Move .well-known/* endpoints from apiRouter to new wellKnownRouter

server/apiRouter.js

@@ -21,8 +21,6 @@ const createUserWithIdp = require('./api/auth/createUserWithIdp');
 const { authenticateFacebook, authenticateFacebookCallback } = require('./api/auth/facebook');
 const { authenticateGoogle, authenticateGoogleCallback } = require('./api/auth/google');
 
-const { openIdConfiguration, jwksUri } = require('./api-util/idToken');
-
 const router = express.Router();
 
 // ================ API router middleware: ================ //
@@ -82,20 +80,4 @@ router.get('/auth/google', authenticateGoogle);
 // loginWithIdp endpoint in Flex API to authenticate user to Flex
 router.get('/auth/google/callback', authenticateGoogleCallback);
 
-// These endpoints will be used if you FTW as OIDC proxy
-// https://www.sharetribe.com/docs/cookbook-social-logins-and-sso/setup-open-id-connect-proxy/
-// All identity providers should provide an OpenID Connect discovery document:
-// https://openid.net/specs/openid-connect-discovery-1_0.html
-// And in the discovery document we need to define jwks_uri attribute
-// which denotes the location of public signing keys
-
-const rsaSecretKey = process.env.RSA_SECRET_KEY;
-const rsaPublicKey = process.env.RSA_PUBLIC_KEY;
-const keyId = process.env.KEY_ID;
-
-if (rsaPublicKey && rsaSecretKey) {
-  router.get('/.well-known/openid-configuration', openIdConfiguration);
-  router.get('/.well-known/jwks.json', jwksUri([{ alg: 'RS256', rsaPublicKey, keyId }]));
-}
-
 module.exports = router;

server/apiServer.js

@@ -9,6 +9,7 @@ const cookieParser = require('cookie-parser');
 const bodyParser = require('body-parser');
 const cors = require('cors');
 const apiRouter = require('./apiRouter');
+const wellKnownRouter = require('./wellKnownRouter');
 
 const radix = 10;
 const PORT = parseInt(process.env.REACT_APP_DEV_API_SERVER_PORT, radix);
@@ -23,6 +24,7 @@ app.use(
   })
 );
 app.use(cookieParser());
+app.use('/.well-known', wellKnownRouter);
 app.use('/api', apiRouter);
 
 app.listen(PORT, () => {

server/index.js

@@ -33,6 +33,7 @@ const sitemap = require('express-sitemap');
 const passport = require('passport');
 const auth = require('./auth');
 const apiRouter = require('./apiRouter');
+const wellKnownRouter = require('./wellKnownRouter');
 const renderer = require('./renderer');
 const dataLoader = require('./dataLoader');
 const fs = require('fs');
@@ -131,6 +132,12 @@ app.use('/static', express.static(path.join(buildPath, 'static')));
 app.use('/robots.txt', express.static(path.join(buildPath, 'robots.txt')));
 app.use(cookieParser());
 
+// These .well-known/* endpoints will be enabled if you are using FTW as OIDC proxy
+// https://www.sharetribe.com/docs/cookbook-social-logins-and-sso/setup-open-id-connect-proxy/
+// We need to handle these endpoints separately so that they are accessible by Flex
+// even if you have enabled basic authentication e.g. in staging environment.
+app.use('/.well-known', wellKnownRouter);
+
 // Use basic authentication when not in dev mode. This is
 // intentionally after the static middleware to skip basic auth for
 // static resources.

server/wellKnownRouter.js

@@ -0,0 +1,17 @@
+const express = require('express');
+const { openIdConfiguration, jwksUri } = require('./api-util/idToken');
+
+const rsaPrivateKey = process.env.RSA_PRIVATE_KEY;
+const rsaPublicKey = process.env.RSA_PUBLIC_KEY;
+const keyId = process.env.KEY_ID;
+
+const router = express.Router();
+
+// These .well-known/* endpoints will be enabled if you are using FTW as OIDC proxy
+// https://www.sharetribe.com/docs/cookbook-social-logins-and-sso/setup-open-id-connect-proxy/
+if (rsaPublicKey && rsaPrivateKey) {
+  router.get('/openid-configuration', openIdConfiguration);
+  router.get('/jwks.json', jwksUri([{ alg: 'RS256', rsaPublicKey, keyId }]));
+}
+
+module.exports = router;