@bitblit/epsilon
Version:
Tiny adapter to simplify building API gateway Lambda APIS
173 lines • 9.11 kB
JavaScript
;
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.GoogleWebTokenManipulator = void 0;
var logger_1 = require("@bitblit/ratchet/dist/common/logger");
var string_ratchet_1 = require("@bitblit/ratchet/dist/common/string-ratchet");
var jwt = require("jsonwebtoken");
var jwks = require("jwks-rsa");
var web_token_manipulator_util_1 = require("./web-token-manipulator-util");
var unauthorized_error_1 = require("../error/unauthorized-error");
var fetch = require("portable-fetch");
var GoogleWebTokenManipulator = /** @class */ (function () {
function GoogleWebTokenManipulator(clientId) {
this.clientId = clientId;
}
GoogleWebTokenManipulator.prototype.extractTokenFromStandardEvent = function (event) {
return __awaiter(this, void 0, void 0, function () {
var tokenString, validated, _a, err_1;
return __generator(this, function (_b) {
switch (_b.label) {
case 0:
_b.trys.push([0, 4, , 5]);
tokenString = web_token_manipulator_util_1.WebTokenManipulatorUtil.extractTokenStringFromStandardEvent(event);
if (!!!tokenString) return [3 /*break*/, 2];
return [4 /*yield*/, this.parseAndValidateGoogleToken(tokenString, false)];
case 1:
_a = _b.sent();
return [3 /*break*/, 3];
case 2:
_a = null;
_b.label = 3;
case 3:
validated = _a;
return [2 /*return*/, validated];
case 4:
err_1 = _b.sent();
logger_1.Logger.warn('Authentication of token failed : %s', err_1, err_1);
throw new unauthorized_error_1.UnauthorizedError('Failed to extract google token : ' + String(err_1));
case 5: return [2 /*return*/];
}
});
});
};
GoogleWebTokenManipulator.prototype.parseAndValidateGoogleToken = function (googleToken, allowExpired) {
if (allowExpired === void 0) { allowExpired = false; }
return __awaiter(this, void 0, void 0, function () {
var fullToken, kid, nowEpochSeconds, pubKey, validated;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
logger_1.Logger.debug('Auth : %s', string_ratchet_1.StringRatchet.obscure(googleToken, 4));
fullToken = jwt.decode(googleToken, { complete: true });
kid = fullToken.header.kid;
nowEpochSeconds = Math.floor(new Date().getTime() / 1000);
return [4 /*yield*/, this.fetchSigningKey(kid)];
case 1:
pubKey = _a.sent();
validated = jwt.verify(googleToken, pubKey, {
audience: this.clientId,
issuer: ['https://accounts.google.com', 'accounts.google.com'],
ignoreExpiration: allowExpired,
clockTimestamp: nowEpochSeconds
});
return [2 /*return*/, validated];
}
});
});
};
GoogleWebTokenManipulator.prototype.fetchSigningKey = function (kid) {
return __awaiter(this, void 0, void 0, function () {
var jClient;
return __generator(this, function (_a) {
switch (_a.label) {
case 0: return [4 /*yield*/, this.fetchJwksClient()];
case 1:
jClient = _a.sent();
return [2 /*return*/, new Promise(function (res, rej) {
jClient.getSigningKey(kid, function (err, key) {
if (err) {
rej(err);
}
else {
res(key.publicKey || key.rsaPublicKey);
}
});
})];
}
});
});
};
GoogleWebTokenManipulator.prototype.fetchJwksClient = function () {
return __awaiter(this, void 0, void 0, function () {
var discDoc, client;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
if (!!this.jwksClient) return [3 /*break*/, 2];
return [4 /*yield*/, this.fetchGoogleDiscoveryDocument()];
case 1:
discDoc = _a.sent();
client = jwks({
cache: true,
cacheMaxEntries: 5,
cacheMaxAge: 1000 * 60 * 60 * 10,
jwksUri: discDoc.jwks_uri
});
this.jwksClient = client;
_a.label = 2;
case 2: return [2 /*return*/, this.jwksClient];
}
});
});
};
GoogleWebTokenManipulator.prototype.fetchGoogleDiscoveryDocument = function () {
return __awaiter(this, void 0, void 0, function () {
var resp, doc;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
if (!!this.cacheGoogleDiscoveryDocument) return [3 /*break*/, 3];
return [4 /*yield*/, fetch(GoogleWebTokenManipulator.GOOGLE_DISCOVERY_DOCUMENT)];
case 1:
resp = _a.sent();
return [4 /*yield*/, resp.json()];
case 2:
doc = _a.sent();
this.cacheGoogleDiscoveryDocument = doc;
_a.label = 3;
case 3: return [2 /*return*/, this.cacheGoogleDiscoveryDocument];
}
});
});
};
GoogleWebTokenManipulator.GOOGLE_DISCOVERY_DOCUMENT = 'https://accounts.google.com/.well-known/openid-configuration';
return GoogleWebTokenManipulator;
}());
exports.GoogleWebTokenManipulator = GoogleWebTokenManipulator;
//# sourceMappingURL=google-web-token-manipulator.js.map