@okta-dfuhriman/okta-auth-js
Version:
The Okta Auth SDK
72 lines (67 loc) • 3.08 kB
text/typescript
/* eslint-disable complexity */
/*!
* Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
* The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
*
* You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and limitations under the License.
*
*/
import { isFunction } from '../util';
import { AuthSdkError, OAuthError } from '../errors';
import { httpRequest } from '../http';
import { AccessToken, IDToken, UserClaims, isAccessToken, isIDToken, CustomUserClaims } from './types';
export async function getUserInfo<T extends CustomUserClaims = CustomUserClaims>(
sdk, accessTokenObject: AccessToken,
idTokenObject: IDToken
): Promise<UserClaims<T>> {
// If token objects were not passed, attempt to read from the TokenManager
if (!accessTokenObject) {
accessTokenObject = (await sdk.tokenManager.getTokens()).accessToken as AccessToken;
}
if (!idTokenObject) {
idTokenObject = (await sdk.tokenManager.getTokens()).idToken as IDToken;
}
if (!accessTokenObject || !isAccessToken(accessTokenObject)) {
return Promise.reject(new AuthSdkError('getUserInfo requires an access token object'));
}
if (!idTokenObject || !isIDToken(idTokenObject)) {
return Promise.reject(new AuthSdkError('getUserInfo requires an ID token object'));
}
return httpRequest(sdk, {
url: accessTokenObject.userinfoUrl,
method: 'GET',
accessToken: accessTokenObject.accessToken
})
.then(userInfo => {
// Only return the userinfo response if subjects match to mitigate token substitution attacks
if (userInfo.sub === idTokenObject.claims.sub) {
return userInfo;
}
return Promise.reject(new AuthSdkError('getUserInfo request was rejected due to token mismatch'));
})
.catch(function (err) {
if (err.xhr && (err.xhr.status === 401 || err.xhr.status === 403)) {
var authenticateHeader;
if (err.xhr.headers && isFunction(err.xhr.headers.get) && err.xhr.headers.get('WWW-Authenticate')) {
authenticateHeader = err.xhr.headers.get('WWW-Authenticate');
} else if (isFunction(err.xhr.getResponseHeader)) {
authenticateHeader = err.xhr.getResponseHeader('WWW-Authenticate');
}
if (authenticateHeader) {
var errorMatches = authenticateHeader.match(/error="(.*?)"/) || [];
var errorDescriptionMatches = authenticateHeader.match(/error_description="(.*?)"/) || [];
var error = errorMatches[1];
var errorDescription = errorDescriptionMatches[1];
if (error && errorDescription) {
err = new OAuthError(error, errorDescription);
}
}
}
throw err;
});
}