[IOPLT-1003] Add support for x-user token in bearerSessionTokenStrategy (#1204)

* Update bearerSessionTokenStrategy to use x-user header
Add FF_IO_X_USER_TOKEN_ENABLED feature flag
Add proxy:io-auth models
Remove bearerMyPortalTokenStrategy and MyPortal references

* Update proxy:io-auth commit id

* Fix linting
Add changeset

* Update app.test

* Fix import for tests

* Add x-user-token tests
Fix linting

* Update x-user feature flag
Update logic for enabled users

* Fix tests

* Fix linting

* Remove unused code

* Update getUser code

* Refactor bearerSessionTokenStrategy

* Collapse the conditions into a single if

* Update readme

* Update documentation

Author: robbcocco

.changeset/shiny-mails-reply.md

@@ -0,0 +1,5 @@
+---
+"@pagopa/io-backend": minor
+---
+
+Add support for x-user token in bearerSessionTokenStrategy

.env.example

@@ -10,10 +10,8 @@ REDIS_PORT=put_the_azure_redis_port_here
 REDIS_PASSWORD=put_the_azure_redis_password_here
 PRE_SHARED_KEY="12345"
 ALLOW_NOTIFY_IP_SOURCE_RANGE="::ffff:ac13:1/112"
-ALLOW_MYPORTAL_IP_SOURCE_RANGE="::ffff:ac13:1/112"
 ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE="::ffff:ac13:1/112"
 AUTHENTICATION_BASE_PATH=""
-MYPORTAL_BASE_PATH=/myportal/api/v1
 PAGOPA_API_URL_PROD="https://pagopa-proxy-prod"
 PAGOPA_API_KEY_PROD=foo
 PAGOPA_API_URL_TEST="https://pagopa-proxy-test"
@@ -113,6 +111,13 @@ FF_ROUTING_PUSH_NOTIF="ALL"
 FF_ROUTING_PUSH_NOTIF_BETA_TESTER_SHA_LIST=foo
 FF_ROUTING_PUSH_NOTIF_CANARY_SHA_USERS_REGEX="XYZ"
 
+# ------------------------------------
+# IO_X_USER_TOKEN
+# ------------------------------------
+FF_IO_X_USER_TOKEN=ALL
+FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST=foo
+FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX="XYZ"
+
 # ------------------------------------
 # LOLLIPOP
 # ------------------------------------

README.md

@@ -114,14 +114,12 @@ Those are all Environment variables needed by the application:
 | ALLOW_NOTIFY_IP_SOURCE_RANGE              | The range in CIDR form of allowed IPs for the webhook notifications                                  | string |
 | NOTIFICATIONS_STORAGE_CONNECTION_STRING   | Connection string to Azure queue storage for notification hub messages                               | string |
 | NOTIFICATIONS_QUEUE_NAME                  | Queue name of Azure queue storage for notification hub messages                                      | string |
-| ALLOW_MYPORTAL_IP_SOURCE_RANGE            | The range in CIDR form of allowed IPs for the MyPortal API                                           | string |
 | ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE     | The range in CIDR form of IPs of service allowed to handle user sessions                             | string |
 | AUTHENTICATION_BASE_PATH                  | The root path for the authentication endpoints                                                       | string |
 | PAGOPA_API_URL_PROD                       | The url for the PagoPA api endpoints in prod mode                                                    | string |
 | PAGOPA_API_KEY_PROD                       | The api-key needed to call the pagopa proxy API                                                      | string |
 | PAGOPA_API_URL_TEST                       | The url for the PagoPA api endpoints in test mode                                                    | string |
 | PAGOPA_API_KEY_UAT                        | The api-key needed to call the pagopa proxy API for UAT instance                                     | string |
-| MYPORTAL_BASE_PATH                        | The root path for the MyPortal endpoints                                                             | string |
 | CACHE_MAX_AGE_SECONDS                     | The value in seconds for duration of in-memory api cache                                             | int    |
 | APICACHE_DEBUG                            | When is `true` enable the apicache debug mode                                                        | boolean |
 | GITHUB_TOKEN                              | The value of your Github Api Key, used in build phase                                                | string |
@@ -164,6 +162,9 @@ Those are all Environment variables needed by the application:
 | TRIAL_SYSTEM_API_BASE_PATH                | Trial System Api Base path                                                                           | string |
 | TRIAL_SYSTEM_API_URL                      | Trial System FunctionApp Api url                                                                     | string |
 | TRIAL_SYSTEM_API_KEY                      | The key used to authenticate to the Trial System API                                                 | string |
+| FF_IO_X_USER_TOKEN                        | Enables/disables the use of the x-user header                                                        | string (enum: NONE, BETA, ALL) |
+| FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST   | List of fiscal codes enabled for the feature                                                         | csv     |
+| FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX | Regex used to identify canary users enabled for the feature                                          | regex   |
 
 Notes:
  * `FETCH_KEEPALIVE_ENABLED` should be enabled when deploying on Azure App Service to avoid [SNAT Exhaustion](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections)

helm/values-prod01.yaml

@@ -74,13 +74,14 @@ microservice-chart:
     FF_PN_ACTIVATION_ENABLED: '1'
     FF_ROUTING_PUSH_NOTIF: 'ALL'
     FF_ROUTING_PUSH_NOTIF_CANARY_SHA_USERS_REGEX: '^([(0-9)|(a-f)|(A-F)]{63}[(0-4)]{1})$'
+    FF_IO_X_USER_TOKEN: 'ALL'
+    FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX: '^([(0-9)|(a-f)|(A-F)]{63}[(0-4)]{1})$'
     IO_SIGN_API_BASE_PATH: '/api/v1/sign'
     IO_SIGN_API_URL: 'https://io-p-sign-user-func.azurewebsites.net'
     IO_SIGN_SERVICE_ID: '01GQQZ9HF5GAPRVKJM1VDAVFHM'
     IS_APPBACKENDLI: 'true'
     JWT_SUPPORT_TOKEN_EXPIRATION: '1209600'
     JWT_SUPPORT_TOKEN_ISSUER: 'app-backend.io.italia.it'
-    MYPORTAL_BASE_PATH: '/myportal/api/v1'
     NODE_ENV: 'production'
     NOTIFICATIONS_QUEUE_NAME: 'push-notifications'
     PAGOPA_API_URL_PROD: 'https://api.platform.pagopa.it/checkout/auth/payments/v1'
@@ -122,9 +123,9 @@ microservice-chart:
     PRE_SHARED_KEY: 'appbackend-PRE-SHARED-KEY'
     PAGOPA_API_KEY_PROD: 'appbackend-PAGOPA-API-KEY-PROD-PRIMARY'
     PAGOPA_API_KEY_UAT: 'appbackend-PAGOPA-API-KEY-UAT-PRIMARY'
-    ALLOW_MYPORTAL_IP_SOURCE_RANGE: 'appbackend-ALLOW-MYPORTAL-IP-SOURCE-RANGE'
     JWT_SUPPORT_TOKEN_PRIVATE_RSA_KEY: 'appbackend-JWT-SUPPORT-TOKEN-PRIVATE-RSA-KEY'
     FF_ROUTING_PUSH_NOTIF_BETA_TESTER_SHA_LIST: 'appbackend-APP-MESSAGES-BETA-FISCAL-CODES'
+    FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST: 'appbackend-X-USER-TOKEN-BETA-FISCAL-CODES'
     PECSERVER_TOKEN_SECRET: 'appbackend-PECSERVER-TOKEN-SECRET'
     PECSERVERS_poste_secret: 'appbackend-PECSERVER-TOKEN-SECRET'
     PECSERVERS_aruba_secret: 'appbackend-PECSERVER-ARUBA-TOKEN-SECRET'

package.json

@@ -44,6 +44,7 @@
     "generate:proxy:io-sign-models": "rimraf generated/io-sign && gen-api-models --api-spec api_io_sign.yaml --out-dir generated/io-sign",
     "generate:proxy:io-fims-models": "rimraf generated/io-fims && gen-api-models --api-spec api_io_fims.yaml --out-dir generated/io-fims",
     "generate:proxy:cgn-operator-search-models": "rimraf generated/cgn-operator-search && gen-api-models --api-spec api_cgn_operator_search.yaml --out-dir generated/cgn-operator-search",
+    "generate:proxy:io-auth": "rimraf generated/io-auth && gen-api-models --api-spec https://raw.githubusercontent.com/pagopa/io-auth-n-identity-domain/4d9ee9a6a141943ce7d167698b204456a2874d28/apps/io-session-manager/api/token_introspection.yaml --no-strict --out-dir generated/io-auth --request-types",
     "generate:api:io-bonus": "rimraf generated/io-bonus-api && gen-api-models --api-spec openapi/consumed/fn_bonus.yaml --no-strict --out-dir generated/io-bonus-api --request-types --response-decoders --client",
     "generate:api:io-sign": "rimraf generated/io-sign-api && gen-api-models --api-spec https://raw.githubusercontent.com/pagopa/io-sign/0a9124b7c782b2569dd82c094496e50a17b418f4/apps/io-func-sign-user/openapi.yaml --no-strict --out-dir generated/io-sign-api --request-types --response-decoders --client",
     "generate:api:io-fims": "rimraf generated/io-fims-api && gen-api-models --api-spec https://raw.githubusercontent.com/pagopa/io-fims/44c478f9b9ca024aa4db963873a85f8d9c37f5d3/apps/user-func/openapi.yaml --no-strict --out-dir generated/io-fims-api --request-types --response-decoders --client",

src/__mocks__/user_mock.ts

@@ -19,6 +19,7 @@ import {
   ZendeskToken,
 } from "../types/token";
 import { User } from "../types/user";
+import { UserIdentity } from "../../generated/io-auth/UserIdentity";
 
 export const aTimestamp = 1518010929530;
 export const aFiscalCode = "GRBGPP87L04L741X" as FiscalCode;
@@ -60,6 +61,16 @@ export const mockedUser: User = {
   session_tracking_id: aSessionTrackingId,
 };
 
+export const mockedUserIdentity: UserIdentity = {
+  family_name: aValidFamilyname,
+  fiscal_code: aFiscalCode,
+  name: aValidName,
+  date_of_birth: aValidDateofBirth,
+  spid_email: aSpidEmailAddress,
+  spid_level: aValidSpidLevel,
+  session_tracking_id: aSessionTrackingId,
+};
+
 export const aCustomEmailAddress = "custom-email@example.com" as EmailAddress;
 
 export const anIsInboxEnabled = true as IsInboxEnabled;

src/__tests__/app.test.ts

@@ -61,7 +61,6 @@ const X_FORWARDED_PROTO_HEADER = "X-Forwarded-Proto";
 
 const aAPIBasePath = "/api/v1";
 const aBonusAPIBasePath = "/bonus/api/v1";
-const aMyPortalBasePath = "/myportal/api/v1";
 const aCgnAPIBasePath = "/api/v1/cgn";
 const aCgnOperatorSearchAPIBasePath = "/api/v1/cgn-operator-search";
 const aEuCovidCertAPIBasePath = "/api/v1/eucovidcert";
@@ -84,10 +83,8 @@ describe("Success app start", () => {
       IoFimsAPIBasePath: aIoFimsAPIBasePath,
       IoSignAPIBasePath: aIoSignAPIBasePath,
       IoWalletAPIBasePath: aIoWalletAPIBasePath,
-      MyPortalBasePath: aMyPortalBasePath,
       ServicesAppBackendBasePath: aServicesAppBackendBasePath,
       TrialSystemBasePath: aTrialSystemBasePath,
-      allowMyPortalIPSourceRange: [aValidCIDR],
       allowNotifyIPSourceRange: [aValidCIDR],
       allowSessionHandleIPSourceRange: [aValidCIDR],
       authenticationBasePath: "",
@@ -193,10 +190,8 @@ describe("Failure app start", () => {
         IoFimsAPIBasePath: aIoFimsAPIBasePath,
         IoSignAPIBasePath: aIoSignAPIBasePath,
         IoWalletAPIBasePath: aIoWalletAPIBasePath,
-        MyPortalBasePath: aMyPortalBasePath,
         ServicesAppBackendBasePath: aServicesAppBackendBasePath,
         TrialSystemBasePath: aTrialSystemBasePath,
-        allowMyPortalIPSourceRange: [aValidCIDR],
         allowNotifyIPSourceRange: [aValidCIDR],
         allowSessionHandleIPSourceRange: [aValidCIDR],
         authenticationBasePath: "",

src/app.ts

@@ -34,6 +34,9 @@ import {
   FF_IO_FIMS_ENABLED,
   FF_IO_SIGN_ENABLED,
   FF_IO_WALLET_ENABLED,
+  FF_IO_X_USER_TOKEN,
+  FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST,
+  FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX,
   FF_ROUTING_PUSH_NOTIF,
   FF_ROUTING_PUSH_NOTIF_BETA_TESTER_SHA_LIST,
   FF_ROUTING_PUSH_NOTIF_CANARY_SHA_USERS_REGEX,
@@ -70,7 +73,6 @@ import { registerFirstLollipopConsumer } from "./routes/firstLollipopConsumerRou
 import { registerIoFimsAPIRoutes } from "./routes/ioFimsRoutes";
 import { registerIoSignAPIRoutes } from "./routes/ioSignRoutes";
 import { registerIoWalletAPIRoutes } from "./routes/ioWalletRoutes";
-import { registerMyPortalRoutes } from "./routes/myportalRoutes";
 import { registerPNRoutes } from "./routes/pnRoutes";
 import { registerPublicRoutes } from "./routes/publicRoutes";
 import { registerServicesAppBackendRoutes } from "./routes/servicesRoutes";
@@ -97,7 +99,6 @@ import RedisUserMetadataStorage from "./services/redisUserMetadataStorage";
 import ServicesAppBackendService from "./services/servicesAppBackendService";
 import TrialService from "./services/trialService";
 import UserDataProcessingService from "./services/userDataProcessingService";
-import bearerMyPortalTokenStrategy from "./strategies/bearerMyPortalTokenStrategy";
 import bearerSessionTokenStrategy from "./strategies/bearerSessionTokenStrategy";
 import { User } from "./types/user";
 import { attachTrackingData } from "./utils/appinsights";
@@ -117,12 +118,10 @@ export interface IAppFactoryParameters {
   readonly env: NodeEnvironment;
   readonly appInsightsClient?: appInsights.TelemetryClient;
   readonly allowNotifyIPSourceRange: ReadonlyArray<CIDR>;
-  readonly allowMyPortalIPSourceRange: ReadonlyArray<CIDR>;
   readonly allowSessionHandleIPSourceRange: ReadonlyArray<CIDR>;
   readonly authenticationBasePath: string;
   readonly APIBasePath: string;
   readonly BonusAPIBasePath: string;
-  readonly MyPortalBasePath: string;
   readonly CGNAPIBasePath: string;
   readonly CGNOperatorSearchAPIBasePath: string;
   readonly IoSignAPIBasePath: string;
@@ -136,13 +135,11 @@ export interface IAppFactoryParameters {
 export async function newApp({
   env,
   allowNotifyIPSourceRange,
-  allowMyPortalIPSourceRange,
   allowSessionHandleIPSourceRange,
   appInsightsClient,
   authenticationBasePath,
   APIBasePath,
   BonusAPIBasePath,
-  MyPortalBasePath,
   CGNAPIBasePath,
   IoSignAPIBasePath,
   IoFimsAPIBasePath,
@@ -168,20 +165,20 @@ export async function newApp({
   // Add the strategy to authenticate proxy clients.
   passport.use(
     "bearer.session",
-    bearerSessionTokenStrategy(SESSION_STORAGE, attachTrackingData)
+    bearerSessionTokenStrategy(
+      FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST,
+      FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX,
+      FF_IO_X_USER_TOKEN,
+      SESSION_STORAGE,
+      attachTrackingData
+    )
   );
 
-  // Add the strategy to authenticate MyPortal clients.
-  passport.use("bearer.myportal", bearerMyPortalTokenStrategy(SESSION_STORAGE));
-
   // Add the strategy to authenticate webhook calls.
   passport.use(URL_TOKEN_STRATEGY);
 
   // Creates middlewares for each implemented strategy
   const authMiddlewares = {
-    bearerMyPortal: passport.authenticate("bearer.myportal", {
-      session: false
-    }),
     bearerSession: passport.authenticate("bearer.session", {
       session: false
     }),
@@ -495,13 +492,6 @@ export async function newApp({
           );
         }
 
-        registerMyPortalRoutes(
-          app,
-          MyPortalBasePath,
-          allowMyPortalIPSourceRange,
-          authMiddlewares.bearerMyPortal
-        );
-
         registerServicesAppBackendRoutes(
           app,
           ServicesAppBackendBasePath,

src/config.ts

@@ -94,20 +94,6 @@ export const ALLOW_NOTIFY_IP_SOURCE_RANGE = pipe(
   })
 );
 
-// IP(s) or CIDR(s) allowed for myportal endpoint
-export const ALLOW_MYPORTAL_IP_SOURCE_RANGE = pipe(
-  process.env.ALLOW_MYPORTAL_IP_SOURCE_RANGE,
-  decodeCIDRs,
-  E.getOrElseW((errs) => {
-    log.error(
-      `Missing or invalid ALLOW_MYPORTAL_IP_SOURCE_RANGE environment variable: ${readableReport(
-        errs
-      )}`
-    );
-    return process.exit(1);
-  })
-);
-
 // IP(s) or CIDR(s) allowed for handling sessions
 export const ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE = pipe(
   process.env.ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE,
@@ -354,8 +340,6 @@ export const AUTHENTICATION_BASE_PATH = getRequiredENVVar(
   "AUTHENTICATION_BASE_PATH"
 );
 
-export const MYPORTAL_BASE_PATH = getRequiredENVVar("MYPORTAL_BASE_PATH");
-
 export const SERVICES_APP_BACKEND_BASE_PATH = getRequiredENVVar(
   "SERVICES_APP_BACKEND_BASE_PATH"
 );
@@ -615,3 +599,26 @@ export const IO_WALLET_API_CLIENT = IoWalletAPIClient(
 export const FF_IO_WALLET_ENABLED = process.env.FF_IO_WALLET_ENABLED === "1";
 export const FF_IO_WALLET_TRIAL_ENABLED =
   process.env.FF_IO_WALLET_TRIAL_ENABLED === "1";
+
+export const FF_IO_X_USER_TOKEN = pipe(
+  process.env.FF_IO_X_USER_TOKEN,
+  FeatureFlag.decode,
+  E.getOrElse(() => FeatureFlagEnum.NONE)
+);
+export const FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST = pipe(
+  process.env.FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST,
+  CommaSeparatedListOf(NonEmptyString).decode,
+  E.getOrElseW((errs) => {
+    log.error(
+      `Missing or invalid FF_IO_X_USER_TOKEN_BETA_TESTER_SHA_LIST environment variable: ${readableReport(
+        errs
+      )}`
+    );
+    return process.exit(1);
+  })
+);
+export const FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX = pipe(
+  process.env.FF_IO_X_USER_TOKEN_CANARY_SHA_USERS_REGEX,
+  NonEmptyString.decode,
+  E.getOrElse(() => "XYZ" as NonEmptyString)
+);

src/routes/myportalRoutes.ts

@@ -16,7 +16,6 @@ import * as path from "path";
 
 import { newApp } from "./app";
 import {
-  ALLOW_MYPORTAL_IP_SOURCE_RANGE,
   ALLOW_NOTIFY_IP_SOURCE_RANGE,
   ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE,
   API_BASE_PATH,
@@ -29,7 +28,6 @@ import {
   IO_FIMS_API_BASE_PATH,
   IO_SIGN_API_BASE_PATH,
   IO_WALLET_API_BASE_PATH,
-  MYPORTAL_BASE_PATH,
   SERVER_PORT,
   SERVICES_APP_BACKEND_BASE_PATH,
   TRIAL_SYSTEM_API_BASE_PATH,
@@ -47,7 +45,6 @@ import { TimeTracer } from "./utils/timer";
 const authenticationBasePath = AUTHENTICATION_BASE_PATH;
 const APIBasePath = API_BASE_PATH;
 const BonusAPIBasePath = BONUS_API_BASE_PATH;
-const MyPortalBasePath = MYPORTAL_BASE_PATH;
 const CGNAPIBasePath = CGN_API_BASE_PATH;
 const IoSignAPIBasePath = IO_SIGN_API_BASE_PATH;
 const IoFimsAPIBasePath = IO_FIMS_API_BASE_PATH;
@@ -103,10 +100,8 @@ newApp({
   IoFimsAPIBasePath,
   IoSignAPIBasePath,
   IoWalletAPIBasePath,
-  MyPortalBasePath,
   ServicesAppBackendBasePath,
   TrialSystemBasePath,
-  allowMyPortalIPSourceRange: ALLOW_MYPORTAL_IP_SOURCE_RANGE,
   allowNotifyIPSourceRange: ALLOW_NOTIFY_IP_SOURCE_RANGE,
   allowSessionHandleIPSourceRange: ALLOW_SESSION_HANDLER_IP_SOURCE_RANGE,
   appInsightsClient: O.toUndefined(maybeAppInsightsClient),

src/server.ts

@@ -6,24 +6,11 @@ import { FiscalCode } from "../../generated/io-bonus-api/FiscalCode";
 import { toFiscalCodeHash } from "../types/notification";
 import {
   FeatureFlag,
+  getIsUserACanaryTestUser,
   getIsUserEligibleForNewFeature
 } from "../utils/featureFlag";
 import NotificationService from "./notificationService";
 
-/**
- *
- * @param regex The regex to use
- * @returns
- */
-const getIsUserACanaryTestUser = (
-  regex: string
-): ((sha: NonEmptyString) => boolean) => {
-  const regExp = new RegExp(regex);
-  return (sha: NonEmptyString): boolean => regExp.test(sha);
-};
-
-// ------------------------------------------
-
 export type NotificationServiceFactory = (
   fiscalCode: FiscalCode
 ) => NotificationService;