feat: create SecurityContext class and add signing alg verification to the auth interceptor

OmegaCreations · OmegaCreations · commit 37e43ece2626 · 2025-09-28T14:56:05.000+02:00
diff --git a/Tokenization/backend/wrapper/src/client/ConnectionManager/Interceptors/grpc.auth.interceptor.ts b/Tokenization/backend/wrapper/src/client/ConnectionManager/Interceptors/grpc.auth.interceptor.ts
@@ -139,10 +139,17 @@ export const gRPCAuthInterceptor = async (
       pub
     );
 
-    // Optional: Additional check to ensure correct signing algorithm was used
-    // if (protectedHeader.alg !== "EdDSA" && protectedHeader.alg !== "Ed25519") {
-    //   throw new Error("JWS signed with an unexpected algorithm.");
-    // }
+    // Additional check to ensure correct signing algorithm was used
+    if (protectedHeader.alg !== "EdDSA" && protectedHeader.alg !== "Ed25519") {
+      const error = {
+        name: "AuthenticationError",
+        message: "Incorrect signing algorithm for JWS.",
+        code: grpc.status.UNAUTHENTICATED,
+      };
+
+      callback(error, null);
+      return { isAuthenticated: false, conn };
+    }
 
     // Decode and parse the JWT payload
     const payloadString = new TextDecoder().decode(jwtPayload);
@@ -188,7 +195,7 @@ export const gRPCAuthInterceptor = async (
 
   // Authentication and Authorization successful
   // Update Connection state with SN and status
-  conn.handleSuccessfulAuth(payload as any);
+  conn.handleSuccessfulAuth(payload);
   return { isAuthenticated: true, conn };
 };
 
diff --git a/Tokenization/backend/wrapper/src/utils/security/SecurityContext.ts b/Tokenization/backend/wrapper/src/utils/security/SecurityContext.ts
@@ -0,0 +1,44 @@
+/**
+ * @license
+ * Copyright 2019-2020 CERN and copyright holders of ALICE O2.
+ * See http://alice-o2.web.cern.ch/copyright for details of the copyright holders.
+ * All rights not expressly granted are reserved.
+ *
+ * This software is distributed under the terms of the GNU General Public
+ * License v3 (GPL Version 3), copied verbatim in the file "COPYING".
+ *
+ * In applying this license CERN does not waive the privileges and immunities
+ * granted to it by virtue of its status as an Intergovernmental Organization
+ * or submit itself to any jurisdiction.
+ */
+
+/**
+ * @description Stores every keys and certificates needed for gRPC mTLS communication and token verifications (JWE/JWS)
+ */
+export class SecurityContext {
+  // mTLS keys (RSA)
+  public readonly caCert: Buffer;
+  public readonly clientSenderCert: Buffer;
+  public readonly clientListenerCert: Buffer;
+  public readonly clientPublicKey: Buffer;
+  // RSA Private Key (PKCS8) for JWE decryption
+  public readonly clientPrivateKey: Buffer;
+
+  // Public Ed25519 key for JWS verification
+  public static readonly JWS_PUBLIC_KEY =
+    "VqkcxlpJYVZI/SxgWH/VqVNeKhMGIbUfHn0okzdGs2E=";
+
+  constructor(
+    caCert: Buffer,
+    clientSenderCert: Buffer,
+    clientListenerCert: Buffer,
+    clientPrivateKey: Buffer,
+    clientPublicKey: Buffer
+  ) {
+    this.caCert = caCert;
+    this.clientSenderCert = clientSenderCert;
+    this.clientListenerCert = clientListenerCert;
+    this.clientPrivateKey = clientPrivateKey;
+    this.clientPublicKey = clientPublicKey;
+  }
+}
