@bitblit/epsilon

Tiny adapter to simplify building API Gateway Lambda APIs

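"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ApiGatewayAdapterAuthenticationHandler = void 0;
const logger_1 = require("@bitblit/ratchet/common/logger");
const local_web_token_manipulator_1 = require("./local-web-token-manipulator");
const epsilon_constants_1 = require("../../epsilon-constants");
/**
 * Placeholder written over the bearer token before an authorizer event is
 * logged, so the credential itself never reaches the log stream.
 */
const REDACTED_TOKEN = '<redacted>';
/**
 * Returns a shallow copy of an API Gateway authorizer event with its
 * `authorizationToken` replaced by a placeholder. The original event object is
 * left untouched; null/undefined events (or events without a token) are
 * returned as-is.
 *
 * @param event the raw authorizer event (may be null/undefined)
 * @returns a log-safe copy of the event
 */
function redactAuthorizerEvent(event) {
    if (!event || !event.authorizationToken) {
        return event;
    }
    return Object.assign({}, event, { authorizationToken: REDACTED_TOKEN });
}
/**
 * Adapter for running Epsilon's JWT validation as an AWS API Gateway Lambda
 * (TOKEN) authorizer. The bearer token is read from `event.authorizationToken`,
 * validated through a LocalWebTokenManipulator, and on success an IAM Allow
 * policy for the whole stage is returned with the parsed token placed in the
 * authorizer context.
 */
class ApiGatewayAdapterAuthenticationHandler {
    /**
     * @param issuer passed through to LocalWebTokenManipulator (presumably the expected JWT issuer; verify against that class)
     * @param encryptionKeys a single key; it is wrapped into the key list LocalWebTokenManipulator expects
     */
    constructor(issuer, encryptionKeys) {
        this.webTokenManipulator = new local_web_token_manipulator_1.LocalWebTokenManipulator([encryptionKeys], issuer);
    }
    /**
     * Lambda entry point for the authorizer. Extracts and validates the bearer
     * token and either hands an Allow policy to the callback, or fails it with
     * an Error whose message is exactly 'Unauthorized' (the message API Gateway
     * expects for a 401, per the original "Required by Lambda" notes) when the
     * token is missing, fails validation, or validation throws.
     *
     * Security fix: the incoming event is logged with `authorizationToken`
     * redacted. Previously the full bearer token was written to the log at
     * info level, which leaks a live credential into CloudWatch.
     *
     * @param event API Gateway TOKEN authorizer event (authorizationToken, methodArn)
     * @param {Context} context Lambda context (unused)
     * @param {Callback} callback Lambda callback
     */
    lambdaHandler(event, context, callback) {
        logger_1.Logger.info('Got event : %j', redactAuthorizerEvent(event));
        const srcString = ApiGatewayAdapterAuthenticationHandler.extractTokenStringFromAuthorizerEvent(event);
        if (!srcString) {
            logger_1.Logger.info('Token not supplied');
            callback(new Error('Unauthorized')); // Required by Lambda
            return;
        }
        const methodArn = event.methodArn;
        this.webTokenManipulator
            .parseAndValidateJWTStringAsync(srcString)
            .then((parsed) => {
                if (parsed) {
                    callback(null, this.createPolicy(methodArn, srcString, parsed));
                } else {
                    logger_1.Logger.info('Invalid bearer token');
                    callback(new Error('Unauthorized')); // Required by Lambda
                }
            })
            .catch((err) => {
                // Reached for a rejected validation promise and for anything thrown
                // inside the then-handler (e.g. createPolicy on a malformed methodArn).
                logger_1.Logger.error('Exception parsing token : %s', err);
                callback(new Error('Unauthorized')); // Required by Lambda
            });
    }
    /**
     * Builds the authorizer response for a validated token.
     *
     * `methodArn` is expected to look like
     * arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/PATH; region,
     * account, API id and stage are taken from it. The Allow statement ends in
     * a two-level wildcard, so it covers every method and path in the stage,
     * not just the invoked one — presumably so API Gateway can reuse a cached
     * result across routes; confirm per-route authorization is not required
     * before relying on it. The raw token is forwarded to the backend in
     * context.srcData and the parsed claims in context.userJSON.
     *
     * @param methodArn the method ARN from the authorizer event
     * @param srcString the raw bearer token (prefix already stripped)
     * @param userOb the parsed/validated token payload
     * @returns an API Gateway authorizer response object
     * @throws TypeError when methodArn has fewer than six ':'-separated parts
     */
    createPolicy(methodArn, srcString, userOb) {
        const arnParts = methodArn.split(':');
        const region = arnParts[3];
        const awsAccountId = arnParts[4];
        const [restApiId, stage] = arnParts[5].split('/');
        const resourceArn = 'arn:aws:execute-api:' + region + ':' + awsAccountId + ':' + restApiId + '/' + stage + '/*/*';
        return {
            principalId: 'user', // Fixed principal; not derived from the token claims
            policyDocument: {
                Version: '2012-10-17',
                Statement: [
                    {
                        Action: 'execute-api:Invoke',
                        Effect: 'Allow',
                        Resource: [resourceArn],
                    },
                ],
            },
            // Context matches what would come in ExtendedAuthResponseContext if using epsilon auth
            context: {
                userJSON: JSON.stringify(userOb),
                srcData: srcString, // Raw token kept so a downstream token update can reuse it
            },
        };
    }
    /**
     * Pulls the bearer token out of a TOKEN authorizer event.
     *
     * @param event the authorizer event; may be null/undefined
     * @returns the token with EpsilonConstants.AUTH_HEADER_PREFIX stripped, or
     *          null when there is no authorizationToken or it does not start
     *          with the prefix (case-sensitive match). A token consisting of
     *          the prefix alone yields an empty string.
     */
    static extractTokenStringFromAuthorizerEvent(event) {
        logger_1.Logger.silly('Extracting token from event : %j', redactAuthorizerEvent(event));
        const token = event && event.authorizationToken;
        if (!token) {
            return null;
        }
        const prefix = epsilon_constants_1.EpsilonConstants.AUTH_HEADER_PREFIX;
        if (!token.startsWith(prefix)) {
            return null;
        }
        return token.substring(prefix.length); // Strip "Bearer "
    }
}
exports.ApiGatewayAdapterAuthenticationHandler = ApiGatewayAdapterAuthenticationHandler;
//# sourceMappingURL=api-gateway-adapter-authentication-handler.js.map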