feat: otp provider setup with cicd and terraform (#440)

* fix: local development and build funcs

* feat: otp provider with database

* fix: issues with the migration files not being compiled

* fix: removed unwanted volume from docker compose

* feat: terrafrom project and minor db updates

* feat: update image name in gh action

* feat: add permissions to gh action

* feat: add working directory to find dockerfile

* feat: run terraform in gh action

* feat: setup terraform

* feat: add custom domain name

* feat: enable db http endpoint for query editor to work

* feat: enable terraform apply

* feat: remove feature branch name

* fix: remove terraform lock file

* fix: upgrade tflint

* feat: use env var for cors origins

Author: NithinKuruba

.github/workflows/publish-otp-provider-image.yml

@@ -0,0 +1,96 @@
+name: Create and publish Otp Provider Docker image
+
+on:
+  push:
+    branches:
+      - 'dev'
+
+env:
+  IMAGE_NAME: bcgov-sso/otp-provider
+  TF_VERSION: 1.2.0
+
+jobs:
+  build-and-push-image:
+    permissions: write-all
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Set env to development
+        if: (github.ref == 'refs/heads/dev' && github.event_name == 'push')
+        run: |
+          cat >> $GITHUB_ENV <<EOF
+          TF_STATE_BUCKET=xgr00q-dev-sso-otp-provider
+          TF_STATE_BUCKET_KEY=sso-otp-provider.tfstate
+          TF_STATE_DYNAMODB_TABLE=xgr00q-dev-otp-state-locking
+          CUSTOM_DOMAIN_NAME=otp-sandbox.loginproxy.gov.bc.ca
+          CORS_ORIGINS=https://dev.sandbox.loginproxy.gov.bc.ca,https://test.sandbox.loginproxy.gov.bc.ca,https://sandbox.loginproxy.gov.bc.ca,https://sso-playground.apps.gold.devops.gov.bc.ca
+
+          EOF
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - uses: hashicorp/setup-terraform@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_OTP_TF_DEPLOY_ROLE_ARN }}
+          aws-region: ca-central-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build, tag, and push docker image to Amazon ECR
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ env.IMAGE_NAME }}
+          IMAGE_TAG: latest
+        run: |
+          echo "Building and pushing Docker image to ECR..."
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+        working-directory: ./docker/otp-provider
+
+      - name: Terraform Variables
+        run: |
+          cat >"config.tf" <<EOF
+          terraform {
+            backend "s3" {
+              bucket         = "${{ env.TF_STATE_BUCKET }}"
+              key            = "${{ env.TF_STATE_BUCKET_KEY }}"
+              region         = "ca-central-1"
+              dynamodb_table = "${{ env.TF_STATE_DYNAMODB_TABLE }}"
+            }
+          }
+          EOF
+
+          cat >"ci.auto.tfvars" <<EOF
+          aws_ecr_uri="${{ steps.login-ecr.outputs.registry }}"
+          ches_username="${{ secrets.CHES_USERNAME }}"
+          ches_password="${{ secrets.CHES_PASSWORD }}"
+          custom_domain_name="${{ env.CUSTOM_DOMAIN_NAME }}"
+          cors_origins="${{ env.CORS_ORIGINS }}"
+          EOF
+
+        working-directory: ./docker/otp-provider/terraform
+
+      - name: Terraform Init
+        id: init
+        run: terraform init -upgrade
+        working-directory: ./docker/otp-provider/terraform
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        working-directory: ./docker/otp-provider/terraform
+        continue-on-error: true
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.event_name == 'push'
+        run: terraform apply -auto-approve
+        working-directory: ./docker/otp-provider/terraform

.gitignore

@@ -58,3 +58,5 @@ mds.json
 __pycache__
 site
 venv
+build
+secrets.auto.tfvars

.tool-versions

@@ -7,7 +7,7 @@ yarn 1.22.4
 k6 0.34.1
 terraform 1.2.0
 terraform-docs 0.12.1
-tflint 0.28.1
+tflint 0.43.0
 java openjdk-21.0.1
 gradle 7.3.1
 postgres 14.2

docker/otp-provider/.env.example

@@ -1,5 +1,15 @@
+DB_NAME=
+DB_USERNAME=
+DB_PASSWORD=
+DB_HOSTNAME=localhost
+DB_PORT=5432
+NODE_ENV=development
+APP_URL=http://localhost:8080
 CHES_USERNAME=
 CHES_PASSWORD=
-CHES_EMAIL_URL=
+CHES_API_URL=
 CHES_TOKEN_URL=
 LOG_LEVEL=info
+COOKIE_SECRETS="s3cr3t1,s3cr3t1,s3cr3t2"
+JWKS=
+CORS_ORIGINS=*

docker/otp-provider/.tool-versions

@@ -0,0 +1,4 @@
+nodejs 22.15.0
+yarn 1.22.22
+postgres 15.13
+tflint 0.43.0

docker/otp-provider/Dockerfile

@@ -0,0 +1,18 @@
+FROM node:22-alpine
+
+# install yarn
+RUN apk add --no-cache yarn
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the rest of the application code
+COPY . .
+
+# Install dependencies
+RUN yarn install
+
+# Build the application
+RUN yarn build
+
+ENTRYPOINT [ "yarn", "start" ]

docker/otp-provider/README.md

@@ -1,10 +1,55 @@
 # One Time Password (OTP) Provider
 
+The One-Time Password (OTP) identity provider offers a low-assurance, passwordless authentication method. It verifies end-users by sending a temporary code to their email address and validating it against the code entered by the user.
+
+## Architecture Overview
+
+Client Application -> Authenticates via Keycloak
+Keycloak (Broker) -> Delegates authentication to Email OTP Identity Provider
+OTP Provider -> Authenticates user via email-based OTP and returns identity assertion
+
+## Authentication Flow
+
+- User accesses the client application, which redirects to Keycloak for authentication.
+- Keycloak presents the Email OTP provider as a login option (configured as an external identity provider).
+- User selects the OTP provider, and Keycloak redirects the user to the provider’s login page.
+- User enters their email address, and the provider sends an OTP to that address.
+- User enters the OTP, and the provider validates it.
+- Upon success, the provider redirects back to Keycloak with an identity token (OIDC or SAML).
+- Keycloak maps the external identity to a local user (via mappers or first-login flow).
+- Keycloak issues its own tokens (access, ID, refresh) to the client application.
+
 ## Installation
 
 - Create `.env` from `.env.example` and update all the values
 - Run `yarn` to install all the dependencies
 - Run `yarn dev` to start a local server
+- Run `yarn build` to create a javascript bundle for production deployment
+- Run `yarn start` to run the javascript bundle
+
+## Test Data
+
+- Given the application and database are up and database migration is successfully complete, run below SQL to add a client for testing purposes.
+  ```sql
+  INSERT
+  	INTO
+  	"ClientConfig" ("clientId",
+  	"clientSecret",
+  	"grantTypes",
+  	"redirectUris",
+  	"scope",
+  	"responseTypes",
+  	"clientUri",
+  	"postLogoutRedirectUris")
+  VALUES('conf-client',
+  's3cr3t',
+  '{authorization_code, refresh_token}',
+  '{http://localhost:3001}',
+  'openid email',
+  '{code}',
+  'http://localhost:3001',
+  '{http://localhost:3001}');
+  ```
 
 ## References
 

docker/otp-provider/docker-compose.yaml

@@ -0,0 +1,43 @@
+version: '3.9'
+services:
+  otp-db:
+    image: postgres:15
+    container_name: otp-db
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: otp
+    ports:
+      - '5432:5432'
+    volumes:
+      - otp-db-data:/var/lib/postgresql/data
+    networks:
+      - sso-otp-network
+  otp-provider:
+    image: sso-otp-provider:dev
+    container_name: otp-provider
+    environment:
+      DB_HOSTNAME: otp-db
+      DB_PORT: 5432
+      DB_USERNAME: postgres
+      DB_PASSWORD: postgres
+      DB_NAME: otp
+      NODE_ENV: development
+      APP_URL: http://localhost:8080
+      CHES_EMAIL_URL: https://ches.api.gov.bc.ca/api/v1/email
+      CHES_TOKEN_URL: https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token
+      LOG_LEVEL: debug
+      COOKIE_SECRETS: 's3cr3t1,s3cr3t1,s3cr3t2'
+    ports:
+      - '8080:8080'
+    depends_on:
+      - otp-db
+    networks:
+      - sso-otp-network
+
+volumes:
+  otp-db-data:
+    driver: local
+
+networks:
+  sso-otp-network: {}

docker/otp-provider/nodemon.json

@@ -1,6 +1,6 @@
 {
-  "watch": ["src"],
+  "watch": ["src", ".env"],
   "ext": "ts",
   "ignore": ["build"],
-  "exec": "ts-node --esm src/server.ts"
+  "exec": "tsx --env-file=.env src/server.ts"
 }

docker/otp-provider/package.json

@@ -5,23 +5,28 @@
   "license": "MIT",
   "type": "module",
   "scripts": {
-    "build": "npx tsc -p .",
-    "start:prod": "node .",
+    "build": "tsup --config src/tsup.config.ts",
+    "start": "node ./build/server.js",
     "dev": "nodemon"
   },
   "dependencies": {
     "axios": "^1.8.4",
-    "body-parser": "^2.2.0",
     "cors": "^2.8.5",
     "crypto": "^1.0.1",
     "desm": "^1.3.1",
     "dotenv": "^16.4.7",
     "ejs": "^3.1.10",
     "express": "^4.21.2",
+    "express-rate-limit": "^7.5.0",
     "express-session": "^1.18.1",
+    "helmet": "^8.1.0",
     "https": "^1.0.0",
+    "keygrip": "^1.1.0",
     "lodash.isempty": "^4.4.0",
     "oidc-provider": "^8.8.1",
+    "pg": "^8.16.0",
+    "sequelize": "^6.37.7",
+    "umzug": "^3.8.2",
     "winston": "^3.17.0"
   },
   "devDependencies": {
@@ -31,6 +36,8 @@
     "@types/morgan": "^1.9.9",
     "@types/nodemailer": "^6.4.17",
     "@types/oidc-provider": "^8.8.1",
+    "@types/pg": "^8.15.2",
+    "esbuild": "^0.25.4",
     "eslint": "^9.23.0",
     "eslint-config-prettier": "^10.1.1",
     "eslint-plugin-node": "^11.1.0",
@@ -39,6 +46,8 @@
     "nodemon": "^3.1.9",
     "prettier": "^3.5.3",
     "ts-node": "^10.9.2",
+    "tsup": "^8.5.0",
+    "tsx": "^4.19.4",
     "typescript": "^5.8.2"
   }
 }