UNPKG

@localsecurity/cf-access-service

Version:

A utility to parse Cloudflare Access user identity inside Cloudflare Workers

91 lines 3.87 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
/** * This User Identity object is returned from https://\<your-team-name\>.cloudflareaccess.com/cdn-cgi/access/get-identity */ type CFAccessUserIdentity = { /** The IP address of the user. */ ip: string; /** Data from your identity provider. */ idp: string; /** The country where the user authenticated from. */ geo: string; /** The timestamp indicating when the user logged in. */ iat: number; /** The email address of the user. */ email: string; /** True if the user enabled WARP. */ is_warp: boolean; /** The version of the get-identity object. */ version: string; /** The ID of the user. */ user_uuid: string; /** The ID of the device used for authentication. */ device_id: string; /** The account ID for your organization. */ account_id: string; /** True if the user enabled WARP and authenticated to a Zero Trust team. */ is_gateway: boolean; /** The status if authenticating with mTLS. */ auth_status: string; /** The common name on the mTLS client certificate. */ common_name: string; /** The device posture attributes. */ devicePosture: string; /** A list of all sessions initiated by the user. */ device_sessions: object; /** The Client ID of the service token used for authentication. */ service_token_id: string; /** An ID generated by the WARP client when authenticated to a Zero Trust team. */ gateway_account_id: string; /** True if authentication was through a service token instead of an IdP. */ service_token_status: string; }; /** * Parsed CF_Authorization (cookie and header) token */ type CFAccessUserToken = { /** Application audience (AUD) tag of the Access application. */ aud: string; /** The expiration timestamp for the token (Unix time). */ exp: number; /** The issuance timestamp for the token (Unix time). */ iat: number; /** The not-before timestamp for the token (Unix time), used to check if the token was received before it should be used. */ nbf: number; /** The Cloudflare Access domain URL for the application. */ iss: string; /** The ID of the user. This value is unique to an email address per account. The user would get a different sub if they are removed and re-added to your Zero Trust organization, or if they log into a different organization. */ sub: string; /** The type of Access token (app for application token or org for global session token). */ type: string; /** The email address of the authenticated user, verified by the identity provider. */ email: string; /** The country where the user authenticated from. */ country: string; /** A cache key used to get the user's identity. */ identity_nonce: string; }; /** * A class to validate incomming requests * @method getIdentity - Returns a parsed CFAccessUserIdentity object if the user is logged in * @method getEmail - Returns the users Email if the user is logged in */ declare class CFAccessService { /** * Returns a parsed CFAccessUserIdentity object if the user is logged in * @param {Request} request - the incomming request to validate * @param {Env} env - environment object * @returns {Partial<CFAccessUserIdentity>} The users identity */ getIdentity(request: Request | any, env: any): Promise<Partial<CFAccessUserIdentity>>; /** * Returns the users Email if the user is logged in * @param {Request} request - the incomming request to validate * @param {Env} env - environment object * @returns The users email or null */ getEmail(request: Request | any, env: any): Promise<string | null>; } export { CFAccessService }; export type { CFAccessUserIdentity, CFAccessUserToken }; export default CFAccessService; //# sourceMappingURL=cf-access-service.d.ts.map