kyle
868f7efc23
Some checks failed
CI/CD Pipeline / Backend Tests (push) Has been cancelled
CI/CD Pipeline / Frontend Tests (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (push) Has been cancelled
CI/CD Pipeline / Security Scan (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
Complete rewrite from Express to NestJS with enterprise-grade features: ## Backend Improvements - Migrated from Express to NestJS 11.0.1 with TypeScript - Implemented Prisma ORM 7.3.0 for type-safe database access - Added CASL authorization system replacing role-based guards - Created global exception filters with structured logging - Implemented Auth0 JWT authentication with Passport.js - Added vehicle management with conflict detection - Enhanced event scheduling with driver/vehicle assignment - Comprehensive error handling and logging ## Frontend Improvements - Upgraded to React 19.2.0 with Vite 7.2.4 - Implemented CASL-based permission system - Added AbilityContext for declarative permissions - Created ErrorHandler utility for consistent error messages - Enhanced API client with request/response logging - Added War Room (Command Center) dashboard - Created VIP Schedule view with complete itineraries - Implemented Vehicle Management UI - Added mock data generators for testing (288 events across 20 VIPs) ## New Features - Vehicle fleet management (types, capacity, status tracking) - Complete 3-day Jamboree schedule generation - Individual VIP schedule pages with PDF export (planned) - Real-time War Room dashboard with auto-refresh - Permission-based navigation filtering - First user auto-approval as administrator ## Documentation - Created CASL_AUTHORIZATION.md (comprehensive guide) - Created ERROR_HANDLING.md (error handling patterns) - Updated CLAUDE.md with new architecture - Added migration guides and best practices ## Technical Debt Resolved - Removed custom authentication in favor of Auth0 - Replaced role checks with CASL abilities - Standardized error responses across API - Implemented proper TypeScript typing - Added comprehensive logging Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
158 lines
6.1 KiB
JavaScript
158 lines
6.1 KiB
JavaScript
"use strict";
|
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
};
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.jwtKeyManager = void 0;
|
|
const crypto_1 = __importDefault(require("crypto"));
|
|
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
|
|
class JWTKeyManager {
|
|
constructor() {
|
|
this.previousSecret = null;
|
|
this.rotationInterval = null;
|
|
this.gracePeriodTimeout = null;
|
|
console.log('🔑 Initializing JWT Key Manager with automatic rotation');
|
|
this.currentSecret = this.generateSecret();
|
|
this.startRotation();
|
|
}
|
|
generateSecret() {
|
|
const secret = crypto_1.default.randomBytes(64).toString('hex');
|
|
console.log('🔄 Generated new JWT signing key (length:', secret.length, 'chars)');
|
|
return secret;
|
|
}
|
|
startRotation() {
|
|
// Rotate every 24 hours (86400000 ms)
|
|
this.rotationInterval = setInterval(() => {
|
|
this.rotateKey();
|
|
}, 24 * 60 * 60 * 1000);
|
|
console.log('⏰ JWT key rotation scheduled every 24 hours');
|
|
// Also rotate on startup after 1 hour to test the system
|
|
setTimeout(() => {
|
|
console.log('🧪 Performing initial key rotation test...');
|
|
this.rotateKey();
|
|
}, 60 * 60 * 1000); // 1 hour
|
|
}
|
|
rotateKey() {
|
|
console.log('🔄 Rotating JWT signing key...');
|
|
// Store current secret as previous
|
|
this.previousSecret = this.currentSecret;
|
|
// Generate new current secret
|
|
this.currentSecret = this.generateSecret();
|
|
console.log('✅ JWT key rotation completed. Grace period: 24 hours');
|
|
// Clear any existing grace period timeout
|
|
if (this.gracePeriodTimeout) {
|
|
clearTimeout(this.gracePeriodTimeout);
|
|
}
|
|
// Clean up previous secret after 24 hours (grace period)
|
|
this.gracePeriodTimeout = setTimeout(() => {
|
|
this.previousSecret = null;
|
|
console.log('🧹 Grace period ended. Previous JWT key cleaned up');
|
|
}, 24 * 60 * 60 * 1000);
|
|
}
|
|
generateToken(user) {
|
|
const payload = {
|
|
id: user.id,
|
|
google_id: user.google_id,
|
|
email: user.email,
|
|
name: user.name,
|
|
profile_picture_url: user.profile_picture_url,
|
|
role: user.role,
|
|
status: user.status,
|
|
approval_status: user.approval_status,
|
|
onboardingData: user.onboardingData,
|
|
iat: Math.floor(Date.now() / 1000) // Issued at time
|
|
};
|
|
return jsonwebtoken_1.default.sign(payload, this.currentSecret, {
|
|
expiresIn: '24h',
|
|
issuer: 'vip-coordinator',
|
|
audience: 'vip-coordinator-users'
|
|
});
|
|
}
|
|
verifyToken(token) {
|
|
try {
|
|
// Try current secret first
|
|
const decoded = jsonwebtoken_1.default.verify(token, this.currentSecret, {
|
|
issuer: 'vip-coordinator',
|
|
audience: 'vip-coordinator-users'
|
|
});
|
|
return {
|
|
id: decoded.id,
|
|
google_id: decoded.google_id,
|
|
email: decoded.email,
|
|
name: decoded.name,
|
|
profile_picture_url: decoded.profile_picture_url,
|
|
role: decoded.role,
|
|
status: decoded.status,
|
|
approval_status: decoded.approval_status,
|
|
onboardingData: decoded.onboardingData
|
|
};
|
|
}
|
|
catch (error) {
|
|
// Try previous secret during grace period
|
|
if (this.previousSecret) {
|
|
try {
|
|
const decoded = jsonwebtoken_1.default.verify(token, this.previousSecret, {
|
|
issuer: 'vip-coordinator',
|
|
audience: 'vip-coordinator-users'
|
|
});
|
|
console.log('🔄 Token verified using previous key (grace period)');
|
|
return {
|
|
id: decoded.id,
|
|
google_id: decoded.google_id,
|
|
email: decoded.email,
|
|
name: decoded.name,
|
|
profile_picture_url: decoded.profile_picture_url,
|
|
role: decoded.role,
|
|
status: decoded.status,
|
|
approval_status: decoded.approval_status,
|
|
onboardingData: decoded.onboardingData
|
|
};
|
|
}
|
|
catch (gracePeriodError) {
|
|
console.log('❌ Token verification failed with both current and previous keys');
|
|
return null;
|
|
}
|
|
}
|
|
console.log('❌ Token verification failed:', error instanceof Error ? error.message : 'Unknown error');
|
|
return null;
|
|
}
|
|
}
|
|
// Get status for monitoring/debugging
|
|
getStatus() {
|
|
return {
|
|
hasCurrentKey: !!this.currentSecret,
|
|
hasPreviousKey: !!this.previousSecret,
|
|
rotationActive: !!this.rotationInterval,
|
|
gracePeriodActive: !!this.gracePeriodTimeout
|
|
};
|
|
}
|
|
// Cleanup on shutdown
|
|
destroy() {
|
|
console.log('🛑 Shutting down JWT Key Manager...');
|
|
if (this.rotationInterval) {
|
|
clearInterval(this.rotationInterval);
|
|
this.rotationInterval = null;
|
|
}
|
|
if (this.gracePeriodTimeout) {
|
|
clearTimeout(this.gracePeriodTimeout);
|
|
this.gracePeriodTimeout = null;
|
|
}
|
|
console.log('✅ JWT Key Manager shutdown complete');
|
|
}
|
|
// Manual rotation for testing/emergency
|
|
forceRotation() {
|
|
console.log('🚨 Manual key rotation triggered');
|
|
this.rotateKey();
|
|
}
|
|
}
|
|
// Singleton instance
|
|
exports.jwtKeyManager = new JWTKeyManager();
|
|
// Graceful shutdown handling
|
|
process.on('SIGTERM', () => {
|
|
exports.jwtKeyManager.destroy();
|
|
});
|
|
process.on('SIGINT', () => {
|
|
exports.jwtKeyManager.destroy();
|
|
});
|
|
exports.default = exports.jwtKeyManager;
|
|
//# sourceMappingURL=jwtKeyManager.js.map
|