DEV Community: Carlos Dominguez Padron The latest articles on DEV Community by Carlos Dominguez Padron (@charlietfe). https://dev.to/charlietfe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F432891%2Fb671e55b-5f3a-4358-80c5-e0645418d377.jpeg DEV Community: Carlos Dominguez Padron https://dev.to/charlietfe en Booster authorization in a nutshell Carlos Dominguez Padron Thu, 26 May 2022 09:01:46 +0000 https://dev.to/boostercloud/booster-authorization-in-a-nutshell-5beo https://dev.to/boostercloud/booster-authorization-in-a-nutshell-5beo <h2> Overview </h2> <p>After several successful projects using The Booster Framework, with a variety of clients and internal projects, a common recurring question is How does Booster handle Authorization?<br> In this article, I will shed some light on this topic, by dissecting Booster’s approach towards authorization.</p> <h2> Standards, standards, standards </h2> <p>By design, The Booster Framework is a role-based authorized framework, which means that commands and read operations, are performed by specific roles created by the user, i.e. Admin, Customer, User, you name it. If you want to keep your API open, you can use the predefined <strong><em>all</em></strong> role, but that would be a bad idea. A better practice would be to limit the access to your API. If you want to know more about how to define roles in Booster, click <a href="https://docs.booster.cloud/chapters/04_features?id=authentication-and-authorization" rel="noopener noreferrer">here</a>.</p> <p>One widely adopted and standard way of transmitting secure information and authorizing users is the usage of <a href="https://jwt.io/introduction/" rel="noopener noreferrer">JWT Tokens</a>. </p> <p>In this article, I don't want to dig deeper into the details of the JWT standard, but long story short, you will need a JWT auth provider, or create your own, which generates valid tokens for your users. Inside of those tokens includes the user roles you need as claims in your Booster application.</p> <p>In the early stages of Booster development, and since we were using AWS as our first cloud provider, Booster offered endpoints to create, update, and login users, using <a href="https://aws.amazon.com/cognito/" rel="noopener noreferrer">AWS Cognito</a>. When you created a user, you had to specify that user's role as a part of the associated information. When the user signed in, Cognito returned a JWT token with all the information associated with the user, including the role.</p> <p>Then, you had to use that token in the Authorization header in your API requests as a bearer token, and Booster internally called Cognito again to verify if the token was valid, and if it contained the right role to perform the API call.</p> <p>That approach worked for a while, until some Booster users didn't want to use Cognito. Some wanted to use their auth, while others were using a different auth provider like Auth0, Firebase, Cognito, Okta, or whatever.</p> <p>Once again the standards to the rescue. Even if we were using JWT, Booster was tightly coupled to Cognito to verify the token and get the information associated with it. We decided to extract that part and use a standard token verification <a href="https://github.com/boostercloud/booster/blob/main/packages/framework-core/src/booster-token-verifier.ts" rel="noopener noreferrer">inside the Booster core</a>, which works with the JWT tokens, no matter which provider you are using. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxzw8q981w8su8nfttaz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxzw8q981w8su8nfttaz.png" alt="Architecture diagram"></a></p> <p><strong>Side note:</strong> We removed the Cognito dependency from Booster, but if you still want to use it, you can include the <a href="https://github.com/boostercloud/rocket-auth-aws-infrastructure" rel="noopener noreferrer">AWS Auth Rocket</a> which provides the most common Cognito features out-of-the-box for Booster applications. </p> <h2> Token verifiers </h2> <p>The JWT standard works by signing tokens using private and public key pairs using <a href="https://en.wikipedia.org/wiki/Public-key_cryptography" rel="noopener noreferrer">asymmetric cryptography</a> and different algorithms (mostly RSA or ECDSA). So basically, the public key is well known by the clients, but the private key must be secret and will only be available on the server side.</p> <p>Ok...but what do I need to use an auth in Booster?</p> <p>In Booster you will need to specify <a href="https://docs.booster.cloud/chapters/04_features?id=jwt-configuration" rel="noopener noreferrer">token verifiers</a>. You can use more than one depending on the use case, but for the moment, let's focus on using one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Booster</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">BoosterConfig</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">tokenVerifiers</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://demoapp.firebase.com/.well-known/jwks.json</span><span class="dl">'</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://securetoken.google.com/demoapp</span><span class="dl">'</span><span class="p">,</span> <span class="na">rolesClaim</span><span class="p">:</span> <span class="dl">'</span><span class="s1">firebase:groups</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p>In the example above, we are using Firebase as a provider for a demo app. The <em><strong>jwksUri</strong></em> property contains the public URL where Firebase exposes the public keys as <a href="https://datatracker.ietf.org/doc/html/rfc7517" rel="noopener noreferrer">JSON web keys</a>, the <em><strong>issuer</strong></em> specifies who is emitting tokens, and the <strong><em>rolesClaim</em></strong> value is the claim where Firebase adds the roles.</p> <p>Let's create a configuration using the Cognito provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Booster</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">BoosterConfig</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">tokenVerifiers</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json</span><span class="dl">'</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://cognito-idp.{region}.amazonaws.com/{userPoolId}</span><span class="dl">'</span><span class="p">,</span> <span class="na">rolesClaim</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cognito:groups</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p>The same here, nothing weird, except provider specific configuration.</p> <p>That's great, but what if I want to test my roles as a part of the development process and I don't want to stick without any auth provider.</p> <p>In Booster you can use the awesome <a href="https://docs.booster.cloud/chapters/04_features?id=local-provider" rel="noopener noreferrer">local provider</a> for testing purposes and configure it alongside a local token verifier.</p> <h2> Your local kingdom </h2> <p>First, we need to generate our public and private keys for our local JWT auth token generator. For that, you can use this <a href="https://cryptotools.net/rsagen" rel="noopener noreferrer">online tool</a>. <strong>Attention! Don't use those keys in any production environment</strong>.</p> <p>After that, save both keys into proper files, like <em><strong>private.key</strong></em> and <strong><em>public.key</em></strong> since you will need them later on.</p> <p>To generate tokens for different users, with different roles, let’s create a simple <strong><em>node.js</em></strong> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>testToken<span class="p">;</span><span class="nb">cd </span>testToken<span class="p">;</span>npm init <span class="nt">-y</span><span class="p">;</span>npm <span class="nb">install </span>jsonwebtoken </code></pre> </div> <p>Move the private.key you saved into the project into a folder inside your project i.e. keys folder. </p> <p>Then copy the following code into the index.js and change it accordingly, depending on your needs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">privateKey</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keys</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">private.key</span><span class="dl">'</span><span class="p">))</span> <span class="kd">function</span> <span class="nf">forUser</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">role</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">keyid</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">booster</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">issuer</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">booster</span><span class="dl">'</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="na">demoRole</span><span class="p">:</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="nx">privateKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RS256</span><span class="dl">'</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">issuer</span><span class="p">,</span> <span class="nx">keyid</span><span class="p">,</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Here is your admin user token: </span><span class="dl">'</span><span class="p">,</span> <span class="nf">forUser</span><span class="p">(</span><span class="dl">'</span><span class="s1">test@boostercloud.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Admin</span><span class="dl">'</span><span class="p">))</span> </code></pre> </div> <p>The code above is self explanatory, but basically it’s using the <em><strong>jsonwebtoken</strong></em> library to sign tokens with the private key and it’s adding some data like the email and the role in the <em><strong>demoRole</strong></em> property.</p> <p>Finally let's run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node index.js Here is your admin user token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJvb3N0ZXIifQ.eyJpZCI6InRlc3RAYm9vc3RlcmNsb3VkLmNvbSIsImRlbW9Sb2xlIjoiQWRtaW4iLCJlbWFpbCI6InRlc3RAYm9vc3RlcmNsb3VkLmNvbSIsImlhdCI6MTY1MjE5MDE1NiwiZXhwIjoxNjUyMTkwMTU2LCJpc3MiOiJib29zdGVyIiwic3ViIjoidGVzdEBib29zdGVyY2xvdWQuY29tIn0.HMBm_2MPVA_QHKr5hMTW_zmH9BFC5TplOOfSD34NrUUONzOU-1d6gKgNNRV_NX6Nem_4yksnUV64IhhLffmRNljBtIGQ-HaiVQ9S4MnNqyJCQRCArkK4xyu5EQd7RTNtLPS_xetn8kAJYzIlnO1KRNeQphplaeyEMCS5irjR9-A </code></pre> </div> <p>Woohoo! you have created a valid JWT token to use in Booster.</p> <p>In order to use that token in Booster, in the API request headers you will need to config the <em><strong>public.key</strong></em> in your token verifier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Booster</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">BoosterConfig</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">tokenVerifiers</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">publicKey</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keys</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public.key</span><span class="dl">'</span><span class="p">)),</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">booster</span><span class="dl">'</span><span class="p">,</span> <span class="na">rolesClaim</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demoRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p>The code above will use the <em><strong>publicKey</strong></em> property instead of the <strong><em>jwksUri</em></strong> since we don’t have a public URL with the keys, as many providers offer.</p> <p>Take into account that we are using the same issuer we used to sign in the token.</p> <h2> Extra, extra! </h2> <p>Some users asked about token validations that will check other data encoded inside the token, and grant or deny access based on that. For this purpose, Booster config has a property function called <em><strong>extraValidation</strong></em> which receives the decoded token as a parameter, allowing the users to do things like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Booster</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">BoosterConfig</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">tokenVerifiers</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">publicKey</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keys</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public.key</span><span class="dl">'</span><span class="p">)),</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">booster</span><span class="dl">'</span><span class="p">,</span> <span class="na">rolesClaim</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demoRole</span><span class="dl">'</span><span class="p">,</span> <span class="na">extraValidation</span><span class="p">:</span> <span class="p">(</span><span class="nx">decodedToken</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">decodedToken</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">trust</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="dl">'</span><span class="s1">We don</span><span class="dl">'</span><span class="nx">t</span> <span class="nx">trust</span> <span class="nx">on</span> <span class="nx">you</span><span class="dl">'</span><span class="s1"> } } } ] }) </span></code></pre> </div> <h2> Conclusions </h2> <p>As you have seen, Booster provides a standard and easy way of authenticating requests based on user roles which will cover most of the common use cases, since the JWS is widely adopted. For those use cases that won’t fit with the defaults, Booster provides a way of extending the framework thanks to the usage of rockets, but that’s another story. If you want to know more about how to create rockets, please refer to the official <a href="https://docs.booster.cloud/chapters/05_going-deeper?id=extending-booster-with-rockets" rel="noopener noreferrer">documentation</a>. </p> <p>Last but not least, if you have any questions about Booster or any other topic related, we would be happy to hear your thoughts on <a href="https://discord.gg/bDY8MKx" rel="noopener noreferrer">our community channel</a>.</p>