azure-ad-verify-token-commonjs
Verify JWT issued by Azure Active Directory B2C.
;
// Interop helper for CommonJS/ES-module imports: reuse a helper already present on
// `this` when there is one, otherwise define it here.
var __importDefault = (this && this.__importDefault) || function (mod) {
    // A module flagged as transpiled ES-module output is handed back untouched.
    if (mod && mod.__esModule) {
        return mod;
    }
    // Anything else is wrapped so callers can always read `.default`.
    return { "default": mod };
};
// Flag this module with `__esModule`, the marker the interop helper above checks for.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the export up front; the function itself is assigned at the end of the file.
exports.verify = void 0;
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
const node_fetch_1 = __importDefault(require("node-fetch"));
const rsa_pem_from_mod_exp_1 = __importDefault(require("rsa-pem-from-mod-exp"));
const cache_js_1 = require("./cache.js");
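/**
 * Get the public key (PEM) for a key id, fetching the JWKS on a cache miss.
 *
 * `kid` is read from the header of a token whose signature has not been checked yet,
 * so it is untrusted input when it reaches this function.
 *
 * @param jwksUri Json web key set URI.
 * @param kid Public key to get.
 * @returns The cached `result` for `kid`, or a promise for it once the JWKS has been
 *   fetched. The promise rejects when the JWKS request fails, returns a non-2xx status,
 *   or does not contain a `keys` array.
 */
function getPublicKey(jwksUri, kid) {
    let item = (0, cache_js_1.getItem)(kid);
    if (item) {
        return item.result;
    }
    // immediately defer to prevent duplicate calls to get jwks
    // NOTE(review): nothing in this function settles or evicts the deferred entry when
    // the fetch below fails or the JWKS holds no key with this kid. Later lookups for
    // the same kid would then presumably wait on it indefinitely, and each distinct
    // unknown kid adds a cache entry plus an outbound request. Confirm that cache.js
    // expires or rejects unresolved entries.
    (0, cache_js_1.setDeferredItem)(kid);
    return (0, node_fetch_1.default)(jwksUri)
        .then((res) => {
            // An error page must never be parsed as a key set.
            if (!res.ok) {
                throw new Error(`failed to fetch jwks: HTTP ${res.status}`);
            }
            return res.json();
        })
        .then((res) => {
            if (!res || !Array.isArray(res.keys)) {
                throw new Error('invalid jwks response');
            }
            res.keys.forEach((key) => {
                // Skip entries that cannot be looked up by kid or lack the RSA modulus
                // and exponent, so one malformed entry does not abort the whole key set
                // or get cached under an `undefined` key id.
                if (!key ||
                    typeof key.kid !== 'string' ||
                    typeof key.n !== 'string' ||
                    typeof key.e !== 'string') {
                    return;
                }
                const existing = (0, cache_js_1.getItem)(key.kid);
                const pem = (0, rsa_pem_from_mod_exp_1.default)(key.n, key.e);
                if (existing && existing.done) {
                    // deferred item: hand the key to whoever is waiting on it
                    existing.done(pem);
                }
                else {
                    (0, cache_js_1.setItem)(key.kid, pem);
                }
            });
            item = (0, cache_js_1.getItem)(kid);
            // NOTE(review): setDeferredItem(kid) ran above, so this lookup presumably
            // still finds the deferred entry and this branch may be unreachable for an
            // unknown kid - verify against cache.js.
            if (!item) {
                throw new Error('public key not found');
            }
            return item.result;
        });
}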
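/**
 * Verify token.
 *
 * The token is first decoded without verification to read the `kid` from its header,
 * the matching public key is looked up through the JWKS, and the signature and claims
 * are then checked with that key.
 *
 * @param token Token to verify.
 * @param options Configuration options: `jwksUri`, `audience` and `issuer`.
 * @returns Promise resolving to the result of `jsonwebtoken.verify`. Rejects with the
 *   string 'invalid token' when the token cannot be decoded or its header has no
 *   usable `kid`, and with the underlying error when key lookup or verification fails.
 */
function verify(token, options) {
    // NOTE: jsonwebtoken only checks `aud` / `iss` when the matching option is set, so
    // callers must pass both `audience` and `issuer` for those claims to be enforced.
    const { jwksUri, audience, issuer } = options;
    let kid;
    try {
        // decode() does not check the signature: everything read here is untrusted.
        const decoded = jsonwebtoken_1.default.decode(token, { complete: true, json: true });
        kid = decoded.header.kid;
        // The kid is used as a cache key before any signature check, so only a
        // non-empty string is accepted; numbers, objects or arrays are rejected here.
        if (typeof kid !== 'string' || kid === '') {
            throw new Error('kid missing from token header');
        }
    }
    catch (error) {
        // Every decode failure is reported the same way; the string rejection value is
        // kept because callers may compare against it.
        return Promise.reject('invalid token');
    }
    return getPublicKey(jwksUri, kid).then((key) => jsonwebtoken_1.default.verify(token, key, {
        // Pin the algorithm so the token header cannot select a different one.
        algorithms: ['RS256'],
        audience,
        issuer,
    }));
}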
// The module's only export.
exports.verify = verify;
//# sourceMappingURL=verify.js.map