UNPKG

authentic-service

Version:

This is the service component of Authentic. This will help decode tokens so that you can authenticate users within a microservice.

github.com/davidguttman/authentic-service

davidguttman/authentic-service

123 lines (102 loc) 3.12 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
const map = require('map-async') const jsonist = require('jsonist') const Corsify = require('corsify') const jwt = require('jsonwebtoken') const crypto = require('crypto') const AsyncCache = require('async-cache') const errors = { TokenExpiredError: 401, JsonWebTokenError: 401, NotBeforeError: 401, RemoteExpiryError: 401 } const cors = Corsify({ 'Access-Control-Allow-Headers': 'authorization, accept, content-type' }) module.exports = function (opts) { const prefix = opts.prefix || '/auth' const pubKeyUrl = opts.server + prefix + '/public-key' const expiredUrl = opts.server + prefix + '/expired' const checkExpiredList = opts.checkExpiredList || false const cache = createCache({ pubKeyUrl, expiredUrl }, opts.cacheDuration) const ops = ['pubKey'] if (checkExpiredList) ops.push('expired') function decode (token, cb) { map(ops, cache.get.bind(cache), function (err, [pubKey, expired]) { if (err) return cb(err) jwt.verify( token, pubKey, { algorithms: ['RS256'] }, function (err, data) { if (err) return cb(err) if (!checkExpiredList) return cb(null, data) if (isTokenExpiredByRemote(expired, data)) { const error = new CustomError('jwt expired by remote') error.name = 'RemoteExpiryError' return cb(error) } cb(null, data) } ) }) } function parseRequest (req, res, cb) { cors(function (req, res) { const authHeader = req.headers.authorization if (!authHeader) return setImmediate(cb) const token = authHeader.slice(7) decode(token, function (err, authData) { if (err) err.statusCode = errors[err.name] || 500 return cb(err, authData) }) })(req, res) } return parseRequest } function createCache (opts, cacheDuration) { const pubKeyUrl = opts.pubKeyUrl const expiredUrl = opts.expiredUrl return new AsyncCache({ maxAge: cacheDuration || 1000 * 60 * 60, load: function (key, cb) { if (key === 'pubKey') { loadPublicKey(pubKeyUrl, cb) } else if (key === 'expired') { loadExpired(expiredUrl, cb) } } }) } function loadPublicKey (url, cb) { jsonist.get(url, function (err, body) { if (err) return cb(err) const pubKey = ((body || {}).data || {}).publicKey if (!pubKey) return cb(new Error('Could not retrieve public key')) cb(null, pubKey) }) } function loadExpired (url, cb) { jsonist.get(url, function (err, body) { if (err) return cb(err) cb(null, body) }) } function hashEmail (email) { return crypto.createHash('sha256').update(email).digest('hex') } function isTokenExpiredByRemote (expired, data) { if (!expired) return false const emailHash = hashEmail(data.email) return expired[emailHash] > data.iat } class CustomError extends Error { constructor (message) { super(message) this.name = this.constructor.name Object.defineProperty(this, 'message', { value: message, enumerable: true // Make message enumerable }) } }