Refactor the logic around handling public tokens

This introduces TokenSource interface which allows us to retrieve the
tokens either from cookies or from headers (or both).

When cookies are used it also adds additional security items like
fingerprints and setting some cookies as http-only and some not

Author: mvantellingen

README.md

@@ -20,3 +20,17 @@ When a federated services creates a new token (when non exist) it can also
 return a refresh token in the `x-refresh-token` header. The gateway will then
 encrypt all refresh tokens and encrypt them before passing them to the client
 as `x-refresh-token` header.
+
+
+# Token sources
+
+
+## Cookie Token Source
+This token source is used for browser clients to safely store the token. It is
+implemented via 4 cookies:
+ - accessToken - The JWT token
+ - tokenFingerprint - A random string that is used to protect the AccessToken
+   cookie from CSRF attacks. It is stored as HTTP_ONLY cookie.
+ - refreshToken - The refresh token, if any. It is stored as HTTP_ONLY cookie.
+ - refreshTokenExists - A boolean value that indicates if a refresh token exists
+   for the user. It is used to determine if the user is new or not.

package.json

@@ -43,12 +43,15 @@
 	"devDependencies": {
 		"@changesets/cli": "^2.26.2",
 		"@sentry/types": "7.55.0",
+		"@types/cookie-parser": "^1.4.3",
 		"@types/crypto-js": "4.1.1",
+		"@types/express": "^4.17.17",
 		"@types/lodash-es": "4.17.7",
 		"@typescript-eslint/eslint-plugin": "^5.60.1",
 		"@vitest/coverage-v8": "0.32.2",
 		"eslint": "^8.40.0",
 		"eslint-plugin-unused-imports": "^2.0.0",
+		"node-mocks-http": "^1.12.2",
 		"tsup": "^7.1.0",
 		"typescript": "^5.1.5",
 		"vitest": "0.32.2"

pnpm-lock.yaml

@@ -62,7 +62,7 @@ export class FederatedGraphQLDataSource extends RemoteGraphQLDataSource<PublicFe
 			if (!context.federatedToken) {
 				context.federatedToken = new PublicFederatedToken();
 			}
-			context.federatedToken.loadRefreshToken(refreshToken);
+			context.federatedToken.loadRefreshToken(refreshToken, true);
 		}
 		return response;
 	}

src/datasource.ts

@@ -0,0 +1,19 @@
+import { randomBytes } from "crypto";
+import { createHash } from "node:crypto";
+
+export const generateFingerprint = (): string => {
+  const length = 32;
+  const buffer = randomBytes(Math.ceil(length / 2));
+  return buffer.toString("hex").slice(0, length);
+};
+
+export const hashFingerprint = (fingerprint: string): string => {
+  const hash = createHash("sha256");
+  hash.update(fingerprint);
+  return hash.digest("hex");
+};
+
+export const validateFingerprint = (
+  fingerprint: string,
+  hashedFingerprint: string
+) => hashFingerprint(fingerprint) === hashedFingerprint;