
@bitblit/epsilon


Tiny adapter to simplify building API gateway Lambda APIS

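"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
var logger_1 = require("@bitblit/ratchet/dist/common/logger");
var local_web_token_manipulator_1 = require("./local-web-token-manipulator");
var web_token_manipulator_util_1 = require("./web-token-manipulator-util");
/**
 * Placeholder written over credential-bearing fields of an authorizer event before it is logged.
 */
var REDACTED = '<redacted>';
/**
 * Returns a shallow copy of an API Gateway authorizer event with the bearer credential masked,
 * so the event can be logged without writing the caller's token to CloudWatch.
 * Masks the TOKEN-authorizer field (authorizationToken) and any Authorization header of a
 * REQUEST-authorizer event. If extractTokenStringFromAuthorizerEvent reads the token from
 * another location, that location must be added here as well.
 * @param event the raw authorizer event (returned unchanged when it is not an object)
 * @returns a copy that is safe to log
 */
function redactAuthorizerEvent(event) {
    if (!event || typeof event !== 'object') {
        return event;
    }
    var copy = {};
    Object.keys(event).forEach(function (key) {
        copy[key] = event[key];
    });
    if (copy.authorizationToken) {
        copy.authorizationToken = REDACTED;
    }
    if (copy.headers && typeof copy.headers === 'object') {
        var headers = {};
        Object.keys(copy.headers).forEach(function (name) {
            headers[name] = name.toLowerCase() === 'authorization' ? REDACTED : copy.headers[name];
        });
        copy.headers = headers;
    }
    return copy;
}
/**
 * This class is to simplify if the user wants to use a AWS Gateway authorizer in conjunction with Epsilon
 */
var AuthHandler = /** @class */ (function () {
    /**
     * @param issuer expected JWT issuer, handed to LocalWebTokenManipulator
     * @param encryptionKey key handed to LocalWebTokenManipulator for token validation
     */
    function AuthHandler(issuer, encryptionKey) {
        this.webTokenManipulator = new local_web_token_manipulator_1.LocalWebTokenManipulator(encryptionKey, issuer);
    }
    /**
     * This is the default authorizer - parses the incoming JWT token and sticks it
     * into context (or blocks if none/invalid found)
     * @param event the API Gateway authorizer event
     * @param {Context} context Lambda context (unused)
     * @param {Callback} callback invoked with (null, policy) on success, or with
     *        Error('Unauthorized') when no token is supplied or it fails validation
     */
    AuthHandler.prototype.lambdaHandler = function (event, context, callback) {
        // The raw event carries the bearer token; log a redacted copy so credentials never land in the log stream.
        logger_1.Logger.info('Got event : %j', redactAuthorizerEvent(event));
        var srcString = web_token_manipulator_util_1.WebTokenManipulatorUtil.extractTokenStringFromAuthorizerEvent(event);
        if (!srcString) {
            logger_1.Logger.info('Token not supplied');
            callback(new Error('Unauthorized')); // Required by Lambda
            return;
        }
        // NOTE(review): if parseAndValidateJWTString throws rather than returning a falsy value on a bad
        // token, the exception propagates and API Gateway answers 500 instead of 401 — confirm its contract.
        var parsed = this.webTokenManipulator.parseAndValidateJWTString(srcString);
        if (!parsed) {
            logger_1.Logger.info('Invalid bearer token');
            callback(new Error('Unauthorized')); // Required by Lambda
            return;
        }
        callback(null, this.createPolicy(event.methodArn, srcString, parsed));
    };
    /**
     * Builds the authorizer response returned to API Gateway for a validated caller.
     * The policy allows execute-api:Invoke on every method and resource of the stage the
     * request arrived on; the context carries the parsed user and the raw token.
     * @param {string} methodArn the methodArn of the incoming authorizer event
     * @param {string} srcString the raw JWT that was validated
     * @param userOb the parsed token payload
     * @returns the authorizer response object
     * @throws {Error} when methodArn does not have the expected execute-api layout
     */
    AuthHandler.prototype.createPolicy = function (methodArn, srcString, userOb) {
        // methodArn layout: arn:aws:execute-api:{region}:{accountId}:{restApiId}/{stage}/{method}/{path}
        var arnParts = (typeof methodArn === 'string') ? methodArn.split(':') : [];
        var apiGatewayArnTmp = arnParts.length > 5 ? arnParts[5].split('/') : [];
        // Fail loudly on a malformed ARN instead of emitting a policy for ".../undefined/*/*".
        if (arnParts.length < 6 || apiGatewayArnTmp.length < 2) {
            throw new Error('Cannot build policy from unexpected methodArn: ' + methodArn);
        }
        var awsAccountId = arnParts[4];
        var region = arnParts[3];
        var restApiId = apiGatewayArnTmp[0];
        var stage = apiGatewayArnTmp[1];
        var response = {
            // Constant principal: every validated caller shares this id; identity lives in context.userJSON.
            principalId: 'user',
            policyDocument: {
                Version: '2012-10-17',
                Statement: [
                    {
                        Action: 'execute-api:Invoke',
                        Effect: 'Allow',
                        Resource: ['arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/*/*']
                    }
                ]
            },
            // Context matches what would come in ExtendedAuthResponseContext if using epsilon auth
            context: {
                userJSON: JSON.stringify(userOb),
                srcData: srcString // Put this in in-case we are doing a token update
            }
        };
        return response;
    };
    return AuthHandler;
}());
exports.AuthHandler = AuthHandler;
//# sourceMappingURL=auth-handler.js.map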