Conversation

Contributor

@coodos coodos commented Jan 3, 2026

Description of change

Issue Number

closes #645

Type of change

  • Fix (a change which fixes an issue)

How the change has been tested

Change checklist

  • I have ensured that the CI Checks pass locally
  • I have removed any unnecessary logic
  • My code is well documented
  • I have signed my commits
  • My code follows the pattern of the application
  • I have self reviewed my code

Summary by CodeRabbit

  • New Features

    • Added Docker Compose configurations for core and socials service deployments.
    • Introduced JWT Bearer token authentication for API requests.
  • Bug Fixes

    • Enhanced URL validation in webhook delivery logic.
  • Documentation

    • Added GraphQL authorization testing guide with examples.
  • Chores

    • Upgraded Node.js runtime from version 18 to 20.
    • Removed legacy provisioning and verification services.
    • Added Docker management scripts for streamlined deployment.

Contributor

coderabbitai bot commented Jan 3, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

Introduces comprehensive infrastructure and authentication overhaul: adds Docker Compose configurations for core and social services with updated Node.js base images (18→20), adds Bearer token authentication to eVault-core GraphQL operations, removes provisioning-related entities and services, and expands Docker management scripts in package.json.

Changes

  • Docker Compose Configurations
    • File(s): docker-compose.core.yml, docker-compose.socials.yml
    • Summary: New multi-service deployment stacks defining PostgreSQL, Neo4j, registry, eVault-core, and social platform services with networking, healthchecks, and inter-service dependencies.
  • Dockerfile Base Image & Tooling Updates
    • File(s): docker/Dockerfile.blabsy, docker/Dockerfile.blabsy-w3ds-auth-api, docker/Dockerfile.evault-core, docker/Dockerfile.pictique, docker/Dockerfile.pictique-api, docker/Dockerfile.registry
    • Summary: Upgraded base images from node:18-alpine to node:20-alpine, added build dependencies (python3, make, g++), updated pnpm to 10.25.0 and turbo to ^2, restructured multi-stage builds with explicit builder/runner stages, added healthchecks, and replaced dev commands with production execution.
  • Dockerfile Deletions
    • File(s): docker/Dockerfile.cerberus, docker/Dockerfile.dreamsync-api, docker/Dockerfile.eVoting, docker/Dockerfile.ereputation, docker/Dockerfile.evault, docker/Dockerfile.evault-prod, docker/Dockerfile.evoting-api, docker/Dockerfile.group-charter-manager, docker/Dockerfile.group-charter-manager-api, docker/Dockerfile.marketplace
    • Summary: Removed entire multi-stage Dockerfile configurations for 10 services, eliminating all build orchestration, dependency installation, and runtime setup for these containers.
  • eVault-core Authentication
    • File(s): infrastructure/evault-core/src/core/protocol/vault-access-guard.ts
    • Summary: Added validateAuthentication() method to enforce Bearer token validation for non-store operations and X-ENAME header requirement for storeMetaEnvelope operations.
  • eVault-core Protocol Updates
    • File(s): infrastructure/evault-core/src/core/protocol/graphql-server.ts
    • Summary: Added try/catch around URL normalization in webhook filtering to gracefully handle invalid requestingPlatform URLs.
  • eVault-core Testing & Documentation
    • File(s): infrastructure/evault-core/src/core/protocol/graphql-server.spec.ts, infrastructure/evault-core/src/core/protocol/vault-access-guard.spec.ts, infrastructure/evault-core/GRAPHQL_TEST_POCS.md, infrastructure/evault-core/src/test-utils/mock-registry-server.ts
    • Summary: Added JWT-based Bearer token generation in tests, expanded authentication test coverage with multiple security scenarios, added GraphQL authorization test proof-of-concepts guide, and replaced mock tokens with real signed JWTs.
  • eVault-core Provisioning Removal
    • File(s): infrastructure/evault-core/src/core/provisioning/config/database.ts, infrastructure/evault-core/src/core/provisioning/entities/Verification.ts, infrastructure/evault-core/src/core/provisioning/services/ProvisioningService.ts, infrastructure/evault-core/src/core/provisioning/services/VerificationService.ts
    • Summary: Removed ProvisioningDataSource, Verification entity, ProvisioningService class with provisionEVault method, and VerificationService class with all CRUD operations.
  • Configuration & Build
    • File(s): infrastructure/evault-core/tsconfig.json, infrastructure/w3id/tests/utils/codec.test.ts, package.json
    • Summary: Excluded e2e tests from TypeScript build, fixed minor test indentation, and added docker:core/docker:socials scripts for Docker Compose orchestration.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant GraphQL as GraphQL Server
    participant Guard as VaultAccessGuard
    participant Resolver as Resolver Logic
    participant DB as Database

    Client->>GraphQL: GraphQL Query/Mutation
    Note over GraphQL: Inspect operation type

    alt Store Operation (storeMetaEnvelope)
        GraphQL->>Guard: validateAuthentication(context, true)
        Guard->>Guard: Check X-ENAME header
        alt X-ENAME present & non-empty
            Guard->>Guard: Extract eName
            rect rgb(200, 220, 200)
                Note over Guard: Optional: parse Bearer token
            end
            Guard->>GraphQL: ✓ Auth passed
        else X-ENAME missing/empty
            Guard->>GraphQL: ✗ Throw error
            GraphQL->>Client: 401 Unauthorized
        end
    else Read/Update Operation
        GraphQL->>Guard: validateAuthentication(context, false)
        Guard->>Guard: Check Authorization header
        alt Valid Bearer token
            Guard->>Guard: Validate JWT
            rect rgb(200, 220, 200)
                Note over Guard: Extract tokenPayload
            end
            Guard->>GraphQL: ✓ Auth passed
            GraphQL->>Resolver: Execute resolver
            Resolver->>DB: Perform operation
            DB->>Resolver: Return data
            Resolver->>GraphQL: Return result
            GraphQL->>Client: 200 Result
        else No token or invalid token
            Guard->>GraphQL: ✗ Throw error
            GraphQL->>Client: 401 Unauthorized
        end
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • Feat/evault provisioning via phone #188 — Removes Verification entity and ProvisioningService logic alongside provisioning database config, directly related to provisioning code removal in this PR.
  • Feat/evault core #100 — Modifies vault-access-guard.ts and graphql-server.ts authentication/authorization logic, same code areas as the Bearer token authentication additions.
  • Chore/evault pitstop refactor #395 — Modifies provisioning surface (ProvisioningService, Verification entity, database config), shares the same code artifacts being removed in this PR.

Suggested labels

evault-refactor

Suggested reviewers

  • sosweetham
  • xPathin

Poem

🐰 Dockerfiles renovated, node twenty takes the stage,
Bearer tokens guard the gates in auth's bright new age,
Provisioning fades away, provisions rest their case,
GraphQL queries now authenticate their place!

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b5b420 and 080759f.

📒 Files selected for processing (31)
  • docker-compose.core.yml
  • docker-compose.socials.yml
  • docker/Dockerfile.blabsy
  • docker/Dockerfile.blabsy-w3ds-auth-api
  • docker/Dockerfile.cerberus
  • docker/Dockerfile.dreamsync-api
  • docker/Dockerfile.eVoting
  • docker/Dockerfile.ereputation
  • docker/Dockerfile.evault
  • docker/Dockerfile.evault-core
  • docker/Dockerfile.evault-prod
  • docker/Dockerfile.evoting-api
  • docker/Dockerfile.group-charter-manager
  • docker/Dockerfile.group-charter-manager-api
  • docker/Dockerfile.marketplace
  • docker/Dockerfile.pictique
  • docker/Dockerfile.pictique-api
  • docker/Dockerfile.registry
  • infrastructure/evault-core/GRAPHQL_TEST_POCS.md
  • infrastructure/evault-core/src/core/protocol/graphql-server.spec.ts
  • infrastructure/evault-core/src/core/protocol/graphql-server.ts
  • infrastructure/evault-core/src/core/protocol/vault-access-guard.spec.ts
  • infrastructure/evault-core/src/core/protocol/vault-access-guard.ts
  • infrastructure/evault-core/src/core/provisioning/config/database.ts
  • infrastructure/evault-core/src/core/provisioning/entities/Verification.ts
  • infrastructure/evault-core/src/core/provisioning/services/ProvisioningService.ts
  • infrastructure/evault-core/src/core/provisioning/services/VerificationService.ts
  • infrastructure/evault-core/src/test-utils/mock-registry-server.ts
  • infrastructure/evault-core/tsconfig.json
  • infrastructure/w3id/tests/utils/codec.test.ts
  • package.json

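Added example, not code from the evault-core project or this PR: a deny-by-default access guard written in TypeScript that implements the two branches the walkthrough's sequence diagram describes (store operations require a non-empty X-ENAME header; every other operation requires a valid Bearer JWT), so that a bulk request without either header cannot reach a resolver. The RequestContext shape, the HS256 demo secret, and the helper names signDemoJwt, verifyDemoJwt and lowerCaseKeys are assumptions made for this self-contained illustration; the real guard would verify tokens against the issuer's key material through a JWT library.

```typescript
// Added example, not evault-core's own code. The RequestContext shape, the
// HS256 demo secret and all helper names are assumptions for this illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface RequestContext {
  headers: Record<string, string | undefined>;
}

export interface AuthResult {
  eName?: string;                          // from X-ENAME (store operations)
  tokenPayload?: Record<string, unknown>;  // from a verified Bearer token
}

export class AuthenticationError extends Error {}

// Constructed secret for the demo only; never ship a static secret like this.
const DEMO_SECRET = "demo-hs256-secret";

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Mints an HS256 JWT so the example runs offline (stands in for the test
// utilities the PR describes, which sign real JWTs).
export function signDemoJwt(payload: Record<string, unknown>, secret = DEMO_SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Checks algorithm, signature (constant-time) and expiry before trusting the payload.
export function verifyDemoJwt(token: string, secret = DEMO_SECRET): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new AuthenticationError("malformed token");
  const [header, body, sig] = parts;
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    throw new AuthenticationError("malformed token header");
  }
  // Pin the algorithm: a header claiming "none" or any other alg is rejected outright.
  if (alg !== "HS256") throw new AuthenticationError("unsupported alg");
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new AuthenticationError("bad signature");
  }
  let payload: any;
  try {
    payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    throw new AuthenticationError("malformed payload");
  }
  if (payload === null || typeof payload !== "object") throw new AuthenticationError("malformed payload");
  if (typeof payload.exp === "number" && payload.exp <= Math.floor(Date.now() / 1000)) {
    throw new AuthenticationError("token expired");
  }
  return payload;
}

// HTTP header names are case-insensitive; normalise before lookup.
function lowerCaseKeys(h: Record<string, string | undefined>): Record<string, string | undefined> {
  const out: Record<string, string | undefined> = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = v;
  return out;
}

// Store operations (storeMetaEnvelope) must carry a non-empty X-ENAME header;
// every other operation must carry a valid Bearer token. There is no third
// path, so an unauthenticated request cannot fall through to the resolver.
export function validateAuthentication(ctx: RequestContext, isStoreOperation: boolean): AuthResult {
  const headers = lowerCaseKeys(ctx.headers);
  if (isStoreOperation) {
    const eName = headers["x-ename"]?.trim();
    if (!eName) throw new AuthenticationError("X-ENAME header required for store operations");
    return { eName };
  }
  const match = /^Bearer\s+(\S+)$/i.exec(headers["authorization"] ?? "");
  if (!match) throw new AuthenticationError("Bearer token required");
  return { tokenPayload: verifyDemoJwt(match[1]) };
}
```

The guard returns a result or throws; it never returns a partial success, which is the property that matters for the linked issue about bulk endpoints accepting unauthenticated requests. The server layer maps AuthenticationError to a 401, as the sequence diagram shows.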
@coodos coodos merged commit 3fdea04 into main Jan 3, 2026
6 of 7 checks passed
@coodos coodos deleted the fix/evault-access-guard-permission-issue branch January 3, 2026 17:20
Development

Successfully merging this pull request may close these issues.

[Bug] (eVault-core) Bulk endpoints allow all requests without authorization to be used

3 participants