feat(wabe): throw error if cookie session or csrfToken protection enabled without jwt secret (#267)

* feat(wabe): throw an error if no jwt secret is provided with cookie session

* feat: more tests

* fix: test helper

* feat: error before

* fix: ci

* fix: test

Author: coratgerl

packages/wabe-mongodb/utils/testHelper.ts

@@ -28,6 +28,9 @@ export const setupTests = async (
 			},
 		},
 		port,
+		security: {
+			disableCSRFProtection: true,
+		},
 		schema: {
 			classes: [
 				...additionalClasses,

packages/wabe-postgres-launcher/src/index.ts

@@ -64,6 +64,8 @@ export const startPostgres = async (): Promise<void> => {
 
 		console.info('PostgreSQL started')
 	} catch (error: any) {
+		console.error('An error occurred:', error)
+
 		if (error.message.includes('there a typo in the url or port')) {
 			console.error('You need to run Docker on your machine')
 			process.exit(1)
@@ -87,7 +89,5 @@ export const startPostgres = async (): Promise<void> => {
 		} catch (cleanupError) {
 			console.error('Error during cleanup:', cleanupError)
 		}
-
-		console.error('An error occurred:', error)
 	}
 }

packages/wabe-postgres/src/index.test.ts

@@ -440,6 +440,9 @@ describe('Postgres adapter', () => {
 				}),
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 			schema: {
 				classes: [
 					{
@@ -466,6 +469,9 @@ describe('Postgres adapter', () => {
 					databaseName: databaseId,
 				}),
 			},
+			security: {
+				disableCSRFProtection: true,
+			},
 			port: port2,
 			schema: {
 				classes: [

packages/wabe-postgres/utils/testHelper.ts

@@ -30,6 +30,9 @@ export const setupTests = async (
 				cookieSession: true,
 			},
 		},
+		security: {
+			disableCSRFProtection: true,
+		},
 		port,
 		schema: {
 			classes: [

packages/wabe/src/graphql/GraphQLSchema.test.ts

@@ -28,6 +28,9 @@ const createWabe = async (schema: SchemaInterface<DevWabeTypes>) => {
 			// @ts-expect-error
 			adapter: await getDatabaseAdapter(databaseId),
 		},
+		security: {
+			disableCSRFProtection: true,
+		},
 	})
 
 	await wabe.start()

packages/wabe/src/server/index.test.ts

@@ -10,6 +10,85 @@ import { getDatabaseAdapter } from '../utils/testHelper'
 import { RoleEnum } from 'generated/wabe'
 
 describe('Server', () => {
+	it('should throw error if no jwt secret provided but cookie session choosen', async () => {
+		const databaseId = uuid()
+
+		const port = await getPort()
+		const wabe = new Wabe({
+			isProduction: false,
+			rootKey:
+				'eIUbb9abFa8PJGRfRwgiGSCU0fGnLErph2QYjigDRjLsbyNA3fZJ8Npd0FJNzxAc',
+			database: {
+				// @ts-expect-error
+				adapter: await getDatabaseAdapter(databaseId),
+			},
+			port,
+			authentication: {
+				// @ts-expect-error
+				session: {
+					cookieSession: true,
+				},
+			},
+			routes: [
+				{
+					handler: (ctx) => ctx.res.send('Hello World!'),
+					path: '/hello',
+					method: 'GET',
+				},
+			],
+			schema: {
+				classes: [
+					{
+						name: 'Collection1',
+						fields: { name: { type: 'String' } },
+					},
+				],
+			},
+		})
+
+		expect(wabe.start()).rejects.toThrow(
+			'Authentication with cookie needs jwt secret',
+		)
+	})
+
+	it('should throw error if no jwt secret provided but csrf protection is enabled', async () => {
+		const databaseId = uuid()
+
+		const port = await getPort()
+		const wabe = new Wabe({
+			isProduction: false,
+			rootKey:
+				'eIUbb9abFa8PJGRfRwgiGSCU0fGnLErph2QYjigDRjLsbyNA3fZJ8Npd0FJNzxAc',
+			database: {
+				// @ts-expect-error
+				adapter: await getDatabaseAdapter(databaseId),
+			},
+			port,
+			security: {
+				disableCSRFProtection: false,
+			},
+			routes: [
+				{
+					handler: (ctx) => ctx.res.send('Hello World!'),
+					path: '/hello',
+					method: 'GET',
+				},
+			],
+			schema: {
+				classes: [
+					{
+						name: 'Collection1',
+						fields: { name: { type: 'String' } },
+					},
+				],
+			},
+		})
+
+		expect(wabe.start()).rejects.toThrow(
+			'Authentication with cookie needs jwt secret',
+		)
+	})
+
 	it('should mask graphql errors message', async () => {
 		spyOn(console, 'error').mockReturnValue()
 		const databaseId = uuid()
@@ -25,6 +104,7 @@ describe('Server', () => {
 			},
 			security: {
 				hideSensitiveErrorMessage: true,
+				disableCSRFProtection: true,
 			},
 			port,
 			schema: {
@@ -68,6 +148,9 @@ describe('Server', () => {
 				// @ts-expect-error
 				adapter: await getDatabaseAdapter(databaseId),
 			},
+			security: {
+				disableCSRFProtection: true,
+			},
 			port,
 			routes: [
 				{
@@ -105,6 +188,9 @@ describe('Server', () => {
 				// @ts-expect-error
 				adapter: await getDatabaseAdapter(databaseId),
 			},
+			security: {
+				disableCSRFProtection: true,
+			},
 			port,
 			schema: {
 				classes: [
@@ -158,6 +244,9 @@ describe('Server', () => {
 				// @ts-expect-error
 				adapter: await getDatabaseAdapter(databaseId),
 			},
+			security: {
+				disableCSRFProtection: true,
+			},
 			port,
 			schema: {
 				classes: [
@@ -191,6 +280,9 @@ describe('Server', () => {
 				adapter: await getDatabaseAdapter(databaseId),
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 			schema: {
 				classes: [
 					{
@@ -223,6 +315,9 @@ describe('Server', () => {
 						// @ts-expect-error
 						adapter: await getDatabaseAdapter(databaseId),
 					},
+					security: {
+						disableCSRFProtection: true,
+					},
 					port,
 					hooks: [
 						{
@@ -244,6 +339,9 @@ describe('Server', () => {
 						// @ts-expect-error
 						adapter: await getDatabaseAdapter(databaseId),
 					},
+					security: {
+						disableCSRFProtection: true,
+					},
 					port,
 					hooks: [],
 				}),
@@ -260,6 +358,9 @@ describe('Server', () => {
 						adapter: await getDatabaseAdapter(databaseId),
 					},
 					port,
+					security: {
+						disableCSRFProtection: true,
+					},
 					hooks: [
 						{
 							operationType: OperationType.BeforeCreate,
@@ -284,6 +385,9 @@ describe('Server', () => {
 				adapter: await getDatabaseAdapter(databaseId),
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 		})
 
 		await wabe.start()
@@ -311,6 +415,9 @@ describe('Server', () => {
 				adapter: await getDatabaseAdapter(databaseId),
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 			schema: {
 				classes: [
 					{
@@ -350,6 +457,9 @@ describe('Server', () => {
 				adapter: await getDatabaseAdapter(databaseId),
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 			schema: {
 				classes: [
 					{
@@ -396,6 +506,9 @@ describe('Server', () => {
 				roles: ['Client'],
 			},
 			port,
+			security: {
+				disableCSRFProtection: true,
+			},
 		})
 
 		await wabeMain.start()
@@ -424,6 +537,9 @@ describe('Server', () => {
 					}
 				},
 			},
+			security: {
+				disableCSRFProtection: true,
+			},
 			schema: {
 				classes: [
 					{

packages/wabe/src/server/index.ts

@@ -218,6 +218,13 @@ export class Wabe<T extends WabeTypes> {
 	}
 
 	async start() {
+		if (
+			!this.config.authentication?.session?.jwtSecret &&
+			(this.config.authentication?.session?.cookieSession ||
+				!this.config.security?.disableCSRFProtection)
+		)
+			throw new Error('Authentication with cookie needs jwt secret')
+
 		const wabeSchema = new Schema(this.config)
 
 		this.config.schema = wabeSchema.schema