UNPKG

@kronos-integration/service-http

Version:

http server

github.com/Kronos-Integration/service-http

Kronos-Integration/service-http

92 lines (79 loc) 2.35 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import { Interceptor } from "@kronos-integration/interceptor"; import { prepareAttributesDefinitions } from "pacc"; import { verifyJWT } from "./util.mjs"; import { TEXT_PLAIN } from "./constants.mjs"; /** * Only forward requests if a valid JWT token is present. */ export class CTXJWTVerifyInterceptor extends Interceptor { /** * @return {string} 'ctx-jwt-verify' */ static get name() { return "ctx-jwt-verify"; } static attributes = prepareAttributesDefinitions({ requiredEntitlements: { description: "entitlements to be present in the token" }, ...Interceptor.attributes }); //requiredEntitlements = new Set(); async receive(endpoint, next, ctx, ...args) { const token = tokenFromAuthorizationHeader(ctx.req.headers); if (token) { try { const key = endpoint.owner.jwt?.public; const decoded = await verifyJWT(token, key); if (this.requiredEntitlements) { const entitlements = new Set(decoded.entitlements); for (const e of this.requiredEntitlements) { if (!entitlements.has(e)) { reportError(ctx, 403, new Error("Insufficient entitlements")); return; } } } // ctx.state[tokenKey] = decoded; } catch (error) { reportError(ctx, 401, error); return; } return await next(ctx, ...args); } else { reportError(ctx, 401); } } } function tokenFromAuthorizationHeader(headers) { if (headers.authorization) { const parts = headers.authorization.split(" "); if (parts.length === 2) { const [scheme, credentials] = parts; if (/^Bearer$/i.test(scheme)) { return credentials; } } } } /** * Write WWW-Authenticate header. * * @param {*} ctx * @param {number} error code * @param {*} [error] * @param {string} [description] */ function reportError(ctx, code, error, description) { const entries = Object.entries({ error: error?.message || "Missing token", description }).filter(([name, value]) => value !== undefined); ctx.res.writeHead(code, { "WWW-Authenticate": "Bearer," + entries.map(([name, value]) => `${name}="${value}"`).join(","), ...TEXT_PLAIN }); ctx.res.end(entries.map(([name, value]) => `${name}: ${value}`).join("\n")); }