@bitblit/epsilon/http/auth/auth0-web-token-manipulator.js

Tiny adapter to simplify building API gateway Lambda APIS

"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
        step((generator = generator.apply(thisArg, _arguments || [])).next());
    });
};
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.Auth0WebTokenManipulator = void 0;
const common_1 = require("@bitblit/ratchet/common");
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
class Auth0WebTokenManipulator {
    constructor(clientId, jwksUri, issuer) {
        this.clientId = clientId;
        this.jwksUri = jwksUri;
        this.issuer = issuer;
    }
    extractTokenFromAuthorizationHeader(authHeader) {
        return __awaiter(this, void 0, void 0, function* () {
            let tokenString = common_1.StringRatchet.trimToEmpty(authHeader);
            if (tokenString.toLowerCase().startsWith('bearer ')) {
                tokenString = tokenString.substring(7);
            }
            const validated = tokenString ? yield this.parseAndValidateAuth0Token(tokenString, false) : null;
            return validated;
        });
    }
    parseAndValidateAuth0Token(auth0Token, allowExpired = false) {
        var _a;
        return __awaiter(this, void 0, void 0, function* () {
            common_1.Logger.debug('Validating Auth0 token : %s', common_1.StringRatchet.obscure(auth0Token, 4));
            const fullToken = jsonwebtoken_1.default.decode(auth0Token, { complete: true });
            const kid = (_a = fullToken === null || fullToken === void 0 ? void 0 : fullToken.header) === null || _a === void 0 ? void 0 : _a.kid;
            const nowEpochSeconds = Math.floor(new Date().getTime() / 1000);
            const pubKey = yield this.fetchSigningKey(kid);
            const validated = jsonwebtoken_1.default.verify(auth0Token, pubKey, {
                audience: this.clientId,
                issuer: this.issuer,
                ignoreExpiration: allowExpired,
                clockTimestamp: nowEpochSeconds,
            });
            return validated;
        });
    }
    fetchSigningKey(kid) {
        return __awaiter(this, void 0, void 0, function* () {
            const jClient = yield this.fetchJwksClient();
            return new Promise((res, rej) => {
                jClient.getSigningKey(kid, (err, key) => {
                    if (err) {
                        rej(err);
                    }
                    else {
                        res(key.publicKey || key.rsaPublicKey);
                    }
                });
            });
        });
    }
    fetchJwksClient() {
        return __awaiter(this, void 0, void 0, function* () {
            if (!this.jwksClient) {
                this.jwksClient = (0, jwks_rsa_1.default)({
                    cache: true,
                    cacheMaxEntries: 5,
                    cacheMaxAge: 1000 * 60 * 60 * 10,
                    jwksUri: this.jwksUri,
                });
            }
            return this.jwksClient;
        });
    }
}
exports.Auth0WebTokenManipulator = Auth0WebTokenManipulator;
//# sourceMappingURL=auth0-web-token-manipulator.js.map