UNPKG

@blenz/middy-authorizer-middleware

Version:

JWT token validation

109 lines (93 loc) 4.39 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
import createError from 'http-errors'; import jwt, { TokenExpiredError, NotBeforeError, VerifyOptions } from 'jsonwebtoken'; import middy from '@middy/core'; import jwksRsa from 'jwks-rsa'; import { AuthMiddlewareConfig } from './auth.config'; import { AuthEvent } from './auth.response'; import authConfig from '../auth.config.json'; const authClient = jwksRsa({ cache: true, rateLimit: true, jwksUri: `https://${authConfig.domain}/.well-known/jwks.json`, }); /** * Middy middleware for token authentication * * ``` * handler.use(AuthorizeMiddleware({...})) * ``` */ export const AuthMiddleware = (config: AuthMiddlewareConfig) => { return ({ before: async (handler: any) => { // Authorization not required if (!config.credentialsRequired) { return; } // Get token from auth header and verify it exists const authHeader = handler.event.headers.authorization; if (!authHeader) { throw new createError.Forbidden('Missing authorization header'); } // Validate auth header format const authHeaderParts = authHeader.split(' '); if (authHeaderParts.length !== 2 || authHeaderParts[0] !== 'Bearer') { throw new createError.Forbidden('Authorization header malformed - expected `Bearer token`'); } // Get the token const authToken = authHeaderParts[1]; if (authToken === undefined) { throw new createError.Forbidden('Authorization token undefined'); } // Decode the token let decodedToken: any; try { decodedToken = jwt.decode(authToken, { complete: true }); } catch (err) { throw new createError.Forbidden(err.message); } // Validate token is not malformed if (!decodedToken || !decodedToken.header || !decodedToken.header.kid) { throw new createError.Forbidden('JWT token is malformed'); } const kid = decodedToken.header.kid; authClient.getSigningKey(kid, (err, key) => { if (err) { throw new createError.Forbidden(err.message); } const jwtOptions: VerifyOptions = { algorithms: ['RS256'], audience: authConfig.audience, issuer: `https://${authConfig.domain}` }; try { jwt.verify(authToken, key.getPublicKey(), jwtOptions, (err, decoded: any) => { if (err) { throw new createError.Forbidden(err.message); } // TODO: Don't use auth0 roles, instead design our own role structure if (config.acceptedRoles) { const roles: string[] = decoded[`https://${process.env.URL}/roles`]; if (!roles || !roles.length || !config.acceptedRoles.some(x => roles.includes(x))) { throw new createError.Forbidden('User is not permitted to access the requested resource'); } } // Attach decoded token to auth event handler.event.auth = { payload: decoded, token: authToken}; console.log("SDFSDZFF"); console.log(handler.event.auth); }); } catch (err) { if (err instanceof TokenExpiredError) { throw new createError.Forbidden(`Token expired: ${new Date(err.expiredAt).toUTCString()}`); } else if (err instanceof NotBeforeError) { throw new createError.Forbidden(`Token not valid until: ${err.date.toUTCString()}`); } else { throw new createError.Forbidden('Invalid token'); } } }); }, }); } export default AuthMiddleware;