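import { logger } from '../../../utils/logger'

export type CtsRegions = 'ap-southeast-2'

export type IdentifyOptions = {
  fetchFromCts?: boolean
}

/**
 * Token issued by the CipherStash Token Service (CTS) in exchange for a
 * user's OIDC JWT (see `LockContext.identify`).
 */
export type CtsToken = {
  accessToken: string
  // NOTE(review): the unit of `expiry` (epoch seconds vs milliseconds) is not
  // established in this file — confirm against the CTS API before comparing
  // it with Date.now(). Nothing here currently enforces it.
  expiry: number
}

export type Context = {
  identityClaim: string[]
}

export type LockContextOptions = {
  context?: Context
  ctsToken?: CtsToken
}

/**
 * Result of `LockContext.getLockContext()`: either an error message, or the
 * identity context together with the CTS token. The two shapes are mutually
 * exclusive via the `never`-typed fields.
 */
export type GetLockContextResponse =
  | {
      success: boolean
      error: string
      ctsToken?: never
      context?: never
    }
  | {
      success: boolean
      error?: never
      ctsToken: CtsToken
      context: Context
    }

/**
 * Holds the identity context (which JWT claims lock the data to the user)
 * and the CTS token used to prove that identity to CipherStash.
 *
 * Reads `CS_WORKSPACE_ID` (required) and `CS_CTS_ENDPOINT` (optional) from
 * the process environment.
 */
export class LockContext {
  private ctsToken: CtsToken | undefined
  private workspaceId: string
  private context: Context

  /**
   * @param options.context - claims used as the identity lock; defaults to `['sub']`.
   * @param options.ctsToken - a previously obtained CTS token, skipping `identify()`.
   * @throws Error when `CS_WORKSPACE_ID` is not set.
   */
  constructor({
    context = { identityClaim: ['sub'] },
    ctsToken,
  }: LockContextOptions = {}) {
    const workspaceId = process.env.CS_WORKSPACE_ID
    if (!workspaceId) {
      const errorMessage =
        'CS_WORKSPACE_ID environment variable is not set, and is required to initialize a LockContext.'
      logger.error(errorMessage)
      throw new Error(`[jseql]: ${errorMessage}`)
    }

    if (ctsToken) {
      this.ctsToken = ctsToken
    }

    this.workspaceId = workspaceId
    this.context = context
    logger.debug('Successfully initialized the EQL lock context.')
  }

  /**
   * Exchanges the user's OIDC JWT for a CTS token and stores it on this
   * instance.
   *
   * The JWT is sent in the request body, so `CS_CTS_ENDPOINT` must be treated
   * as trusted configuration: pointing it at a non-TLS or attacker-controlled
   * host hands over the user's bearer token. No check is made here beyond
   * what `fetch` enforces.
   *
   * @param jwtToken - the user's OIDC JWT.
   * @returns this instance, for chaining.
   * @throws Error when the CTS request fails (non-2xx), the body is not
   *   JSON (propagated from `response.json()`), or the body carries no
   *   string `accessToken`.
   */
  async identify(jwtToken: string): Promise<LockContext> {
    const ctsEndpoint =
      process.env.CS_CTS_ENDPOINT ||
      'https://ap-southeast-2.aws.auth.viturhosted.net'

    const ctsResponse = await fetch(`${ctsEndpoint}/api/authorize`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        workspaceId: this.workspaceId,
        oidcToken: jwtToken,
      }),
    })

    // Only the status text is surfaced: the response body is not echoed into
    // the error, so an upstream error page cannot leak into logs.
    if (!ctsResponse.ok) {
      throw new Error(
        `[jseql]: Failed to fetch CTS token: ${ctsResponse.statusText}`,
      )
    }

    // The body is untrusted JSON; validate the field we depend on instead of
    // trusting the cast alone. A non-string accessToken is rejected too.
    const ctsToken = (await ctsResponse.json()) as CtsToken
    if (
      typeof ctsToken?.accessToken !== 'string' ||
      ctsToken.accessToken.length === 0
    ) {
      const errorMessage =
        'The response from the CipherStash API did not contain an access token. Please contact support.'
      logger.error(errorMessage)
      throw new Error(errorMessage)
    }

    this.ctsToken = ctsToken
    return this
  }

  /**
   * Returns the identity context and CTS token, or an error when no usable
   * token is held.
   *
   * A token is "usable" only when both `accessToken` and `expiry` are
   * present; previously a token missing either one slipped through because
   * the two checks were joined with `&&`. Expiry is NOT compared against the
   * clock here — callers needing freshness must check `ctsToken.expiry`
   * themselves (see the note on `CtsToken`).
   */
  getLockContext(): GetLockContextResponse {
    const token = this.ctsToken
    if (!token?.accessToken || !token?.expiry) {
      return {
        success: false,
        error:
          'The CTS token is not set. Please call identify() with a users JWT token, or pass an existing CTS token to the LockContext constructor before calling getLockContext().',
      }
    }

    return {
      success: true,
      context: this.context,
      ctsToken: token,
    }
  }
}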