feat: Add webhooks

Allow calling application server for authorizing some operations,
and send notifications after they succeed.

Also add a global flag to disable signups compltetely
on demo instances.

Author: franky47

packages/server/src/env.ts

@@ -30,6 +30,8 @@ const envSchema = z.object({
     ),
 
   // Optional variables
+  ENABLE_SIGNUP: booleanSchema.optional().default('true'),
+  WEBHOOK_URL: z.string().url().optional(),
   DEBUG: booleanSchema.default('false'),
   CORS_FORCE_ENABLE: booleanSchema.default('false'),
   DATABASE_MAX_SIZE_BYTES: z

packages/server/src/plugins/pkg.ts

@@ -0,0 +1,34 @@
+import type { FastifyPluginAsync } from 'fastify'
+import fp from 'fastify-plugin'
+import fs from 'node:fs/promises'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { z } from 'zod'
+import type { App } from '../types'
+
+const packageJsonSchema = z.object({
+  name: z.string(),
+  version: z.string(),
+  license: z.string(),
+  description: z.string(),
+})
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    pkg: z.infer<typeof packageJsonSchema>
+  }
+}
+
+const pkgPlugin: FastifyPluginAsync = async (app: App) => {
+  const packageJsonPath = path.resolve(
+    path.dirname(fileURLToPath(import.meta.url)),
+    '../../package.json'
+  )
+  const packageJson = await fs.readFile(packageJsonPath, { encoding: 'utf8' })
+  app.decorate('pkg', packageJsonSchema.parse(JSON.parse(packageJson)))
+}
+
+export default fp(pkgPlugin, {
+  fastify: '4.x',
+  name: 'pkg',
+})

packages/server/src/plugins/swagger.ts

@@ -2,13 +2,10 @@ import swagger from '@fastify/swagger'
 import swaggerUI from '@fastify/swagger-ui'
 import type { FastifyPluginAsync } from 'fastify'
 import fp from 'fastify-plugin'
-import { createRequire } from 'node:module'
 import { env } from '../env.js'
 import type { App } from '../types'
 
 const swaggerPlugin: FastifyPluginAsync = async (app: App) => {
-  const require = createRequire(import.meta.url)
-  const pkg = require('../../package.json')
   await app.register(swagger, {
     openapi: {
       tags: [
@@ -18,18 +15,17 @@ const swaggerPlugin: FastifyPluginAsync = async (app: App) => {
         { name: 'permissions', description: 'Managing authorization' },
       ],
       info: {
-        title: pkg.name,
-        version: `${pkg.version} (${env.DEPLOYMENT_TAG})`,
-        description: pkg.description,
+        title: app.pkg.name,
+        version: `${app.pkg.version} (${env.DEPLOYMENT_TAG})`,
+        description: app.pkg.description,
         license: {
-          name: pkg.license,
+          name: app.pkg.license,
           url: 'https://github.com/SocialGouv/e2esdk/blob/main/LICENSE',
         },
       },
       externalDocs: {
-        // todo: Use source URL in sceau
         description: 'GitHub repository',
-        url: 'https://github.com/SocialGouv/e2esdk',
+        url: app.codeSignature.sourceURL,
       },
     },
   })
@@ -42,4 +38,8 @@ const swaggerPlugin: FastifyPluginAsync = async (app: App) => {
 export default fp(swaggerPlugin, {
   fastify: '4.x',
   name: 'swagger',
+  dependencies: ['pkg', 'codeSignature'],
+  decorators: {
+    fastify: ['pkg', 'codeSignature'],
+  },
 })

packages/server/src/plugins/webhook.ts

@@ -0,0 +1,187 @@
+import {
+  Identity,
+  PostKeychainItemRequestBody,
+  PostSharedKeyBody,
+} from '@socialgouv/e2esdk-api'
+import { signAuth } from '@socialgouv/e2esdk-crypto'
+import type { FastifyPluginAsync, FastifyRequest } from 'fastify'
+import fp from 'fastify-plugin'
+import { env } from 'process'
+import type { App } from '../types'
+
+type Decoration = {
+  // Authorization
+  authorizeSignup(req: FastifyRequest): Promise<boolean>
+  authorizeKeyShare(
+    req: FastifyRequest,
+    sharedKey: PostSharedKeyBody
+  ): Promise<boolean>
+
+  // Notifications
+  notifySignup(req: FastifyRequest, identity: Identity): void
+  notifyKeyAdded(
+    req: FastifyRequest,
+    item: Omit<
+      PostKeychainItemRequestBody,
+      'name' | 'payload' | 'subkeyIndex' | 'signature'
+    >
+  ): void
+}
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    webhook: Decoration
+  }
+}
+
+// --
+
+type WebhookAPICallArgs = {
+  name: keyof Decoration
+  req: FastifyRequest
+  path: string
+  body?: any
+}
+
+// --
+
+const webhookPlugin: FastifyPluginAsync = async (app: App) => {
+  const baseURL = env.WEBHOOK_URL
+  if (!baseURL) {
+    const decoration: Decoration = {
+      authorizeSignup() {
+        return Promise.resolve(true)
+      },
+      authorizeKeyShare() {
+        return Promise.resolve(true)
+      },
+      notifySignup() {},
+      notifyKeyAdded() {},
+    }
+    app.decorate('webhook', decoration)
+    return
+  }
+  app.log.info({ msg: 'Setting up webhook', url: baseURL })
+
+  async function webhookApiCall({
+    req,
+    path,
+    name,
+    body: payload,
+  }: WebhookAPICallArgs) {
+    try {
+      const method = 'POST'
+      const url = baseURL + path
+      const timestamp = new Date().toISOString()
+      const userId = encodeURIComponent(req.identity.userId)
+      const body = payload ? JSON.stringify(payload) : undefined
+      const referrer =
+        typeof req.headers.referrer === 'string'
+          ? req.headers.referrer
+          : undefined
+      const signature = signAuth(
+        app.sodium,
+        app.sodium.from_base64(env.SIGNATURE_PRIVATE_KEY),
+        {
+          clientId: req.clientId,
+          method,
+          userId,
+          url,
+          timestamp,
+          body,
+          recipientPublicKey: 'none',
+        }
+      )
+      req.auditLog.trace({
+        msg: `webhook:${name}:fetch:request`,
+        method,
+        url,
+        referrer,
+        timestamp,
+        signature,
+        body,
+      })
+      const response = await fetch(url, {
+        method,
+        mode: 'no-cors',
+        cache: 'no-store',
+        credentials: 'omit',
+        redirect: 'error',
+        referrer,
+        body,
+        headers: {
+          ...(body ? { 'content-type': 'application/json' } : {}),
+          origin: env.DEPLOYMENT_URL,
+          'user-agent': `${app.pkg.name}@${app.pkg.version} Webhook`,
+          'x-e2esdk-user-id': userId,
+          'x-e2esdk-request-id': req.id,
+          'x-e2esdk-client-id': req.clientId,
+          'x-e2esdk-timestamp': timestamp,
+          'x-e2esdk-signature': signature,
+          'x-e2esdk-server-pubkey': env.SIGNATURE_PUBLIC_KEY,
+        },
+      })
+      req.auditLog.trace({
+        msg: `webhook:${name}:fetch:response`,
+        status: response.status,
+      })
+      return response
+    } catch (error) {
+      req.auditLog.trace({
+        msg: `webhook:${name}:error`,
+        error,
+      })
+      return null
+    }
+  }
+
+  const decoration: Decoration = {
+    async authorizeSignup(req) {
+      const userId = encodeURIComponent(req.identity.userId)
+      const response = await webhookApiCall({
+        req,
+        name: 'authorizeSignup',
+        path: '/authorize/signup',
+        body: {
+          userId,
+        },
+      })
+      return response?.status === 200
+    },
+    async authorizeKeyShare(req, sharedKey) {
+      const response = await webhookApiCall({
+        req,
+        name: 'authorizeKeyShare',
+        path: '/authorize/key-share',
+        body: sharedKey,
+      })
+      return response?.status === 200
+    },
+    notifySignup(req, identity) {
+      webhookApiCall({
+        req,
+        name: 'notifySignup',
+        path: '/notify/signup',
+        body: identity,
+      })
+    },
+    notifyKeyAdded(req, item) {
+      webhookApiCall({
+        req,
+        name: 'notifyKeyAdded',
+        path: '/notify/key-added',
+        body: item,
+      })
+    },
+  }
+  app.decorate('webhook', decoration)
+}
+
+export default fp(webhookPlugin, {
+  fastify: '4.x',
+  name: 'webhook',
+  dependencies: ['pkg'],
+  decorators: {
+    fastify: ['pkg'],
+  },
+})

packages/server/src/routes/auth.ts

@@ -6,6 +6,7 @@ import {
 } from '@socialgouv/e2esdk-api'
 import { zodToJsonSchema } from 'zod-to-json-schema'
 import { createIdentity } from '../database/models/identity.js'
+import { env } from '../env.js'
 import { App } from '../types'
 
 export default async function authRoutes(app: App) {
@@ -38,12 +39,23 @@ export default async function authRoutes(app: App) {
       },
     },
     async function signup(req, res) {
+      if (!env.ENABLE_SIGNUP) {
+        const reason = 'Signup is not allowed on this server'
+        req.auditLog.warn({ msg: 'signup:forbidden', body: req.body, reason })
+        throw app.httpErrors.forbidden(reason)
+      }
+      if (!(await app.webhook.authorizeSignup(req))) {
+        const reason = 'Signup not allowed by application server'
+        req.auditLog.warn({ msg: 'signup:forbidden', body: req.body, reason })
+        throw app.httpErrors.forbidden(reason)
+      }
       try {
         await createIdentity(app.db, req.body)
       } catch {
         req.auditLog.warn({ msg: 'signup:conflict', body: req.body })
         throw app.httpErrors.conflict('This account was already registered')
       }
+      app.webhook.notifySignup(req, req.body)
       req.auditLog.info({ msg: 'signup:success', body: req.body })
       return res.status(201).send(req.body)
     }

packages/server/src/routes/info.ts

@@ -1,6 +1,3 @@
-import fs from 'node:fs/promises'
-import path from 'node:path'
-import { fileURLToPath } from 'node:url'
 import { z } from 'zod'
 import { zodToJsonSchema } from 'zod-to-json-schema'
 import { env } from '../env.js'
@@ -19,25 +16,11 @@ const infoResponseBody = z.object({
 })
 type InfoResponseBody = z.infer<typeof infoResponseBody>
 
-async function readVersion() {
-  const packageJsonPath = path.resolve(
-    path.dirname(fileURLToPath(import.meta.url)),
-    '../../package.json'
-  )
-  try {
-    const packageJson = await fs.readFile(packageJsonPath, { encoding: 'utf8' })
-    return JSON.parse(packageJson).version
-  } catch {
-    return Promise.resolve('local')
-  }
-}
-
 // --
 
 export default async function infoRoutes(app: App) {
-  const version = await readVersion()
   const serverInfo: InfoResponseBody = {
-    version,
+    version: app.pkg.version,
     builtAt: app.codeSignature.timestamp,
     buildURL: app.codeSignature.buildURL,
     sourceURL: app.codeSignature.sourceURL,

packages/server/src/routes/keychain.ts

@@ -128,6 +128,14 @@ export default async function keychainRoutes(app: App) {
           body: req.body,
           isAuthor: true,
         })
+        app.webhook.notifyKeyAdded(req, {
+          createdAt: req.body.createdAt,
+          expiresAt: req.body.expiresAt,
+          nameFingerprint: req.body.nameFingerprint,
+          payloadFingerprint: req.body.payloadFingerprint,
+          ownerId: req.body.ownerId,
+          sharedBy: req.body.sharedBy,
+        })
         return res.status(201).send()
       }
 
@@ -174,6 +182,14 @@ export default async function keychainRoutes(app: App) {
         isAuthor: false,
         sharedKey,
       })
+      app.webhook.notifyKeyAdded(req, {
+        createdAt: req.body.createdAt,
+        expiresAt: req.body.expiresAt,
+        nameFingerprint: req.body.nameFingerprint,
+        payloadFingerprint: req.body.payloadFingerprint,
+        ownerId: req.body.ownerId,
+        sharedBy: req.body.sharedBy,
+      })
       return res.status(201).send()
     }
   )

packages/server/src/routes/sharedKeys.ts

@@ -104,6 +104,16 @@ export default async function sharedKeysRoutes(app: App) {
         })
         throw app.httpErrors.forbidden(reason)
       }
+      // Finally, ask the application server through a webhook
+      if (!(await app.webhook.authorizeKeyShare(req, req.body))) {
+        const reason = 'You are not allowed to share this key'
+        req.auditLog.warn({
+          msg: 'postSharedKey:forbidden',
+          reason,
+          body: req.body,
+        })
+        throw app.httpErrors.forbidden(reason)
+      }
       await storeSharedKey(app.db, req.body)
       req.auditLog.info({ msg: 'postSharedKey:success', body: req.body })
       return res.status(201).send()