UNPKG

@microsoft/agents-hosting

Version:

Microsoft 365 Agents SDK for JavaScript

github.com/microsoft/Agents-for-js

microsoft/Agents-for-js

101 lines (91 loc) 3.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/** * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ import { AuthConfiguration } from './authConfiguration' import { Response, NextFunction } from 'express' import { Request } from './request' import jwksRsa, { JwksClient, SigningKey } from 'jwks-rsa' import jwt, { JwtHeader, JwtPayload, SignCallback, GetPublicKeyOrSecret } from 'jsonwebtoken' import { debug } from '@microsoft/agents-activity/logger' const logger = debug('agents:jwt-middleware') /** * Verifies the JWT token. * @param raw The raw JWT token. * @param config The authentication configuration. * @returns A promise that resolves to the JWT payload. */ const verifyToken = async (raw: string, config: AuthConfiguration): Promise<JwtPayload> => { const getKey: GetPublicKeyOrSecret = (header: JwtHeader, callback: SignCallback) => { const payload = jwt.decode(raw) as JwtPayload logger.debug('jwt.decode ', JSON.stringify(payload)) const jwksUri: string = payload.iss === 'https://api.botframework.com' ? 'https://login.botframework.com/v1/.well-known/keys' : `${config.authority}/${config.tenantId}/discovery/v2.0/keys` logger.debug(`fetching keys from ${jwksUri}`) const jwksClient: JwksClient = jwksRsa({ jwksUri }) jwksClient.getSigningKey(header.kid, (err: Error | null, key: SigningKey | undefined): void => { if (err != null) { logger.error('jwksClient.getSigningKey ', JSON.stringify(err)) logger.error(JSON.stringify(err)) callback(err, undefined) return } const signingKey = key?.getPublicKey() callback(null, signingKey) }) } return await new Promise((resolve, reject) => { const verifyOptions: jwt.VerifyOptions = { issuer: config.issuers as [string, ...string[]], audience: [config.clientId!, 'https://api.botframework.com'], ignoreExpiration: false, algorithms: ['RS256'], clockTolerance: 300 } jwt.verify(raw, getKey, verifyOptions, (err, user) => { if (err != null) { logger.error('jwt.verify ', JSON.stringify(err)) reject(err) return } const tokenClaims = user as JwtPayload resolve(tokenClaims) }) }) } /** * Middleware to authorize JWT tokens. * @param authConfig The authentication configuration. * @returns An Express middleware function. */ export const authorizeJWT = (authConfig: AuthConfiguration) => { return async function (req: Request, res: Response, next: NextFunction) { let failed = false logger.debug('authorizing jwt') const authHeader = req.headers.authorization as string if (authHeader) { const token: string = authHeader.split(' ')[1] // Extract the token from the Bearer string try { const user = await verifyToken(token, authConfig) logger.debug('token verified for ', user) req.user = user } catch (err: Error | any) { failed = true logger.error(err) res.status(401).send({ 'jwt-auth-error': err.message }) } } else { if (!authConfig.clientId && process.env.NODE_ENV !== 'production') { logger.info('using anonymous auth') req.user = { name: 'anonymous' } } else { logger.error('authorization header not found') res.status(401).send({ 'jwt-auth-error': 'authorization header not found' }) } } if (!failed) { next() } } }