@bitblit/epsilon
Tiny adapter to simplify building API gateway Lambda APIs
"use strict";
/*
 * Compiler-emitted helper that drives a generator function as if it were an
 * async function (the shape matches TypeScript's down-level async helper).
 * An already-installed `this.__awaiter` is reused when present.
 *
 * thisArg / _arguments - receiver and arguments the generator is applied with.
 * P                    - promise constructor to use; falls back to the global Promise.
 * generator            - generator function whose `yield`s stand in for `await`.
 * Returns a promise that settles with the generator's return value, or
 * rejects with whatever the generator throws.
 */
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
// Wrap plain values so every yielded value can be chained with .then().
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
// Resume the generator with the resolved value; a synchronous throw rejects the outer promise.
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
// Re-raise a rejection inside the generator so its own try/catch can handle it.
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
// Either finish with the generator's return value or wait on the next yielded value.
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
// Instantiate the generator and run it up to its first yield.
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
// Mark the module as a transpiled ES module for CommonJS interop.
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder only: the real export is assigned after the class definition below.
exports.LocalWebTokenManipulator = void 0;
const logger_1 = require("@bitblit/ratchet/common/logger");
const unauthorized_error_1 = require("../error/unauthorized-error");
const string_ratchet_1 = require("@bitblit/ratchet/common/string-ratchet");
const require_ratchet_1 = require("@bitblit/ratchet/common/require-ratchet");
const common_1 = require("@bitblit/ratchet/common");
/**
 * Creates, refreshes and validates JWTs by delegating to a JwtRatchet that is
 * configured with a locally supplied key list.
 *
 * NOTE(review): `issuer` is written into new tokens as `iss`, but nothing in
 * this class compares a decoded token's `iss` with it, and the issuer is never
 * handed to the ratchet. If several services share keys, an explicit issuer
 * check on the parse path is worth adding.
 */
class LocalWebTokenManipulator {
    /**
     * @param {Array} encryptionKeys - key material given to the JwtRatchet; must be
     *   non-null with no null/undefined entries.
     * @param {*} issuer - value placed in the `iss` claim of tokens created here.
     *
     * NOTE(review): only null/undefined is rejected here; key length and strength
     * are not checked in this class. Confirm that is enforced where keys are loaded.
     */
    constructor(encryptionKeys, issuer) {
        this.encryptionKeys = encryptionKeys;
        this.issuer = issuer;
        const { RequireRatchet } = require_ratchet_1;
        RequireRatchet.notNullOrUndefined(encryptionKeys, 'encryptionKeys');
        RequireRatchet.noNullOrUndefinedValuesInArray(encryptionKeys, encryptionKeys.length);
        this._ratchet = new common_1.JwtRatchet(Promise.resolve(encryptionKeys));
    }
    /**
     * Rebuilds the internal ratchet with an additional list of keys passed in the
     * decrypt-keys position (presumably retired keys that are still accepted for
     * reading during rotation; confirm against JwtRatchet).
     *
     * @param {Array} keys - non-null list with no null/undefined entries.
     * @returns {LocalWebTokenManipulator} this, for chaining.
     */
    withExtraDecryptionKeys(keys) {
        const { RequireRatchet } = require_ratchet_1;
        RequireRatchet.notNullOrUndefined(keys, 'keys');
        RequireRatchet.noNullOrUndefinedValuesInArray(keys, keys.length);
        const current = this._ratchet;
        this._ratchet = new common_1.JwtRatchet(current.encryptionKeyPromise, Promise.resolve(keys), current.jtiGenerator, current.decryptOnlyKeyUseLogLevel, current.parseFailureLogLevel);
        return this;
    }
    /**
     * Rebuilds the internal ratchet with a different parse-failure log level.
     *
     * @param {*} logLevel - level handed to JwtRatchet as parseFailureLogLevel.
     * @returns {LocalWebTokenManipulator} this, for chaining.
     */
    withParseFailureLogLevel(logLevel) {
        const current = this._ratchet;
        this._ratchet = new common_1.JwtRatchet(current.encryptionKeyPromise, current.decryptKeysPromise, current.jtiGenerator, current.decryptOnlyKeyUseLogLevel, logLevel);
        return this;
    }
    /**
     * Rebuilds the internal ratchet with a different log level for the
     * decrypt-only-key-use setting.
     *
     * @param {*} logLevel - level handed to JwtRatchet as decryptOnlyKeyUseLogLevel.
     * @returns {LocalWebTokenManipulator} this, for chaining.
     */
    withOldKeyUseLogLevel(logLevel) {
        const current = this._ratchet;
        this._ratchet = new common_1.JwtRatchet(current.encryptionKeyPromise, current.decryptKeysPromise, current.jtiGenerator, logLevel, current.parseFailureLogLevel);
        return this;
    }
    /** @returns the JwtRatchet currently backing this instance. */
    get jwtRatchet() {
        const backing = this._ratchet;
        return backing;
    }
    /**
     * Property getter that forwards to JwtRatchet.selectRandomEncryptionKey().
     *
     * NOTE(review): this hands key material to any code holding the instance;
     * never log or serialize the result.
     */
    get selectRandomEncryptionKey() {
        const chosen = this._ratchet.selectRandomEncryptionKey();
        return chosen;
    }
    /**
     * Asks the ratchet to refresh an existing token string.
     *
     * @param {string} tokenString - token to refresh.
     * @param {number} expirationSeconds - forwarded to the ratchet as the new lifetime.
     * @param {boolean} [allowExpired] - forwarded as-is when truthy, otherwise `false`.
     *
     * NOTE(review): passing allowExpired=true lets an already-expired token be
     * renewed; callers should only do that behind a separate re-authentication check.
     */
    createRefreshedJWTString(tokenString, expirationSeconds, allowExpired) {
        const permitExpired = allowExpired || false;
        return this._ratchet.refreshJWTString(tokenString, permitExpired, expirationSeconds);
    }
    /**
     * Decodes a token and rejects it when the ratchet flags it as expired.
     *
     * @param {string} tokenString - raw JWT.
     * @returns {Promise<*>} whatever decodeToken produced for a non-expired token.
     * @throws UnauthorizedError when the decoded payload carries the expired flag.
     *
     * NOTE(review): the result of decodeToken is returned unchanged when it is not
     * flagged expired; if decodeToken yields null for an unparseable or badly
     * signed token (confirm), callers must treat null as unauthenticated.
     */
    parseAndValidateJWTStringAsync(tokenString) {
        return __awaiter(this, void 0, void 0, function* () {
            // Mode 2 is annotated as ADD_FLAG: expiry is reported on the payload and enforced here.
            const claims = yield this._ratchet.decodeToken(tokenString, 2 /* ExpiredJwtHandling.ADD_FLAG */);
            if (!common_1.JwtRatchet.hasExpiredFlag(claims)) {
                return claims;
            }
            const message = 'Failing JWT token read/validate - token expired on ' + claims.exp;
            throw new unauthorized_error_1.UnauthorizedError(message);
        });
    }
    /**
     * Builds the claim set for a principal and has the ratchet turn it into a token string.
     *
     * @param {*} principal - written to `sub` (and to the info log line).
     * @param {*} userObject - embedded in the token as `user`.
     * @param {Array} [roles=['USER']] - embedded as `roles`.
     * @param {number} [expirationSeconds=3600] - lifetime, also passed to the ratchet.
     * @param {*} [proxyUser=null] - embedded as `proxy`.
     * @returns {Promise<*>} the token string produced by the ratchet.
     *
     * NOTE(review): if the ratchet signs rather than encrypts (confirm), every
     * field of userObject is readable by whoever holds the token, so keep
     * secrets out of it.
     */
    createJWTStringAsync(principal, userObject, roles = ['USER'], expirationSeconds = 3600, proxyUser = null) {
        return __awaiter(this, void 0, void 0, function* () {
            logger_1.Logger.info('Creating JWT token for %s that expires in %s', principal, expirationSeconds);
            const issuedAtMs = new Date().getTime();
            const expiresAtMs = issuedAtMs + expirationSeconds * 1000;
            // NOTE(review): exp/iat are epoch milliseconds here, whereas RFC 7519
            // NumericDate is seconds. Presumably createTokenString recomputes exp
            // from expirationSeconds; confirm, otherwise standard verifiers would
            // read these tokens as valid far into the future.
            // Key order is kept as-is because it determines the serialized payload.
            const claims = {
                exp: expiresAtMs,
                iss: this.issuer,
                sub: principal,
                iat: issuedAtMs,
                user: userObject,
                proxy: proxyUser,
                roles,
            };
            return yield this._ratchet.createTokenString(claims, expirationSeconds);
        });
    }
    /**
     * Pulls a token out of an Authorization header value and validates it.
     *
     * @param {string} header - raw header value; an optional case-insensitive
     *   "bearer " prefix is stripped.
     * @returns {Promise<*>} the validated payload, or null when the trimmed header is empty.
     * @throws UnauthorizedError (via parseAndValidateJWTStringAsync) for expired tokens.
     */
    extractTokenFromAuthorizationHeader(header) {
        return __awaiter(this, void 0, void 0, function* () {
            const bearerPrefix = 'bearer ';
            let candidate = string_ratchet_1.StringRatchet.trimToEmpty(header);
            if (candidate.toLowerCase().startsWith(bearerPrefix)) {
                candidate = candidate.substring(bearerPrefix.length);
            }
            let claims = null;
            if (candidate) {
                claims = yield this.parseAndValidateJWTStringAsync(candidate);
            }
            // NOTE(review): test-only hook that ships in the production path: the
            // literal token 'test-msg' turns a failed validation into an HTTP 444
            // error. Consider gating it behind test configuration.
            if (!claims && candidate === 'test-msg') {
                throw new common_1.RestfulApiHttpError(`Found token string but could not extract a token from ${candidate}`).withHttpStatusCode(444);
            }
            return claims;
        });
    }
}
exports.LocalWebTokenManipulator = LocalWebTokenManipulator;
//# sourceMappingURL=local-web-token-manipulator.js.map