
@paroicms/server

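import { isObj } from "@paroicms/public-anywhere-lib";
import { ApiError } from "@paroicms/public-server-lib";
import { type } from "arktype";
import passport from "passport";
import { jwtExpiresIn, jwtSecret, platformJwtSecret } from "../../context.js";

const { sign, verify } = (await import("jsonwebtoken")).default;

// Shape every access-token payload must have after signature verification.
// `"+": "ignore"` means undeclared keys are tolerated, not rejected.
const BearerTokenPayloadAT = type({
  id: "string",
  email: "string",
  fqdn: "string",
  loginMethod: '"local"|"localDev"|"platform"|"platformAdmin"',
  "+": "ignore",
});

const BEARER_PREFIX = "Bearer ";

/**
 * Authenticates a request from its `Authorization: Bearer <token>` header.
 *
 * The token signature is verified with `jwtSecret`, the payload is validated
 * against `BearerTokenPayloadAT`, and the token's `fqdn` claim must equal
 * `req.hostname`, so a token issued for one site is refused on another.
 *
 * NOTE(review): the site binding is only as trustworthy as `req.hostname`.
 * Confirm the HTTP framework / proxy configuration does not let a client
 * choose that value through forwarded-host headers.
 *
 * @param {{ req: { headers: Record<string, string | undefined>, hostname: string } }} httpContext
 * @returns {object} The validated token payload.
 * @throws {ApiError} 401 when the header is missing or malformed, or the token
 *   fails verification or validation; 403 when the token is for another host.
 */
export function authGuard(httpContext) {
  const { req } = httpContext;
  const { authorization } = req.headers;
  if (!authorization?.startsWith(BEARER_PREFIX)) {
    throw new ApiError("Unauthorized", 401);
  }
  const token = authorization.slice(BEARER_PREFIX.length);

  let payload;
  try {
    // NOTE(review): no `algorithms` option is passed, so the accepted
    // algorithms are whatever jsonwebtoken defaults to for this key type.
    // Consider pinning the list once the signing algorithm is confirmed.
    payload = BearerTokenPayloadAT.assert(verify(token, jwtSecret));
  } catch {
    // Deliberately generic: do not reveal why the token was refused.
    throw new ApiError("Unauthorized", 401);
  }

  if (payload.fqdn !== req.hostname) {
    throw new ApiError("Not the right token", 403);
  }
  return payload;
}

/**
 * Runs the passport "google" strategy without a session and resolves with the
 * authenticated user.
 *
 * @param {object} req - Incoming request, handed to passport.
 * @param {object} res - Outgoing response, handed to passport.
 * @returns {Promise<object>} The user object; it has a string `email`.
 * @throws {ApiError} 401 (as a rejection) when passport reports an error, no
 *   user, or a user without a string `email`.
 */
export function googleAuthGuard(req, res) {
  return new Promise((resolve, reject) => {
    const onAuthenticated = (err, user, _info) => {
      if (err || !user || !isGoogleUser(user)) {
        reject(new ApiError("Unauthorized", 401));
        return;
      }
      resolve(user);
    };
    passport.authenticate("google", { session: false }, onAuthenticated)(req, res);
  });
}

/**
 * Minimal shape check for the user object produced by the Google strategy.
 *
 * @param {unknown} user
 * @returns {boolean} True when `user` is an object with a string `email`.
 */
function isGoogleUser(user) {
  return isObj(user) && typeof user.email === "string";
}

/**
 * Verifies an access token's signature with `jwtSecret` and validates its
 * payload against `BearerTokenPayloadAT`.
 *
 * Unlike `authGuard`, this does not compare the `fqdn` claim with any request
 * hostname; a caller that needs the token bound to a site must check
 * `payload.fqdn` itself.
 *
 * @param {string} token - The raw JWT.
 * @returns {object} The validated token payload.
 * @throws {ApiError} 401 when verification or validation fails.
 */
export function verifyAccessToken(token) {
  try {
    return BearerTokenPayloadAT.assert(verify(token, jwtSecret));
  } catch {
    throw new ApiError("Invalid token", 401);
  }
}

/**
 * Verifies a platform token with `platformJwtSecret` and requires an `email`
 * claim in its payload.
 *
 * The `email` check runs after the `try` block. When it sat inside the block,
 * the catch-all handler swallowed its 500 error and reported a generic 401, so
 * a correctly signed token with no `email` was indistinguishable from a forged
 * one.
 *
 * NOTE(review): only the presence of `email` is checked here, not its type or
 * any other claim. Confirm callers do not rely on further validation.
 *
 * @param {string} platformToken - The raw platform JWT.
 * @returns {object} The decoded payload.
 * @throws {ApiError} 401 when no platform secret is configured or the token
 *   fails verification; 500 when a verified token carries no `email`.
 */
export function verifyPlatformToken(platformToken) {
  if (!platformJwtSecret) {
    throw new ApiError("Platform token not set", 401);
  }

  let payload;
  try {
    payload = verify(platformToken, platformJwtSecret);
  } catch {
    throw new ApiError("Invalid platform token", 401);
  }

  if (!payload?.email) {
    throw new ApiError("email not found in token payload", 500);
  }
  return payload;
}

/**
 * Signs an access token with `jwtSecret`, expiring after `jwtExpiresIn`.
 *
 * The payload is signed as given. It is not validated against
 * `BearerTokenPayloadAT` here, so a payload missing required claims produces a
 * token that `authGuard` and `verifyAccessToken` will later refuse.
 *
 * @param {object} payload - Claims to embed in the token.
 * @returns {string} The signed JWT.
 */
export function generateAccessToken(payload) {
  return sign(payload, jwtSecret, { expiresIn: jwtExpiresIn });
}

/**
 * Signs a platform token with `platformJwtSecret`, valid for seven days.
 *
 * @param {object} payload - Claims to embed in the token.
 * @returns {string} The signed JWT.
 * @throws {ApiError} 401 when no platform secret is configured.
 */
export function generatePlatformToken(payload) {
  if (!platformJwtSecret) {
    throw new ApiError("Platform token not set", 401);
  }
  return sign(payload, platformJwtSecret, { expiresIn: "7d" });
}
//# sourceMappingURL=auth.helper.js.map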