[FEATURE] Conditionner la validation des AT utilisateurs en comparant…

… l’aud des AT utilisateurs à la forwardedOrigin (PIX-15944) #11208
1024pix · Jan 29, 2025 · 3f9179c · 3f9179c
2 parents d4bd36d + ad449de
commit 3f9179c
Show file tree

Hide file tree

Showing 189 changed files with 1,176 additions and 1,418 deletions.
diff --git a/api/lib/infrastructure/authentication.js b/api/lib/infrastructure/authentication.js
@@ -1,6 +1,7 @@
 import boom from '@hapi/boom';
 import lodash from 'lodash';
 
+import { getForwardedOrigin } from '../../src/identity-access-management/infrastructure/utils/network.js';
 import { config } from '../../src/shared/config.js';
 import { tokenService } from '../../src/shared/domain/services/token-service.js';
 
@@ -60,7 +61,6 @@ function validateUser(decoded) {
 
 function validateClientApplication(decoded) {
   const application = find(config.apimRegisterApplicationsCredentials, { clientId: decoded.client_id });
-
   if (!application) {
     return { isValid: false, errorCode: 401 };
   }
@@ -73,29 +73,39 @@ function validateClientApplication(decoded) {
 }
 
 async function _checkIsAuthenticated(request, h, { key, validate }) {
-  if (!request.headers.authorization) {
+  const authorizationHeader = request.headers.authorization;
+  if (!authorizationHeader) {
     return boom.unauthorized(null, 'jwt');
   }
 
-  const authorizationHeader = request.headers.authorization;
   const accessToken = tokenService.extractTokenFromAuthChain(authorizationHeader);
-
   if (!accessToken) {
     return boom.unauthorized();
   }
 
   const decodedAccessToken = tokenService.getDecodedToken(accessToken, key);
-  if (decodedAccessToken) {
-    const { isValid, credentials, errorCode } = validate(decodedAccessToken, request, h);
-    if (isValid) {
-      return h.authenticated({ credentials });
-    }
+  if (!decodedAccessToken) {
+    return boom.unauthorized();
+  }
 
-    if (errorCode === 403) {
-      return boom.forbidden();
+  // Only tokens including user_id are User Access Tokens.
+  // This is why applications Access Tokens are not subject to audience validation for now.
+  if (decodedAccessToken.user_id && config.featureToggles.isUserTokenAudConfinementEnabled) {
+    const audience = getForwardedOrigin(request.headers);
+    if (decodedAccessToken.aud !== audience) {
+      return boom.unauthorized();
     }
   }
 
+  const { isValid, credentials, errorCode } = validate(decodedAccessToken, request, h);
+  if (isValid) {
+    return h.authenticated({ credentials });
+  }
+
+  if (errorCode === 403) {
+    return boom.forbidden();
+  }
+
   return boom.unauthorized();
 }
 

diff --git a/api/src/shared/config.js b/api/src/shared/config.js
@@ -497,7 +497,7 @@ const configuration = (function () {
     config.featureToggles.isSelfAccountDeletionEnabled = false;
     config.featureToggles.isQuestEnabled = false;
     config.featureToggles.isAsyncQuestRewardingCalculationEnabled = false;
-    config.featureToggles.isUserTokenAudConfinementEnabled = false;
+    config.featureToggles.isUserTokenAudConfinementEnabled = true;
     config.featureToggles.isTextToSpeechButtonEnabled = false;
     config.featureToggles.isLegalDocumentsVersioningEnabled = false;
     config.featureToggles.showNewResultPage = false;

diff --git a/.../acceptance/application/campaign-participations/campaign-participation-controller_test.js b/.../acceptance/application/campaign-participations/campaign-participation-controller_test.js
@@ -2,7 +2,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
 } from '../../../test-helper.js';
 
 describe('Acceptance | API | Campaign Participations', function () {
@@ -29,7 +29,7 @@ describe('Acceptance | API | Campaign Participations', function () {
       const options = {
         method: 'GET',
         url: `/api/campaign-participations/${campaignParticipation.id}/trainings`,
-        headers: { authorization: generateValidRequestAuthorizationHeader(user.id) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId: user.id }),
       };
 
       // when

diff --git a/api/tests/acceptance/application/campaigns/campaign-controller_test.js b/api/tests/acceptance/application/campaigns/campaign-controller_test.js
@@ -2,7 +2,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
 } from '../../../test-helper.js';
 
 describe('Acceptance | API | Campaign Controller', function () {
@@ -25,7 +25,7 @@ describe('Acceptance | API | Campaign Controller', function () {
       const response = await server.inject({
         method: 'PATCH',
         url: `/api/campaigns/${campaign.id}`,
-        headers: { authorization: generateValidRequestAuthorizationHeader(userId) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId }),
         payload: {
           data: {
             type: 'campaigns',
@@ -59,7 +59,7 @@ describe('Acceptance | API | Campaign Controller', function () {
       const response = await server.inject({
         method: 'PATCH',
         url: `/api/campaigns/${campaign.id}`,
-        headers: { authorization: generateValidRequestAuthorizationHeader(userId) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId }),
         payload: {
           data: {
             type: 'campaigns',

diff --git a/api/tests/acceptance/application/campaigns/campaign-management-controller_test.js b/api/tests/acceptance/application/campaigns/campaign-management-controller_test.js
@@ -2,7 +2,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
 } from '../../../test-helper.js';
 
 describe('Acceptance | API | Campaign Management Controller', function () {
@@ -23,7 +23,7 @@ describe('Acceptance | API | Campaign Management Controller', function () {
       const response = await server.inject({
         method: 'GET',
         url: `/api/admin/campaigns/${campaign.id}`,
-        headers: { authorization: generateValidRequestAuthorizationHeader(user.id) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId: user.id }),
       });
 
       // then

diff --git a/api/tests/acceptance/application/certification-center-invitations/index_test.js b/api/tests/acceptance/application/certification-center-invitations/index_test.js
@@ -2,7 +2,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
   knex,
 } from '../../../test-helper.js';
 
@@ -45,9 +45,7 @@ describe('Acceptance | API | Certification center invitations', function () {
           const response = await server.inject({
             method: 'PATCH',
             url: `/api/certification-center-invitations/${certificationCenterInvitation.id}`,
-            headers: {
-              authorization: generateValidRequestAuthorizationHeader(adminUser.id),
-            },
+            headers: generateAuthenticatedUserRequestHeaders({ userId: adminUser.id }),
           });
 
           // then
@@ -98,9 +96,7 @@ describe('Acceptance | API | Certification center invitations', function () {
           const response = await server.inject({
             method: 'PATCH',
             url: `/api/certification-center-invitations/${certificationCenterInvitation.id}`,
-            headers: {
-              authorization: generateValidRequestAuthorizationHeader(user.id),
-            },
+            headers: generateAuthenticatedUserRequestHeaders({ userId: user.id }),
           });
 
           // then

diff --git a/...ation/certification-center-memberships/certification-center-membership-controller_test.js b/...ation/certification-center-memberships/certification-center-membership-controller_test.js
@@ -4,7 +4,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
   insertUserWithRoleSuperAdmin,
 } from '../../../test-helper.js';
 
@@ -40,9 +40,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
             const request = {
               method: 'DELETE',
               url: `/api/admin/certification-center-memberships/${certificationCenterMembership.id}`,
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(pixAgentWithCertifRole.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: pixAgentWithCertifRole.id }),
             };
 
             await databaseBuilder.commit();
@@ -64,9 +62,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
             const request = {
               method: 'DELETE',
               url: `/api/admin/certification-center-memberships/${certificationCenterMembership.id}`,
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(userWithoutRole.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: userWithoutRole.id }),
             };
 
             await databaseBuilder.commit();
@@ -87,9 +83,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
             const request = {
               method: 'DELETE',
               url: `/api/admin/certification-center-memberships/${nonexistentCertificationCenterMembershipId}`,
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(pixAgentWithAdminRole.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: pixAgentWithAdminRole.id }),
             };
 
             await databaseBuilder.commit();
@@ -141,9 +135,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
                 },
               },
             },
-            headers: {
-              authorization: generateValidRequestAuthorizationHeader(certifCenterAdminUser.id),
-            },
+            headers: generateAuthenticatedUserRequestHeaders({ userId: certifCenterAdminUser.id }),
           };
           await databaseBuilder.commit();
 
@@ -190,9 +182,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
                   },
                 },
               },
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(certifCenterMemberUser.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: certifCenterMemberUser.id }),
             };
             await databaseBuilder.commit();
 
@@ -231,9 +221,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
                   },
                 },
               },
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(certifCenterAdminUser.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: certifCenterAdminUser.id }),
             };
             await databaseBuilder.commit();
 
@@ -267,9 +255,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
                   },
                 },
               },
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(certifCenterAdminUser.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: certifCenterAdminUser.id }),
             };
             await databaseBuilder.commit();
 
@@ -309,9 +295,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
             const request = {
               method: 'DELETE',
               url: `/api/certification-center-memberships/${certificationCenterMembership.id}`,
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(pixCertifAdminUser.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: pixCertifAdminUser.id }),
             };
 
             await databaseBuilder.commit();
@@ -333,9 +317,7 @@ describe('Acceptance | API | Certification Center Membership', function () {
             const request = {
               method: 'DELETE',
               url: `/api/certification-center-memberships/${certificationCenterMembership.id}`,
-              headers: {
-                authorization: generateValidRequestAuthorizationHeader(userWithoutRole.id),
-              },
+              headers: generateAuthenticatedUserRequestHeaders({ userId: userWithoutRole.id }),
             };
 
             await databaseBuilder.commit();

diff --git a/...ests/acceptance/application/certification-centers/certification-center-controller_test.js b/...ests/acceptance/application/certification-centers/certification-center-controller_test.js
@@ -4,7 +4,7 @@ import {
   createServer,
   databaseBuilder,
   expect,
-  generateValidRequestAuthorizationHeader,
+  generateAuthenticatedUserRequestHeaders,
   insertUserWithRoleSuperAdmin,
   knex,
 } from '../../../test-helper.js';
@@ -37,7 +37,7 @@ describe('Acceptance | API | Certification Center', function () {
       const request = {
         method: 'GET',
         url: '/api/certification-centers/' + certificationCenter.id + '/divisions',
-        headers: { authorization: generateValidRequestAuthorizationHeader(user.id) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId: user.id }),
       };
 
       // when
@@ -63,9 +63,7 @@ describe('Acceptance | API | Certification Center', function () {
 
         // when
         const response = await server.inject({
-          headers: {
-            authorization: generateValidRequestAuthorizationHeader(),
-          },
+          headers: generateAuthenticatedUserRequestHeaders(),
           method: 'GET',
           url: `/api/admin/certification-centers/${certificationCenter.id}/certification-center-memberships`,
         });
@@ -91,9 +89,7 @@ describe('Acceptance | API | Certification Center', function () {
 
         // when
         const response = await server.inject({
-          headers: {
-            authorization: generateValidRequestAuthorizationHeader(),
-          },
+          headers: generateAuthenticatedUserRequestHeaders(),
           method: 'GET',
           url: `/api/admin/certification-centers/${certificationCenter.id}/certification-center-memberships`,
         });
@@ -172,9 +168,7 @@ describe('Acceptance | API | Certification Center', function () {
       databaseBuilder.factory.buildCoreSubscription({ certificationCandidateId: candidate.id });
       await databaseBuilder.commit();
       const request = {
-        headers: {
-          authorization: generateValidRequestAuthorizationHeader(userId),
-        },
+        headers: generateAuthenticatedUserRequestHeaders({ userId }),
         method: 'GET',
         url: `/api/certification-centers/${certificationCenterId}/session-summaries?page[number]=1&page[size]=10`,
       };
@@ -214,9 +208,7 @@ describe('Acceptance | API | Certification Center', function () {
       databaseBuilder.factory.buildUser({ email });
 
       request = {
-        headers: {
-          authorization: generateValidRequestAuthorizationHeader(),
-        },
+        headers: generateAuthenticatedUserRequestHeaders(),
         method: 'POST',
         url: `/api/admin/certification-centers/${certificationCenterId}/certification-center-memberships`,
         payload: { email },
@@ -236,7 +228,7 @@ describe('Acceptance | API | Certification Center', function () {
     context('when user is not SuperAdmin', function () {
       it('should return 403 HTTP status code ', async function () {
         // given
-        request.headers.authorization = generateValidRequestAuthorizationHeader(1111);
+        request.headers = generateAuthenticatedUserRequestHeaders({ userId: 1111 });
 
         // when
         const response = await server.inject(request);
@@ -339,7 +331,7 @@ describe('Acceptance | API | Certification Center', function () {
         method: 'POST',
         url: `/api/certif/certification-centers/${certificationCenterId}/update-referer`,
         payload,
-        headers: { authorization: generateValidRequestAuthorizationHeader(certificationCenterMemberId) },
+        headers: generateAuthenticatedUserRequestHeaders({ userId: certificationCenterMemberId }),
       };
 
       // when
@@ -382,7 +374,7 @@ describe('Acceptance | API | Certification Center', function () {
           method: 'POST',
           url: `/api/certification-centers/${certificationCenterId}/session`,
           payload,
-          headers: { authorization: generateValidRequestAuthorizationHeader(userId) },
+          headers: generateAuthenticatedUserRequestHeaders({ userId }),
         };
 
         // when
@@ -433,7 +425,7 @@ describe('Acceptance | API | Certification Center', function () {
           method: 'POST',
           url: `/api/certification-centers/${certificationCenterId}/session`,
           payload,
-          headers: { authorization: generateValidRequestAuthorizationHeader(userId) },
+          headers: generateAuthenticatedUserRequestHeaders({ userId }),
         };
 
         // when

diff --git a/api/tests/acceptance/application/countries/countries-controller_test.js b/api/tests/acceptance/application/countries/countries-controller_test.js
@@ -1,4 +1,4 @@
-import { createServer, expect, generateValidRequestAuthorizationHeader } from '../../../test-helper.js';
+import { createServer, expect, generateAuthenticatedUserRequestHeaders } from '../../../test-helper.js';
 
 describe('Acceptance | API | countries-controller', function () {
   let server;
@@ -13,9 +13,7 @@ describe('Acceptance | API | countries-controller', function () {
       const options = {
         method: 'GET',
         url: '/api/countries',
-        headers: {
-          authorization: generateValidRequestAuthorizationHeader({ userId: 12345 }),
-        },
+        headers: generateAuthenticatedUserRequestHeaders({ userId: 12345 }),
       };
 
       // when