feat: add token validation

Author: alexey-yarmosh

Diff for: package-lock.json

@@ -5,6 +5,7 @@
 	"type": "module",
 	"main": "dist/src/index.js",
 	"dependencies": {
+		"@isaacs/ttlcache": "^1.4.1",
 		"@koa/router": "^12.0.1",
 		"@maxmind/geoip2-node": "^4.2.0",
 		"@redocly/openapi-core": "^1.6.0",

Diff for: package.json

@@ -142,7 +142,7 @@ export class AdoptedProbes {
 	}
 
 	private async fetchAdoptedProbes () {
-		const rows = await this.sql({ probes: ADOPTED_PROBES_TABLE }).select<Row[]>();
+		const rows = await this.sql(ADOPTED_PROBES_TABLE).select<Row[]>();
 
 
 		const adoptedProbes: AdoptedProbe[] = rows.map(row => ({

Diff for: src/lib/adopted-probes.ts

@@ -1,12 +1,112 @@
+import { createHash } from 'node:crypto';
 import type { Knex } from 'knex';
+import TTLCache from '@isaacs/ttlcache';
+import { scopedLogger } from '../logger.js';
 import { client } from '../sql/client.js';
 
+export const GP_TOKENS_TABLE = 'gp_tokens';
+
+const logger = scopedLogger('auth');
+
+type Token = {
+	value: string,
+	expire: Date | null,
+	origins: string[],
+	date_last_used: Date | null
+}
+
+type Row = Omit<Token, 'origins'> & {
+	origins: string | null,
+}
+
 export class Auth {
+	private validTokens = new TTLCache<string, Token>({ ttl: 2 * 60 * 1000 });
+	private invalidTokens = new TTLCache<string, true>({ ttl: 2 * 60 * 1000 });
 	constructor (private readonly sql: Knex) {}
 
-	async validate (token: string) {
+	scheduleSync () {
+		setTimeout(() => {
+			this.syncTokens()
+				.finally(() => this.scheduleSync())
+				.catch(error => logger.error(error));
+		}, 60_000);
+	}
+
+	async syncTokens () {
+		const tokens = await this.fetchTokens();
+		tokens.forEach((token) => {
+			if (token.expire && this.isExpired(token.expire)) {
+				this.invalidTokens.set(token.value, true);
+			} else {
+				this.validTokens.set(token.value, token);
+			}
+		});
+	}
+
+	async syncSpecificToken (hash: string) {
+		const tokens = await this.fetchTokens({ value: hash });
+
+		if (tokens.length === 0) {
+			this.invalidTokens.set(hash, true);
+			return undefined;
+		}
+
+		const token = tokens[0]!;
+
+		if (token.expire && this.isExpired(token.expire)) {
+			this.invalidTokens.set(hash, true);
+			return undefined;
+		}
+
+		this.validTokens.set(hash, token);
+		return token;
+	}
+
+	async fetchTokens (filter: Partial<Row> = {}) {
+		const rows = await this.sql(GP_TOKENS_TABLE).select<Row[]>('value', 'expire', 'origins', 'date_last_used').where(filter);
+
+		const tokens: Token[] = rows.map(row => ({
+			...row,
+			origins: (row.origins ? JSON.parse(row.origins) as string[] : []),
+		}));
+
+		return tokens;
+	}
+
+	async validate (tokenString: string, origin: string) {
+		const bytes = Buffer.from(tokenString, 'base64');
+		const hash = createHash('sha256').update(bytes).digest('base64');
+
+		if (this.invalidTokens.get(hash)) {
+			return false;
+		}
+
+		let token = this.validTokens.get(hash);
+
+		if (!token) {
+			token = await this.syncSpecificToken(hash);
+		}
+
+		if (!token) {
+			return false;
+		}
+
+		if (!this.isValidOrigin(origin, token.origins)) {
+			return false;
+		}
+
 		return true;
 	}
+
+	private isExpired (date: Date) {
+		const currentDate = new Date();
+		currentDate.setHours(0, 0, 0, 0);
+		return date < currentDate;
+	}
+
+	private isValidOrigin (origin: string, validOrigins: string[]) {
+		return validOrigins.length > 0 ? validOrigins.includes(origin) : true;
+	}
 }
 
 export const auth = new Auth(client);

Diff for: src/lib/http/auth.ts

@@ -2,17 +2,18 @@ import type { Context, Next } from 'koa';
 import { auth } from '../auth.js';
 
 export const isAuthenticatedMw = async (ctx: Context, next: Next) => {
-	const { header } = ctx.request;
+	const { headers } = ctx.request;
 
-	if (header && header.authorization) {
-		const parts = header.authorization.split(' ');
+	if (headers && headers.authorization) {
+		const parts = headers.authorization.split(' ');
 
 		if (parts.length !== 2 || parts[0] !== 'Bearer') {
 			ctx.status = 401;
 			return;
 		}
 
-		const isValid = await auth.validate(parts[1]!);
+		const origin = ctx.get('Origin');
+		const isValid = await auth.validate(parts[1]!, origin);
 
 		if (!isValid) {
 			ctx.status = 401;

Diff for: src/lib/http/middleware/is-authenticated.ts

@@ -9,6 +9,7 @@ import { populateCitiesList } from './geoip/city-approximation.js';
 import { adoptedProbes } from './adopted-probes.js';
 import { reconnectProbes } from './ws/helper/reconnect-probes.js';
 import { initPersistentRedisClient } from './redis/persistent-client.js';
+import { auth } from './http/auth.js';
 
 export const createServer = async (): Promise<Server> => {
 	await initRedisClient();
@@ -28,6 +29,9 @@ export const createServer = async (): Promise<Server> => {
 	await adoptedProbes.syncDashboardData();
 	adoptedProbes.scheduleSync();
 
+	await auth.syncTokens();
+	auth.scheduleSync();
+
 	reconnectProbes();
 
 	const { getWsServer } = await import('./ws/server.js');