Add required authorization header to queue-status endpoint, using new shared secret.

Author: lukemelia

packages/matrix/helpers/isolated-realm-server.ts

@@ -27,6 +27,7 @@ export async function startServer() {
   process.env.PGPORT = '5435';
   process.env.PGDATABASE = `test_db_${Math.floor(10000000 * Math.random())}`;
   process.env.NODE_NO_WARNINGS = '1';
+  process.env.REALM_SERVER_SECRET_SEED = "mum's the word";
   process.env.REALM_SECRET_SEED = "shhh! it's a secret";
   process.env.MATRIX_URL = 'http://localhost:8008';
   process.env.REALM_SERVER_MATRIX_USERNAME = 'realm_server';

packages/realm-server/handlers/handle-create-session.ts

@@ -16,11 +16,11 @@ const log = logger('realm-server');
 
 export default function handleCreateSessionRequest({
   matrixClient,
-  secretSeed,
+  realmSecretSeed,
 }: CreateRoutesArgs): (ctxt: Koa.Context, next: Koa.Next) => Promise<void> {
   let matrixBackendAuthentication = new MatrixBackendAuthentication(
     matrixClient,
-    secretSeed,
+    realmSecretSeed,
     {
       badRequest: function (message: string) {
         return new Response(JSON.stringify({ errors: message }), {
@@ -36,7 +36,7 @@ export default function handleCreateSessionRequest({
         return new Response(body, init);
       },
       createJWT: async (user: string, sessionRoom: string) =>
-        createJWT({ user, sessionRoom }, secretSeed),
+        createJWT({ user, sessionRoom }, realmSecretSeed),
     } as Utils,
   );
 

packages/realm-server/handlers/handle-queue-status.ts

@@ -2,11 +2,30 @@ import Koa from 'koa';
 import { query, SupportedMimeType } from '@cardstack/runtime-common';
 import { setContextResponse } from '../middleware';
 import { CreateRoutesArgs } from '../routes';
+import { monitoringAuthToken } from '../utils/monitoring';
 
+function isAuthorizedToViewMonitoring(
+  request: Koa.Request,
+  realmServerSecretSeed: string,
+): boolean {
+  return (
+    request.headers['authorization'] ===
+    `Bearer ${monitoringAuthToken(realmServerSecretSeed)}`
+  );
+}
 export default function handleQueueStatusRequest({
   dbAdapter,
+  realmServerSecretSeed,
 }: CreateRoutesArgs): (ctxt: Koa.Context, next: Koa.Next) => Promise<void> {
   return async function (ctxt: Koa.Context, _next: Koa.Next) {
+    if (!isAuthorizedToViewMonitoring(ctxt.request, realmServerSecretSeed)) {
+      return setContextResponse(
+        ctxt,
+        new Response('Unauthorized', {
+          status: 401,
+        }),
+      );
+    }
     let [{ pending_job_count }] = (await query(dbAdapter, [
       `SELECT COUNT(*) as pending_job_count FROM jobs WHERE status='unfulfilled'`,
     ])) as {

packages/realm-server/main.ts

@@ -23,6 +23,14 @@ if (process.env.NODE_ENV === 'test') {
   (globalThis as any).__environment = 'test';
 }
 
+const REALM_SERVER_SECRET_SEED = process.env.REALM_SERVER_SECRET_SEED;
+if (!REALM_SERVER_SECRET_SEED) {
+  console.error(
+    `The REALM_SERVER_SECRET_SEED environment variable is not set. Please make sure this env var has a value`,
+  );
+  process.exit(-1);
+}
+
 const REALM_SECRET_SEED = process.env.REALM_SECRET_SEED;
 if (!REALM_SECRET_SEED) {
   console.error(
@@ -253,7 +261,8 @@ let autoMigrate = migrateDB || undefined;
     virtualNetwork,
     matrixClient,
     realmsRootPath,
-    secretSeed: REALM_SECRET_SEED,
+    realmServerSecretSeed: REALM_SERVER_SECRET_SEED,
+    realmSecretSeed: REALM_SECRET_SEED,
     dbAdapter,
     queue,
     assetsURL: dist,

packages/realm-server/package.json

@@ -3,6 +3,7 @@
   "version": "0.0.0",
   "license": "MIT",
   "devDependencies": {
+    "@aws-crypto/sha256-js": "^5.2.0",
     "@cardstack/billing": "workspace:*",
     "@cardstack/boxel-icons": "workspace:*",
     "@cardstack/boxel-ui": "workspace:*",

packages/realm-server/routes.ts

@@ -15,7 +15,8 @@ import handleQueueStatusRequest from './handlers/handle-queue-status';
 export type CreateRoutesArgs = {
   dbAdapter: DBAdapter;
   matrixClient: MatrixClient;
-  secretSeed: string;
+  realmServerSecretSeed: string;
+  realmSecretSeed: string;
   virtualNetwork: VirtualNetwork;
   createRealm: ({
     ownerUserId,
@@ -45,20 +46,20 @@ export function createRoutes(args: CreateRoutesArgs) {
   router.post('/_server-session', handleCreateSessionRequest(args));
   router.post(
     '/_create-realm',
-    jwtMiddleware(args.secretSeed),
+    jwtMiddleware(args.realmSecretSeed),
     handleCreateRealmRequest(args),
   );
   router.get('/_catalog-realms', handleFetchCatalogRealmsRequest(args));
   router.get('/_queue-status', handleQueueStatusRequest(args));
   router.post('/_stripe-webhook', handleStripeWebhookRequest(args));
   router.get(
     '/_user',
-    jwtMiddleware(args.secretSeed),
+    jwtMiddleware(args.realmSecretSeed),
     handleFetchUserRequest(args),
   );
   router.post(
     '/_user',
-    jwtMiddleware(args.secretSeed),
+    jwtMiddleware(args.realmSecretSeed),
     handleCreateUserRequest(args),
   );
   router.get('/_stripe-links', handleStripeLinksRequest());

packages/realm-server/scripts/start-base.sh

@@ -13,6 +13,7 @@ NODE_ENV=development \
   NODE_NO_WARNINGS=1 \
   PGPORT=5435 \
   PGDATABASE=boxel_base \
+  REALM_SERVER_SECRET_SEED="mum's the word" \
   REALM_SECRET_SEED="shhh! it's a secret" \
   MATRIX_URL=http://localhost:8008 \
   REALM_SERVER_MATRIX_USERNAME=realm_server \

packages/realm-server/scripts/start-development.sh

@@ -14,6 +14,7 @@ NODE_ENV=development \
   PGPORT=5435 \
   PGDATABASE=boxel \
   LOG_LEVELS='*=info' \
+  REALM_SERVER_SECRET_SEED="mum's the word" \
   REALM_SECRET_SEED="shhh! it's a secret" \
   MATRIX_URL=http://localhost:8008 \
   REALM_SERVER_MATRIX_USERNAME=realm_server \

packages/realm-server/scripts/start-test-realms.sh

@@ -13,6 +13,7 @@ NODE_ENV=test \
   PGPORT=5435 \
   PGDATABASE=boxel_test \
   NODE_NO_WARNINGS=1 \
+  REALM_SERVER_SECRET_SEED="mum's the word" \
   REALM_SECRET_SEED="shhh! it's a secret" \
   MATRIX_URL=http://localhost:8008 \
   REALM_SERVER_MATRIX_USERNAME=realm_server \

packages/realm-server/server.ts

@@ -59,7 +59,8 @@ export class RealmServer {
   private realms: Realm[];
   private virtualNetwork: VirtualNetwork;
   private matrixClient: MatrixClient;
-  private secretSeed: string;
+  private realmServerSecretSeed: string;
+  private realmSecretSeed: string;
   private realmsRootPath: string;
   private dbAdapter: DBAdapter;
   private queue: QueuePublisher;
@@ -79,7 +80,8 @@ export class RealmServer {
     realms,
     virtualNetwork,
     matrixClient,
-    secretSeed,
+    realmServerSecretSeed,
+    realmSecretSeed,
     realmsRootPath,
     dbAdapter,
     queue,
@@ -94,7 +96,8 @@ export class RealmServer {
     realms: Realm[];
     virtualNetwork: VirtualNetwork;
     matrixClient: MatrixClient;
-    secretSeed: string;
+    realmServerSecretSeed: string;
+    realmSecretSeed: string;
     realmsRootPath: string;
     dbAdapter: DBAdapter;
     queue: QueuePublisher;
@@ -116,7 +119,8 @@ export class RealmServer {
     this.serverURL = serverURL;
     this.virtualNetwork = virtualNetwork;
     this.matrixClient = matrixClient;
-    this.secretSeed = secretSeed;
+    this.realmSecretSeed = realmSecretSeed;
+    this.realmServerSecretSeed = realmServerSecretSeed;
     this.realmsRootPath = realmsRootPath;
     this.seedPath = seedPath;
     this.seedRealmURL = seedRealmURL;
@@ -164,7 +168,8 @@ export class RealmServer {
         createRoutes({
           dbAdapter: this.dbAdapter,
           matrixClient: this.matrixClient,
-          secretSeed: this.secretSeed,
+          realmServerSecretSeed: this.realmServerSecretSeed,
+          realmSecretSeed: this.realmSecretSeed,
           virtualNetwork: this.virtualNetwork,
           createRealm: this.createRealm,
           serveIndex: this.serveIndex,
@@ -326,7 +331,7 @@ export class RealmServer {
       matrixURL: this.matrixClient.matrixURL,
       displayname: username,
       username,
-      password: await passwordFromSeed(username, this.secretSeed),
+      password: await passwordFromSeed(username, this.realmSecretSeed),
       registrationSecret: await this.getMatrixRegistrationSecret(),
     });
     this.log.debug(`created realm bot user '${userId}' for new realm ${url}`);
@@ -370,7 +375,7 @@ export class RealmServer {
       {
         url,
         adapter,
-        secretSeed: this.secretSeed,
+        secretSeed: this.realmSecretSeed,
         virtualNetwork: this.virtualNetwork,
         dbAdapter: this.dbAdapter,
         queue: this.queue,
@@ -430,7 +435,7 @@ export class RealmServer {
           let realm = new Realm({
             url,
             adapter,
-            secretSeed: this.secretSeed,
+            secretSeed: this.realmSecretSeed,
             virtualNetwork: this.virtualNetwork,
             dbAdapter: this.dbAdapter,
             queue: this.queue,

packages/realm-server/tests/helpers/index.ts

@@ -61,7 +61,8 @@ export const realmServerTestMatrix: MatrixConfig = {
   url: matrixURL,
   username: 'node-test_realm-server',
 };
-export const secretSeed = `shhh! it's a secret`;
+export const realmServerSecretSeed = "mum's the word";
+export const realmSecretSeed = `shhh! it's a secret`;
 export const matrixRegistrationSecret: string =
   getSynapseConfig()!.registration_shared_secret; // as long as synapse has been started at least once, this will always exist
 
@@ -236,14 +237,14 @@ export async function createRealm({
       indexRunner,
       virtualNetwork,
       matrixURL: matrixConfig.url,
-      secretSeed,
+      secretSeed: realmSecretSeed,
     });
   }
   let realm = new Realm({
     url: realmURL,
     adapter,
     matrix: matrixConfig,
-    secretSeed,
+    secretSeed: realmSecretSeed,
     virtualNetwork,
     dbAdapter,
     queue: publisher,
@@ -299,7 +300,7 @@ export async function runBaseRealmServer(
     indexRunner,
     virtualNetwork,
     matrixURL,
-    secretSeed,
+    secretSeed: realmSecretSeed,
   });
   let testBaseRealm = await createRealm({
     dir: basePath,
@@ -316,13 +317,14 @@ export async function runBaseRealmServer(
   let matrixClient = new MatrixClient({
     matrixURL: realmServerTestMatrix.url,
     username: realmServerTestMatrix.username,
-    seed: secretSeed,
+    seed: realmSecretSeed,
   });
   let testBaseRealmServer = new RealmServer({
     realms: [testBaseRealm],
     virtualNetwork,
     matrixClient,
-    secretSeed,
+    realmServerSecretSeed,
+    realmSecretSeed,
     matrixRegistrationSecret,
     realmsRootPath,
     dbAdapter,
@@ -367,7 +369,7 @@ export async function runTestRealmServer({
     indexRunner,
     virtualNetwork,
     matrixURL,
-    secretSeed,
+    secretSeed: realmSecretSeed,
   });
   await worker.run();
   let testRealm = await createRealm({
@@ -402,13 +404,14 @@ export async function runTestRealmServer({
   let matrixClient = new MatrixClient({
     matrixURL: realmServerTestMatrix.url,
     username: realmServerTestMatrix.username,
-    seed: secretSeed,
+    seed: realmSecretSeed,
   });
   let testRealmServer = new RealmServer({
     realms,
     virtualNetwork,
     matrixClient,
-    secretSeed,
+    realmServerSecretSeed,
+    realmSecretSeed,
     matrixRegistrationSecret,
     realmsRootPath,
     dbAdapter,

packages/realm-server/tests/realm-endpoints-test.ts

@@ -39,7 +39,8 @@ import {
   setupDB,
   createRealm,
   realmServerTestMatrix,
-  secretSeed,
+  realmServerSecretSeed,
+  realmSecretSeed,
   createVirtualNetwork,
   createVirtualNetworkAndLoader,
   matrixURL,
@@ -3756,14 +3757,15 @@ module(basename(__filename), function () {
         let matrixClient = new MatrixClient({
           matrixURL: realmServerTestMatrix.url,
           username: realmServerTestMatrix.username,
-          seed: secretSeed,
+          seed: realmSecretSeed,
         });
         let getIndexHTML = (await getFastbootState()).getIndexHTML;
         testRealmServer = new RealmServer({
           realms: [base, testRealm],
           virtualNetwork,
           matrixClient,
-          secretSeed,
+          realmServerSecretSeed,
+          realmSecretSeed,
           matrixRegistrationSecret,
           realmsRootPath: dir.name,
           dbAdapter,