UNPKG

auth0

Version:

Auth0 Node.js SDK for the Management API v2.

github.com/auth0/node-auth0

auth0/node-auth0

121 lines (120 loc) 7.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; import * as jose from "jose"; const DEFAULT_CLOCK_TOLERANCE = 60; // secs export class IdTokenValidatorError extends Error { } export class IDTokenValidator { constructor({ domain, clientId, clientSecret, headers, timeoutDuration, idTokenSigningAlg = "RS256", clockTolerance = DEFAULT_CLOCK_TOLERANCE, }) { this.jwks = jose.createRemoteJWKSet(new URL(`https://${domain}/.well-known/jwks.json`), { timeoutDuration, headers, }); this.alg = idTokenSigningAlg; this.audience = clientId; this.secret = new TextEncoder().encode(clientSecret); this.issuer = `https://${domain}/`; this.clockTolerance = clockTolerance; } validate(idToken_1) { return __awaiter(this, arguments, void 0, function* (idToken, { nonce, maxAge, organization } = {}) { const secret = this.alg === "HS256" ? this.secret : this.jwks; const header = jose.decodeProtectedHeader(idToken); const payload = jose.decodeJwt(idToken); // Check algorithm if (header.alg !== "RS256" && header.alg !== "HS256") { throw new Error(`Signature algorithm of "${header.alg}" is not supported. Expected the ID token to be signed with "RS256" or "HS256".`); } // Issuer if (!payload.iss || typeof payload.iss !== "string") { throw new IdTokenValidatorError("Issuer (iss) claim must be a string present in the ID token"); } if (payload.iss !== this.issuer) { throw new IdTokenValidatorError(`Issuer (iss) claim mismatch in the ID token; expected "${this.issuer}", found "${payload.iss}"`); } // Subject if (!payload.sub || typeof payload.sub !== "string") { throw new IdTokenValidatorError("Subject (sub) claim must be a string present in the ID token"); } // Audience if (!payload.aud || !(typeof payload.aud === "string" || Array.isArray(payload.aud))) { throw new IdTokenValidatorError("Audience (aud) claim must be a string or array of strings present in the ID token"); } if (Array.isArray(payload.aud) && !payload.aud.includes(this.audience)) { throw new IdTokenValidatorError(`Audience (aud) claim mismatch in the ID token; expected "${this.audience}" but was not one of "${payload.aud.join(", ")}"`); } else if (typeof payload.aud === "string" && payload.aud !== this.audience) { throw new IdTokenValidatorError(`Audience (aud) claim mismatch in the ID token; expected "${this.audience}" but found "${payload.aud}"`); } // Organization if (organization) { if (organization.indexOf("org_") === 0) { if (!payload.org_id || typeof payload.org_id !== "string") { throw new Error("Organization Id (org_id) claim must be a string present in the ID token"); } } else { if (!payload.org_name || typeof payload.org_name !== "string") { throw new Error("Organization Name (org_name) claim must be a string present in the ID token"); } } } // Time validation (epoch) const now = Math.floor(Date.now() / 1000); // Expires at if (!payload.exp || typeof payload.exp !== "number") { throw new IdTokenValidatorError("Expiration Time (exp) claim must be a number present in the ID token"); } const expTime = payload.exp + this.clockTolerance; if (now > expTime) { throw new IdTokenValidatorError(`Expiration Time (exp) claim error in the ID token; current time (${now}) is after expiration time (${expTime})`); } // Issued at if (!payload.iat || typeof payload.iat !== "number") { throw new IdTokenValidatorError("Issued At (iat) claim must be a number present in the ID token"); } // Nonce if (nonce || payload.nonce) { if (!payload.nonce || typeof payload.nonce !== "string") { throw new IdTokenValidatorError("Nonce (nonce) claim must be a string present in the ID token"); } if (payload.nonce !== nonce) { throw new IdTokenValidatorError(`Nonce (nonce) claim mismatch in the ID token; expected "${nonce}", found "${payload.nonce}"`); } } // Authorized party if (Array.isArray(payload.aud) && payload.aud.length > 1) { if (!payload.azp || typeof payload.azp !== "string") { throw new IdTokenValidatorError("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values"); } if (payload.azp !== this.audience) { throw new IdTokenValidatorError(`Authorized Party (azp) claim mismatch in the ID token; expected "${this.audience}", found "${payload.azp}"`); } } // Authentication time if (maxAge) { if (!payload.auth_time || typeof payload.auth_time !== "number") { throw new IdTokenValidatorError("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified"); } const authValidUntil = payload.auth_time + maxAge + this.clockTolerance; if (now > authValidUntil) { throw new IdTokenValidatorError(`Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Currrent time (${now}) is after last auth at ${authValidUntil}`); } } yield jose.jwtVerify(idToken, secret, { issuer: this.issuer, audience: this.audience, clockTolerance: this.clockTolerance, maxTokenAge: maxAge, algorithms: ["HS256", "RS256"], }); }); } }