feat: implement Redis-based temp token exchange for better security

Author: brennalaurentan

collaboration-service/collaboration-service/package-lock.json

@@ -14,6 +14,7 @@
     "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "express": "^4.19.2",
+    "jsonwebtoken": "^9.0.2",
     "node-fetch": "^3.3.2",
     "redis": "^5.8.3",
     "uuid": "^9.0.1",

collaboration-service/collaboration-service/package.json

@@ -3,6 +3,7 @@ import { applyOp } from "../services/documentService.js";
 import { touchPresence } from "../services/presenceService.js";
 import { generateAIResponse } from "../services/aiService.js";
 import { z } from "zod";
+import { verifyCollabTokenOrThrow } from "./tokenHelper.js";
 
 // WebSocket rooms (in-memory connection maps; lightweight, ephemeral)
 const wsRooms = new Map();
@@ -28,18 +29,37 @@ export function initGateway(wss) {
     const url = new URL(req.url, `http://${req.headers.host}`);
     let sessionId = url.searchParams.get("sessionId") || "";
     let userId = url.searchParams.get("userId") || "";
+    let token = url.searchParams.get("token") || "";
 
     console.log("[WS] Extracted params - sessionId:", sessionId, "userId:", userId);
 
-    if (!sessionId) sessionId = String(req.headers["x-session-id"] || "");
-    if (!userId) userId = String(req.headers["x-user-id"] || "");
-
-    if (!sessionId || !userId) {
-      console.log("[WS] Missing params - closing connection");
-      return ws.close(1008, "missing params");
+    // if (!sessionId) sessionId = String(req.headers["x-session-id"] || "");
+    // if (!userId) userId = String(req.headers["x-user-id"] || "");
+    // if (!token) token = String(req.headers["x-auth-token"] || "");
+
+    // if (!sessionId || !userId) {
+    //   console.log("[WS] Missing params - closing connection");
+    //   return ws.close(1008, "missing params");
+    // } else if (!token) {
+    //   console.log("[WS] Missing auth token - closing connection");
+    //   return ws.close(1008, "missing auth token");
+    // }
+
+    if (!sessionId) {
+      sessionId = String(req.headers["x-session-id"] || "");
+      console.log("[WS] Missing sessionId - closing connection");
+      return ws.close(1008, "missing sessionId");
+    } else if (!userId) {
+      userId = String(req.headers["x-user-id"] || "");
+      console.log("[WS] Missing userId - closing connection");
+      return ws.close(1008, "missing userId");
+    } else if (!token) {
+      token = String(req.headers["x-auth-token"] || "");
+      console.log("[WS] Missing auth token - closing connection");
+      return ws.close(1008, "missing auth token");
     }
 
-    // Authorization check
+    // User authorization check
     try {
       console.log("[WS] Checking authorization for user:", userId, "session:", sessionId);
       const allowed = await redisRepo.sIsMember(
@@ -67,11 +87,23 @@ export function initGateway(wss) {
       return ws.close(1011, "auth check error");
     }
 
+    // Token authorization check
+    try {
+      const dec = verifyCollabTokenOrThrow(token, sessionId);
+      if (dec.userId) userId = String(dec.userId);
+      ws.isAuthenticated = true;
+      ws.userId = userId;
+    } catch (err) {
+      console.warn("[WS] JWT verification failed:", err);
+      return ws.close(1008, "invalid token");
+    }
+
     if (!wsRooms.has(sessionId)) wsRooms.set(sessionId, new Set());
     wsRooms.get(sessionId).add(ws);
 
     console.log(`[WS] ${userId} connected to ${sessionId}`);
 
+    // Send initial state
     const doc = (await redisRepo.getJson(`collab:document:${sessionId}`)) || { version: 0, text: "" };
     const chat = (await redisRepo.getList(`collab:chat:${sessionId}`)) || [];
     const aiChat = (await redisRepo.getList(`collab:ai-chat:${sessionId}`)) || [];

collaboration-service/collaboration-service/src/ws/gateway.js

@@ -0,0 +1,19 @@
+import jwt from "jsonwebtoken";
+
+function verifyCollabTokenOrThrow(token, expectedSessionId) {
+  const secret = process.env.JWT_ACCESS_TOKEN_SECRET;
+  if (!secret) throw new Error("JWT_ACCESS_TOKEN_SECRET not configured");
+
+  const decoded = jwt.verify(token, secret); // will throw if invalid/expired
+
+  // Optional hardening: assert audience and session binding if present
+  if (decoded.aud && decoded.aud !== "collab") {
+    throw new Error("invalid audience");
+  }
+  if (decoded.sessionId && expectedSessionId && decoded.sessionId !== expectedSessionId) {
+    throw new Error("session mismatch");
+  }
+  return decoded;
+}
+
+export { verifyCollabTokenOrThrow };

collaboration-service/collaboration-service/src/ws/tokenHelper.js

@@ -1,6 +1,7 @@
 // src/ws/yjsGateway.js
 import * as Y from "yjs";
 import { redisRepo } from "../repos/redisRepo.js";
+import { verifyCollabTokenOrThrow } from "./tokenHelper.js";
 
 /**
  * Rooms: sessionId -> { doc: Y.Doc, conns: Set<WebSocket> }
@@ -95,8 +96,22 @@ export function initYjsGateway(yws) {
   yws.on("connection", async (ws, req) => {
     console.log("[YJS Gateway] New connection:", req.url);
     const { searchParams } = new URL(req.url, `http://${req.headers.host}`);
-    const sessionId = searchParams.get("sessionId") || "default";
-    const userId = searchParams.get("userId") || "anon";
+    const sessionId = searchParams.get("sessionId") || "";
+    let userId = searchParams.get("userId") || "";
+    const token = searchParams.get("token") || "";
+    
+    // Token authorization check
+    try {
+      if (!token) throw new Error("missing token");
+      const dec = verifyCollabTokenOrThrow(token, sessionId);
+      if (dec.userId) userId = String(dec.userId);
+      ws.isAuthenticated = true;
+      ws.userId = userId;
+    } catch (err) {
+      console.warn("[YJS Gateway] JWT verification failed:", err.message);
+      ws.close(1008, "Unauthorized");
+      return;
+    }
 
     const room = await getRoom(sessionId);
     room.conns.add(ws);