refactor: verifyRequest => validateOauthSecurity

[csmig]

Resolves #1482

The existing verifyRequest() does too much work for a utility function (non-middleware) attached to EOV:

• validates tokens
• creates the request's userObject property
• creates/updates a user's lastClaims
• checks for improper use of the parameter elevate=true
• checks scopes for the request

This PR separates these tasks into two new Express middlewares and limits the renamed EOV utility function to checking scopes.

As far as handling OP outages, the current code actually does a fair job with that. There are three scenarios to handle:

1. OP host is gone (connection requests are ignored)
2. OP host is up but OP service is down (connection requests are actively refused by host OS)
3. OP host and service are up but are slow or unresponsive (connections accepted but slow/no data flows)

In real-world testing, the current code and this PR both handle scenario 2 well, although the error message has been improved in this PR. Scenarios 1 and 3 are handled better by this PR since the timeouts for the JWKS request were reduced from 30s to 5s.

Recommend refactoring our JWKS key fetch/cache/log/retrieve operations and consider moving much of it to local code and remove the jwks-rsa dependency. But that's for another day.

[sonarqubecloud]

Quality Gate passed for 'nuwcdivnpt_stig-manager-api'

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
79.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud