
@point3/logto-module


포인트3 내부 logto Authentication 모듈입니다

"use strict"; var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.LogtoTokenVerifier = exports.LogtoTokenVerifierToken = void 0; const common_1 = require("@nestjs/common"); const jose_1 = require("jose"); exports.LogtoTokenVerifierToken = Symbol.for("LogtoTokenVerifier"); let LogtoTokenVerifier = class LogtoTokenVerifier { constructor(config) { this.config = config; } async verifyToken(token, requiredScopes, requiredRoles) { if (!token) throw new common_1.UnauthorizedException('엑세스 토큰이 존재하지 않습니다.'); const { payload } = await (0, jose_1.jwtVerify)(token, (0, jose_1.createRemoteJWKSet)(new URL(this.config.jwksUri)), { issuer: this.config.issuer }); const tokenPayload = payload; if (requiredScopes || requiredRoles) { this.shouldContainRequiredPrivileges(tokenPayload, requiredScopes, requiredRoles); } return tokenPayload; } async verifyIdToken(token) { const { payload } = await (0, jose_1.jwtVerify)(token, (0, jose_1.createRemoteJWKSet)(new URL(this.config.jwksUri)), { issuer: this.config.issuer }); return payload; } shouldContainRequiredPrivileges(payload, requiredScopes, requiredRoles) { const { userScopes, userRoles } = payload; const scopes = userScopes?.flat() ?? 
[]; if (this.hasInsufficientScopes(requiredScopes, scopes)) { throw new common_1.UnauthorizedException({ code: 'auth.insufficient_scope', status: 403 }, { cause: requiredScopes }); } if (this.hasInsufficientRoles(requiredRoles, userRoles)) { throw new common_1.UnauthorizedException({ code: 'auth.role_mismatch', status: 403 }, { cause: requiredRoles }); } } hasInsufficientScopes(requiredScopes, userScopes) { return !!(requiredScopes && requiredScopes.length > 0 && !requiredScopes.every(scope => userScopes.includes(scope))); } hasInsufficientRoles(requiredRoles, userRoles) { return !!(requiredRoles && requiredRoles.length > 0 && !requiredRoles.some(role => userRoles.includes(role))); } }; exports.LogtoTokenVerifier = LogtoTokenVerifier; exports.LogtoTokenVerifier = LogtoTokenVerifier = __decorate([ (0, common_1.Injectable)(), __metadata("design:paramtypes", [Object]) ], LogtoTokenVerifier); //# sourceMappingURL=verifier.js.map