Add "Fix authorization guard access check" back (#133)

* Revert "Revert "Fix authorization guard access check (#129)" (#131)"

This reverts commit 5d9dd45.

* Add tests for auth guard and decode

* Bump SDK to 0.20.0

Author: wcalderipe

apps/vault/src/shared/decorator/permission-guard.decorator.ts

@@ -4,7 +4,7 @@ import { Reflector } from '@nestjs/core'
 import { AuthorizationGuard } from '../guard/authorization.guard'
 import { VaultPermission } from '../type/domain.type'
 
-const RequiredPermission = Reflector.createDecorator<VaultPermission[]>()
+export const RequiredPermission = Reflector.createDecorator<VaultPermission[]>()
 
 export function PermissionGuard(...permissions: VaultPermission[]) {
   return applyDecorators(

apps/vault/src/shared/guard/__test__/unit/authorization.guard.spec.ts

@@ -119,7 +119,7 @@ const getAccessToken = async (request: unknown, opts: object = {}) => {
   return signJwt(payload, enginePrivateJwk, { alg: SigningAlg.EIP191 }, signer)
 }
 
-describe('AuthorizationGuard', () => {
+describe(AuthorizationGuard.name, () => {
   let mockClientService = mock<ClientService>()
   let mockConfigService = mock<ConfigService<Config>>()
 
@@ -134,11 +134,6 @@ describe('AuthorizationGuard', () => {
     mockReflector = mock<Reflector>()
   })
 
-  it('should be defined', () => {
-    const guard = new AuthorizationGuard(mockClientService, mockConfigService, mockReflector, mockLogger)
-    expect(guard).toBeDefined()
-  })
-
   describe('canActivate', () => {
     const mockExecutionContext = ({ request }: { request?: unknown } = {}) => {
       const mockRequest = request || {
@@ -276,7 +271,7 @@ describe('AuthorizationGuard', () => {
       await expect(guard.canActivate(context)).resolves.toEqual(true)
     })
 
-    it('should throw when token validation is enabled and missing accessToken', async () => {
+    it('throws when token validation is enabled and missing accessToken', async () => {
       expect.assertions(2)
       const client = getBaseClient()
       mockClientService.findById.mockResolvedValue(client)
@@ -331,7 +326,7 @@ describe('AuthorizationGuard', () => {
       await expect(guard.canActivate(context)).rejects.toThrow('No engine key configured')
     })
 
-    it('should throw when requieBoundTokens is true and token is not bound', async () => {
+    it('throws when requieBoundTokens is true and token is not bound', async () => {
       const userPrivateJwk = secp256k1PrivateKeyToJwk(FIXTURE.UNSAFE_PRIVATE_KEY.Alice)
       const client = getBaseClient()
       mockClientService.findById.mockResolvedValue(client)
@@ -417,5 +412,90 @@ describe('AuthorizationGuard', () => {
 
       await expect(guard.canActivate(context)).resolves.toEqual(true)
     })
+
+    it('passes when token contains required permissions', async () => {
+      const userPrivateJwk = secp256k1PrivateKeyToJwk(FIXTURE.UNSAFE_PRIVATE_KEY.Alice)
+      const userJwk = secp256k1PublicKeyToJwk(FIXTURE.VIEM_ACCOUNT.Alice.publicKey)
+      const client = getBaseClient()
+      mockClientService.findById.mockResolvedValue(client)
+
+      // Mock the reflector to return permissions
+      mockReflector.get.mockReturnValue(['WALLET_READ'])
+
+      const guard = new AuthorizationGuard(mockClientService, mockConfigService, mockReflector, mockLogger)
+      const payload = {
+        value: 'test-value'
+      }
+
+      const accessToken = await getAccessToken(payload, {
+        sub: 'user-1',
+        cnf: userJwk,
+        access: [
+          {
+            resource: 'vault',
+            permissions: ['WALLET_READ']
+          }
+        ]
+      })
+      const jwsd = await getJwsd({
+        userPrivateJwk,
+        requestUrl: '/test',
+        payload,
+        accessToken
+      })
+
+      const mockRequest = {
+        headers: { 'x-client-id': 'test-client', authorization: `GNAP ${accessToken}`, 'detached-jws': jwsd },
+        body: payload,
+        url: '/test',
+        method: 'POST'
+      }
+      const context = mockExecutionContext({ request: mockRequest })
+
+      await expect(guard.canActivate(context)).resolves.toEqual(true)
+    })
+
+    it('throws when token does not contain required permissions', async () => {
+      const userPrivateJwk = secp256k1PrivateKeyToJwk(FIXTURE.UNSAFE_PRIVATE_KEY.Alice)
+      const userJwk = secp256k1PublicKeyToJwk(FIXTURE.VIEM_ACCOUNT.Alice.publicKey)
+      const client = getBaseClient()
+      mockClientService.findById.mockResolvedValue(client)
+
+      // Mock the reflector to return permissions
+      mockReflector.get.mockReturnValue(['WALLET_READ'])
+
+      const guard = new AuthorizationGuard(mockClientService, mockConfigService, mockReflector, mockLogger)
+      const payload = {
+        value: 'test-value'
+      }
+
+      // Token with different permission than required
+      const accessToken = await getAccessToken(payload, {
+        sub: 'user-1',
+        cnf: userJwk,
+        access: [
+          {
+            resource: 'vault',
+            permissions: ['WALLET_WRITE']
+          }
+        ]
+      })
+      const jwsd = await getJwsd({
+        userPrivateJwk,
+        requestUrl: '/test',
+        payload,
+        accessToken
+      })
+
+      const mockRequest = {
+        headers: { 'x-client-id': 'test-client', authorization: `GNAP ${accessToken}`, 'detached-jws': jwsd },
+        body: payload,
+        url: '/test',
+        method: 'POST'
+      }
+      const context = mockExecutionContext({ request: mockRequest })
+
+      await expect(guard.canActivate(context)).rejects.toThrow('Invalid permissions')
+    })
   })
 })

apps/vault/src/shared/guard/authorization.guard.ts

@@ -6,7 +6,7 @@ import { Reflector } from '@nestjs/core'
 import { z } from 'zod'
 import { ClientService } from '../../client/core/service/client.service'
 import { Config } from '../../main.config'
-import { PermissionGuard } from '../decorator/permission-guard.decorator'
+import { RequiredPermission } from '../decorator/permission-guard.decorator'
 import { ApplicationException } from '../exception/application.exception'
 import { Client, VaultPermission } from '../type/domain.type'
 
@@ -105,7 +105,7 @@ export class AuthorizationGuard implements CanActivate {
 
     // Get the Permissions (scopes) required from the request decorator, if it exists.
     const { request: requestHash } = req.body
-    const permissions: VaultPermission[] | undefined = this.reflector.get(PermissionGuard, context.getHandler())
+    const permissions: VaultPermission[] | undefined = this.reflector.get(RequiredPermission, context.getHandler())
     const access =
       permissions && permissions.length > 0
         ? [

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@narval-xyz/armory-sdk",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "license": "MPL-2.0",
   "publishConfig": {
     "access": "public"

packages/armory-sdk/package.json

@@ -16,6 +16,7 @@ describe('decodeJwt', () => {
     const rawJwt = await signJwt(payload, key, { alg: 'ES256K' })
 
     const jwt = decodeJwt(rawJwt)
+
     expect(jwt).toEqual({
       header: {
         alg: 'ES256K',
@@ -34,4 +35,25 @@ describe('decodeJwt', () => {
   it('throws an error if token is in correct format but not valid base64url encoded data', async () => {
     expect(() => decodeJwt('invalid.invalid.invalid')).toThrow(JwtError)
   })
+
+  it('does not strip arbitrary data from the payload', async () => {
+    const payloadWithArbitraryData = {
+      ...payload,
+      foo: 'foo',
+      bar: 'bar'
+    }
+    const rawJwt = await signJwt(payloadWithArbitraryData, key, { alg: 'ES256K' })
+
+    const jwt = decodeJwt(rawJwt)
+
+    expect(jwt).toEqual({
+      header: {
+        alg: 'ES256K',
+        kid: key.kid,
+        typ: 'JWT'
+      },
+      payload: payloadWithArbitraryData,
+      signature: rawJwt.split('.')[2]
+    })
+  })
 })

packages/signature/src/lib/__test__/unit/decode.spec.ts

@@ -1,6 +1,6 @@
 import { JwtError } from './error'
-import { Header, Payload } from './schemas'
-import { type Jwsd, type Jwt } from './types'
+import { Header } from './schemas'
+import { Payload, type Jwsd, type Jwt } from './types'
 
 import { base64UrlToBytes } from './utils'
 

packages/signature/src/lib/decode.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod'
 import { addressSchema } from './address.schema'
-import { Alg, Curves, KeyTypes, Use } from './types'
+import { Alg, Curves, KeyTypes, Payload, Use } from './types'
 
 // Base JWK Schema
 export const jwkBaseSchema = z.object({
@@ -186,33 +186,6 @@ export const JwsdHeader = z.object({
     )
 })
 
-/**
- * Defines the payload of JWT.
- *
- * @param {string} requestHash - The hashed request.
- * @param {string} [iss] - The issuer of the JWT.
- * @param {number} [iat] - The time the JWT was issued.
- * @param {number} [exp] - The time the JWT expires.
- * @param {string} sub - The subject of the JWT.
- * @param {string} [aud] - The audience of the JWT.
- * @param {string[]} [hashWildcard] - A list of paths that were not hashed in the request.
- * @param {string} [jti] - The JWT ID.
- * @param {Jwk} cnf - The client-bound key.
- *
- */
-export const Payload = z.object({
-  sub: z.string().optional(),
-  iat: z.number().optional(),
-  exp: z.number().optional(),
-  iss: z.string().optional(),
-  aud: z.string().optional(),
-  jti: z.string().optional(),
-  cnf: publicKeySchema.optional(),
-  requestHash: z.string().optional(),
-  hashWildcard: z.array(z.string()).optional(),
-  data: z.string().optional()
-})
-
 export const Jwt = z.object({
   header: Header,
   payload: Payload,