
keycloak-hasura-connector's People

Contributors

0xhexe, dependabot[bot], dome4, mend-bolt-for-github[bot], mnlbox, mshanak, sven-codeculture

keycloak-hasura-connector's Issues

WS-2019-0424 (Medium) detected in elliptic-6.4.1.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/elliptic/package.json

Dependency Hierarchy:

  • keycloak-connect-4.8.3.tgz (Root Library)
    • jwk-to-pem-2.0.1.tgz
      • elliptic-6.4.1.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

All versions of elliptic before 6.5.2 are vulnerable to a timing attack through side channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/indutny/elliptic/pull/203/commits

Release Date: 2020-04-30

Fix Resolution: v6.5.2


Step up your Open Source Security Game with WhiteSource here

WS-2020-0068 (High) detected in yargs-parser-11.0.0.tgz, yargs-parser-11.1.1.tgz

WS-2020-0068 - High Severity Vulnerability

Vulnerable Libraries - yargs-parser-11.0.0.tgz, yargs-parser-11.1.1.tgz

yargs-parser-11.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.0.0.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • convict-4.4.1.tgz (Root Library)
    • yargs-parser-11.0.0.tgz (Vulnerable Library)

yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/yargs/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • yargs-12.0.5.tgz
        • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1


Inconsistency while using Keycloak Connector in Hasura

Even though the documentation says that X-Hasura-Admin-Secret will override the Hasura GraphQL headers, when I pass a header like X-Hasura-User-Id or X-Hasura-Organization-Id, the override does not happen and the query results are filtered according to the User-Id and Organization-Id.

CVE-2020-7598 (Medium) detected in multiple libraries

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • jest-util-24.8.0.tgz
        • mkdirp-0.5.1.tgz
          • minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • reporters-24.8.0.tgz
          • istanbul-reports-2.2.6.tgz
            • handlebars-4.5.3.tgz
              • optimist-0.6.1.tgz
                • minimist-0.0.10.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/minimist/package.json

Dependency Hierarchy:

  • convict-4.4.1.tgz (Root Library)
    • json5-1.0.1.tgz
      • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3


Error: AnonymousRole: must be of type String

I'm getting this error from the image.

Stack Trace:

auth_1            | 
auth_1            | > [email protected] start /usr/src/app
auth_1            | > node src/main.js
auth_1            | 
auth_1            | /usr/src/app/node_modules/convict/lib/convict.js:686
auth_1            |           throw new Error(output);
auth_1            |           ^
auth_1            | 
auth_1            | Error: AnonymousRole: must be of type String
auth_1            |     at Object.validate (/usr/src/app/node_modules/convict/lib/convict.js:686:17)
auth_1            |     at Object.<anonymous> (/usr/src/app/src/config.js:80:8)
auth_1            |     at Module._compile (internal/modules/cjs/loader.js:936:30)
auth_1            |     at Object.Module._extensions..js (internal/modules/cjs/loader.js:947:10)
auth_1            |     at Module.load (internal/modules/cjs/loader.js:790:32)
auth_1            |     at Function.Module._load (internal/modules/cjs/loader.js:703:12)
auth_1            |     at Module.require (internal/modules/cjs/loader.js:830:19)
auth_1            |     at require (internal/modules/cjs/helpers.js:68:18)
auth_1            |     at Object.<anonymous> (/usr/src/app/src/main.js:3:16)
auth_1            |     at Module._compile (internal/modules/cjs/loader.js:936:30)
auth_1            | npm ERR! code ELIFECYCLE
auth_1            | npm ERR! errno 1
auth_1            | npm ERR! [email protected] start: `node src/main.js`
auth_1            | npm ERR! Exit status 1
auth_1            | npm ERR! 
auth_1            | npm ERR! Failed at the [email protected] start script.
auth_1            | npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
auth_1            | 
auth_1            | npm ERR! A complete log of this run can be found in:
auth_1            | npm ERR!     /root/.npm/_logs/2019-12-04T20_22_20_529Z-debug.log

.env

KEYCLOAK_USERNAME=keycloak
KEYCLOAK_PASSWORD=keycloak
AUTH_MODE=single
KEYCLOAK_URL=http://localhost:8080/auth/
KEYCLOAK_REALM=hasura
KEYCLOAK_CLIENT_ID=Keycloak-hasura-connector
KEYCLOAK_SECRET=7741f5c8-dd5b-4bae-a838-e970c6ecc005

docker-compose.yml

version: '3'
services:
  postgres:
    image: postgres
    restart: always
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak

    volumes:
      - auth_db_keycloak_connector:/var/lib/postgresql/data

  keycloak:
    image: jboss/keycloak:latest
    ports:
      - "8080:8080"
    depends_on:
      - postgres
    environment:
      KEYCLOAK_USER: ${KEYCLOAK_USERNAME}
      KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_USER: keycloak
      DB_PASSWORD: keycloak

  auth:
    image: httpsomkar/keycloak-hasura-connector:latest
    depends_on:
      - "keycloak"
    environment:
      KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID}
      KEYCLOAK_SERVER_URL: ${KEYCLOAK_URL}
      KEYCLOAK_REALM: ${KEYCLOAK_REALM}
      KEYCLOAK_SECRET: ${KEYCLOAK_SECRET}
      KEYCLOAK_DEBUG: "true"

  postgres_db:
    image: postgres
    restart: always
    volumes:
      - db_data:/var/lib/postgresql/data

  graphql-engine:
    image: hasura/graphql-engine:v1.0.0-alpha42
    ports:
      - "8081:8080"
    depends_on:
      - "postgres_db"
      - "auth"
      - "keycloak"
    restart: always
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:@postgres_db:5432/postgres
      HASURA_GRAPHQL_ENABLE_TELEMETRY: "false" # https://docs.hasura.io/1.0/graphql/manual/guides/telemetry.html
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      HASURA_GRAPHQL_ADMIN_SECRET: admin
      HASURA_GRAPHQL_AUTH_HOOK: http://auth:3000

volumes:
  db_data:
  auth_db_keycloak_connector:

WS-2020-0070 (High) detected in lodash-4.17.14.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.14.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.10.2.tgz (Root Library)
    • lodash-4.17.14.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

A prototype pollution vulnerability exists in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Duplication of roles between main client id and keycloak-hasura-connector client id

Is your feature request related to a problem? Please describe.
From what I have read (and deduced, because this is not clarified in the docs) and from what I have tried with some sample code, I see some kind of duplication as far as assigning roles is concerned.

Assuming that I have:

  • a client id of my-app (that acts as the main Keycloak client that my app logs against and where I have defined all my roles)
  • a client id of hasura-auth-client that keycloak-hasura-connector is using to validate credentials.

Both these keycloak clients are created according to the docs of the repo here.

Now it seems that all the roles I have defined in my my-app client will have to be duplicated under the hasura-auth-client client too, because this is the array that the connector is trying to pull roles from.

Example:

  "resource_access": {
    "my-app": {
      "roles": [
        "roleA"
      ]
    },
    "hasura-auth-client": {
      "roles": [
        "roleA"
      ]
    }
  }

Using a hasura-auth-client Keycloak client with no roles assigned is not working, as no roles are passed to Hasura.

One suggestion might be to define roles only in hasura-auth-client, but please note that for my business logic I need to use these roles in other parts of my application, and it does not make sense to be reading them from the hasura-auth-client client id, as I would like to have them grouped under my-app.

Describe the solution you'd like

My suggestion would be to initialize the connector with an additional Keycloak client that the connector could pull roles from.

Like:

KEYCLOAK_ROLES_CLIENT_ID: my-app

Describe alternatives you've considered

I have forked the project and tried something like this, and it seems to be working.

Additional context

I am just trying to verify that I am not missing anything obvious here, or that I have not set something up incorrectly, or that I am not doing something weird or abusing things with this suggestion. I'm no Keycloak expert.

What do you think?

Hasura docs are no longer available

In a previous version of the documentation, screenshots existed that showed the flow of not just Keycloak but also the Hasura backend. Was this a mistake or on purpose?

Use the token sub over adding ID

I noticed in your setup steps you add a mapper to put the user's ID in the token to populate the X-Hasura-User-Id here.

Is it possible to use the sub attribute of the token instead? It could simplify the Keycloak setup process if so.

Error: AnonymousRole: must be of type String

Error from the images.
Hasura docker YAML file: according to the example above, the Hasura graphql-engine image was old, so I updated the image versions.
docker-compose.yaml file:

version: '3.6'
services:
  postgres:
    image: postgres:12
    restart: always
    volumes:
      - db_data:/var/lib/postgresql/data
  graphql-engine:
    image: hasura/graphql-engine:v1.3.0
    ports:
      - "8080:8080"
    depends_on:
      - "postgres"
    restart: always
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      HASURA_GRAPHQL_DEV_MODE: "true"
      HASURA_GRAPHQL_ENABLED_LOG_TYPES: startup, http-log, webhook-log, websocket-log, query-log
      HASURA_GRAPHQL_ADMIN_SECRET: supersecret
      HASURA_GRAPHQL_AUTH_HOOK: http://auth:3000
  auth:
    image: httpsomkar/keycloak-hasura-connector:latest
    environment:
      KEYCLOAK_CLIENT_ID: hasura-keycloak-connector # Keycloak backend client id from the keycloak setup.
      KEYCLOAK_SERVER_URL: http://192.168.0.113:8081/auth # Keycloak url in term of http://keycloak.COMPANY.com/auth
      KEYCLOAK_REALM: Customer-Portal # Default to master if any new create change to it
      KEYCLOAK_SECRET: 87fdcdd0-9ad8-4f18-86d9-950e2fb9c0d6 # Secret copied from the backend client -> Credentials
      KEYCLOAK_DEBUG: "true" # If testing enable mention this file

volumes:
  db_data:

Error from docker container logs:

[email protected] start /usr/src/app
node src/main.js

/usr/src/app/node_modules/convict/lib/convict.js:686
throw new Error(output);
^

Error: AnonymousRole: must be of type String
at Object.validate (/usr/src/app/node_modules/convict/lib/convict.js:686:17)
at Object. (/usr/src/app/src/config.js:80:8)
at Module._compile (internal/modules/cjs/loader.js:1176:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1196:10)
at Module.load (internal/modules/cjs/loader.js:1040:32)
at Function.Module._load (internal/modules/cjs/loader.js:929:14)
at Module.require (internal/modules/cjs/loader.js:1080:19)
at require (internal/modules/cjs/helpers.js:72:18)
at Object. (/usr/src/app/src/main.js:3:16)
at Module._compile (internal/modules/cjs/loader.js:1176:30)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] start: node src/main.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2020-08-11T16_58_11_866Z-debug.log
PS D:\Keycloak\Docker\hasura>

AccessToken.realm_access is an optional property but is not guarded in ./src/token.js

Describe the bug
The realm_access property on accessToken is optional (https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_accesstoken). realm_access is no longer included in the JWT by default.

To Reproduce
Steps to reproduce the behavior:

  1. Follow the setup steps detailed in https://github.com/httpsOmkar/keycloak-hasura-connector/tree/master/docs and try to use the connector to authorize a hasura query.

Expected behavior
The realm_access property on accessToken should be guarded with accessToken.hasRealmRole() in src/token.js: https://www.keycloak.org/keycloak-nodejs-auth-utils/token.js.html#hasRealmRole.

Desktop (please complete the following information):

https://lists.jboss.org/pipermail/keycloak-user/2018-July/014922.html
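The missing realm_access guard from this report and the configurable roles client from the earlier role-duplication request, as one added JavaScript example that is not the connector's own code. It assumes the token's signature and expiry were already verified upstream, and KEYCLOAK_ROLES_CLIENT_ID, the constant names and the sample claims are assumptions, not options the connector documents.

```javascript
// Added example (not the connector's code): build the session variables an
// auth webhook returns to Hasura from an already-verified Keycloak token.
// realm_access and resource_access are treated as optional claims, and client
// roles are read from a configurable client id (hypothetical
// KEYCLOAK_ROLES_CLIENT_ID, as suggested in the role-duplication issue).

const ANONYMOUS_ROLE = 'anonymous';   // mirrors ANONYMOUS_ROLE on the page
const USER_ID_FIELD = 'sub';          // mirrors USER_ID_FIELD: "sub" on the page
const ROLES_CLIENT_ID = 'my-app';     // hypothetical KEYCLOAK_ROLES_CLIENT_ID

// Realm roles, or [] when realm_access is absent (no TypeError).
function realmRoles(claims) {
  const access = claims && claims.realm_access;
  return Array.isArray(access && access.roles) ? access.roles.slice() : [];
}

// Client roles for one client id from resource_access; tolerates a missing
// claim or a client entry without roles. hasOwnProperty keeps inherited
// (e.g. polluted) keys from being read as a client entry.
function clientRoles(claims, clientId) {
  const access = claims && claims.resource_access;
  if (!access || !Object.prototype.hasOwnProperty.call(access, clientId)) return [];
  const entry = access[clientId];
  return Array.isArray(entry && entry.roles) ? entry.roles.slice() : [];
}

// Realm roles plus the configured client's roles, deduplicated, in stable order.
function effectiveRoles(claims, clientId) {
  return Array.from(new Set([...realmRoles(claims), ...clientRoles(claims, clientId)]));
}

// Build the webhook response body. `claims` is the decoded payload of a token
// whose signature and expiry were ALREADY verified; null means no usable
// token, which yields the anonymous session. `preferredRole` lets the caller
// pick one of the token's roles (e.g. from an X-Hasura-Role request header);
// a role the token does not grant is rejected rather than passed through.
function buildHasuraSession(claims, preferredRole, opts = {}) {
  const anonymousRole = opts.anonymousRole || ANONYMOUS_ROLE;
  const userIdField = opts.userIdField || USER_ID_FIELD;
  const rolesClientId = opts.rolesClientId || ROLES_CLIENT_ID;

  if (!claims) return { 'X-Hasura-Role': anonymousRole };

  const roles = effectiveRoles(claims, rolesClientId);
  if (roles.length === 0) return { 'X-Hasura-Role': anonymousRole };

  let role = roles[0];
  if (preferredRole !== undefined) {
    if (!roles.includes(preferredRole)) {
      throw new Error(`role ${preferredRole} not granted by token`);
    }
    role = preferredRole;
  }

  const session = { 'X-Hasura-Role': role };
  const userId = claims[userIdField];
  if (typeof userId === 'string' && userId.length > 0) {
    session['X-Hasura-User-Id'] = userId;
  }
  return session;
}

// Constructed sample claims, shaped like the resource_access example in the
// role-duplication issue; not a real token, and no realm_access claim.
const SAMPLE_CLAIMS = {
  sub: '5f1c2e40-0000-4000-8000-000000000001',
  preferred_username: 'alice',
  resource_access: {
    'my-app': { roles: ['roleA', 'editor'] },
    'hasura-auth-client': { roles: [] },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildHasuraSession(SAMPLE_CLAIMS));
  console.log(buildHasuraSession(null));
}
```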

Example for Nuxt/vue

Is your feature request related to a problem? Please describe.
A working example with Nuxt and Hasura would be awesome: everything working in harmony with docker-compose (Hasura + security) and running on Heroku. Could you ask for more?

Readme questions

image: httpsomkar/keycloak-hasura-connector:latest
environment:
  KEYCLOAK_CLIENT_ID: nextjs
  KEYCLOAK_SERVER_URL: http://localhost:8080/auth
  KEYCLOAK_REALM: master
  KEYCLOAK_SECRET: 6ff6bffd-21fe-486e-b183-6d68 # fake secret

Does this look like you would expect?
I'm not sure what this repo does, and I'm not sure what you mean about organizations. I have not been able to understand how to get Keycloak + Hasura integrated. Could you explain in more detail?

401 Unauthorized

Hello,
I am trying to use this package, but it always returns 401 Unauthorized. I followed the documentation examples.

I noted in README you mentioned

Environment variables

KEYCLOAK_USERNAME=YOUR_KEYCLOAK_USER_NAME
KEYCLOAK_PASSWORD=YOUR_KEYCLOAK_PSSWORD
KEYCLOAK_CLIENT_ID=YOUR_KEYCLOAK_CLIENT_ID

but I didn't find any information about these environment variables in the documentation.

How do I use these environment variables? Are they necessary?

Action required: Greenkeeper could not be activated 🚨

🚨 You need to enable Continuous Integration on Greenkeeper branches of this repository. 🚨

To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.

Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.

If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.

Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please click the 'fix repo' button on account.greenkeeper.io.

Thank you

Thank you for this repo.

Please post road map or ideas and I will contribute the best I can.

Access Denied with Bearer Token

Describe the bug
I created the two clients as described in the documentation. Nevertheless, access to the GraphQL API is denied. I have debugged the connector and found out that the access token of the client in the connector is not validated and therefore access is denied (kauth = {}). Is keycloak-connect suitable for a bearer only api? The two articles on Stackoverflow do not read like this:

To Reproduce
Steps to reproduce the behavior:

  1. Create clients as described in the documentation

Expected behavior
The access token of the frontend_app can be used to access the graphql api.

Desktop (please complete the following information):

  • OS: Ubuntu 16.04
  • Browser: Firefox
  • Version: 71.0

Setup

  • Keycloak Server: 7.0.0
  • Hasura: 1.0.0

How to retrieve user info on Hasura

Hi,

I've followed the tutorial and succeeded in attaching my token to my Hasura requests from my frontend.

I have a question: where is the user information stored in Hasura after the decoding done by keycloak-hasura-connector?
I would like to update some fields of my data model with this information and use the Hasura roles manager.

Thanks !
Maurice

CVE-2020-7608 (High) detected in yargs-parser-11.0.0.tgz, yargs-parser-11.1.1.tgz

CVE-2020-7608 - High Severity Vulnerability

Vulnerable Libraries - yargs-parser-11.0.0.tgz, yargs-parser-11.1.1.tgz

yargs-parser-11.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.0.0.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • convict-4.4.1.tgz (Root Library)
    • yargs-parser-11.0.0.tgz (Vulnerable Library)

yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/yargs/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • yargs-12.0.5.tgz
        • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1


Sample Program Fails - Anonymous Role always returned

Describe the bug
After struggling to get the example client to work, I decided to focus on the core functions.
Deploying the app per the instructions; when I use the Hasura API explorer with an 'authorization' header carrying the Bearer token deduced from the Keycloak login, the connector always seems to fail validation of the token and returns the Anonymous role string.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Hasura ./auth/realm/master/account' and log in. Inspect the headers to get the bearer token.
    Inspect it to ensure it has the appropriate realm roles.
  2. In the Hasura API explorer, use the authorization header.
  3. Attempt a query. If the defined anonymous role doesn't have access, an error results.
  4. See error

Expected behavior
Bearer token privileges are confirmed

Screenshots

Desktop (please complete the following information):

  • attempted in local Docker and Kubernetes environments

WS-2019-0381 (Medium) detected in kind-of-6.0.2.tgz

WS-2019-0381 - Medium Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2019-12-30

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3


CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3


Error: authMode: must be of type String

Error from images:

auth_1            | > node src/main.js
auth_1            | 
auth_1            | /usr/src/app/node_modules/convict/lib/convict.js:686
auth_1            |           throw new Error(output);
auth_1            |           ^
auth_1            | 
auth_1            | Error: authMode: must be of type String

version: '3.6'
services:


  postgres:
    image: postgres
    restart: always
    volumes:
      - ./data:/data
      - db_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
      
  auth:
    image: httpsomkar/keycloak-hasura-connector:latest
    environment:
      KEYCLOAK_CLIENT_ID: hasura
      KEYCLOAK_SERVER_URL: https://localhost
      KEYCLOAK_REALM: master
      KEYCLOAK_SECRET: dsfsdafsdfasdfasdfasd
      ANONYMOUS_ROLE: "anonymous" # (optional) Use this variable to set anonymous role name for unauthorized users as shown in the documentation: https://docs.hasura.io/1.0/graphql/manual/auth/authorization/common-roles-auth-examples.html#anonymous-not-logged-in-users
      USER_ID_FIELD: "sub" #The name of the token field that will be mapped to X-Hasura-User-Id
      KEYCLOAK_DEBUG: "true" # If testing enable mention this file

  graphql-engine:
    image: hasura/graphql-engine:latest
    ports:
      - "9090:8080"
    depends_on:
      - "postgres"
      - "auth"
    restart: always
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:@postgres:5432/postgres
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey # Your admin secret
      HASURA_GRAPHQL_AUTH_HOOK: http://auth:3000

volumes:
  db_data:

CVE-2019-10747 (High) detected in set-value-2.0.0.tgz, set-value-0.4.3.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/set-value/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /tmp/ws-scm/keycloak-hasura-connector/package.json

Path to vulnerable library: /tmp/ws-scm/keycloak-hasura-connector/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • union-value-1.0.0.tgz
                  • set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: f3cf95440a4519dcf915ebf5d0c9e3f00fa2f823

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

