Two ways to reach forms-api locally

Author: magnurh-cx

README.md

@@ -98,6 +98,18 @@ til url til den lokale instansen av innsending-api i miljøvariabelen `SEND_INN_
 
     SEND_INN_HOST=http://127.0.0.1:9064
 
+## Kjøre Bygger lokalt med integrasjon mot forms-api
+
+For kontinuerlig utvikling mot forms-api er det best å hente ned og kjøre https://github.com/navikt/forms-api lokalt.
+Sett miljøvariabelen `FORMS_API_URL` i byggeren sin `.env`-fil til riktig port på localhost. F.eks:
+
+    FORMS_API_URL=http://localhost:8082
+
+Alternativt kan du bruke [azure-token-generator](https://azure-token-generator.intern.dev.nav.no/api/obo?aud=dev-gcp:fyllut-sendinn:forms-api) (krever trygdeetaten-bruker) til å generere et midlertidig access token for å nå forms-api i preprod. Merk at tokenet kun er gyldig en begrenset periode. Legg til følgende miljøvariabler for å få tilgang.
+
+    FORMS_API_URL=https://forms-api.intern.dev.nav.no
+    FORMS_API_ACCESS_TOKEN=<access-token> // Bruk access_token fra responsen til azure-token-generator
+
 ## Teste publisering av skjema på lokal maskin
 
 Byggeren er konfigurert med default-verdier lokalt som sørger for at eventuelle publiseringer blir gjort mot en

packages/bygger-backend/src/config/index.ts

@@ -37,6 +37,8 @@ const optionalEnv = (name: string): string | undefined => {
 };
 
 const naisClusterName = env('NAIS_CLUSTER_NAME') as 'dev-gcp' | 'prod-gcp' | undefined;
+const isProduction = nodeEnv === 'production';
+const isDevelopment = nodeEnv === 'development';
 
 const config: ConfigType = {
   azure: {
@@ -95,6 +97,7 @@ const config: ConfigType = {
       user: env('FORMS_API_AD_GROUP_USER', devFormsApi.adGroups.user),
       admin: env('FORMS_API_AD_GROUP_ADMIN', devFormsApi.adGroups.admin),
     },
+    devToken: isDevelopment ? optionalEnv('FORMS_API_ACCESS_TOKEN') : undefined,
   },
   pusher: {
     cluster: env('PUSHER_CLUSTER', devPusher.cluster),
@@ -104,8 +107,8 @@ const config: ConfigType = {
   },
   nodeEnv,
   port: parseInt(process.env.PORT || '8080'),
-  isProduction: nodeEnv === 'production',
-  isDevelopment: nodeEnv === 'development',
+  isProduction,
+  isDevelopment,
   featureToggles: featureUtils.toFeatureToggles(env('ENABLED_FEATURES', devEnabledFeatures)),
   naisClusterName,
   frontendLoggerConfig: configUtils.loadJsonFromEnv('BYGGER_FRONTEND_LOGCONFIG'),

packages/bygger-backend/src/config/types.d.ts

@@ -40,6 +40,7 @@ export type FormsApiConfig = {
     user: string;
     admin: string;
   };
+  devToken?: string;
 };
 
 export type PusherConfig = {

packages/bygger-backend/src/routers/api/helpers/authHandlers.ts

@@ -2,11 +2,11 @@ import appConfig from '../../../config';
 import authorizedPublisher from './authorizedPublisher';
 import azureOnBehalfOfTokenHandler from './azureOnBehalfOfTokenHandler';
 
-const { naisClusterName } = appConfig;
+const { naisClusterName, formsApi } = appConfig;
 
 const authHandlers = {
   authorizedPublisher,
-  formsApiAuthHandler: azureOnBehalfOfTokenHandler(`${naisClusterName}.fyllut-sendinn.forms-api`),
+  formsApiAuthHandler: azureOnBehalfOfTokenHandler(`${naisClusterName}.fyllut-sendinn.forms-api`, formsApi.devToken),
 };
 
 export default authHandlers;

packages/bygger-backend/src/routers/api/helpers/azureOnBehalfOfTokenHandler.ts

@@ -7,38 +7,44 @@ import { UnauthorizedError } from './errors';
 
 const { azure, isDevelopment } = config;
 
-const azureOnBehalfOfTokenHandler = (scope: string) => async (req: Request, res: Response, next: NextFunction) => {
-  const accessToken = req.get('Authorization')?.replace('Bearer ', '');
+const azureOnBehalfOfTokenHandler =
+  (scope: string, devToken?: string) => async (req: Request, res: Response, next: NextFunction) => {
+    const accessToken = req.get('Authorization')?.replace('Bearer ', '');
 
-  if (isDevelopment) {
-    logger.info(`Skipping Azure access token fetch (scope='${scope}')`);
-    return next();
-  }
-
-  try {
-    const response = await fetchWithErrorHandling(azure.openidTokenEndpoint, {
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      method: 'POST',
-      body: qs.stringify({
-        assertion: accessToken,
-        client_id: azure.clientId,
-        client_secret: azure.clientSecret,
-        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-        requested_token_use: 'on_behalf_of',
-        scope: `api://${scope}/.default`,
-      }),
-    });
-    req.headers.AzureAccessToken = (response.data as any).access_token;
-    next();
-  } catch (error: any) {
-    if (error.http_response_body) {
-      next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error.http_response_body)}`));
-    } else {
-      next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error)}`));
+    if (isDevelopment) {
+      if (devToken) {
+        req.headers.AzureAccessToken = devToken;
+        logger.info('Using pre-generated access token to fetch');
+      } else {
+        logger.info(`Skipping Azure access token fetch (scope='${scope}')`);
+      }
+      return next();
     }
 
-    next(error);
-  }
-};
+    try {
+      const response = await fetchWithErrorHandling(azure.openidTokenEndpoint, {
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        method: 'POST',
+        body: qs.stringify({
+          assertion: accessToken,
+          client_id: azure.clientId,
+          client_secret: azure.clientSecret,
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          requested_token_use: 'on_behalf_of',
+          scope: `api://${scope}/.default`,
+        }),
+      });
+      req.headers.AzureAccessToken = (response.data as any).access_token;
+      next();
+    } catch (error: any) {
+      if (error.http_response_body) {
+        next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error.http_response_body)}`));
+      } else {
+        next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error)}`));
+      }
+
+      next(error);
+    }
+  };
 
 export default azureOnBehalfOfTokenHandler;