Fix of broken API Auth (#8338)

Fix done this morning with @FelixMalfait from #8295 --------- Co-authored-by: guillim <guillaume@twenty.com> Co-authored-by: Félix Malfait <felix@twenty.com>
2024-11-06 14:45:33 +01:00
parent 24656e777e
commit 4b5d096441
11 changed files with 309 additions and 67 deletions
--- a/packages/twenty-server/src/engine/core-modules/jwt/services/jwt-wrapper.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/jwt/services/jwt-wrapper.service.ts
@ -11,13 +11,14 @@ import {
 } from 'src/engine/core-modules/auth/auth.exception';
 import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';

-type WorkspaceTokenType =
+export type WorkspaceTokenType =
  | 'ACCESS'
  | 'LOGIN'
  | 'REFRESH'
  | 'FILE'
  | 'POSTGRES_PROXY'
-  | 'REMOTE_SERVER';
+  | 'REMOTE_SERVER'
+  | 'API_KEY';

@Injectable()
 export class JwtWrapperService {
@ -58,6 +59,13 @@ export class JwtWrapperService {
    }

    try {
+      if (!type && !payload.workspaceId) {
+        return this.jwtService.verify(token, {
+          ...options,
+          secret: this.generateAppSecretLegacy(type, payload.workspaceId),
+        });
+      }
+
      return this.jwtService.verify(token, {
        ...options,
        secret: this.generateAppSecret(type, payload.workspaceId),
@ -93,4 +101,21 @@ export class JwtWrapperService {
      .update(`${appSecret}${workspaceId}${type}`)
      .digest('hex');
  }
+
+  generateAppSecretLegacy(
+    type: WorkspaceTokenType,
+    workspaceId?: string,
+  ): string {
+    const accessTokenSecret = this.environmentService.get(
+      'ACCESS_TOKEN_SECRET',
+    );
+
+    if (!accessTokenSecret) {
+      throw new Error('ACCESS_TOKEN_SECRET is not set');
+    }
+
+    return createHash('sha256')
+      .update(`${accessTokenSecret}${workspaceId}${type}`)
+      .digest('hex');
+  }
 }