chore(vendor): update @lightbasenl/backend (#95)

_This PR is created by sync and will be force-pushed daily. Overwriting
any manual changes done to this PR._

- feat(backend): fix digid xml signature checks
(lightbasenl/platform-components@b335a6c)
- chore(deps): Bump the production group across 1 directory with 2
updates (lightbasenl/platform-components#1320)
(lightbasenl/platform-components@cb23ae0)
- feat(backend): add feature-flag and tenant cache
(lightbasenl/platform-components@2bd3d58)
- chore(deps-dev): Bump the development group across 1 directory with 11
updates (lightbasenl/platform-components#1319)
(lightbasenl/platform-components@1e0a999)-
Failed to execute `npx compas lint`. Sync is not able to correct this,
so human checks and fixes are necessary for this PR.

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: mathijslightbase

package-lock.json

@@ -13,9 +13,10 @@
   ],
   "scripts": {},
   "dependencies": {
+    "@lightbase/pull-through-cache": "0.1.2",
     "@xmldom/xmldom": "0.8.10",
     "bcrypt": "5.1.1",
-    "rate-limiter-flexible": "5.0.0",
+    "rate-limiter-flexible": "5.0.3",
     "speakeasy": "2.0.0",
     "xml-crypto": "6.0.0",
     "xpath": "0.0.34"
@@ -29,5 +30,5 @@
     "url": "https://github.com/lightbasenl/platform-components.git",
     "directory": "packages/backend"
   },
-  "gitHead": "10d17891e252e6f8d231a26057f41ea8189ee3ea"
+  "gitHead": "b335a6c8aa6f5e14489b582b02b6fa45beda00b6"
 }

vendor/backend/package.json

@@ -37,13 +37,6 @@ const cryptoSignAlgorithm = "RSA-SHA256";
  */
 let certificateChain = undefined;
 
-/**
- * Public key used to verify payload signatures that we got from DigiD
- *
- * @type {string|undefined}
- */
-let digidPublicKey = undefined;
-
 /**
  * @typedef {object} AuthDigidBasedRegisterBody
  * @property {string} bsn
@@ -552,7 +545,9 @@ async function authDigidBasedVerifySignaturesForXmlPayload(event, payload) {
 
   for (const sig of signatures) {
     const xmlSigner = new xmlCrypto.SignedXml({
-      publicCert: getDigidPublicKey(),
+      getCertFromKeyInfo: xmlCrypto.SignedXml.getCertFromKeyInfo,
+      canonicalizationAlgorithm: "http://www.w3.org/2001/10/xml-exc-c14n#",
+      signatureAlgorithm,
     });
 
     xmlSigner.loadSignature(sig);
@@ -670,12 +665,22 @@ function authDigidBasedVerifyArtifactStatus(
   subStatus,
   subSubStatus,
 ) {
+  const errInfo = AppError.serverError({
+    mainStatus,
+    subStatus,
+    subSubStatus,
+  });
+
   if (mainStatus.indexOf("urn:oasis:names:tc:SAML:2.0:status:Success") !== -1) {
     if (
       subSubStatus.indexOf("urn:oasis:names:tc:SAML:2.0:status:AuthnFailed") !==
       -1
     ) {
-      throw new AppError("authDigidBased.resolveArtifact.aborted", 401);
+      throw new AppError(
+        "authDigidBased.resolveArtifact.aborted",
+        401,
+        errInfo,
+      );
     }
     return;
   }
@@ -690,7 +695,7 @@ function authDigidBasedVerifyArtifactStatus(
   if (
     subStatus.indexOf("urn:oasis:names:tc:SAML:2.0:status:AuthnFailed") !== -1
   ) {
-    throw new AppError("authDigidBased.resolveArtifact.aborted", 401);
+    throw new AppError("authDigidBased.resolveArtifact.aborted", 401, errInfo);
   }
 
   if (
@@ -700,19 +705,27 @@ function authDigidBasedVerifyArtifactStatus(
     throw new AppError(
       "authDigidBased.resolveArtifact.insufficientSecurityLevel",
       401,
+      errInfo,
     );
   }
 
   if (
     subStatus.indexOf("urn:oasis:names:tc:SAML:2.0:status:RequestDenied") !== -1
   ) {
-    throw new AppError("authDigidBased.resolveArtifact.invalidSAMLArt", 401);
+    throw new AppError(
+      "authDigidBased.resolveArtifact.invalidSAMLArt",
+      401,
+      errInfo,
+    );
   }
 
-  throw AppError.serverError({
-    message: "Unknown DigiD SAML error when resolving artifact",
-    ourError,
-  });
+  throw AppError.serverError(
+    {
+      message: "Unknown DigiD SAML error when resolving artifact",
+      ourError,
+    },
+    errInfo,
+  );
 }
 
 /**
@@ -755,26 +768,3 @@ function getCertificateChain() {
 
   return certificateChain;
 }
-
-/**
- * Sync read operation, since it only happens once.
- *
- * @returns {string}
- */
-function getDigidPublicKey() {
-  if (isNil(digidPublicKey)) {
-    if (isStaging()) {
-      digidPublicKey = readFileSync(
-        pathJoin(dirnameForModule(import.meta), "assets/digid-dev.pub.pem"),
-        "utf-8",
-      );
-    } else {
-      digidPublicKey = readFileSync(
-        pathJoin(dirnameForModule(import.meta), "assets/digid-prod.pub.pem"),
-        "utf-8",
-      );
-    }
-  }
-
-  return digidPublicKey;
-}

vendor/backend/src/auth/digid-based/assets/digid-dev.pub.pem

@@ -0,0 +1,40 @@
+import { AppError } from "@compas/stdlib";
+import { PullThroughCache } from "@lightbase/pull-through-cache";
+import { queryFeatureFlag, sql } from "../services.js";
+
+/**
+ * Short TTL feature flag cache. Keeps all flags for 5 seconds in memory,
+ *
+ * @type {PullThroughCache<FeatureFlagIdentifier, BackendFeatureFlag>}
+ */
+export const featureFlagCache = new PullThroughCache()
+  .withTTL({
+    // Note the value is in milliseconds.
+    // We don't want to expand this value too much. This could enable
+    // race-conditions between the TTL in different instances.
+    ttl: 5 * 1000,
+  })
+  .withFetcher({
+    fetcher: featureFlagFetcher,
+  });
+
+/**
+ *
+ * @param {PullThroughCache<FeatureFlagIdentifier, BackendFeatureFlag>} _cache
+ * @param {FeatureFlagIdentifier} key
+ * @returns {Promise<BackendFeatureFlag>}
+ */
+async function featureFlagFetcher(_cache, key) {
+  const flags = await queryFeatureFlag({}).exec(sql);
+  _cache.setMany(flags.map((it) => [it.name, it]));
+
+  const foundValue = flags.find((it) => it.name === key);
+  if (!foundValue) {
+    throw AppError.serverError({
+      message: "Received a feature flag identifier that doesn't exist.",
+      identifier: key,
+    });
+  }
+
+  return foundValue;
+}

vendor/backend/src/auth/digid-based/assets/digid-prod.pub.pem

@@ -1,5 +1,6 @@
 import { AppError, eventStart, eventStop, isNil } from "@compas/stdlib";
 import { featureFlags, queries, queryFeatureFlag, sql } from "../services.js";
+import { featureFlagCache } from "./cache.js";
 
 /**
  * Get current feature flags.
@@ -11,7 +12,19 @@ import { featureFlags, queries, queryFeatureFlag, sql } from "../services.js";
 export async function featureFlagCurrent(event, tenant) {
   eventStart(event, "featureFlag.current");
 
-  const flags = await queryFeatureFlag({}).exec(sql);
+  let flags = featureFlagCache.getAll();
+  if (!featureFlagCache.isEnabled()) {
+    flags = await queryFeatureFlag({}).exec(sql);
+  }
+
+  if (
+    featureFlagCache.isEnabled() &&
+    flags.length !== featureFlags.availableFlags.length
+  ) {
+    // The cache is empty / everything expired, fetch a single key to prime the cache.
+    await featureFlagCache.get(featureFlags.availableFlags[0]);
+    flags = featureFlagCache.getAll();
+  }
 
   /**
    * @type {FeatureFlagCurrentResponse}
@@ -94,19 +107,7 @@ export async function featureFlagSyncAvailableFlags(event, sql) {
 export async function featureFlagGetDynamic(event, tenant, user, identifier) {
   eventStart(event, "featureFlag.getDynamic");
 
-  const [flag] = await queryFeatureFlag({
-    where: {
-      name: identifier,
-    },
-  }).exec(sql);
-
-  if (isNil(flag) || flag.name !== identifier) {
-    throw AppError.serverError({
-      message: "Received a feature flag identifier that doesn't exist.",
-      identifier,
-    });
-  }
-
+  const flag = await featureFlagCache.get(identifier);
   const tenantSpecificValue = flag?.tenantValues?.[tenant?.tenant?.name];
 
   eventStop(event);
@@ -155,5 +156,11 @@ export async function featureFlagSetDynamic(
     },
   });
 
+  if (featureFlagCache.isEnabled()) {
+    // Clear the cache if enabled. This method function is often only used in test code, which most likely disables the cache anyways.
+    featureFlagCache.disable();
+    featureFlagCache.enable();
+  }
+
   eventStop(event);
 }

vendor/backend/src/auth/digid-based/events.js

@@ -7,6 +7,7 @@ export { backendGetTenantAndUser } from "./events.js";
 export { extendWithManagement } from "./management/structure.js";
 export { managementInvalidateUsers } from "./management/jobs.js";
 
+export { tenantCache } from "./multitenant/cache.js";
 export {
   multitenantConfigForTenant,
   multitenantEnabledTenantNames,
@@ -17,6 +18,7 @@ export {
 } from "./multitenant/events.js";
 
 export { extendWithFeatureFlag } from "./feature-flag/structure.js";
+export { featureFlagCache } from "./feature-flag/cache.js";
 export {
   featureFlagGetDynamic,
   featureFlagSetDynamic,