@foal/jwt

Authentication with JWT for FoalTS

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.setAuthCookie = setAuthCookie;
// 3p
const core_1 = require("@foal/core");
const jsonwebtoken_1 = require("jsonwebtoken");
// FoalTS
const constants_1 = require("./constants");
const core_2 = require("../core");
/**
 * Promise wrapper around jsonwebtoken's callback-style `sign`.
 *
 * @param {object} claims - Payload to sign.
 * @param {string|Buffer} key - Secret or private key handed to `sign`.
 * @param {object} jwtOptions - Options forwarded to `sign` (here only the algorithm).
 * @returns {Promise<string>} The encoded JWT.
 */
function signAsync(claims, key, jwtOptions) {
    return new Promise((resolve, reject) => (0, jsonwebtoken_1.sign)(claims, key, jwtOptions, (err, encoded) => {
        // TODO: test this line.
        if (err) {
            return reject(err);
        }
        resolve(encoded);
    }));
}
/**
 * Stores `token` in the authentication cookie of `response` and, when
 * `settings.jwt.csrf.enabled` is true, also sets a signed CSRF cookie.
 *
 * Cookie name, domain, path, sameSite, secure and httpOnly are read from the
 * `settings.jwt.cookie.*` configuration keys. When CSRF protection is enabled
 * and no sameSite value is configured, JWT_DEFAULT_SAME_SITE_ON_CSRF_ENABLED
 * is applied. The token's `exp` claim (seconds) becomes the cookie expiry.
 *
 * `token` is only decoded, never verified: its header `alg` and the `sub`/`exp`
 * claims are copied into the CSRF token as-is. Callers are expected to pass a
 * token this application issued itself.
 *
 * @param {object} response - Response object exposing `setCookie(name, value, options)`.
 * @param {string} token - Encoded JWT to place in the auth cookie.
 * @returns {Promise<void>}
 * @throws {Error} If `token` cannot be decoded as a JWT.
 */
async function setAuthCookie(response, token) {
    const cookieName = core_1.Config.get('settings.jwt.cookie.name', 'string', constants_1.JWT_DEFAULT_COOKIE_NAME);
    const csrfEnabled = core_1.Config.get('settings.jwt.csrf.enabled', 'boolean', false);
    const configuredSameSite = core_1.Config.get('settings.jwt.cookie.sameSite', 'string');
    // Without a sameSite restriction the CSRF cookie alone offers little; fall back to the
    // CSRF-specific default only when the user left the setting unset.
    const sameSite = (csrfEnabled && configuredSameSite === undefined)
        ? constants_1.JWT_DEFAULT_SAME_SITE_ON_CSRF_ENABLED
        : configuredSameSite;
    const baseOptions = {
        domain: core_1.Config.get('settings.jwt.cookie.domain', 'string'),
        path: core_1.Config.get('settings.jwt.cookie.path', 'string', constants_1.JWT_DEFAULT_COOKIE_PATH),
        sameSite,
        secure: core_1.Config.get('settings.jwt.cookie.secure', 'boolean'),
    };
    // `decode` does not check the signature; it only parses the three segments.
    const decoded = (0, jsonwebtoken_1.decode)(token, { complete: true });
    if (decoded === null || typeof decoded === 'string') {
        throw new Error('The given token is not a valid JWT.');
    }
    const { header, payload } = decoded;
    // JWT `exp` is in seconds since the epoch; Date expects milliseconds.
    const expiry = payload.exp === undefined ? {} : { expires: new Date(payload.exp * 1000) };
    const cookieOptions = { ...baseOptions, ...expiry };
    response.setCookie(cookieName, token, {
        ...cookieOptions,
        // NOTE(review): unlike the other keys this read has no fallback value — confirm how
        // setCookie treats an undefined httpOnly before relying on it for the session cookie.
        httpOnly: core_1.Config.get('settings.jwt.cookie.httpOnly', 'boolean'),
    });
    if (!csrfEnabled) {
        return;
    }
    // Key order matters for the signed bytes: csrfToken, sub, then exp (only when present).
    const csrfClaims = {
        csrfToken: await (0, core_1.generateToken)(),
        sub: payload.sub,
        ...(payload.exp === undefined ? {} : { exp: payload.exp }),
    };
    // The algorithm is taken from the unverified header of `token`; the caller is trusted
    // to supply a token signed by this server with the same key getSecretOrPrivateKey returns.
    const csrfJwt = await signAsync(csrfClaims, (0, core_2.getSecretOrPrivateKey)(), { algorithm: header.alg });
    const csrfCookieName = core_1.Config.get('settings.jwt.csrf.cookie.name', 'string', constants_1.JWT_DEFAULT_CSRF_COOKIE_NAME);
    // httpOnly is deliberately false here — presumably so client-side code can read the
    // value and send it back; confirm against the verifying side before changing it.
    response.setCookie(csrfCookieName, csrfJwt, { ...cookieOptions, httpOnly: false });
}