UNPKG

@kronos-integration/service-http

Version:

http server

github.com/Kronos-Integration/service-http

Kronos-Integration/service-http

97 lines (86 loc) 2.41 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
import { Interceptor } from "@kronos-integration/interceptor"; import { prepareAttributesDefinitions, string_collection_attribute_writable } from "pacc"; import { verifyJWT } from "./util.mjs"; import { TEXT_PLAIN } from "./constants.mjs"; /** * Only forward requests if a valid JWT token is present. */ export class CTXJWTVerifyInterceptor extends Interceptor { /** * @return {string} 'ctx-jwt-verify' */ static get name() { return "ctx-jwt-verify"; } static attributes = prepareAttributesDefinitions({ requiredEntitlements: { ...string_collection_attribute_writable, description: "entitlements to be present in the token", prepareValue: value => new Set(value), default: new Set() }, ...Interceptor.attributes }); async receive(endpoint, next, ctx, ...args) { const token = tokenFromAuthorizationHeader(ctx.req.headers); if (token) { try { const key = endpoint.owner.jwt?.public; const decoded = await verifyJWT(token, key); if ( !this.requiredEntitlements.isSubsetOf(new Set(decoded.entitlements)) ) { reportError( ctx, 403, new Error("Insufficient entitlements", { cause: decoded.entitlements }) ); return; } } catch (error) { reportError(ctx, 401, error); return; } return await next(ctx, ...args); } else { reportError(ctx, 401); } } } function tokenFromAuthorizationHeader(headers) { if (headers.authorization) { const parts = headers.authorization.split(" "); if (parts.length === 2) { const [scheme, credentials] = parts; if (/^Bearer$/i.test(scheme)) { return credentials; } } } } /** * Write WWW-Authenticate header. * * @param {*} ctx * @param {number} error code * @param {Error} [error] * @param {string} [description] */ function reportError(ctx, code, error, description) { const entries = Object.entries({ error: error?.message || "Missing token", description }).filter(([name, value]) => value !== undefined); ctx.res.writeHead(code, { "WWW-Authenticate": "Bearer," + entries.map(([name, value]) => `${name}="${value}"`).join(","), ...TEXT_PLAIN }); ctx.res.end(entries.map(([name, value]) => `${name}: ${value}`).join("\n")); }