UNPKG

@guardian/pan-domain-node

Version:

NodeJs implementation of Guardian pan-domain auth verification

github.com/guardian/pan-domain-authentication

guardian/pan-domain-authentication

84 lines (75 loc) 2.85 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
export { PanDomainAuthentication } from './panda'; // We continue to consider the request authenticated for // a period of time after the cookie expiry. This is to allow // API requests which cannot directly send the user for re-auth to // indicate to the user that they must take some action to refresh their // credentials (usually, refreshing the page). // Panda cookie: issued expires // | | // |--1 hour--| // Grace period: [------------- 24 hours ------] // `success`: --false-][-true-----------------------------------][-false--------> // `shouldRefreshCredentials` [-false---][-true------------------------] export const gracePeriodInMillis = 24 * 60 * 60 * 1000; // These are used to enforce the structure of the // `AuthenticationResult` union types, // but are not exported because they are too general. interface Result { success: boolean } interface Success extends Result { // `success` is true when both these are true: // 1. we've verified that the cookie is signed by the correct private key // and decoded a `User` from it // 2. we've validated the `User` using `ValidateUserFn` success: true, shouldRefreshCredentials: boolean, user: User } interface Failure extends Result { success: false, reason: string } // These are members of the `AuthenticationResult` union, // so they are exported for use by library consumers. export interface FreshSuccess extends Success { // Cookie has not expired yet, so no need to refresh credentials. shouldRefreshCredentials: false } export interface StaleSuccess extends Success { // Cookie has expired: we're in the grace period. // Endpoints that can refresh credentials should do so, // and those that cannot should tell the user to do so. shouldRefreshCredentials: true, mustRefreshByEpochTimeMillis: number } export interface UserValidationFailure extends Failure { reason: 'invalid-user', user: User } export interface CookieFailure extends Failure { reason: 'no-cookie' | 'invalid-cookie' | 'expired-cookie' } export interface UnknownFailure extends Failure { reason: 'unknown' } export type AuthenticationResult = FreshSuccess | StaleSuccess | CookieFailure | UserValidationFailure | UnknownFailure export interface User { firstName: string, lastName: string, email: string, avatarUrl?: string, authenticatingSystem: string, authenticatedIn: string[], expires: number, multifactor: boolean } export type ValidateUserFn = (user: User) => boolean; export function guardianValidation(user: User): boolean { const isGuardianUser = user.email.indexOf('guardian.co.uk') !== -1; return isGuardianUser && user.multifactor; }