feat(oga-backend): Secure OGA File Downloads #252

Draft
ginaxu1 wants to merge 3 commits into OpenNSW:main from ginaxu1:251-oga-secure-download

@ginaxu1 ginaxu1 commented Mar 16, 2026

Closes #251

Summary

This PR transitions the OGA Portal from using unauthenticated direct links to a secure Token Forwarding model. By modifying the NSW Backend to accept multiple Client IDs, the system now allows OGA officers to access protected documents using their own WSO2 identity.

Changes

NSW Token Validation Refactor

  • Update backend/internal/auth/token_parser.go to support multiple Client ID validation to bridge the gap between TRADER_PORTAL_APP and the various OGA_PORTAL_APP_* client identifiers
  • Refactor unit tests to pass []string when instantiating the TokenExtractor

Backend Configuration Strategy

  • Modify backend/internal/config/config.go to automatically split a comma-separated AUTH_CLIENT_ID environment variable string
  • Update the root docker-compose.yml backend service's AUTH_CLIENT_ID string to inject TRADER_PORTAL_APP,OGA_PORTAL_APP_NPQS,OGA_PORTAL_APP_FCAU,OGA_PORTAL_APP_IRD

OGA Service Refactor

  • Add a new config string parameter, NSW_BACKEND_URL (defaulting to http://localhost:8080), passed through to OGAHandler
  • Rewrite the HandleGetUploadURL handler to intercept OGA frontend download requests, attach the officer's Authorization: Bearer , issue the service-to-service GET to the NSW Backend's restricted /api/v1/uploads/{key} endpoint, and stream the response HTTP code and URL (either local filesystem endpoint or S3 presigned URL) back down to the caller UI

Testing

Unit Tests

cd oga/
go mod tidy && go build ./... && go test ./... 

Manual testing

  1. upload a supporting document via Trader Portal works correctly
  2. make sure the submitted document becomes a link on the OGA Portal Task Review UI
  3. verify clicking the link successfully downloads the file locally via a generated presigned URL and works seamlessly even if the environment storage driver is switched to S3
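
The token-forwarding handler described under OGA Service Refactor, sketched as an added example (not the PR's code or the OpenNSW code base): it fails closed without a bearer token, accepts only a single-segment key, and forwards only the Authorization header. The Go names, the listen port and the 1 MiB response cap are assumptions; the two routes and the default backend URL come from the description above.

```go
package main

import (
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

const prefix = "/api/oga/uploads/" // OGA route from the PR; Go names are assumed
var client = &http.Client{Timeout: 10 * time.Second}

// upstream validates the caller's request and builds the backend request; a non-zero status means reject.
func upstream(backendURL, authz, path string) (*http.Request, int) {
	if len(authz) <= len("Bearer ") || !strings.HasPrefix(authz, "Bearer ") {
		return nil, http.StatusUnauthorized // fail closed: no anonymous fetches
	}
	key := strings.TrimPrefix(path, prefix)
	if key == "" || key == "." || key == ".." || strings.ContainsAny(key, "/\\") {
		return nil, http.StatusBadRequest // key must be one path segment
	}
	req, err := http.NewRequest(http.MethodGet, backendURL+"/api/v1/uploads/"+url.PathEscape(key), nil)
	if err != nil {
		return nil, http.StatusInternalServerError // misconfigured backend URL
	}
	req.Header.Set("Authorization", authz) // forward the officer's token only
	return req, 0
}

// forwardUpload is the OGA-side proxy: the backend makes the access decision.
func forwardUpload(backendURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		req, code := upstream(backendURL, r.Header.Get("Authorization"), r.URL.Path)
		if code != 0 {
			http.Error(w, http.StatusText(code), code)
			return
		}
		resp, err := client.Do(req.WithContext(r.Context()))
		if err != nil {
			http.Error(w, "backend unavailable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode) // relay 401/403/404 from the backend as-is
		io.Copy(w, io.LimitReader(resp.Body, 1<<20)) // body is a small URL document
	}
}

func main() { http.ListenAndServe("127.0.0.1:8081", forwardUpload("http://localhost:8080")) }
```

Because the check runs on the decoded `r.URL.Path`, an encoded slash such as `..%2Fadmin` is rejected before any request leaves the OGA service.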

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a critical feature for the OGA application: secure file downloads. It establishes a new API endpoint that acts as a secure proxy, forwarding authenticated requests to a backend service to retrieve sensitive files. This change significantly improves data security by preventing direct exposure of unauthenticated content routes. Additionally, the underlying authentication mechanism has been made more robust by allowing the system to validate tokens against a configurable list of client IDs, accommodating various OGA portal applications.

Highlights

  • Secure File Download Endpoint: A new endpoint GET /api/oga/uploads/{key} has been added to the OGA application to facilitate secure file downloads by proxying requests to a backend service.
  • Multiple Client ID Support: The authentication system has been enhanced to allow the TokenExtractor to validate JWTs against a list of multiple expected client IDs, rather than a single one.
  • Configuration Updates: Configuration structures and environment variables have been updated to support the new multiple client ID authentication and to provide the OGA application with the backend URL for file downloads.

Changelog

  • backend/internal/auth/auth_test.go
    • Updated test cases to reflect the change in NewTokenExtractor signature, now accepting a slice of client IDs.
  • backend/internal/auth/middleware_test.go
    • Modified test cases to pass a slice of client IDs to NewTokenExtractor.
  • backend/internal/auth/token_parser.go
    • Refactored the TokenExtractor struct to hold expectedClientIDs as a slice of strings.
    • Updated the NewTokenExtractor and NewTokenExtractorWithClient constructors to accept a slice of client IDs.
    • Adjusted the validateConfig method to check for an empty slice of client IDs.
    • Modified the ExtractClaimsFromHeader method to iterate and match the JWT's client ID against the list of expected client IDs.
  • backend/internal/config/config.go
    • Changed the ClientID field in AuthConfig from a string to a slice of strings.
    • Updated the Load function to parse the AUTH_CLIENT_ID environment variable as a comma-separated list into a string slice.
    • Modified the Validate method to check if the ClientID slice is empty.
  • docker-compose.yml
    • Explicitly set AUTH_ISSUER to https://localhost:8090/oauth2/token.
    • Updated AUTH_CLIENT_ID to a comma-separated list of multiple client IDs.
    • Explicitly set AUTH_AUDIENCE to TRADER_PORTAL_APP.
  • oga/cmd/server/main.go
    • Modified the NewOGAHandler initialization to pass the cfg.BackendURL.
    • Registered a new HTTP handler for GET /api/oga/uploads/{key} to handle secure file downloads.
  • oga/internal/config.go
    • Added a BackendURL field to the Config struct.
    • Updated LoadConfig to load the BackendURL from the NSW_BACKEND_URL environment variable.
  • oga/internal/feedback/handler.go
    • Reformatted a line of code for consistency.
  • oga/internal/handler.go
    • Imported fmt and io packages.
    • Added a backendURL field to the OGAHandler struct.
    • Updated the NewOGAHandler constructor to accept and store the backendURL.
    • Implemented the HandleGetUploadURL method to proxy secure file download requests to the configured backend URL, forwarding authentication headers and response bodies.

@ginaxu1 ginaxu1 marked this pull request as draft March 16, 2026 04:25
@ginaxu1 ginaxu1 changed the title 251 oga secure download Secure OGA File Downloads Mar 16, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces two significant improvements. Firstly, it refactors the authentication logic to support multiple client IDs, enhancing the flexibility of token validation. This change is consistently applied across configuration, token parsing, and test files. Secondly, it adds a secure file download endpoint to the OGA service, which acts as an authenticated proxy to the main backend. This is a solid security enhancement. My review focuses on improving the implementation of this new proxy endpoint for better performance and robustness.
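
An added example for the multiple-client-ID validation this PR introduces (not the PR's code): in Go, `strings.Split("", ",")` returns a one-element slice holding an empty string, so an empty-slice check alone does not catch an unset AUTH_CLIENT_ID. The helper names are hypothetical; the client IDs are the ones listed in the PR description.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseClientIDs turns the comma-separated AUTH_CLIENT_ID value into an
// allowlist. Hypothetical helper, not the project's config.go.
func parseClientIDs(raw string) ([]string, error) {
	seen := map[string]bool{}
	var ids []string
	for _, part := range strings.Split(raw, ",") {
		id := strings.TrimSpace(part)
		if id == "" {
			continue // "" from an unset variable, "A,,B" or a trailing comma
		}
		if !seen[id] {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	if len(ids) == 0 {
		return nil, errors.New("AUTH_CLIENT_ID: no client IDs configured")
	}
	return ids, nil
}

// clientAllowed requires an exact match; an empty claim never matches, and
// OGA_PORTAL_APP_* is not treated as a prefix or wildcard.
func clientAllowed(allow []string, claim string) bool {
	if claim == "" {
		return false
	}
	for _, id := range allow {
		if id == claim {
			return true
		}
	}
	return false
}

func main() {
	naive := strings.Split("", ",") // [""]: length 1, so a len()==0 check passes
	ids, err := parseClientIDs("TRADER_PORTAL_APP, OGA_PORTAL_APP_NPQS,")
	fmt.Println(len(naive), ids, err, clientAllowed(ids, "OGA_PORTAL_APP_XYZ"))
}
```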

@ginaxu1 ginaxu1 force-pushed the 251-oga-secure-download branch from 214b793 to 3f6d3ec Compare March 16, 2026 04:37

ginaxu1 commented Mar 16, 2026

/gemini review

@ginaxu1 ginaxu1 changed the title Secure OGA File Downloads feat(oga-backend): Secure OGA File Downloads Mar 16, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively transitions the OGA file download mechanism to a secure token forwarding model, which is a significant security improvement. The changes to support multiple client IDs in the backend are well-implemented across the configuration, token parsing, and testing layers. The new OGA handler for proxying download requests is a good approach to centralize access control in the NSW backend.

I have one suggestion in oga/internal/handler.go to improve the robustness and security of parsing the JWT for logging purposes. Overall, this is a solid pull request that enhances the security of the application.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@ginaxu1 ginaxu1 force-pushed the 251-oga-secure-download branch from 94c0cc0 to 713b04a Compare March 16, 2026 04:50
Development

Successfully merging this pull request may close these issues.

[Security] Transition OGA File Downloads to Secure Service-to-Service Requests
