
@axway/amplify-sdk


Axway Amplify SDK for Node.js

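import Authenticator from './authenticator.js';
import errors from '../errors.js';
import fs from 'fs';
import jws from 'jws';
import { isFile } from '@axway/amplify-utils';
import { v4 } from 'uuid';
import 'ejs';
import 'fs-extra';
import '../endpoints.js';
import 'open';
import 'path';
import 'snooplogg';
import '../stores/token-store.js';
import 'pluralize';
import '../environments-C3ppEMBw.js';
import '@axway/amplify-request';
import '../server.js';
import 'crypto';
import 'get-port';
import 'http';
import 'url';
import '../util.js';

const { JWTAssertion, ClientCredentials } = Authenticator.GrantTypes;

/** Lifetime of a generated client assertion in seconds; this is the offset used for the `exp` claim. */
const ASSERTION_TTL_SECONDS = 60 * 60;

/** A cached assertion is replaced this many seconds before its `exp` so it cannot expire in flight. */
const ASSERTION_RENEW_SKEW_SECONDS = 60;

/**
 * Authentication scheme using a JSON Web Token (JWT).
 *
 * The client proves its identity with an RS256-signed assertion built from a PEM private key
 * that is either passed in directly or read from a file. The key is stored on the instance as
 * a non-enumerable, non-writable `secret` property.
 */
class SignedJWT extends Authenticator {
	/**
	 * Initializes a signed JWT authentication instance.
	 *
	 * When both `secret` and `secretFile` are given, the contents of `secretFile` win. Error
	 * messages raised here name the key file path but never include key material.
	 *
	 * @param {Object} opts - Various options.
	 * @param {String} [opts.secret] - The private key when `secretFile` is not set.
	 * @param {String} [opts.secretFile] - The path to the private key file when `secret` is not set.
	 * @throws {Error} If the options are malformed, the key file is missing or not a regular
	 * file, or the key does not start with a PEM `PRIVATE KEY` header.
	 * @access public
	 */
	constructor(opts) {
		if (!opts || typeof opts !== 'object') {
			throw errors.INVALID_ARGUMENT('Expected options to be an object');
		}

		let { secret, secretFile } = opts;

		if (!secret && !secretFile) {
			// Message text is kept verbatim; callers may match on it.
			throw errors.INVALID_ARGUMENT('Expected either a private key or private key file to be an object');
		} else if (secret !== undefined && typeof secret !== 'string') {
			throw errors.INVALID_ARGUMENT('Expected private key to be a string');
		} else if (secretFile !== undefined) {
			if (typeof secretFile !== 'string') {
				throw errors.INVALID_ARGUMENT('Expected private key file path to be a string');
			}
			if (!fs.existsSync(secretFile)) {
				throw new Error(`Specified private key file does not exist: ${secretFile}`);
			}
			if (!isFile(secretFile)) {
				throw new Error(`Specified private key is not a file: ${secretFile}`);
			}
			// The file contents replace any inline `secret` that was also supplied.
			secret = fs.readFileSync(secretFile, 'utf-8');
		}

		super(opts);

		this.shouldFetchOrgs = false;

		// Only unencrypted "PRIVATE KEY" / "RSA PRIVATE KEY" PEM blocks are accepted, and the
		// header must be the very first bytes of the key.
		if (!/^-----BEGIN (RSA )?PRIVATE KEY-----/.test(secret)) {
			// Fix: when the key was passed inline there is no file to name, so do not report
			// "Private key file undefined ...".
			throw new Error(
				secretFile !== undefined
					? `Private key file ${opts.secretFile} is not a PEM formatted file`
					: 'Private key is not a PEM formatted string'
			);
		}

		// Non-enumerable and read-only: the key is not picked up by JSON.stringify(),
		// Object.keys() or object spread on the authenticator, and cannot be reassigned.
		Object.defineProperty(this, 'secret', { value: secret });
	}

	/**
	 * Generates the signed JWT used as the client assertion.
	 *
	 * The assertion is cached, but only while it is still valid. It carries a one hour `exp`
	 * and a unique `jti`, so reusing it for the lifetime of the process would eventually
	 * present an expired assertion with a replayed `jti`. A fresh one is signed shortly
	 * before the cached one expires.
	 *
	 * @returns {String}
	 * @throws {Error} If signing fails; the original error is rethrown with a prefixed message.
	 * @access private
	 */
	getSignedJWT() {
		const issuedAt = Math.floor(Date.now() / 1000);
		const cachedUntil = this.signedJWTExpires;

		// A cached value with no recorded expiry was not produced by this method; it is
		// returned as-is, which is what the previous implementation did for any cached value.
		if (this.signedJWT && (cachedUntil === undefined || issuedAt < cachedUntil - ASSERTION_RENEW_SKEW_SECONDS)) {
			return this.signedJWT;
		}

		const expiresAt = issuedAt + ASSERTION_TTL_SECONDS; // 1 hour (exp is in seconds)

		try {
			const assertion = jws.sign({
				header: { alg: 'RS256', typ: 'JWT' },
				payload: {
					aud: this.endpoints.token,
					exp: expiresAt,
					iat: issuedAt,
					iss: this.clientId,
					jti: v4(),
					sub: this.clientId
				},
				secret: this.secret
			});

			this.signedJWTExpires = expiresAt;
			this.signedJWT = assertion;
			return assertion;
		} catch (err) {
			// NOTE(review): `this.secretFile` is not assigned anywhere in this file, so unless
			// the base class sets it this renders as "undefined" -- confirm.
			err.message = `Bad secret file "${this.secretFile}" (${err.message})`;
			throw err;
		}
	}

	/**
	 * Parameters to include in the authenticated account object. Note that these values are
	 * stripped when the Amplify SDK returns the account object.
	 *
	 * This exposes the raw private key; treat the returned object as sensitive and keep it
	 * out of logs and persisted output.
	 *
	 * @type {Object}
	 * @access private
	 */
	get authenticatorParams() {
		return {
			secret: this.secret
		};
	}

	/**
	 * Parameters to base the authenticator hash on.
	 *
	 * The private key itself is the hash input; how it is hashed is decided outside this file.
	 *
	 * @type {Object}
	 * @access private
	 */
	get hashParams() {
		return {
			secret: this.secret
		};
	}

	/**
	 * Parameters to include with refresh requests.
	 *
	 * @type {Object}
	 * @access private
	 */
	get refreshTokenParams() {
		return {
			clientAssertion: this.getSignedJWT(),
			clientAssertionType: JWTAssertion
		};
	}

	/**
	 * Parameters to include with authentication requests.
	 *
	 * @type {Object}
	 * @access private
	 */
	get tokenParams() {
		return {
			clientAssertion: this.getSignedJWT(),
			clientAssertionType: JWTAssertion,
			grantType: ClientCredentials
		};
	}
}

export { SignedJWT as default };
//# sourceMappingURL=signed-jwt.js.map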