fix: reach authz service directly on refresh flow

snyk · Feb 4, 2025 · e42858d · e42858d
1 parent c2b79bc
commit e42858d
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 8 deletions.
diff --git a/lib/client/auth/brokerServerConnection.ts b/lib/client/auth/brokerServerConnection.ts
@@ -40,12 +40,13 @@ export const renewBrokerServerConnection = async (
   const req: PostFilterPreparedRequest = {
     url: url.toString(),
     headers: {
-      authorization: brokerServerConnectionParams.authorization,
+      Authorization: brokerServerConnectionParams.authorization,
       'user-agent': `Snyk Broker Client ${version}`,
       'Content-type': 'application/vnd.api+json',
     },
     method: 'POST',
     body: JSON.stringify(body),
   };
+  console.dir(req);
   return await makeRequestToDownstream(req);
 };
diff --git a/lib/client/socket.ts b/lib/client/socket.ts
@@ -194,7 +194,7 @@ export const createWebSocket = (
           },
           'Renewing auth.',
         );
-
+        console.log(clientOpts.accessToken!.authHeader);
         const renewResponse = await renewBrokerServerConnection(
           {
             connectionIdentifier: identifyingMetadata.identifier!,

diff --git a/lib/server/auth/authHelpers.ts b/lib/server/auth/authHelpers.ts
@@ -8,6 +8,7 @@ export const validateBrokerClientCredentials = async (
   authHeaderValue: string,
   brokerClientId: string,
   brokerConnectionIdentifier: string,
+  isInternalJwt = false,
 ) => {
   const body = {
     data: {
@@ -18,10 +19,11 @@ export const validateBrokerClientCredentials = async (
     },
   };
 
+  const serviceHostname = isInternalJwt
+    ? `${getConfig().authorizationService}`
+    : `${getConfig().apiHostname}`;
   const req: PostFilterPreparedRequest = {
-    url: `${
-      getConfig().apiHostname
-    }/hidden/brokers/connections/${brokerConnectionIdentifier}/auth/validate?version=2024-02-08~experimental`,
+    url: `${serviceHostname}/hidden/brokers/connections/${brokerConnectionIdentifier}/auth/validate?version=2024-02-08~experimental`,
     headers: {
       authorization: authHeaderValue,
       'Content-type': 'application/vnd.api+json',
@@ -30,7 +32,11 @@ export const validateBrokerClientCredentials = async (
     body: JSON.stringify(body),
   };
   logger.debug(
-    { maskToken: maskToken(brokerConnectionIdentifier) },
+    {
+      url: `${serviceHostname}/hidden/brokers/connections/${brokerConnectionIdentifier}/auth/validate?version=2024-02-08~experimental`,
+      maskToken: maskToken(brokerConnectionIdentifier),
+      creds: authHeaderValue,
+    },
     `Validate Broker Client Credentials request`,
   );
   const response = await makeSingleRawRequestToDownstream(req);

diff --git a/lib/server/routesHandlers/authHandlers.ts b/lib/server/routesHandlers/authHandlers.ts
@@ -45,12 +45,13 @@ export const authRefreshHandler = async (req: Request, res: Response) => {
       { identifier, brokerClientId, role, credentials },
       'Invalid credentials',
     );
-    return res.status(401).send('Invalid credentials.');
+    return res.status(401).send('Invalid Empty credentials.');
   } else {
     const credsCheckResponse = await validateBrokerClientCredentials(
       credentials,
       brokerClientId as string,
       identifier,
+      true,
     );
     logger.debug(
       { credsCheckResponse: credsCheckResponse },
@@ -75,7 +76,7 @@ export const authRefreshHandler = async (req: Request, res: Response) => {
         'Invalid credentials - Creds check response returned false',
       );
       currentClient.socket!.end();
-      return res.status(401).send('Invalid credentials.');
+      return res.status(401).send('Credentials failed validation');
     }
   }
 };