[$250] Priority - Validate v3jwt token

[jmgasper]

@ThomasKranitsas - In src/app.js, we use the given cookie for the tcv3jwt token:

    actions.push((req, res, next) => {
      const v3jwt = _.get(req.cookies, constants.JWT_V3_NAME);
      if (v3jwt) {
        const decoded = jwtDecode(v3jwt);
        req.currentUser = {
          handle: decoded.handle.toLowerCase(),
          roles: decoded.roles,
        };
      }
      req.signature = `${def.controller}#${def.method}`;
      next();
    });

The problem is we aren't VALIDATING the JWT. This means that a user can login on x.topcoder-dev.com, change the domain for the token, and gain access to x.topcoder.com, which is obviously very, very bad.

I have taken down x.topcoder.com while we add JWT validation.

Let's do the following:

1. Add a new config value for JWT_SIGNATURE that allows us to set the JWT signature to use to validate
2. Using the signature, add code to validate the JWT before we use it anywhere on the site.

Dev and prod have different signatures for the JWT, so that should fix the problem.

Please use the code linked below https://github.com/appirio-tech/tc-core-library-js

[jmgasper]

Contest https://www.topcoder.com/challenges/30090376 has been created for this ticket.

This is an automated message for ghostar via Topcoder X

[mtwomey]

@jmgasper @ThomasKranitsas This is already fully implemented and standardized for all our node applications here: https://github.com/appirio-tech/tc-core-library-js

They should use this library as HS256 tokens (which is what you're using now) won't be supported very much longer. By using this lib, this application will get a "free" update when we move to RS256.

See this app for an example on using it: https://github.com/topcoder-platform/tc-email-service/

[jmgasper]

Contest https://www.topcoder.com/challenges/30090376 has been updated - the new changes has been updated for this ticket.

This is an automated message for ghostar via Topcoder X

[jmgasper]

Contest https://www.topcoder.com/challenges/30090376 has been updated - the new changes has been updated for this ticket.

This is an automated message for ghostar via Topcoder X

[jmgasper]

Contest https://www.topcoder.com/challenges/30090376 has been updated - it has been assigned to thomaskranitsas.

This is an automated message for ghostar via Topcoder X

[ThomasKranitsas]

#137

[jmgasper]

@ThomasKranitsas - Seeing issues here with validation, but that probably means things are working. Will close this out once we get the configuration corrected / figure out what's going on.

[jmgasper]

Contest https://www.topcoder.com/challenges/30090376 has been updated - the new changes has been updated for this ticket.

This is an automated message for ghostar via Topcoder X