@guardian/pan-domain-node

import * as cookie from 'cookie'; import {parseCookie, parseUser, sign, verifySignature} from './utils'; import {User, AuthenticationResult, ValidateUserFn, gracePeriodInMillis} from './api'; import { fetchPublicKey, PublicKeyHolder } from './fetch-public-key'; import { S3 } from "@aws-sdk/client-s3"; import { fromNodeProviderChain } from "@aws-sdk/credential-providers"; import { AwsCredentialIdentityProvider } from "@aws-sdk/types"; export function createCookie(user: User, privateKey: string): string { let queryParams: string[] = []; queryParams.push("firstName=" + user.firstName); queryParams.push("lastName=" + user.lastName); queryParams.push("email=" + user.email); user.avatarUrl && queryParams.push("avatarUrl=" + user.avatarUrl); queryParams.push("system=" + user.authenticatingSystem); queryParams.push("authedIn=" + user.authenticatedIn.join(",")); queryParams.push("expires=" + user.expires.toString()); queryParams.push("multifactor=" + String(user.multifactor)); const combined = queryParams.join("&"); const queryParamsString = Buffer.from(combined).toString('base64'); const signature = sign(combined, privateKey); return queryParamsString + "." + signature } export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult { if (!pandaCookie) { return { success: false, reason: 'no-cookie' }; } const parsedCookie = parseCookie(pandaCookie); if (!parsedCookie) { return { success: false, reason: 'invalid-cookie' }; } const { data, signature } = parsedCookie; if (!verifySignature(data, signature, publicKey)) { return { success: false, reason: 'invalid-cookie' }; } const currentTimestampInMillis = currentTime.getTime(); try { const user: User = parseUser(data); const isExpired = user.expires < currentTimestampInMillis; if (isExpired) { const gracePeriodEndsAtEpochTimeMillis = user.expires + gracePeriodInMillis; if (gracePeriodEndsAtEpochTimeMillis < currentTimestampInMillis) { return { success: false, reason: 'expired-cookie' }; } else { return { success: true, shouldRefreshCredentials: true, mustRefreshByEpochTimeMillis: gracePeriodEndsAtEpochTimeMillis, user } } } if (!validateUser(user)) { return { success: false, reason: 'invalid-user', user }; } return { success: true, shouldRefreshCredentials: false, user }; } catch (error) { console.error(error); return { success: false, reason: 'unknown' }; } } export class PanDomainAuthentication { cookieName: string; region: string; bucket: string; keyFile: string; validateUser: ValidateUserFn; publicKey: Promise<PublicKeyHolder>; keyCacheTimeInMillis: number = 60 * 1000; // 1 minute keyUpdateTimer?: NodeJS.Timeout; s3Client: S3; constructor(cookieName: string, region: string, bucket: string, keyFile: string, validateUser: ValidateUserFn, credentialsProvider: AwsCredentialIdentityProvider = fromNodeProviderChain()) { this.cookieName = cookieName; this.region = region; this.bucket = bucket; this.keyFile = keyFile; this.validateUser = validateUser; const standardAwsConfig = { region: region, credentials: credentialsProvider, }; this.s3Client = new S3(standardAwsConfig); this.publicKey = fetchPublicKey(this.s3Client, bucket, keyFile); this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTimeInMillis); } stop(): void { if(this.keyUpdateTimer) { clearInterval(this.keyUpdateTimer); this.keyUpdateTimer = undefined; } } getPublicKey(): Promise<string> { return this.publicKey.then(({ key, lastUpdated }) => { const now = new Date(); const diff = now.getTime() - lastUpdated.getTime(); if(diff > this.keyCacheTimeInMillis) { this.publicKey = fetchPublicKey(this.s3Client, this.bucket, this.keyFile); return this.publicKey.then(({ key }) => key); } else { return key; } }); } verify(requestCookies: string | undefined): Promise<AuthenticationResult> { return this.getPublicKey().then(publicKey => { const cookies = cookie.parse(requestCookies ?? ''); const pandaCookie = cookies[this.cookieName]; return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser); }); } }