feat: use client application repo

Co-authored-by: Guillaume Lagorce <guillaume.lagorce@pix.fr>
Co-authored-by: Nicolas Lepage <19571875+nlepage@users.noreply.github.com>

Author: 3 people

Diff for: api/db/database-builder/factory/build-client-application.js

@@ -1,3 +1,4 @@
+import { cryptoService } from '../../../src/shared/domain/services/crypto-service.js';
 import { databaseBuffer } from '../database-buffer.js';
 
 export function buildClientApplication({
@@ -7,13 +8,15 @@ export function buildClientApplication({
   clientSecret = 'super-secret',
   scopes = ['scope1', 'scope2'],
 } = {}) {
+  // eslint-disable-next-line no-sync
+  const hashedSecret = cryptoService.hashPasswordSync(clientSecret);
   return databaseBuffer.pushInsertable({
     tableName: 'client_applications',
     values: {
       id,
       name,
       clientId,
-      clientSecret,
+      clientSecret: hashedSecret,
       scopes,
     },
   });

Diff for: api/lib/domain/usecases/authenticate-application.js

@@ -1,46 +1,50 @@
-import lodash from 'lodash';
-
 import { config } from '../../../src/shared/config.js';
 import {
   ApplicationScopeNotAllowedError,
   ApplicationWithInvalidClientIdError,
   ApplicationWithInvalidClientSecretError,
 } from '../../../src/shared/domain/errors.js';
-const { apimRegisterApplicationsCredentials, jwtConfig } = config;
-
-const { find } = lodash;
 
-const authenticateApplication = async function ({ clientId, clientSecret, scope, tokenService }) {
-  const application = find(apimRegisterApplicationsCredentials, { clientId });
-  _checkClientId(application, clientId);
-  _checkClientSecret(application, clientSecret);
+const { authentication } = config;
+
+export async function authenticateApplication({
+  clientId,
+  clientSecret,
+  scope,
+  tokenService,
+  clientApplicationRepository,
+  cryptoService,
+}) {
+  const application = await clientApplicationRepository.findByClientId(clientId);
+  _checkApplication(application, clientId);
+  await _checkClientSecret(application, clientSecret, cryptoService);
   _checkAppScope(application, scope);
 
   return tokenService.createAccessTokenFromApplication(
     clientId,
-    application.source,
+    application.name,
     scope,
-    jwtConfig[application.source].secret,
-    jwtConfig[application.source].tokenLifespan,
+    authentication.secret,
+    authentication.accessTokenLifespanMs,
   );
-};
+}
 
-function _checkClientId(application, clientId) {
-  if (!application || application.clientId !== clientId) {
+function _checkApplication(application) {
+  if (!application) {
     throw new ApplicationWithInvalidClientIdError('The client ID is invalid.');
   }
 }
 
-function _checkClientSecret(application, clientSecret) {
-  if (application.clientSecret !== clientSecret) {
+async function _checkClientSecret(application, clientSecret, cryptoService) {
+  try {
+    await cryptoService.checkPassword({ password: clientSecret, passwordHash: application.clientSecret });
+  } catch {
     throw new ApplicationWithInvalidClientSecretError('The client secret is invalid.');
   }
 }
 
 function _checkAppScope(application, scope) {
-  if (application.scope !== scope) {
+  if (!application.scopes.includes(scope)) {
     throw new ApplicationScopeNotAllowedError('The scope is invalid.');
   }
 }
-
-export { authenticateApplication };

Diff for: api/lib/domain/usecases/index.js

@@ -79,6 +79,7 @@ import * as resetPasswordService from '../../../src/identity-access-management/d
 import { scoAccountRecoveryService } from '../../../src/identity-access-management/domain/services/sco-account-recovery.service.js';
 import { accountRecoveryDemandRepository } from '../../../src/identity-access-management/infrastructure/repositories/account-recovery-demand.repository.js';
 import * as authenticationMethodRepository from '../../../src/identity-access-management/infrastructure/repositories/authentication-method.repository.js';
+import { clientApplicationRepository } from '../../../src/identity-access-management/infrastructure/repositories/client-application.repository.js';
 import { emailValidationDemandRepository } from '../../../src/identity-access-management/infrastructure/repositories/email-validation-demand.repository.js';
 // Not used in lib
 import { userAnonymizedEventLoggingJobRepository } from '../../../src/identity-access-management/infrastructure/repositories/jobs/user-anonymized-event-logging-job-repository.js';
@@ -244,6 +245,7 @@ const dependencies = {
   certificationCpfCityRepository,
   certificationOfficerRepository,
   challengeRepository,
+  clientApplicationRepository,
   codeGenerator,
   codeUtils,
   competenceEvaluationRepository,

Diff for: api/tests/acceptance/application/authentication/authentication-route_test.js

@@ -133,6 +133,14 @@ describe('Acceptance | Controller | authentication-controller', function () {
           'x-forwarded-host': 'app.pix.fr',
         },
       };
+
+      databaseBuilder.factory.buildClientApplication({
+        name: 'osmose',
+        clientId: OSMOSE_CLIENT_ID,
+        clientSecret: OSMOSE_CLIENT_SECRET,
+        scopes: [SCOPE],
+      });
+      await databaseBuilder.commit();
     });
 
     it('should return an 200 with accessToken when clientId, client secret and scope are registred', async function () {

Diff for: api/tests/prescription/organization-place/acceptance/application/get-data-organization-places_test.js

@@ -1,39 +1,31 @@
 import querystring from 'node:querystring';
 
-import { createServer, expect } from '../../../../test-helper.js';
+import {
+  createServer,
+  databaseBuilder,
+  expect,
+  generateValidRequestAuthorizationHeaderForApplication,
+} from '../../../../test-helper.js';
 
 describe('Acceptance | Route | Get Data Organization Places', function () {
   describe('GET /api/data/organization-places', function () {
     it('should return 200 HTTP status code', async function () {
       // given
       const PIX_DATA_CLIENT_ID = 'test-pixDataCliendId';
-      const PIX_DATA_CLIENT_SECRET = 'pixDataClientSecret';
       const PIX_DATA_SCOPE = 'statistics';
 
       const server = await createServer();
 
-      const optionsForToken = {
-        method: 'POST',
-        url: `/api/application/token`,
-        headers: {
-          'content-type': 'application/x-www-form-urlencoded',
-        },
-        payload: querystring.stringify({
-          grant_type: 'client_credentials',
-          client_id: PIX_DATA_CLIENT_ID,
-          client_secret: PIX_DATA_CLIENT_SECRET,
-          scope: PIX_DATA_SCOPE,
-        }),
-      };
-      const tokenResponse = await server.inject(optionsForToken);
-      const accessToken = tokenResponse.result.access_token;
-
       // when
       const options = {
         method: 'GET',
         url: `/api/data/organization-places`,
         headers: {
-          authorization: `Bearer ${accessToken}`,
+          authorization: generateValidRequestAuthorizationHeaderForApplication(
+            PIX_DATA_CLIENT_ID,
+            'pix-data',
+            PIX_DATA_SCOPE,
+          ),
         },
       };
 

Diff for: api/tests/unit/domain/usecases/authenticate-application_test.js

@@ -1,20 +1,27 @@
 import { authenticateApplication } from '../../../../lib/domain/usecases/authenticate-application.js';
+import { PasswordNotMatching } from '../../../../src/identity-access-management/domain/errors.js';
+import { config } from '../../../../src/shared/config.js';
 import {
   ApplicationScopeNotAllowedError,
   ApplicationWithInvalidClientIdError,
   ApplicationWithInvalidClientSecretError,
 } from '../../../../src/shared/domain/errors.js';
-import { catchErr, expect, sinon } from '../../../test-helper.js';
+import { catchErr, domainBuilder, expect, sinon } from '../../../test-helper.js';
 
 describe('Unit | Usecase | authenticate-application', function () {
   context('when application is not found', function () {
     it('should throw an error', async function () {
-      const client = {
+      const payload = {
         clientId: Symbol('id'),
         clientSecret: Symbol('secret'),
       };
 
-      const err = await catchErr(authenticateApplication)(client);
+      const clientApplicationRepository = {
+        findByClientId: sinon.stub(),
+      };
+      clientApplicationRepository.findByClientId.withArgs(payload.clientId).resolves(undefined);
+
+      const err = await catchErr(authenticateApplication)({ ...payload, clientApplicationRepository });
 
       expect(err).to.be.instanceOf(ApplicationWithInvalidClientIdError);
     });
@@ -23,48 +30,111 @@ describe('Unit | Usecase | authenticate-application', function () {
   context('when application is found', function () {
     context('when client secrets are different', function () {
       it('should throw an error', async function () {
-        const client = {
+        const payload = {
           clientId: 'test-apimOsmoseClientId',
-          clientSecret: Symbol('toto'),
+          clientSecret: 'mauvais-secret',
+        };
+
+        const clientApplicationRepository = {
+          findByClientId: sinon.stub(),
         };
+        const application = domainBuilder.buildClientApplication({
+          name: 'test-apimOsmoseClientId',
+          clientSecret: 'mon-secret',
+          scopes: [],
+        });
+        clientApplicationRepository.findByClientId.withArgs(payload.clientId).resolves(application);
 
-        const err = await catchErr(authenticateApplication)(client);
+        const cryptoService = {
+          checkPassword: sinon.stub(),
+        };
+        cryptoService.checkPassword
+          .withArgs({ password: payload.clientSecret, passwordHash: application.clientSecret })
+          .rejects(new PasswordNotMatching());
+
+        const err = await catchErr(authenticateApplication)({ ...payload, clientApplicationRepository, cryptoService });
 
         expect(err).to.be.instanceOf(ApplicationWithInvalidClientSecretError);
       });
     });
 
     context('when client scopes are different', function () {
       it('should throw an error', async function () {
-        const client = {
+        const payload = {
           clientId: 'test-apimOsmoseClientId',
-          clientSecret: 'test-apimOsmoseClientSecret',
+          clientSecret: 'bon-secret',
           scope: 'mauvais-scope',
         };
 
-        const err = await catchErr(authenticateApplication)(client);
+        const clientApplicationRepository = {
+          findByClientId: sinon.stub(),
+        };
+        const application = domainBuilder.buildClientApplication({
+          name: 'test-apimOsmoseClientId',
+          clientSecret: 'bon-secret',
+          scopes: ['bon-scope'],
+        });
+        clientApplicationRepository.findByClientId.withArgs(payload.clientId).resolves(application);
+
+        const cryptoService = {
+          checkPassword: sinon.stub(),
+        };
+        cryptoService.checkPassword
+          .withArgs({ password: payload.clientSecret, passwordHash: application.clientSecret })
+          .resolves();
+
+        const err = await catchErr(authenticateApplication)({ ...payload, clientApplicationRepository, cryptoService });
 
         expect(err).to.be.instanceOf(ApplicationScopeNotAllowedError);
       });
     });
 
     context('when given information is correct', function () {
       it('should return created token', async function () {
-        const client = {
+        const payload = {
           clientId: 'test-apimOsmoseClientId',
-          clientSecret: 'test-apimOsmoseClientSecret',
-          scope: 'organizations-certifications-result',
+          clientSecret: 'bon-secret',
+          scope: 'bon-scope',
+        };
+
+        const clientApplicationRepository = {
+          findByClientId: sinon.stub(),
+        };
+        const application = domainBuilder.buildClientApplication({
+          name: 'mon-application',
+          clientId: 'test-apimOsmoseClientId',
+          clientSecret: 'bon-secret',
+          scopes: ['bon-scope'],
+        });
+        clientApplicationRepository.findByClientId.withArgs(payload.clientId).resolves(application);
+
+        const cryptoService = {
+          checkPassword: sinon.stub(),
         };
+        cryptoService.checkPassword
+          .withArgs({ password: payload.clientSecret, passwordHash: application.clientSecret })
+          .resolves();
 
         const tokenService = {
           createAccessTokenFromApplication: sinon.stub(),
         };
         const expectedToken = Symbol('Mon Super token');
         tokenService.createAccessTokenFromApplication
-          .withArgs(client.clientId, 'livretScolaire', client.scope, 'test-secretOsmose', '4h')
+          .withArgs(
+            application.clientId,
+            application.name,
+            payload.scope,
+            config.authentication.secret,
+            config.authentication.accessTokenLifespanMs,
+          )
           .resolves(expectedToken);
 
-        const token = await authenticateApplication({ ...client, tokenService });
+        const token = await authenticateApplication({
+          ...payload,
+          tokenService,
+          clientApplicationRepository,
+          cryptoService,
+        });
 
         expect(token).to.be.equal(expectedToken);
       });