string;
35
36	constructor(
37	@Inject(IConfigurationService)
NEW 38	private readonly configurationService: IConfigurationService,	×
NEW 39	private readonly authService: AuthService,	×
40	) {
NEW 41	this.cgwEnv =	×
42	this.configurationService.getOrThrow<string>('application.env');
43	}
44
45	@Get('nonce')
46	async getNonce(): Promise<{	16✔
47	nonce: string;
48	}> {
49	return this.authService.getNonce();	×
50	}
51
52	@HttpCode(200)
53	@Post('verify')
54	async verify(	16✔
55	@Res({ passthrough: true })
56	res: Response,
57	@Body(new ValidationPipe(SiweDtoSchema))
58	siweDto: SiweDto,
59	): Promise<void> {
60	const { accessToken } = await this.authService.getAccessToken(siweDto);	×
NEW 61	const isProduction = this.cgwEnv === AuthController.CGW_ENV_PRODUCTION;	×
62
63	res.cookie(AuthController.ACCESS_TOKEN_COOKIE_NAME, accessToken, {	×
64	httpOnly: true,
65	secure: true,
66	sameSite: isProduction	×
67	? AuthController.ACCESS_TOKEN_COOKIE_SAME_SITE_LAX
68	: AuthController.ACCESS_TOKEN_COOKIE_SAME_SITE_NONE,
69	path: '/',
70	// Extract maxAge from token as it may slightly differ to SiWe message
71	maxAge: this.getMaxAge(accessToken),
72	});
73	}
74
75	/**
76	* Extract the expiration time from the token and return the maximum age.
77	* @param accessToken - JWT token
78	* @returns maximum age of the token in milliseconds or undefined if none set
79	*
80	* Note: the `Max-Age` of a cookie is in seconds, but express' requires it in
81	* milliseconds when setting it with `res.cookie()`.
82	* @see http://expressjs.com/en/api.html
83	*/
84	private getMaxAge(accessToken: string): number \| undefined {
85	const { exp } = this.authService.getTokenPayloadWithClaims(accessToken);	×
86	return exp ? getMillisecondsUntil(new Date(exp * 1_000)) : undefined;	×
87	}
88	}

safe-global / safe-client-gateway / 9715319812

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous