use Zod to parse Okta responses

Raphael Kabo · Raphael Kabo · commit 0514e366e736 · 2023-12-12T15:53:40.000Z
diff --git a/server/middleware/OktaServerSideAuthMiddleware.ts b/server/middleware/OktaServerSideAuthMiddleware.ts
@@ -1,20 +1,79 @@
 import { joinUrl } from '@guardian/libs';
 import type { NextFunction, Request, Response } from 'express';
+import { z } from 'zod';
 import {
 	clearIdentityLocalState,
 	getIdentityLocalState,
 	setIdentityLocalState,
 } from '@/server/IdentityLocalState';
 import { OAuthAccessTokenCookieName } from '@/server/oauth';
+import type { OktaConfig } from '@/server/oktaConfig';
 import { getConfig as getOktaConfig } from '@/server/oktaConfig';
 import { requiresSignin } from '../../shared/requiresSignin';
 
 declare const CYPRESS: string;
 
-type OktaUserInfo = {
-	legacy_identity_id: string;
-	email: string;
-	name: string;
+const OktaUserInfo = z.object({
+	legacy_identity_id: z.optional(z.string()),
+	email: z.optional(z.string()),
+	name: z.optional(z.string()),
+});
+
+interface OktaValidationResponse {
+	ok: boolean;
+	valid: boolean;
+	userId?: string;
+	displayName?: string;
+	email?: string;
+}
+
+const validateWithOkta = async ({
+	oktaConfig,
+	accessToken,
+}: {
+	oktaConfig: OktaConfig;
+	accessToken: string;
+}): Promise<OktaValidationResponse> => {
+	const issuerUrl = joinUrl(
+		oktaConfig.orgUrl,
+		'/oauth2/',
+		oktaConfig.authServerId,
+	);
+
+	try {
+		const oktaResponse = await fetch(`${issuerUrl}/v1/userinfo/`, {
+			headers: {
+				'Content-Type': 'application/json',
+				Authorization: `Bearer ${accessToken}`,
+			},
+		});
+		if (oktaResponse.status === 200) {
+			// Valid token
+			const oktaUserInfo = OktaUserInfo.parse(await oktaResponse.json());
+			return {
+				ok: true,
+				valid: true,
+				userId: oktaUserInfo.legacy_identity_id,
+				displayName: oktaUserInfo.name,
+				email: oktaUserInfo.email,
+			};
+		} else if ([401, 403].includes(oktaResponse.status)) {
+			console.error(
+				`OAuth / Serverside Validation Middleware / Error: invalid token.`,
+			);
+			return { ok: true, valid: false };
+		} else {
+			console.error(
+				`OAuth / Serverside Validation Middleware / Error: unexpected status code from Okta: ${oktaResponse.status}`,
+			);
+			return { ok: false, valid: false };
+		}
+	} catch (error) {
+		console.error(
+			`OAuth / Serverside Validation Middleware / Error: ${error.message}`,
+		);
+		return { ok: false, valid: false };
+	}
 };
 
 export const withOktaSeverSideValidation = async (
@@ -27,66 +86,83 @@ export const withOktaSeverSideValidation = async (
 	}
 	const oktaConfig = await getOktaConfig();
 	if (!oktaConfig.useOkta) {
-		console.log('Okta disabled, skipping Okta server side validation...');
+		/**
+		 * OKTA NOT ENABLED
+		 *
+		 * If Okta is disabled, we will still run this middleware, but
+		 * it won't be able to do anyting so we just pass through.
+		 */
 		return next();
 	}
 
-	console.log('Validating token server side ...');
 	const signinRequired = requiresSignin(req.originalUrl);
 
 	const locallyValidatedIdentityData = getIdentityLocalState(res);
 	const accessToken = req.signedCookies[OAuthAccessTokenCookieName];
 	if (!accessToken || !locallyValidatedIdentityData?.userId) {
 		if (signinRequired) {
+			/**
+			 * NO TOKEN OR USER - SIGN IN REQUIRED
+			 *
+			 * This is unexpected and should be impossible because the withIdentity
+			 * middleware should have run first and not allowed the request to get
+			 * here. Return a 500.
+			 */
 			console.error(
-				'error: no access token or user in request for a sign-in required endpoint! this should have failed local validation',
+				`OAuth / Serverside Validation Middleware / Error: no access token or user in request for a sign-in required endpoint! This should have failed local validation.`,
 			);
 			return res.sendStatus(500);
 		} else {
+			/**
+			 * NO TOKEN OR USER - SIGN IN NOT REQUIRED
+			 *
+			 * This is expected - continue.
+			 */
 			return next();
 		}
 	}
 
-	const issuerUrl = joinUrl(
-		oktaConfig.orgUrl,
-		'/oauth2/',
-		oktaConfig.authServerId,
-	);
-
-	const oktaResponse = await fetch(`${issuerUrl}/v1/userinfo/`, {
-		method: 'GET',
-		headers: {
-			'Content-Type': 'application/json',
-			Authorization: `Bearer ${accessToken}`,
-		},
+	const oktaValidationResponse = await validateWithOkta({
+		oktaConfig,
+		accessToken,
 	});
 
-	console.log(`okta response status: ${oktaResponse.status}`);
-	if (oktaResponse.status == 200) {
-		//valid token
-		const oktaUserInfo = (await oktaResponse.json()) as OktaUserInfo;
-		// Refresh the local state from the Okta response.
-		setIdentityLocalState(res, {
-			// This is always 'signedInRecently' because we've just checked
-			// the token is valid with Okta, and it's only valid for 30 minutes.
-			signInStatus: 'signedInRecently',
-			userId: oktaUserInfo.legacy_identity_id,
-			displayName: oktaUserInfo.name,
-			email: oktaUserInfo.email,
-		});
-		return next();
-	} else if ([401, 403].includes(oktaResponse.status)) {
-		//invalid token
+	if (!oktaValidationResponse.ok) {
+		/**
+		 * UNEXPECTED ERROR
+		 */
+		return res.sendStatus(500);
+	}
+
+	if (!oktaValidationResponse.valid) {
+		/**
+		 * INVALID TOKEN
+		 *
+		 * Clear the local state. If the endpoint requires sign-in,
+		 * return a 401 which can be handled down the line. Otherwise
+		 * continue (the user will see the page as if they are not
+		 * signed in).
+		 */
 		clearIdentityLocalState(res);
 		if (signinRequired) {
 			return res.sendStatus(401);
 		}
 		return next();
-	} else {
-		//unexpected return status
-		console.error(
-			`unexpected status from okta userinfo ${oktaResponse.status}`,
-		);
-		return res.sendStatus(500);
 	}
+
+	/**
+	 * VALID TOKEN
+	 *
+	 * Update the local state with the latest user info from Okta.
+	 */
+	setIdentityLocalState(res, {
+		// This is always 'signedInRecently' because we've just checked
+		// the token is valid with Okta, and it's only valid for 30 minutes.
+		signInStatus: 'signedinrecently',
+		userId: oktaValidationResponse.userId,
+		displayName: oktaValidationResponse.displayName,
+		email: oktaValidationResponse.email,
+	});
+
+	return next();
 };
diff --git a/server/oauth.ts b/server/oauth.ts
@@ -1,11 +1,11 @@
 import crypto from 'crypto';
 import { joinUrl } from '@guardian/libs';
-import type { JwtClaims } from '@okta/jwt-verifier';
 import OktaJwtVerifier from '@okta/jwt-verifier';
 import type { CookieOptions, Request, Response } from 'express';
 import ms from 'ms';
 import type { Client, IssuerMetadata } from 'openid-client';
 import { generators, Issuer } from 'openid-client';
+import { z } from 'zod';
 import { conf } from '@/server/config';
 import { setIdentityLocalState } from '@/server/IdentityLocalState';
 import type { OktaConfig } from '@/server/oktaConfig';
@@ -26,11 +26,12 @@ export const oauthCookieOptions: CookieOptions = {
 	httpOnly: true,
 };
 
-interface IdTokenClaims extends JwtClaims {
-	legacy_identity_id: string;
-	name: string;
-	email: string;
-}
+// Zod schema for the claims we expect to find in the ID token
+const IdTokenClaims = z.object({
+	legacy_identity_id: z.optional(z.string()),
+	name: z.optional(z.string()),
+	email: z.optional(z.string()),
+});
 
 /**
  * @function getOktaOrgUrl
@@ -359,7 +360,7 @@ export const setLocalStateFromIdTokenOrUserCookie = (
 		legacy_identity_id: userId,
 		name: displayName,
 		email,
-	} = idToken?.claims as IdTokenClaims;
+	} = IdTokenClaims.parse(idToken?.claims || {});
 	setIdentityLocalState(res, {
 		signInStatus: hasIdTokenOrUserCookie ? 'signedInRecently' : undefined,
 		userId,
