API Key Authentication (#188)

Author: codesalatdev

packages/open-collaboration-server/README.md

@@ -23,6 +23,8 @@ Usage of the public instance is bound to its [Terms of Use](https://www.open-col
 | OCT_LOGIN_PAGE_URL        | Url of the login page. Defaults to /login.html?token={token}  |
 | OCT_LOGIN_SUCCESS_URL     | Url of the login success page. Defaults a simple "Login Successful. You can close this page" text  |
 | OCT_ACTIVATE_SIMPLE_LOGIN | Activates the simple login handler to alow unverified authentication just with username and optionally email |
+| OCT_ACTIVATE_API_KEY_AUTH | Activates API key authentication. When enabled, a key can be provided via `OCT_API_KEY` or one will be auto-generated and logged on startup |
+| OCT_API_KEY               | Sets a specific API key for API key authentication. If not set and API key auth is activated, a key will be auto-generated |
 | OCT_REDIRECT_URL_WHITELIST | A comma seperated list to allow usage of the specified URLs with the `redirect` query parameter when authenticating with a provider which redirects back after success. The query of a URL is ignored when validating against this list   |
 | OCT_BASE_URL              | Base URL of the server is reachable under. Used for oauth redirects |
 | OCT_CORS_ALLOWED_ORIGINS | `,` seperated list to configure the allowed origins for CORS. This will be evaluated based on the origin header of the request. if there is no match, fail the request. if not set all origin will be allowed |

packages/open-collaboration-server/src/auth-endpoints/api-key-endpoint.ts

@@ -0,0 +1,113 @@
+// ******************************************************************************
+// Copyright 2024 TypeFox GmbH
+// This program and the accompanying materials are made available under the
+// terms of the MIT License, which is available in the project root.
+// ******************************************************************************
+import { inject, injectable, postConstruct } from 'inversify';
+import { type Express } from 'express';
+import { Emitter, FormAuthProvider, Info } from 'open-collaboration-protocol';
+import { AuthEndpoint, AuthSuccessEvent } from './auth-endpoint.js';
+import { Logger } from '../utils/logging.js';
+import { Configuration } from '../utils/configuration.js';
+import { generateSecureId } from '../utils/cryptography.js';
+
+@injectable()
+export class ApiKeyAuthEndpoint implements AuthEndpoint {
+
+    protected static readonly ENDPOINT = '/api/login/apikey';
+
+    @inject(Logger) protected logger: Logger;
+
+    @inject(Configuration) protected configuration: Configuration;
+
+    private authSuccessEmitter = new Emitter<AuthSuccessEvent>();
+    onDidAuthenticate = this.authSuccessEmitter.event;
+
+    private apiKey: string = '';
+
+    @postConstruct()
+    protected initialize(): void {
+        if (!this.shouldActivate()) {
+            return;
+        }
+        const configuredKey = this.configuration.getValue('oct-api-key');
+        if (configuredKey) {
+            this.apiKey = configuredKey;
+            this.logger.info('API key authentication enabled (key provided via configuration)');
+        } else {
+            this.apiKey = generateSecureId(48);
+            this.logger.info(`API key authentication enabled (auto-generated key): ${this.apiKey}`);
+        }
+    }
+
+    shouldActivate(): boolean {
+        return this.configuration.getValue('oct-activate-api-key-auth', 'boolean') ?? false;
+    }
+
+    getProtocolProvider(): FormAuthProvider {
+        return {
+            type: 'form',
+            name: 'apikey',
+            endpoint: ApiKeyAuthEndpoint.ENDPOINT,
+            label: {
+                code: 'ApiKeyLoginLabel',
+                message: 'API Key',
+                params: []
+            },
+            details: {
+                code: 'ApiKeyLoginDetails',
+                message: 'Login with a server API key for non-interactive use',
+                params: []
+            },
+            group: {
+                code: Info.Codes.BuiltinsGroup,
+                message: 'Builtins',
+                params: []
+            },
+            fields: [
+                {
+                    name: 'apiKey',
+                    label: {
+                        code: 'ApiKeyLabel',
+                        message: 'API Key',
+                        params: []
+                    },
+                    required: true,
+                    placeHolder: {
+                        code: 'ApiKeyPlaceholder',
+                        message: 'The server API key',
+                        params: []
+                    }
+                }
+            ]
+        };
+    }
+
+    onStart(app: Express, _hostname: string, _port: number): void {
+        app.post(ApiKeyAuthEndpoint.ENDPOINT, async (req, res) => {
+            try {
+                const token = req.body.token as string;
+                const apiKey = req.body.apiKey as string;
+                if (!token || !apiKey) {
+                    res.status(400);
+                    res.send('Missing token or apiKey');
+                    return;
+                }
+                if (apiKey !== this.apiKey) {
+                    res.status(403);
+                    res.send('Invalid API key');
+                    return;
+                }
+                await Promise.all(this.authSuccessEmitter.fire({
+                    token,
+                    userInfo: { name: 'API Key User', authProvider: 'API Key' }
+                }));
+                res.send('Ok');
+            } catch (err) {
+                this.logger.error('Failed to perform API key login', err);
+                res.status(400);
+                res.send('Failed to perform API key login');
+            }
+        });
+    }
+}

packages/open-collaboration-server/src/credentials-manager.ts

@@ -8,7 +8,7 @@ import { inject, injectable, postConstruct } from 'inversify';
 import { User, isUser } from './types.js';
 import { UserManager } from './user-manager.js';
 import * as jose from 'jose';
-import { nanoid, customAlphabet } from 'nanoid';
+import { generateSecureId } from './utils/cryptography.js';
 import { Disposable, Emitter, Event } from 'open-collaboration-protocol';
 import { Logger } from './utils/logging.js';
 import { UserInfo } from './auth-endpoints/auth-endpoint.js';
@@ -33,7 +33,6 @@ export class CredentialsManager {
     @inject(Configuration) protected configuration: Configuration;
 
     protected deferredAuths = new Map<string, DelayedAuth>();
-    protected nanoid = this.generateAlphabet();
 
     @postConstruct()
     initialize() {
@@ -61,7 +60,7 @@ export class CredentialsManager {
     }
 
     async startAuth(): Promise<string> {
-        const confirmToken = this.secureId();
+        const confirmToken = generateSecureId(24);
         const updateEmitter = new Emitter<string>();
         const failureEmitter = new Emitter<Error>();
         const dispose = () => {
@@ -131,22 +130,4 @@ export class CredentialsManager {
     protected async getJwtExpiration(): Promise<string | number | undefined> {
         return undefined;
     }
-
-    protected generateAlphabet(): typeof nanoid {
-        let alphabet = '';
-        for (let digit = 48 /* '0' */; digit <= 57 /* '9' */; digit++) {
-            alphabet += String.fromCharCode(digit);
-        }
-        for (let letter = 65 /* 'A' */; letter <= 90 /* 'Z' */; letter++) {
-            alphabet += String.fromCharCode(letter);
-        }
-        for (let letter = 97 /* 'a' */; letter <= 122 /* 'z' */; letter++) {
-            alphabet += String.fromCharCode(letter);
-        }
-        return customAlphabet(alphabet, 24);
-    }
-
-    secureId(): string {
-        return this.nanoid(24);
-    }
 }

packages/open-collaboration-server/src/inversify-module.ts

@@ -21,6 +21,7 @@ import { PeerManager } from './peer-manager.js';
 import { AuthentikOAuthEndpoint } from './auth-endpoints/authentik-endpoint.js';
 import { KeycloakOAuthEndpoint } from './auth-endpoints/keycloak-endpoint.js';
 import { GenericOAuthEndpoint } from './auth-endpoints/generic-oauth-endpoint.js';
+import { ApiKeyAuthEndpoint } from './auth-endpoints/api-key-endpoint.js';
 
 /**
  * This is the default dependency injection container module for the Open Collaboration Server.
@@ -56,5 +57,7 @@ export default new ContainerModule(bind => {
     bind(AuthEndpoint).toService(KeycloakOAuthEndpoint);
     bind(GenericOAuthEndpoint).toSelf().inSingletonScope();
     bind(AuthEndpoint).toService(GenericOAuthEndpoint);
+    bind(ApiKeyAuthEndpoint).toSelf().inSingletonScope();
+    bind(AuthEndpoint).toService(ApiKeyAuthEndpoint);
 
 });

packages/open-collaboration-server/src/room-manager.ts

@@ -10,6 +10,7 @@ import { MessageRelay } from './message-relay.js';
 import { Peer, Room, User, isUser } from './types.js';
 import { Messages, BroadcastMessage, NotificationMessage, RequestMessage, ResponseMessage, isObject, Info, Event, Disposable, Emitter, JoinRoomResponse, JoinRoomPollResponse, JoinResponse } from 'open-collaboration-protocol';
 import { Logger } from './utils/logging.js';
+import { generateSecureId } from './utils/cryptography.js';
 
 export interface PreparedRoom {
     id: string;
@@ -67,7 +68,7 @@ export class RoomManager {
     }
 
     async prepareRoom(user: User): Promise<PreparedRoom> {
-        const id = this.credentials.secureId();
+        const id = generateSecureId(24);
         const claim: RoomClaim = {
             room: id,
             user: {
@@ -164,7 +165,7 @@ export class RoomManager {
 
     async requestJoin(room: Room, user: User): Promise<string> {
         this.logger.info(`Request to join room [id: '${room.id}'] by user [id: '${user.id}' | name: '${user.name}' | email: '${user.email ?? '<none>'}']`);
-        const responseId = this.credentials.secureId();
+        const responseId = generateSecureId(24);
         const timeout = setTimeout(() => {
             pollResult.update({
                 code: 'JoinTimeout',
@@ -189,7 +190,7 @@ export class RoomManager {
         };
         this.pollResults.set(responseId, pollResult);
         try {
-            const requestMessage = RequestMessage.create(Messages.Peer.Join, this.credentials.secureId(), '', room.host.id, [user]);
+            const requestMessage = RequestMessage.create(Messages.Peer.Join, generateSecureId(24), '', room.host.id, [user]);
             const responsePromise = this.messageRelay.sendRequest(
                 room.host,
                 requestMessage,

packages/open-collaboration-server/src/utils/cryptography.ts

@@ -0,0 +1,24 @@
+// ******************************************************************************
+// Copyright 2024 TypeFox GmbH
+// This program and the accompanying materials are made available under the
+// terms of the MIT License, which is available in the project root.
+// ******************************************************************************
+import { customAlphabet } from 'nanoid';
+
+const ALPHANUMERIC_ALPHABET = (() => {
+    let alphabet = '';
+    for (let digit = 48 /* '0' */; digit <= 57 /* '9' */; digit++) {
+        alphabet += String.fromCharCode(digit);
+    }
+    for (let letter = 65 /* 'A' */; letter <= 90 /* 'Z' */; letter++) {
+        alphabet += String.fromCharCode(letter);
+    }
+    for (let letter = 97 /* 'a' */; letter <= 122 /* 'z' */; letter++) {
+        alphabet += String.fromCharCode(letter);
+    }
+    return alphabet;
+})();
+
+export function generateSecureId(length: number): string {
+    return customAlphabet(ALPHANUMERIC_ALPHABET, length)();
+}