Pr comments

island-is · Oct 7, 2024 · a813739 · a813739
1 parent 1c1d384
commit a813739
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 23 deletions.
diff --git a/apps/services/auth/admin-api/src/app/app.module.ts b/apps/services/auth/admin-api/src/app/app.module.ts
@@ -3,7 +3,6 @@ import { ConfigModule } from '@nestjs/config'
 import { SequelizeModule } from '@nestjs/sequelize'
 
 import {
-  DelegationApiUserSystemNotificationConfig,
   DelegationConfig,
   SequelizeConfigService,
 } from '@island.is/auth-api-lib'

diff --git a/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts b/apps/services/auth/admin-api/src/app/v2/delegations/delegation-admin.controller.ts
@@ -32,20 +32,9 @@ import { Audit, AuditService } from '@island.is/nest/audit'
 import { DelegationAdminScopes } from '@island.is/auth/scopes'
 import { isDefined } from '@island.is/shared/utils'
 
-const namespace = '@island.is/auth/delegation-admin'
-
-const ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE =
-  process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE
+import env from '../../../environments/environment'
 
-if (!ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE) {
-  throw new Error(
-    'Environment variable ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE must be set',
-  )
-}
-
-const ZendeskAuthGuardInstance = new ZendeskAuthGuard(
-  ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE,
-)
+const namespace = '@island.is/auth/delegation-admin'
 
 @UseGuards(IdsUserGuard, ScopesGuard)
 @ApiTags('delegation-admin')
@@ -108,7 +97,7 @@ export class DelegationAdminController {
   }
 
   @BypassAuth()
-  @UseGuards(ZendeskAuthGuardInstance)
+  @UseGuards(new ZendeskAuthGuard(env.zendeskGeneralMandateWebhookSecret))
   @Post('/zendesk')
   @Documentation({
     response: { status: 200 },

diff --git a/apps/services/auth/admin-api/src/environments/environment.ts b/apps/services/auth/admin-api/src/environments/environment.ts
@@ -12,6 +12,9 @@ const devConfig = {
   port: 6333,
   clientSecretEncryptionKey:
     process.env.CLIENT_SECRET_ENCRYPTION_KEY ?? 'secret',
+  zendeskGeneralMandateWebhookSecret:
+    process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE ??
+    'dGhpc19zZWNyZXRfaXNfZm9yX3Rlc3Rpbmdfb25seQ==',
 }
 
 const prodConfig = {
@@ -27,6 +30,8 @@ const prodConfig = {
   },
   port: 3333,
   clientSecretEncryptionKey: process.env.CLIENT_SECRET_ENCRYPTION_KEY,
+  zendeskGeneralMandateWebhookSecret:
+    process.env.ZENDESK_WEBHOOK_SECRET_GENERAL_MANDATE,
 }
 
 export default process.env.NODE_ENV === 'production' ? prodConfig : devConfig
diff --git a/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts b/libs/auth-nest-tools/src/lib/zendeskAuth.guard.ts
@@ -7,14 +7,10 @@ const SIGNING_SECRET_ALGORITHM = 'sha256'
 
 @Injectable()
 export class ZendeskAuthGuard implements CanActivate {
-  private readonly signingSecret: string
-
-  constructor(signingSecret: string | undefined) {
-    if (!signingSecret) {
-      throw new Error('No signing secret provided')
+  constructor(private secret: string | undefined) {
+    if (!secret) {
+      throw new Error('ZendeskAuthGuard: secret is required')
     }
-
-    this.signingSecret = signingSecret
   }
 
   canActivate(context: ExecutionContext): boolean {
@@ -34,7 +30,10 @@ export class ZendeskAuthGuard implements CanActivate {
     body: string,
     timestamp: string,
   ): boolean {
-    const hmac = crypto.createHmac(SIGNING_SECRET_ALGORITHM, this.signingSecret)
+    const hmac = crypto.createHmac(
+      SIGNING_SECRET_ALGORITHM,
+      this.secret as string,
+    )
     const sig = hmac.update(timestamp + body).digest('base64')
 
     return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sig))