feat(api): implement self-host secret guard and update auth controller for self-hosted login

Author: djabarovgeorge

apps/api/src/app/auth/auth.controller.ts

@@ -42,6 +42,7 @@ import { SwitchOrganizationCommand } from './usecases/switch-organization/switch
 import { SwitchOrganization } from './usecases/switch-organization/switch-organization.usecase';
 import { AuthService } from './services/auth.service';
 import { SelfHostUsecase } from './usecases/self-host/self-host.usecase';
+import { SelfHostSecretGuard } from './framework/self-host-secret.guard';
 
 @ApiCommonResponses()
 @Controller('/auth')
@@ -192,6 +193,7 @@ export class AuthController {
   }
 
   @Get('/self-hosted')
+  @UseGuards(SelfHostSecretGuard)
   async logMeIn() {
     return this.selfHostUsecase.execute();
   }

apps/api/src/app/auth/framework/self-host-secret.guard.ts

@@ -0,0 +1,23 @@
+import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
+import { HttpRequestHeaderKeysEnum } from '@novu/application-generic';
+
+@Injectable()
+export class SelfHostSecretGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const secretKey = process.env.SELF_HOSTED_SECRET_KEY;
+    if (!secretKey) return true;
+
+    const request = context.switchToHttp().getRequest();
+    const headerKey = request.headers[HttpRequestHeaderKeysEnum.NOVU_SELF_HOSTED_SECRET_KEY.toLowerCase()];
+
+    if (!headerKey) {
+      throw new UnauthorizedException('Missing self-host secret key');
+    }
+
+    if (headerKey !== secretKey) {
+      throw new UnauthorizedException('Invalid self-host secret key');
+    }
+
+    return true;
+  }
+}

apps/dashboard/src/api/api.client.ts

@@ -81,10 +81,10 @@ const request = async <T>(
   }
 };
 
-type RequestOptions = { body?: unknown; environment?: IEnvironment; signal?: AbortSignal };
+type RequestOptions = { body?: unknown; environment?: IEnvironment; signal?: AbortSignal; headers?: HeadersInit };
 
-export const get = <T>(endpoint: string, { environment, signal }: RequestOptions = {}) =>
-  request<T>(endpoint, { method: 'GET', environment, signal });
+export const get = <T>(endpoint: string, { environment, signal, headers }: RequestOptions = {}) =>
+  request<T>(endpoint, { method: 'GET', environment, signal, headers });
 export const post = <T>(endpoint: string, options: RequestOptions) =>
   request<T>(endpoint, { method: 'POST', ...options });
 export const put = <T>(endpoint: string, options: RequestOptions) =>

apps/dashboard/src/config/index.ts

@@ -12,11 +12,11 @@ export const CLERK_PUBLISHABLE_KEY = import.meta.env.VITE_CLERK_PUBLISHABLE_KEY
 
 export const APP_ID = import.meta.env.VITE_NOVU_APP_ID || '';
 
-export const API_HOSTNAME = window._env_.VITE_API_HOSTNAME || import.meta.env.VITE_API_HOSTNAME;
+export const API_HOSTNAME = window._env_?.VITE_API_HOSTNAME || import.meta.env.VITE_API_HOSTNAME;
 
 export const IS_EU = API_HOSTNAME === 'https://eu.api.novu.co';
 
-export const WEBSOCKET_HOSTNAME = window._env_.VITE_WEBSOCKET_HOSTNAME || import.meta.env.VITE_WEBSOCKET_HOSTNAME;
+export const WEBSOCKET_HOSTNAME = window._env_?.VITE_WEBSOCKET_HOSTNAME || import.meta.env.VITE_WEBSOCKET_HOSTNAME;
 
 export const INTERCOM_APP_ID = import.meta.env.VITE_INTERCOM_APP_ID;
 
@@ -32,6 +32,8 @@ export const ONBOARDING_DEMO_WORKFLOW_ID = 'onboarding-demo-workflow';
 
 export const IS_SELF_HOSTED = import.meta.env.VITE_SELF_HOSTED;
 
+export const SELF_HOSTED_SECRET_KEY = import.meta.env.VITE_SELF_HOSTED_SECRET_KEY;
+
 if (!IS_SELF_HOSTED && !CLERK_PUBLISHABLE_KEY) {
   throw new Error('Missing Clerk Publishable Key');
 }

apps/dashboard/src/utils/self-hosted/jwt-manager.tsx

@@ -1,10 +1,14 @@
 import { get } from '../../api/api.client';
+import { SELF_HOSTED_SECRET_KEY } from '../../config';
 
 const JWT_STORAGE_KEY = 'self-hosted-jwt';
 
 export async function refreshJwt(): Promise<string | null> {
   try {
-    const result = await get<{ data: { token: string } }>('/auth/self-hosted');
+    const headers: HeadersInit = SELF_HOSTED_SECRET_KEY
+      ? { 'novu-self-hosted-secret-key': SELF_HOSTED_SECRET_KEY }
+      : {};
+    const result = await get<{ data: { token: string } }>('/auth/self-hosted', { headers });
     const token = result?.data?.token;
 
     if (token) {

libs/application-generic/src/http/headers.types.ts

@@ -12,6 +12,7 @@ export enum HttpRequestHeaderKeysEnum {
   NOVU_USER_AGENT = 'Novu-User-Agent',
   BYPASS_TUNNEL_REMINDER = 'Bypass-Tunnel-Reminder',
   IDEMPOTENCY_KEY = 'Idempotency-Key',
+  NOVU_SELF_HOSTED_SECRET_KEY = 'Novu-Self-Hosted-Secret-Key',
 }
 testHttpHeaderEnumValidity(HttpRequestHeaderKeysEnum);
 

libs/application-generic/src/http/utils.types.ts

@@ -2,18 +2,6 @@
 import * as nestSwagger from '@nestjs/swagger';
 import { ApiHeaderOptions } from '@nestjs/swagger';
 
-export enum HttpRequestHeaderKeysEnum {
-  AUTHORIZATION = 'Authorization',
-  USER_AGENT = 'User-Agent',
-  CONTENT_TYPE = 'Content-Type',
-  SENTRY_TRACE = 'Sentry-Trace',
-  NOVU_ENVIRONMENT_ID = 'Novu-Environment-Id',
-  NOVU_API_VERSION = 'Novu-API-Version',
-  NOVU_USER_AGENT = 'Novu-User-Agent',
-  BYPASS_TUNNEL_REMINDER = 'Bypass-Tunnel-Reminder',
-}
-testHttpHeaderEnumValidity(HttpRequestHeaderKeysEnum);
-
 export enum HttpResponseHeaderKeysEnum {
   CONTENT_TYPE = 'Content-Type',
   RATELIMIT_REMAINING = 'RateLimit-Remaining',
@@ -54,22 +42,20 @@ export type DeepRequired<T> = T extends object
 /**
  * Transform S to CONSTANT_CASE.
  */
-export type ConvertToConstantCase<S extends string> =
-  S extends `${infer T}-${infer U}`
-    ? `${Uppercase<T>}_${ConvertToConstantCase<U>}`
-    : Uppercase<S>;
+export type ConvertToConstantCase<S extends string> = S extends `${infer T}-${infer U}`
+  ? `${Uppercase<T>}_${ConvertToConstantCase<U>}`
+  : Uppercase<S>;
 
 /**
  * Validate that S is in Http-Header-Case, and return S if valid, otherwise never.
  */
-export type ValidateHttpHeaderCase<S extends string> =
-  S extends `${infer U}-${infer V}`
-    ? U extends Capitalize<U>
-      ? `${U}-${ValidateHttpHeaderCase<V>}`
-      : never
-    : S extends Capitalize<S>
-      ? `${S}` // necessary to cast to string literal type for non-hyphenated enum validation
-      : never;
+export type ValidateHttpHeaderCase<S extends string> = S extends `${infer U}-${infer V}`
+  ? U extends Capitalize<U>
+    ? `${U}-${ValidateHttpHeaderCase<V>}`
+    : never
+  : S extends Capitalize<S>
+    ? `${S}` // necessary to cast to string literal type for non-hyphenated enum validation
+    : never;
 
 /**
  * Helper function to test that Header enum keys and values match correct format.
@@ -102,14 +88,11 @@ export type ValidateHttpHeaderCase<S extends string> =
 export function testHttpHeaderEnumValidity<
   TEnum extends IConstants,
   TValue extends TEnum[keyof TEnum] & string,
-  IConstants = Record<
-    ConvertToConstantCase<TValue>,
-    ValidateHttpHeaderCase<TValue>
-  >,
+  IConstants = Record<ConvertToConstantCase<TValue>, ValidateHttpHeaderCase<TValue>>,
 >(
   testEnum: TEnum &
     Record<
       Exclude<keyof TEnum, keyof IConstants>,
       ['Key must be the CONSTANT_CASED version of the Capital-Cased value']
-    >,
+    >
 ) {}