Merge pull request #17 from veracity/feature/rc1

Updated samples, docs and readme

Author: rudfoss

README.md

@@ -16,6 +16,7 @@ Version `1.0.0` is the first officially released and supported implementation of
 
 - [Quick Start](#quick-start)
   * [onVerify / Verifier](#onverify--verifier)
+- [Encrypting session](#encrypting-session)
 - [Passing state](#passing-state)
 - [Error handling](#error-handling)
 - [Authentication process](#authentication-process)
@@ -97,6 +98,39 @@ const verifier = async (tokenData, req, done) => {
 passport.use("veracity", new VIDPOpenIDCStrategy(strategySettings, verifier))
 ```
 
+## Encrypting session
+When configuring authentication you need to provide a place to store session data. This is done through the `store` configuration for `express-session`. In the samples we use a MemoryStore instance that keeps the data in memory, but this is not suitable to for production as it does not scale. For such systems you would probably go with a database or cache of some kind such as MySQL or Redis.
+
+Once you set up such a session storage mechanism, however there are some considerations you need to take into account. Since the access tokens for individual users are stored as session data it means that anyone with access to the session storage database can extract any token for a currently logged in user and use it themselves. Since the token is the only key needed to perform actions on behalf of the user it is considered sensitive information and must therefore be protected accordingly.
+
+This library comes with a helper function to deal with just this scenario called `createEncryptedSessionStore`. This function uses the **AES-256-CBC** algorithm to encrypt and decrypt a subset of session data on-the-fly preventing someone with access to the store from seeing the plain access tokens. They will only see an encrypted blob of text.
+
+The way `createEncryptedSessionStore` works is that it replaces the read and write functions of an `express-session` compatible store with augmented versions that decrypt and encrypt a set of specified properties (if present on the session object) respectively. This means that you can still use any of the compatible store connectors and simply pass it through the helper function to get a version that provides encryption.
+
+Using the Redis connector you can configure an encrypted session like this:
+```javascript
+const session = require("express-session")
+const { createEncryptedSessionStore } = require("@veracity/node-auth")
+const redisStore = require("connect-redis")(session)
+
+// You should NOT hard-code the encryption key. It should be served from a secure store such as Azure KeyVault or similar
+const encryptedRedisStore = createEncryptedSessionStore("encryption key")(redisStore)
+
+// We can now use the encryptedRedisStore in place of a regular store to configure authentication
+setupWebAppAuth({
+	app,
+	strategy: {
+		clientId: "",
+		clientSecret: "",
+		replyUrl: ""
+	},
+	session: {
+		secret: "ce4dd9d9-cac3-4728-a7d7-d3e6157a06d9",
+		store: encryptedRedisStore // Use encrypted version of redis store
+	}
+})
+```
+
 ## Passing state
 Sometimes it is useful to be able to pass data from before the login begins all the way through the authentication process until control is returned back to your code. This library supports this in two ways for web and native applications (the bearer token validation strategy does not support this):
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@veracity/node-auth",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "A library for authenticating with Veracity and retrieving one or more access tokens for communicating with APIs.",
   "scripts": {
     "build:copy-files": "ts-node -T scripts/copy-files.ts",

package.json

@@ -1,7 +1,7 @@
 # JS Helper example
 This example implements Veracity authentication using the `setupWebAppAuth` helper function. For details see the `start.js` file.
 
-You need to fill in application credentials on line 14-16 in `start.js` before this sample will run. Visit the [Veracity for Developers project portal](https://developer.veracity.com/projects) to create them.
+You need to fill in application credentials on line 23-25 in `start.js` before this sample will run. Visit the [Veracity for Developers project portal](https://developer.veracity.com/projects) to create them.
 
 To run the sample:
 ```javascript

samples/101-JS-Auth/README.md

@@ -23,6 +23,7 @@
   },
   "homepage": "https://developer.veracity.com",
   "dependencies": {
+    "@veracity/node-auth": "^1.0.0",
     "body-parser": "^1.19.0",
     "express": "^4.17.1",
     "express-session": "^1.16.2",

samples/101-JS-Auth/package.json

@@ -0,0 +1,20 @@
+# TypeScript Helper example
+This example implements Veracity authentication using the `setupWebAppAuth` helper function and TypeScript. For details see the `start.ts` file.
+
+You need to fill in application credentials on line 23-25 in `start.ts` before this sample will run. Visit the [Veracity for Developers project portal](https://developer.veracity.com/projects) to create them.
+
+To run the sample:
+```javascript
+npm i
+npm start
+```
+
+## HTTPS
+This sample uses `node-forge` along with the `generateCertificate` utility to create a self-signed certificate for local development. This is **not** suitable for production and should be replaced with a more secure certificate signed by a trusted third-party. For example: [https://letsencrypt.org/](https://letsencrypt.org/)
+
+## Dependencies
+- `@veracity/node-auth`
+- `express`
+- `express-session`
+- `passport`
+- `node-forge`

samples/102-TS-Auth/README.md

@@ -1,5 +1,5 @@
 {
-  "name": "@veracity/node-auth-js-helper-example",
+  "name": "@veracity/node-auth-ts-helper-example",
   "private": true,
   "version": "1.0.0",
   "description": "",
@@ -29,6 +29,7 @@
     "typescript": "^3.6.3"
   },
   "dependencies": {
+    "@veracity/node-auth": "^1.0.0",
     "body-parser": "^1.19.0",
     "express": "^4.17.1",
     "express-session": "^1.16.2",

samples/102-TS-Auth/package.json

@@ -0,0 +1,20 @@
+# JS Passport example
+This example implements Veracity authentication using the `VIDPWebAppStrategy` passport strategy directly. This is intended for more advanced scenarios where your code or structure makes it hard or impossible to use the simpler helper function. This sample ends up with the same features as the ones using the helper, but with more code as we have to implement everything ourselves.
+
+You need to fill in application credentials on line 33-35 in `start.js` before this sample will run. Visit the [Veracity for Developers project portal](https://developer.veracity.com/projects) to create them.
+
+To run the sample:
+```javascript
+npm i
+npm start
+```
+
+## HTTPS
+This sample uses `node-forge` along with the `generateCertificate` utility to create a self-signed certificate for local development. This is **not** suitable for production and should be replaced with a more secure certificate signed by a trusted third-party. For example: [https://letsencrypt.org/](https://letsencrypt.org/)
+
+## Dependencies
+- `@veracity/node-auth`
+- `express`
+- `express-session`
+- `passport`
+- `node-forge`

samples/103-JS-Passport/README.md

@@ -0,0 +1,33 @@
+{
+  "name": "@veracity/node-strategy-js-helper-example",
+  "private": true,
+  "version": "1.0.0",
+  "description": "",
+  "scripts": {
+    "start": "node start.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/veracity/node-auth.git"
+  },
+  "keywords": [
+    "veracity",
+    "authentication",
+    "openid",
+    "typescript"
+  ],
+  "author": "Veracity",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/veracity/node-auth/issues"
+  },
+  "homepage": "https://developer.veracity.com",
+  "dependencies": {
+    "@veracity/node-auth": "^1.0.0",
+    "body-parser": "^1.19.0",
+    "express": "^4.17.1",
+    "express-session": "^1.16.2",
+    "node-forge": "^0.9.1",
+    "passport": "^0.4.0"
+  }
+}

samples/103-JS-Passport/package.json

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+	<meta http-equiv="X-UA-Compatible" content="ie=edge">
+	<title>Veracity node-auth - sample app</title>
+	<style>
+		nav a{
+			display: inline-block;
+			padding: 3px 10px;
+		}
+		nav a:first-child{
+			padding-left: 0;
+		}
+	</style>
+</head>
+<body>
+	<h1>Veracity Authentication with node</h1>
+	<p>
+		This example demonstrates how to set up basic authentication with Veracity and viewing the response.
+	</p>
+	<nav>
+		<a href="/login?returnTo=/user">Login now</a>
+		<a href="/user">View user data</a>
+		<a href="/refresh">Refresh token</a>
+		<a href="/logout">Logout</a>
+	</nav>
+</body>
+</html>