@bitblit/ratchet-epsilon-common
Tiny adapter to simplify building API gateway Lambda APIS
import { Logger } from '@bitblit/ratchet-common/logger/logger';
import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
import jwt from 'jsonwebtoken';
import jwks from 'jwks-rsa';
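/**
 * Validates JWTs against a JWKS endpoint, checking signature, audience and issuer.
 *
 * The expected audience (`clientId`), the JWKS location (`jwksUri`) and the expected
 * `issuer` are fixed at construction time; the JWKS client is created lazily on first use
 * and reused afterwards.
 */
export class Auth0WebTokenManipulator {
  clientId;
  jwksUri;
  issuer;
  jwksClient;

  /**
   * @param clientId Value the token's audience claim must match.
   * @param jwksUri URL of the JWKS document holding the signing keys.
   * @param issuer Value the token's issuer claim must match.
   */
  constructor(clientId, jwksUri, issuer) {
    this.clientId = clientId;
    this.jwksUri = jwksUri;
    this.issuer = issuer;
  }

  /**
   * Pulls the token out of an Authorization header value and validates it.
   *
   * A leading "Bearer " prefix (case-insensitive) is optional. Expired tokens are
   * never accepted on this path.
   *
   * @param authHeader Raw header value; may be null/undefined/blank.
   * @returns The verified token payload, or null when the header carries no token.
   * @throws Whatever parseAndValidateAuth0Token throws for a token that fails validation.
   */
  async extractTokenFromAuthorizationHeader(authHeader) {
    let tokenString = StringRatchet.trimToEmpty(authHeader);
    if (tokenString.toLowerCase().startsWith('bearer ')) {
      // Trim again so "Bearer   <token>" (extra separator whitespace) still yields the bare token.
      tokenString = tokenString.substring(7).trim();
    }
    return tokenString ? this.parseAndValidateAuth0Token(tokenString, false) : null;
  }

  /**
   * Verifies the token's signature, audience and issuer and returns its payload.
   *
   * @param auth0Token Compact JWT string.
   * @param allowExpired When true, the expiry check is skipped (signature, audience and
   *   issuer are still enforced). Defaults to false.
   * @returns The verified payload as returned by jwt.verify.
   * @throws jwt.JsonWebTokenError when the token cannot be decoded; also propagates errors
   *   from the JWKS lookup and from jwt.verify.
   */
  async parseAndValidateAuth0Token(auth0Token, allowExpired = false) {
    Logger.debug('Validating Auth0 token : %s', StringRatchet.obscure(auth0Token, 4));

    // decode() does not check the signature. Its output is used only to pick which JWKS key
    // to try; nothing from it is trusted until verify() below succeeds.
    const fullToken = jwt.decode(auth0Token, { complete: true });
    if (!fullToken) {
      // Fail before the JWKS lookup: an undecodable token can never verify, so there is no
      // reason to let unauthenticated junk input drive a key fetch.
      throw new jwt.JsonWebTokenError('jwt malformed');
    }
    const kid = fullToken.header?.kid;
    const nowEpochSeconds = Math.floor(Date.now() / 1000);
    const pubKey = await this.fetchSigningKey(kid);

    // NOTE(review): no `algorithms` option is passed, so the accepted signature algorithms are
    // whatever jsonwebtoken defaults to for the supplied key. Consider pinning `algorithms` to
    // the algorithm(s) the issuing tenant actually signs with.
    return jwt.verify(auth0Token, pubKey, {
      audience: this.clientId,
      issuer: this.issuer,
      ignoreExpiration: allowExpired,
      clockTimestamp: nowEpochSeconds,
    });
  }

  /**
   * Looks up the signing key for the given key id via the JWKS client.
   *
   * @param kid Key id taken from the (unverified) token header; may be undefined.
   * @returns Promise of the key's `publicKey`, falling back to `rsaPublicKey`.
   */
  async fetchSigningKey(kid) {
    const jClient = await this.fetchJwksClient();
    return new Promise((resolve, reject) => {
      jClient.getSigningKey(kid, (err, key) => {
        if (err) {
          reject(err);
        } else {
          resolve(key.publicKey || key.rsaPublicKey);
        }
      });
    });
  }

  /**
   * Returns the shared JWKS client, creating it on first call.
   *
   * The client is configured with caching enabled: at most 5 entries, max age 10 hours.
   * NOTE(review): no lookup rate limiting is configured here; requests for unknown key ids
   * are bounded only by the cache — confirm whether that is acceptable for this endpoint.
   */
  async fetchJwksClient() {
    if (!this.jwksClient) {
      this.jwksClient = jwks({
        cache: true,
        cacheMaxEntries: 5,
        cacheMaxAge: 1000 * 60 * 60 * 10,
        jwksUri: this.jwksUri,
      });
    }
    return this.jwksClient;
  }
}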
//# sourceMappingURL=auth0-web-token-manipulator.js.map