refactor: Use the Docker Compose Keycloak instance by default

lamppu · lamppu · commit c33f33a71c1e · 2025-03-28T18:01:24.000+02:00
Signed-off-by: Johanna Lamppu &lt;johanna.lamppu@doubleopen.org&gt;
diff --git a/.env.example b/.env.example
@@ -10,14 +10,6 @@
 # Prisma doesn't currently support giving a default value in case DATABASE_URL is empty, see https://github.com/prisma/prisma/issues/222
 DATABASE_URL=
 
-# Keycloak variables for the API and UI
-KEYCLOAK_URL=
-KEYCLOAK_REALM=
-KEYCLOAK_CLIENT_ID_API=
-KEYCLOAK_CLIENT_SECRET_API=
-KEYCLOAK_CLIENT_ID_UI=
-KEYCLOAK_CLIENT_SECRET_UI=
-
 # API URL
 NEXT_PUBLIC_API_URL=http://localhost:5000/api/
 
@@ -32,6 +24,14 @@ E2E_USER_PASSWORD=
 # Compulsory in production (aka when NODE_ENV=production):
 ##########################################################################
 
+# Keycloak variables for the API and UI
+KEYCLOAK_URL=
+KEYCLOAK_REALM=
+KEYCLOAK_CLIENT_ID_API=
+KEYCLOAK_CLIENT_SECRET_API=
+KEYCLOAK_CLIENT_ID_UI=
+KEYCLOAK_CLIENT_SECRET_UI=
+
 # NEXTAUTH specific settings
 NEXTAUTH_URL= # http://localhost:3000
 NEXTAUTH_SECRET=
diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
@@ -41,10 +41,6 @@ jobs:
               env:
                   NODE_ENV: test
                   NEXT_PUBLIC_API_URL: http://localhost:5000
-                  KEYCLOAK_URL: https://keycloak.example.com
-                  KEYCLOAK_REALM: example
-                  KEYCLOAK_CLIENT_ID_UI: example-ui
-                  KEYCLOAK_CLIENT_SECRET_UI: example-ui-secret
 
             - name: Run tests
               run: npm run test
diff --git a/README.md b/README.md
@@ -42,12 +42,6 @@ To run this project you will need Node.js, npm and Docker installed.
 
     ```shell
     DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
-    KEYCLOAK_URL=
-    KEYCLOAK_REALM=
-    KEYCLOAK_CLIENT_ID_API=
-    KEYCLOAK_CLIENT_SECRET_API=
-    KEYCLOAK_CLIENT_ID_UI=
-    KEYCLOAK_CLIENT_SECRET_UI=
     E2E_USER_USERNAME=
     E2E_USER_PASSWORD=
     ```
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -16,6 +16,7 @@
         "adm-zip": "0.5.16",
         "braces": "^3.0.3",
         "bull": "4.16.5",
+        "common-helpers": "*",
         "compression": "1.8.0",
         "connect-pg-simple": "10.0.0",
         "cookie-parser": "1.4.7",
diff --git a/apps/api/src/@types/express.d.ts b/apps/api/src/@types/express.d.ts
@@ -31,7 +31,8 @@ declare namespace Express {
                             roles: string[];
                         };
                         resource_access: {
-                            [process.env.KEYCLOAK_CLIENT_ID_API]: {
+                            [process.env.KEYCLOAK_CLIENT_ID_API ||
+                                "dos-dev-api"]: {
                                 roles: string[];
                             };
                             account: {
diff --git a/apps/api/src/config/keycloak.ts b/apps/api/src/config/keycloak.ts
@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+import { authConfig } from "common-helpers";
 import genFunc from "connect-pg-simple";
 import type { Request, Response } from "express";
 import session from "express-session";
@@ -20,9 +21,9 @@ const memoryStore = new PostgresqlStore({
 });
 
 const keycloakConfig: KeycloakConfig = {
-    realm: process.env.KEYCLOAK_REALM!,
-    resource: process.env.KEYCLOAK_CLIENT_ID_API!,
-    "auth-server-url": process.env.KEYCLOAK_URL!,
+    realm: authConfig.realm,
+    resource: authConfig.clientIdAPI,
+    "auth-server-url": authConfig.url,
     "bearer-only": true,
     "confidential-port": 0,
     "ssl-required": "external",
diff --git a/apps/api/src/helpers/keycloak_queries.ts b/apps/api/src/helpers/keycloak_queries.ts
@@ -4,14 +4,12 @@
 
 import { Zodios, ZodiosResponseByAlias } from "@zodios/core";
 import { isAxiosError } from "axios";
+import { authConfig } from "common-helpers";
 import NodeCache from "node-cache";
 import { keycloakAPI, type ClientCredentialsToken } from "validation-helpers";
 import { CustomError } from "./custom_error";
 
-const kcClient = new Zodios(
-    process.env.KEYCLOAK_URL || "https://auth.dev.doubleopen.io/",
-    keycloakAPI,
-);
+const kcClient = new Zodios(authConfig.url, keycloakAPI);
 
 const cache = new NodeCache({ stdTTL: 5 * 60, checkperiod: 60 });
 
@@ -34,16 +32,16 @@ export const getAccessToken = async (): Promise<ClientCredentialsToken> => {
         try {
             const accessToken = (await kcClient.PostToken(
                 {
-                    client_id: process.env.KEYCLOAK_CLIENT_ID_API!,
+                    client_id: authConfig.clientIdAPI,
                     grant_type: "client_credentials",
-                    client_secret: process.env.KEYCLOAK_CLIENT_SECRET_API!,
+                    client_secret: authConfig.clientSecretAPI,
                 },
                 {
                     headers: {
                         "Content-Type": "application/x-www-form-urlencoded",
                     },
                     params: {
-                        realm: process.env.KEYCLOAK_REALM!,
+                        realm: authConfig.realm,
                     },
                 },
             )) as ClientCredentialsToken; // The endpoint provides a union type, but we know it's a ClientCredentialsToken with this type of request
@@ -100,7 +98,7 @@ export const logoutUser = async (
             const token = await getAccessToken();
             await kcClient.LogoutUser(undefined, {
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                     id: userId,
                 },
                 headers: {
@@ -173,7 +171,7 @@ export const createUser = async (data: {
             const token = await getAccessToken();
             await kcClient.CreateUser(data, {
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                 },
                 headers: {
                     Authorization: "Bearer " + token.access_token,
@@ -239,7 +237,7 @@ export const deleteUser = async (userId: string): Promise<boolean> => {
             const token = await getAccessToken();
             await kcClient.DeleteUser(undefined, {
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                     id: userId,
                 },
                 headers: {
@@ -294,7 +292,7 @@ export const getRealmRoles = async (): Promise<RealmRole[]> => {
             const token = await getAccessToken();
             roles = await kcClient.GetRealmRoles({
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                 },
                 headers: {
                     Authorization: "Bearer " + token.access_token,
@@ -360,7 +358,7 @@ export const addRealmRolesToUser = async (
 
             await kcClient.AddRealmRoleToUser(roles, {
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                     id: userId,
                 },
                 headers: {
@@ -420,7 +418,7 @@ export const getUsers = async (
             const token = await getAccessToken();
             users = await kcClient.GetUsers({
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                 },
                 queries: {
                     username: username,
@@ -496,7 +494,7 @@ export const updateUser = async (
             const token = await getAccessToken();
             await kcClient.UpdateUser(data, {
                 params: {
-                    realm: process.env.KEYCLOAK_REALM!,
+                    realm: authConfig.realm,
                     id: userId,
                 },
                 headers: {
diff --git a/apps/api/src/middlewares/authz_permission.ts b/apps/api/src/middlewares/authz_permission.ts
@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+import { authConfig } from "common-helpers";
 import { NextFunction, Request, Response } from "express";
 import { authorizationByPermission } from "keycloak-authorization-services";
 import log from "loglevel";
@@ -16,13 +17,13 @@ export const authzPermission = (permission: {
     scopes: string[];
 }) => {
     const config = {
-        baseUrl: process.env.KEYCLOAK_URL!,
-        realm: process.env.KEYCLOAK_REALM!,
+        baseUrl: authConfig.url,
+        realm: authConfig.realm,
     };
 
     const options = {
         permission,
-        audience: process.env.KEYCLOAK_CLIENT_ID_API!,
+        audience: authConfig.clientIdAPI,
     };
 
     return async function customAuthorizationMiddleware(
diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
@@ -18,16 +18,14 @@ import { onStartUp } from "./helpers/on_start_up";
 import { adminRouter, authRouter, scannerRouter, userRouter } from "./routes";
 import QueueService from "./services/queue";
 
-const requiredEnvVars: string[] = [
-    "DATABASE_URL",
-    "KEYCLOAK_URL",
-    "KEYCLOAK_REALM",
-    "KEYCLOAK_CLIENT_ID_API",
-    "KEYCLOAK_CLIENT_SECRET_API",
-];
+const requiredEnvVars: string[] = ["DATABASE_URL"];
 
 if (process.env.NODE_ENV === "production") {
     requiredEnvVars.push(
+        "KEYCLOAK_URL",
+        "KEYCLOAK_REALM",
+        "KEYCLOAK_CLIENT_ID_API",
+        "KEYCLOAK_CLIENT_SECRET_API",
         "SESSION_SECRET",
         "COOKIE_SECRET",
         "SPACES_ENDPOINT",
diff --git a/apps/clearance_ui/package.json b/apps/clearance_ui/package.json
@@ -43,6 +43,7 @@
         "class-variance-authority": "0.7.1",
         "clsx": "2.1.1",
         "cmdk": "1.1.1",
+        "common-helpers": "*",
         "generate-password": "1.7.1",
         "js-yaml": "4.1.0",
         "lodash.debounce": "4.0.8",
diff --git a/apps/clearance_ui/src/pages/api/auth/[...nextauth].ts b/apps/clearance_ui/src/pages/api/auth/[...nextauth].ts
@@ -11,34 +11,16 @@
 
 import { Zodios } from "@zodios/core";
 import { isAxiosError } from "axios";
+import { authConfig } from "common-helpers";
 import NextAuth from "next-auth";
 import type { JWT } from "next-auth/jwt";
 import KeycloakProvider from "next-auth/providers/keycloak";
 import { keycloakAPI, type Token } from "validation-helpers";
 
-const keycloakUrl = process.env.KEYCLOAK_URL;
-
-if (!keycloakUrl) {
-    throw new Error("KEYCLOAK_URL not set");
-}
-
-const keycloakRealm = process.env.KEYCLOAK_REALM;
-
-if (!keycloakRealm) {
-    throw new Error("KEYCLOAK_REALM not set");
-}
-
-const keycloakClientIdUi = process.env.KEYCLOAK_CLIENT_ID_UI;
-
-if (!keycloakClientIdUi) {
-    throw new Error("KEYCLOAK_CLIENT_ID_UI not set");
-}
-
-const keycloakClientSecretUi = process.env.KEYCLOAK_CLIENT_SECRET_UI;
-
-if (!keycloakClientSecretUi) {
-    throw new Error("KEYCLOAK_CLIENT_SECRET_UI not set");
-}
+const keycloakUrl = authConfig.url;
+const keycloakRealm = authConfig.realm;
+const keycloakClientIdUi = authConfig.clientIdUI;
+const keycloakClientSecretUi = authConfig.clientSecretUI;
 
 const kcClient = new Zodios(keycloakUrl, keycloakAPI);
 
@@ -49,12 +31,6 @@ const kcClient = new Zodios(keycloakUrl, keycloakAPI);
  */
 async function refreshAccessToken(token: JWT) {
     let retries = 3;
-    if (!keycloakClientIdUi) {
-        throw new Error("KEYCLOAK_CLIENT_ID_UI not set");
-    }
-    if (!keycloakRealm) {
-        throw new Error("KEYCLOAK_REALM not set");
-    }
 
     while (retries > 0) {
         try {
diff --git a/apps/clearance_ui/src/pages/api/authz/permissions.ts b/apps/clearance_ui/src/pages/api/authz/permissions.ts
@@ -4,6 +4,7 @@
 
 import { Zodios } from "@zodios/core";
 import { isAxiosError } from "axios";
+import { authConfig } from "common-helpers";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { NextResponse } from "next/server";
 import NodeCache from "node-cache";
@@ -12,30 +13,13 @@ import { keycloakAPI, type Permissions } from "validation-helpers";
 // Use a cache to store the permissions for a short time
 const cache = new NodeCache({ stdTTL: 5 * 60, checkperiod: 60 });
 
-const keycloakUrl = process.env.KEYCLOAK_URL;
-
-if (!keycloakUrl) {
-    throw new Error("KEYCLOAK_URL not set");
-}
-
-const kcClient = new Zodios(keycloakUrl, keycloakAPI);
+const kcClient = new Zodios(authConfig.url, keycloakAPI);
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse<Permissions>,
 ) {
     try {
-        const keycloakClientIdApi = process.env.KEYCLOAK_CLIENT_ID_API;
-
-        if (!keycloakClientIdApi) {
-            throw new Error("KEYCLOAK_CLIENT_ID_API not set");
-        }
-
-        const keycloakRealm = process.env.KEYCLOAK_REALM;
-
-        if (!keycloakRealm) {
-            throw new Error("KEYCLOAK_REALM not set");
-        }
         // Check if the permissions are in the cache
         let permissions: Permissions | undefined = cache.get(
             req.headers.authorization as string,
@@ -45,12 +29,12 @@ export default async function handler(
             permissions = (await kcClient.PostToken(
                 {
                     grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
-                    audience: keycloakClientIdApi,
+                    audience: authConfig.clientIdAPI,
                     response_mode: "permissions",
                 },
                 {
                     params: {
-                        realm: keycloakRealm,
+                        realm: authConfig.realm,
                     },
                     headers: {
                         "Content-Type": "application/x-www-form-urlencoded",
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/common-helpers/index.d.ts b/packages/common-helpers/index.d.ts
@@ -4,4 +4,13 @@
 
 declare const getCurrentDateTime: () => string;
 
-export { getCurrentDateTime };
+declare const authConfig: {
+    url: string;
+    realm: string;
+    clientIdAPI: string;
+    clientSecretAPI: string;
+    clientIdUI: string;
+    clientSecretUI: string;
+};
+
+export { authConfig, getCurrentDateTime };
diff --git a/packages/common-helpers/src/authConfig.ts b/packages/common-helpers/src/authConfig.ts
diff --git a/packages/common-helpers/src/index.ts b/packages/common-helpers/src/index.ts
