feat(auth): Make sig validation not processed in dev mode (#683)

* feat: bypass as signature check * remove test import Co-authored-by: Brandon Wilson <[email protected]> * chore(auth): fix formatting * fix(auth): add missing test call * fix(auth): add tests, reset config * refactor: update config Co-authored-by: Brandon Wilson <[email protected]> * refactor: prefer done over isdone Co-authored-by: Brandon Wilson <[email protected]> * refactor: remove extra test * fix(auth): make tests work by punting on done Co-authored-by: Brandon Wilson <[email protected]> * chore(auth): reset default bypassSignatureValidation via @wilsonianb * chore(auth): allow multiple configs in tests Co-authored-by: Brandon Wilson <[email protected]>
interledger · Nov 3, 2022 · 8898075 · 8898075
1 parent 3807051
commit 8898075
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 4 deletions.
diff --git a/packages/auth/docker-compose.yml b/packages/auth/docker-compose.yml
@@ -10,6 +10,7 @@ services:
       - "5432:5432"
     environment:
       POSTGRES_PASSWORD: password
+      BYPASS_SIGNATURE_VALIDATION: false
   redis:
     image: "redis:7"
     restart: unless-stopped

diff --git a/packages/auth/src/config/app.ts b/packages/auth/src/config/app.ts
@@ -43,5 +43,6 @@ export const Config = {
   databaseCleanupWorkers: envInt('DATABASE_CLEANUP_WORKERS', 1),
   accessTokenDeletionDays: envInt('ACCESS_TOKEN_DELETION_DAYS', 30),
   introspectionHttpsig: envBool('INTROSPECTION_HTTPSIG', false),
-  incomingPaymentInteraction: envBool('INCOMING_PAYMENT_INTERACTION', false)
+  incomingPaymentInteraction: envBool('INCOMING_PAYMENT_INTERACTION', false),
+  bypassSignatureValidation: envBool('BYPASS_SIGNATURE_VALIDATION', false)
 }
diff --git a/packages/auth/src/signature/middleware.test.ts b/packages/auth/src/signature/middleware.test.ts
@@ -32,7 +32,8 @@ import {
 
 describe('Signature Service', (): void => {
   let deps: IocContract<AppServices>
-  let appContainer: TestContainer
+  const appContainers: TestContainer[] = []
+
   let keyPath: string
   let publicKey: JWKWithRequired
   let privateKey: JWKWithRequired
@@ -43,7 +44,8 @@ describe('Signature Service', (): void => {
 
   beforeAll(async (): Promise<void> => {
     deps = await initIocContainer(Config)
-    appContainer = await createTestApp(deps)
+    const appContainer = await createTestApp(deps)
+    appContainers.push(appContainer)
 
     const keys = await generateTestKeys()
     keyPath = '/' + keys.keyId
@@ -57,7 +59,9 @@ describe('Signature Service', (): void => {
 
   afterAll(async (): Promise<void> => {
     nock.restore()
-    await appContainer.shutdown()
+    for (let i = 0; i < appContainers.length; i++) {
+      await appContainers[i].shutdown()
+    }
   })
 
   describe('signatures', (): void => {
@@ -401,6 +405,55 @@ describe('Signature Service', (): void => {
       scope.isDone()
     })
 
+    test('middleware succeeds if BYPASS_SIGNATURE_VALIDATION is true with bad signature', async (): Promise<void> => {
+      const altDeps = await initIocContainer({
+        ...Config,
+        bypassSignatureValidation: true
+      })
+
+      const altContainer = await createTestApp(altDeps)
+      appContainers.push(altContainer)
+
+      nock(KEY_REGISTRY_ORIGIN)
+        .get(keyPath)
+        .reply(200, {
+          jwk: testClientKey.jwk,
+          client: TEST_CLIENT
+        } as ClientKey)
+
+      const ctx = await createContextWithSigHeaders(
+        {
+          headers: {
+            Accept: 'application/json'
+          },
+          url: '/',
+          method: 'POST'
+        },
+        {},
+        {
+          client: {
+            display: TEST_CLIENT_DISPLAY,
+            key: {
+              proof: 'httpsig',
+              jwk: testClientKey.jwk
+            }
+          }
+        },
+        privateKey,
+        altDeps
+      )
+
+      ctx.headers['signature'] = 'wrong-signature'
+
+      await grantInitiationHttpsigMiddleware(ctx, next)
+
+      expect(ctx.response.status).toEqual(200)
+      expect(next).toHaveBeenCalled()
+
+      // TODO: https://github.com/interledger/rafiki/issues/656
+      // scope.done()
+    })
+
     test('middleware fails if client is invalid', async (): Promise<void> => {
       const ctx = await createContextWithSigHeaders(
         {

diff --git a/packages/auth/src/signature/middleware.ts b/packages/auth/src/signature/middleware.ts
@@ -21,6 +21,12 @@ async function verifySigAndChallenge(
   clientKey: JWKWithRequired,
   ctx: HttpSigContext
 ): Promise<boolean> {
+  const config = await ctx.container.use('config')
+  if (config.bypassSignatureValidation) {
+    // bypass
+    return true
+  }
+
   const sig = ctx.headers['signature'] as string
   const sigInput = ctx.headers['signature-input'] as string
   const challenge = sigInputToChallenge(sigInput, ctx)