API: Unify restricted use token generation and validation

[tiblu]

Overview

We issue restricted use JWT tokens for very specific authorization:

• We issue a token to Topic Moderators, to moderate a Topic. This token is sent in e-mail.
• We issue a token to User after singing a Vote so that signed container can be downloaded. Not all Users have to be logged in for signing thus enables unauthenticated download of their Vote.
• We issue a token to Riigikogu (Parliament) so that they can add updates to Events (follow-up phase)
• We issue a token to Riigikogu (Parliament) so that they can download signed Topic container.
  ...

Problem

The restricted use token format varies quite a bit in the system and creates significant amount of complexity/confusion/overhead in the code-base. It calls for a rewrite so that we can reuse the issuing and validation code.

What token formats are present, where are they issued?

Token usually contains JWT standard parts + Citizen OS extras. The variance is in the Citizen OS extras. For example path (string), paths (Array) where there may or may not be req.method prefix.

Different path/method format used:here that format is used.

• path - string - Path, NO request method (GET, POST..) limitation. Example: "path": "/api/users/self/topics/:topicId/votes/:voteId/downloads/bdocs/final"
  • getBdocUrl - https://github.com/citizenos/citizenos-api/blob/master/routes/api/topic.js#L461
  • getZipURL - https://github.com/citizenos/citizenos-api/blob/master/routes/api/topic.js#L502
  • _topicUpdate - https://github.com/citizenos/citizenos-api/blob/master/routes/api/topic.js#L1443
• paths - Array - Array of paths with REST methods (GET, POST...). Example: "paths": ["POST_/api/...", "GET_/api/..."]
  • sendCommentReport - https://github.com/citizenos/citizenos-api/blob/master/libs/email.js#L570

Proposed solution

• Rewrite all restricted token issuing code to use audience claim (aud) to specify the scope of use:
  • aud (was path/paths) - Array - with REST method everywhere. Separated by space instead of "_". For example: "aud": ["GET /api/users/self/topics/:topicId/votes/:voteId/downloads/bdocs/final"]
• Create a new middleware to validate these tokens. Call it authTokenRestrictedUse.
  • NOTE: MUST be backward compatible (path vs paths, vs scope) with formats above. Make a comment that other formats are deprecated so that if we know that it's unlikely for an old token to be used, we can delete the backward compatibility.

[tiblu]

Expects tokens payload path to match req.path:

• GET /api/users/:userId/topics/:topicId/votes/:voteId/downloads/bdocs/final
  • Update tests
• GET /api/topics/:topicId/votes/:voteId/downloads/bdocs/final - the Parliament e-mail! BW COMP!
  • Update tests
  • BW comp test
• GET /api/users/:userId/topics/:topicId/votes/:voteId/downloads/zip/final
  • Update tests
• GET /api/topics/:topicId/votes/:voteId/downloads/zip/final
  • Update tests
• POST /api/topics/:topicId/events - the Parliament e-mail! BW COMP!
  • Update tests
  • BW comp test
• GET /api/topics/:topicId/comments/:commentId/reports/:reportId
  • Update tests
  • BW comp test
• GET /api/users/:userId/topics/:topicId/comments/:commentId/reports/:reportId
  • Update tests
  • BW comp test
• POST /api/topics/:topicId/comments/:commentId/reports/:reportId/moderate
  • Update tests
  • BW comp test

[tiblu]

Created a library to issue and verify the restricted use tokens - https://github.com/citizenos/citizenos-api/blob/master/libs/cosJwt.js
Created a middleware to validate restricted use tokens and used where possible - https://github.com/citizenos/citizenos-api/blob/master/libs/middleware/authTokenRestrictedUse.js

[tiblu]

Idea for TESTING ONLY: sniffer that validates all API links sent in e-mails, checks that they work.
#81

[tiblu]

Live.