[extension] Use dedicated audience for dust api. Add scopes verification

[tdraier]

Description

This introduces the usage of a custom auth0 API for our public api. The audience is set in an env var , DUST_API_AUDIENCE which should be https://dust-dev.tt/api/v1 in development or https://dust.tt/api/v1 in production.

This API defines scopes in auth0 configuration, that will need to be extended, for checking particular endpoints in the api. All scopes used by the app are set - we'll have to add/define other ones in another PR.

The scopes required by the app must be specified when requesting authorization, which will result in displaying a consent screen :

(This consent screen can be skipped for 1st party apps , i.e. our own apps registered in our auth0 tenant, but must be shown for 3rd party apps)

The 2 wrappers withPublicAPIAuthentication and withAuth0TokenAuthentication are extended to support new option "resourceName" that can be used to create the scope.

Scope are only checked against oauth tokens . sk- keys are considered system and do not include any scope (no scope check).

Risk

For oauth users, some routes now require scope.

Deploy Plan

• Set up prod API on auth0
• Set DUST_API_AUDIENCE env vars
• Deploy front

[github-actions]

	Warnings
⚠️	Files in **/api/v1/ have been modified and the PR has the documentation-ack label. Don't forget to run npm run docs and use the Deploy OpenAPI Docs Github action to update https://docs.dust.tt/reference.

Generated by 🚫 dangerJS against 9490661

[flvndvd]

LGTM, left one last comment.

[flvndvd]

Why do we need to return an array here? If it's expected maybe it should be getRequiredScopes and let's define the return type.

[Fraggle]

Note: are they all required ?
Usually it's one of them, not all of them as scopes are granular.

[Fraggle]

If one of them, i would rename as getAllowedScopes()

[tdraier]

right, I don't think we need an array for now

[tdraier]

i was expecting all required, but yes could be an array of "at least one", that's probably more useful. For now i think we can stick with one single value

[Fraggle]

Love that !
Quick question: did you define the scopes in auth0 dev env as well ? (saw that you did)
Seems like the scopes values are not type checked, can you add it if not ?

[Fraggle]

nit: from the screenshot, the user facing description of the scopes in the consent screen are not amazing, can you update ? (saw that you did)

[Fraggle]

@tdraier but I'm wondering if you are not going to break the raycast extension.

[Fraggle]

I'm putting a request change because I'm worried that it breaks the raycast extension.
Let's talk before merging.

[Fraggle]

don't you need to check if the audience matches too ?

(and maybe skip the checks if not the right audience, as a temporary measure not to break the raycast extension)

[tdraier]

The audience is checked along with the expiration and issuer by jwt.verify

[Fraggle]

I believe it's checked for consistency / signature but not for a specific value (may be wrong)

My point here is twofold:

• do the checks on scope only if the audience match the expected audience
• TEMPORARY, otherwise, let it go thru (so the raycast extension still works)

After the extension is updated, we'll wait a few days and then remove the temporary passthru.

[tdraier]

( jwt.verify checks that the audience matches the one passed in parameter )

[Fraggle]

imho, the typing of that arg should be more strict (POST|GET|PATCH|DELETE: scopes that exists)

[tdraier]

req.method is not typed (it's a string), so in theory I can receive anything in here

[Fraggle]

...but in practice we know what we use (and we can extends if needed)

[tdraier]

i was afraid of the typings, but ok, done 😛

[Fraggle]

see my comment required vs allowed.

[tdraier]

@tdraier but I'm wondering if you are not going to break the raycast extension.

this definitely require changes in raycast extension

[Fraggle]

@tdraier but I'm wondering if you are not going to break the raycast extension.

this definitely require changes in raycast extension

I can do it swiftly but there is a delay for them to approve, and for users to update. We need an intermediary step where the extension still work.

[Fraggle]

LGTM !