@guardian/pan-domain-node

NodeJs implementation of Guardian pan-domain auth verification

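"use strict";
// Compiled CommonJS output. The TypeScript `importStar` helpers below are kept
// verbatim (only re-formatted) so the module keeps the same interop behaviour
// for both CommonJS and ESM-interop callers.
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
        desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
    o["default"] = v;
});
var __importStar = (this && this.__importStar) || (function () {
    var ownKeys = function(o) {
        ownKeys = Object.getOwnPropertyNames || function (o) {
            var ar = [];
            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
            return ar;
        };
        return ownKeys(o);
    };
    return function (mod) {
        if (mod && mod.__esModule) return mod;
        var result = {};
        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
        __setModuleDefault(result, mod);
        return result;
    };
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.decodeBase64 = decodeBase64;
exports.parseCookie = parseCookie;
exports.verifySignature = verifySignature;
exports.sign = sign;
exports.base64ToPEM = base64ToPEM;
exports.httpGet = httpGet;
exports.parseUser = parseUser;
const crypto = __importStar(require("crypto"));
const https = __importStar(require("https"));
const url_1 = require("url");

/**
 * Decode a base64 string to UTF-8 text.
 *
 * @param {string} data - base64-encoded input
 * @returns {string} the decoded text
 */
function decodeBase64(data) {
    return Buffer.from(data, 'base64').toString('utf8');
}

/**
 * Check whether a string is canonical base64.
 *
 * Node's base64 decoder is lenient (it skips whitespace and tolerates missing
 * padding), so a decode-then-re-encode round trip is used: only input that
 * survives the round trip unchanged is accepted. Any exception from the
 * Buffer calls is treated as "not base64".
 *
 * @param {string} str - candidate string
 * @returns {boolean} true when `str` re-encodes to itself
 */
function isBase64(str) {
    try {
        return Buffer.from(str, 'base64').toString('base64') === str;
    } catch (err) {
        return false;
    }
}

/**
 * Split a pan-domain user cookie into its data and signature parts.
 *
 * The cookie must be two base64 strings separated by a single '.'. The
 * greedy first group means the split happens at the LAST '.', which is safe
 * because base64 never contains '.'.
 *
 * The returned `data` is decoded but NOT authenticated: nothing here checks
 * the signature. Callers must run `verifySignature` over the returned parts
 * before trusting `data` (e.g. before passing it to `parseUser`).
 *
 * @param {string} cookie - raw cookie value
 * @returns {{data: string, signature: string} | undefined}
 *   the decoded data and the base64 signature, or `undefined` when the
 *   cookie is not well-formed
 */
function parseCookie(cookie) {
    const cookieRegex = /^([\w\W]*)\.([\w\W]*)$/;
    const match = cookie.match(cookieRegex);
    if (!match) {
        return undefined;
    }
    const [, data, signature] = match;
    if (!isBase64(data) || !isBase64(signature)) {
        return undefined;
    }
    return { data: decodeBase64(data), signature };
}

/**
 * Verify an RSA/SHA-256 signature using the Node crypto library.
 *
 * Returns `false` on a signature mismatch; `crypto` may throw for a key or
 * signature that cannot be parsed at all, and that error is propagated.
 *
 * @param {string} message - the signed text (hashed as UTF-8)
 * @param {string} signature - base64-encoded signature
 * @param {string | import('crypto').KeyLike} pandaPublicKey - PEM public key
 * @returns {boolean} whether the signature is valid for `message`
 */
function verifySignature(message, signature, pandaPublicKey) {
    return crypto.createVerify('sha256WithRSAEncryption')
        .update(message, 'utf8')
        .verify(pandaPublicKey, signature, 'base64');
}

/**
 * Produce an RSA/SHA-256 signature over `message`, base64-encoded.
 *
 * @param {string} message - text to sign
 * @param {string | import('crypto').KeyLike} privateKey - PEM private key
 * @returns {string} base64 signature, as accepted by `verifySignature`
 */
function sign(message, privateKey) {
    // Local renamed from `sign` so it no longer shadows the function itself.
    const signer = crypto.createSign("sha256WithRSAEncryption");
    signer.write(message);
    signer.end();
    return signer.sign(privateKey, 'base64');
}

const ASCII_NEW_LINE = String.fromCharCode(10);
// PEM bodies are conventionally wrapped at 64 characters per line.
const PEM_LINE_LENGTH = 64;

/**
 * Wrap a bare base64 key in PEM armour.
 *
 * @param {string} key - base64 key material with no line breaks
 * @param {string} headerFooter - the label between BEGIN/END and KEY,
 *   e.g. "PUBLIC" -> `-----BEGIN PUBLIC KEY-----`
 * @returns {string} the PEM text, lines joined with '\n' and no trailing newline
 */
function base64ToPEM(key, headerFooter) {
    const PEM_HEADER = `-----BEGIN ${headerFooter} KEY-----`;
    const PEM_FOOTER = `-----END ${headerFooter} KEY-----`;
    const lines = [];
    for (let i = 0; i < key.length; i += PEM_LINE_LENGTH) {
        lines.push(key.slice(i, i + PEM_LINE_LENGTH));
    }
    // An empty key still yields one (empty) body line, matching the
    // previous character-by-character implementation.
    if (lines.length === 0) {
        lines.push('');
    }
    return [PEM_HEADER, ...lines, PEM_FOOTER].join(ASCII_NEW_LINE);
}

/**
 * Fetch a resource over HTTPS and resolve with its body as UTF-8 text.
 *
 * Rejects when the status is not 200 (using a `<message>` element from the
 * body when present, since the endpoint's error responses may be XML), when
 * the response stream errors, or when the request itself fails (DNS,
 * connection refused, TLS handshake). The last case was previously
 * unhandled and surfaced as an uncaught 'error' event.
 *
 * @param {string | URL} path - URL to fetch
 * @returns {Promise<string>} the response body
 */
function httpGet(path) {
    return new Promise((resolve, reject) => {
        const chunks = [];
        const req = https.get(path, (res) => {
            // Collect raw buffers and decode once at the end so a multi-byte
            // character split across chunks is not mangled.
            res.on('data', (chunk) => chunks.push(chunk));
            res.on('error', reject);
            res.on('end', () => {
                const body = Buffer.concat(chunks).toString('utf8');
                if (res.statusCode === 200) {
                    resolve(body);
                    return;
                }
                // Response might be XML
                const match = body.match(/<message>(.*)<\/message>/i);
                reject(new Error(match ? match[1] : 'Invalid public key response'));
            });
        });
        // Connection-level failures are emitted on the request, not the response.
        req.on('error', reject);
    });
}

/**
 * Parse the query-string encoded user payload of a pan-domain cookie.
 *
 * Only call this with `data` whose signature has already been verified;
 * this function does no authentication of its own.
 *
 * @param {string} data - URL-encoded key/value payload
 * @returns {{
 *   firstName: string, lastName: string, email: string,
 *   avatarUrl: string | undefined, authenticatingSystem: string,
 *   authenticatedIn: string[], expires: number, multifactor: boolean
 * }} the parsed user record
 * @throws {Error} when a required field is missing/empty, or when `expires`
 *   is not a decimal integer (a NaN expiry would compare as "not expired"
 *   under a `<` check, so it is rejected here instead of passed through)
 */
function parseUser(data) {
    const params = new url_1.URLSearchParams(data);

    // Required non-empty string field.
    function stringField(name) {
        const value = params.get(name);
        if (!value) {
            throw new Error(`Missing ${name}`);
        }
        return value;
    }

    // Required decimal integer field; explicit radix, NaN rejected.
    function numberField(name) {
        const value = stringField(name);
        const parsed = Number.parseInt(value, 10);
        if (Number.isNaN(parsed)) {
            throw new Error(`Invalid ${name}`);
        }
        return parsed;
    }

    // Only the literal string 'true' counts as true; absent/other is false.
    function booleanField(name) {
        return params.get(name) === 'true';
    }

    // Required comma-separated list.
    function stringListField(name) {
        return stringField(name).split(",");
    }

    return {
        firstName: stringField("firstName"),
        lastName: stringField("lastName"),
        email: stringField("email"),
        // Empty string is treated the same as absent.
        avatarUrl: params.get("avatarUrl") || undefined,
        authenticatingSystem: stringField("system"),
        authenticatedIn: stringListField("authedIn"),
        expires: numberField("expires"),
        multifactor: booleanField("multifactor"),
    };
}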