Merge pull request #20352 from mozilla/PAY-3612

feat(payments-next): add OAuth strategy guard

Author: david1alvarez

apps/payments/api/.env

@@ -62,3 +62,9 @@ GLEAN_CONFIG__LOGGER_APP_NAME='fxa-payments-next'
 FXA_WEBHOOK_CONFIG__FXA_WEBHOOK_ISSUER=https://accounts.firefox.com/
 FXA_WEBHOOK_CONFIG__FXA_WEBHOOK_JWKS_URI=https://oauth.accounts.firefox.com/v1/jwks/
 FXA_WEBHOOK_CONFIG__FXA_WEBHOOK_AUDIENCE=
+
+# FXA OAuth Config
+FXA_O_AUTH_CONFIG__FXA_O_AUTH_JWKS_URI=http://localhost:9000/v1/jwks
+FXA_O_AUTH_CONFIG__FXA_O_AUTH_ISSUER=http://localhost:3030
+FXA_O_AUTH_CONFIG__FXA_O_AUTH_REQUIRED_SCOPE=https://identity.mozilla.com/account/subscriptions
+FXA_O_AUTH_CONFIG__FXA_O_AUTH_SERVER_URL=http://localhost:9000

apps/payments/api/src/app/app.module.ts

@@ -3,6 +3,7 @@ import { TypedConfigModule, dotenvLoader } from 'nest-typed-config';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
 import { RootConfig } from '../config';
+import { AuthModule } from '@fxa/payments/auth';
 import {
   CmsWebhooksController,
   CmsWebhookService,
@@ -46,6 +47,7 @@ import { NimbusClient, NimbusClientConfig } from '@fxa/shared/experiments';
 
 @Module({
   imports: [
+    AuthModule,
     TypedConfigModule.forRoot({
       schema: RootConfig,
       load: dotenvLoader({

apps/payments/api/src/config/index.ts

@@ -10,6 +10,7 @@ import { MySQLConfig } from '@fxa/shared/db/mysql/core';
 import { FxaWebhookConfig, StripeEventConfig } from '@fxa/payments/webhooks';
 import { StatsDConfig } from '@fxa/shared/metrics/statsd';
 import { FirestoreConfig } from 'libs/shared/db/firestore/src/lib/firestore.config';
+import { FxaOAuthConfig } from '@fxa/payments/auth';
 
 export class RootConfig {
   @Type(() => MySQLConfig)
@@ -61,4 +62,9 @@ export class RootConfig {
   @ValidateNested()
   @IsDefined()
   public readonly fxaWebhookConfig!: Partial<FxaWebhookConfig>;
+
+  @Type(() => FxaOAuthConfig)
+  @ValidateNested()
+  @IsDefined()
+  public readonly fxaOAuthConfig!: Partial<FxaOAuthConfig>;
 }

libs/payments/auth/.eslintrc.json

@@ -0,0 +1,18 @@
+{
+  "extends": ["../../../.eslintrc.json"],
+  "ignorePatterns": ["!**/*"],
+  "overrides": [
+    {
+      "files": ["*.ts", "*.tsx", "*.js", "*.jsx"],
+      "rules": {}
+    },
+    {
+      "files": ["*.ts", "*.tsx"],
+      "rules": {}
+    },
+    {
+      "files": ["*.js", "*.jsx"],
+      "rules": {}
+    }
+  ]
+}

libs/payments/auth/jest.config.ts

@@ -0,0 +1,10 @@
+export default {
+  displayName: 'payments-auth',
+  preset: '../../../jest.preset.js',
+  testEnvironment: 'node',
+  transform: {
+    '^.+\\.[tj]s$': ['ts-jest', { tsconfig: '<rootDir>/tsconfig.spec.json' }],
+  },
+  moduleFileExtensions: ['ts', 'js', 'html'],
+  coverageDirectory: '../../../coverage/libs/payments/auth',
+};

libs/payments/auth/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "@fxa/payments/auth",
+  "version": "0.0.1"
+}

libs/payments/auth/project.json

@@ -0,0 +1,27 @@
+{
+  "name": "payments-auth",
+  "$schema": "../../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "libs/payments/auth/src",
+  "projectType": "library",
+  "tags": [],
+  "targets": {
+    "build": {
+      "executor": "@nx/esbuild:esbuild",
+      "outputs": ["{options.outputPath}"],
+      "options": {
+        "outputPath": "dist/libs/payments/auth",
+        "main": "libs/payments/auth/src/index.ts",
+        "tsConfig": "libs/payments/auth/tsconfig.lib.json",
+        "assets": ["libs/payments/auth/*.md"],
+        "format": ["cjs"]
+      }
+    },
+    "test-unit": {
+      "executor": "@nx/jest:jest",
+      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
+      "options": {
+        "jestConfig": "libs/payments/auth/jest.config.ts"
+      }
+    }
+  }
+}

libs/payments/auth/src/index.ts

@@ -0,0 +1,8 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+export * from './lib/auth.module';
+export * from './lib/fxa-oauth-auth.guard';
+export * from './lib/fxa-access-token.schemas';
+export * from './lib/fxa-oauth.config';

libs/payments/auth/src/lib/auth.module.ts

@@ -0,0 +1,14 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { Module } from '@nestjs/common';
+
+import { FxaOAuthJwtStrategy } from './fxa-oauth-jwt.strategy';
+import { FxaOAuthVerifyStrategy } from './fxa-oauth-verify.strategy';
+
+@Module({
+  providers: [FxaOAuthJwtStrategy, FxaOAuthVerifyStrategy],
+  exports: [FxaOAuthJwtStrategy, FxaOAuthVerifyStrategy],
+})
+export class AuthModule {}

libs/payments/auth/src/lib/factories/fxa-access-token-claims.factory.ts

@@ -0,0 +1,15 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { faker } from '@faker-js/faker';
+import { FxaAccessTokenClaims } from '../fxa-access-token.schemas';
+
+export const FxaAccessTokenClaimsFactory = (
+  override?: Partial<FxaAccessTokenClaims>
+): FxaAccessTokenClaims => ({
+  sub: faker.string.hexadecimal({ length: 32, prefix: '' }),
+  client_id: faker.string.hexadecimal({ length: 16, prefix: '' }),
+  scope: 'profile',
+  ...override,
+});