gtoken
Version:
Node.js Google Authentication Service Account Tokens
450 lines (445 loc) • 24.1 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", {
value: true
});
exports.GoogleToken = void 0;
var fs = _interopRequireWildcard(require("fs"));
var _gaxios = require("gaxios");
var jws = _interopRequireWildcard(require("jws"));
var path = _interopRequireWildcard(require("path"));
var _util = require("util");
function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r = new WeakMap(), n = new WeakMap(); return (_interopRequireWildcard = function _interopRequireWildcard(e, t) { if (!t && e && e.__esModule) return e; var o, i, f = { __proto__: null, "default": e }; if (null === e || "object" != _typeof(e) && "function" != typeof e) return f; if (o = t ? n : r) { if (o.has(e)) return o.get(e); o.set(e, f); } for (var _t3 in e) "default" !== _t3 && {}.hasOwnProperty.call(e, _t3) && ((i = (o = Object.defineProperty) && Object.getOwnPropertyDescriptor(e, _t3)) && (i.get || i.set) ? o(f, _t3, i) : f[_t3] = e[_t3]); return f; })(e, t); }
function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
function _classPrivateMethodInitSpec(e, a) { _checkPrivateRedeclaration(e, a), a.add(e); }
function _classPrivateFieldInitSpec(e, t, a) { _checkPrivateRedeclaration(e, t), t.set(e, a); }
function _checkPrivateRedeclaration(e, t) { if (t.has(e)) throw new TypeError("Cannot initialize the same private elements twice on an object"); }
function _classPrivateFieldSet(s, a, r) { return s.set(_assertClassBrand(s, a), r), r; }
function _classPrivateFieldGet(s, a) { return s.get(_assertClassBrand(s, a)); }
function _assertClassBrand(e, t, n) { if ("function" == typeof e ? e === t : e.has(t)) return arguments.length < 3 ? t : n; throw new TypeError("Private element is not present on this object"); }
function _defineProperties(e, r) { for (var t = 0; t < r.length; t++) { var o = r[t]; o.enumerable = o.enumerable || !1, o.configurable = !0, "value" in o && (o.writable = !0), Object.defineProperty(e, _toPropertyKey(o.key), o); } }
function _createClass(e, r, t) { return r && _defineProperties(e.prototype, r), t && _defineProperties(e, t), Object.defineProperty(e, "prototype", { writable: !1 }), e; }
function _classCallCheck(a, n) { if (!(a instanceof n)) throw new TypeError("Cannot call a class as a function"); }
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? Reflect.construct(o, e || [], _getPrototypeOf(t).constructor) : o.apply(t, e)); }
function _possibleConstructorReturn(t, e) { if (e && ("object" == _typeof(e) || "function" == typeof e)) return e; if (void 0 !== e) throw new TypeError("Derived constructors may only return object or undefined"); return _assertThisInitialized(t); }
function _assertThisInitialized(e) { if (void 0 === e) throw new ReferenceError("this hasn't been initialised - super() hasn't been called"); return e; }
function _inherits(t, e) { if ("function" != typeof e && null !== e) throw new TypeError("Super expression must either be null or a function"); t.prototype = Object.create(e && e.prototype, { constructor: { value: t, writable: !0, configurable: !0 } }), Object.defineProperty(t, "prototype", { writable: !1 }), e && _setPrototypeOf(t, e); }
function _wrapNativeSuper(t) { var r = "function" == typeof Map ? new Map() : void 0; return _wrapNativeSuper = function _wrapNativeSuper(t) { if (null === t || !_isNativeFunction(t)) return t; if ("function" != typeof t) throw new TypeError("Super expression must either be null or a function"); if (void 0 !== r) { if (r.has(t)) return r.get(t); r.set(t, Wrapper); } function Wrapper() { return _construct(t, arguments, _getPrototypeOf(this).constructor); } return Wrapper.prototype = Object.create(t.prototype, { constructor: { value: Wrapper, enumerable: !1, writable: !0, configurable: !0 } }), _setPrototypeOf(Wrapper, t); }, _wrapNativeSuper(t); }
function _construct(t, e, r) { if (_isNativeReflectConstruct()) return Reflect.construct.apply(null, arguments); var o = [null]; o.push.apply(o, e); var p = new (t.bind.apply(t, o))(); return r && _setPrototypeOf(p, r.prototype), p; }
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function _isNativeReflectConstruct() { return !!t; })(); }
function _isNativeFunction(t) { try { return -1 !== Function.toString.call(t).indexOf("[native code]"); } catch (n) { return "function" == typeof t; } }
function _setPrototypeOf(t, e) { return _setPrototypeOf = Object.setPrototypeOf ? Object.setPrototypeOf.bind() : function (t, e) { return t.__proto__ = e, t; }, _setPrototypeOf(t, e); }
function _getPrototypeOf(t) { return _getPrototypeOf = Object.setPrototypeOf ? Object.getPrototypeOf.bind() : function (t) { return t.__proto__ || Object.getPrototypeOf(t); }, _getPrototypeOf(t); }
function _defineProperty(e, r, t) { return (r = _toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
function _toPropertyKey(t) { var i = _toPrimitive(t, "string"); return "symbol" == _typeof(i) ? i : i + ""; }
function _toPrimitive(t, r) { if ("object" != _typeof(t) || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != _typeof(i)) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
function _regenerator() { /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE */ var e, t, r = "function" == typeof Symbol ? Symbol : {}, n = r.iterator || "@@iterator", o = r.toStringTag || "@@toStringTag"; function i(r, n, o, i) { var c = n && n.prototype instanceof Generator ? n : Generator, u = Object.create(c.prototype); return _regeneratorDefine2(u, "_invoke", function (r, n, o) { var i, c, u, f = 0, p = o || [], y = !1, G = { p: 0, n: 0, v: e, a: d, f: d.bind(e, 4), d: function d(t, r) { return i = t, c = 0, u = e, G.n = r, a; } }; function d(r, n) { for (c = r, u = n, t = 0; !y && f && !o && t < p.length; t++) { var o, i = p[t], d = G.p, l = i[2]; r > 3 ? (o = l === n) && (u = i[(c = i[4]) ? 5 : (c = 3, 3)], i[4] = i[5] = e) : i[0] <= d && ((o = r < 2 && d < i[1]) ? (c = 0, G.v = n, G.n = i[1]) : d < l && (o = r < 3 || i[0] > n || n > l) && (i[4] = r, i[5] = n, G.n = l, c = 0)); } if (o || r > 1) return a; throw y = !0, n; } return function (o, p, l) { if (f > 1) throw TypeError("Generator is already running"); for (y && 1 === p && d(p, l), c = p, u = l; (t = c < 2 ? e : u) || !y;) { i || (c ? c < 3 ? (c > 1 && (G.n = -1), d(c, u)) : G.n = u : G.v = u); try { if (f = 2, i) { if (c || (o = "next"), t = i[o]) { if (!(t = t.call(i, u))) throw TypeError("iterator result is not an object"); if (!t.done) return t; u = t.value, c < 2 && (c = 0); } else 1 === c && (t = i["return"]) && t.call(i), c < 2 && (u = TypeError("The iterator does not provide a '" + o + "' method"), c = 1); i = e; } else if ((t = (y = G.n < 0) ? u : r.call(n, G)) !== a) break; } catch (t) { i = e, c = 1, u = t; } finally { f = 1; } } return { value: t, done: y }; }; }(r, o, i), !0), u; } var a = {}; function Generator() {} function GeneratorFunction() {} function GeneratorFunctionPrototype() {} t = Object.getPrototypeOf; var c = [][n] ? t(t([][n]())) : (_regeneratorDefine2(t = {}, n, function () { return this; }), t), u = GeneratorFunctionPrototype.prototype = Generator.prototype = Object.create(c); function f(e) { return Object.setPrototypeOf ? Object.setPrototypeOf(e, GeneratorFunctionPrototype) : (e.__proto__ = GeneratorFunctionPrototype, _regeneratorDefine2(e, o, "GeneratorFunction")), e.prototype = Object.create(u), e; } return GeneratorFunction.prototype = GeneratorFunctionPrototype, _regeneratorDefine2(u, "constructor", GeneratorFunctionPrototype), _regeneratorDefine2(GeneratorFunctionPrototype, "constructor", GeneratorFunction), GeneratorFunction.displayName = "GeneratorFunction", _regeneratorDefine2(GeneratorFunctionPrototype, o, "GeneratorFunction"), _regeneratorDefine2(u), _regeneratorDefine2(u, o, "Generator"), _regeneratorDefine2(u, n, function () { return this; }), _regeneratorDefine2(u, "toString", function () { return "[object Generator]"; }), (_regenerator = function _regenerator() { return { w: i, m: f }; })(); }
function _regeneratorDefine2(e, r, n, t) { var i = Object.defineProperty; try { i({}, "", {}); } catch (e) { i = 0; } _regeneratorDefine2 = function _regeneratorDefine(e, r, n, t) { if (r) i ? i(e, r, { value: n, enumerable: !t, configurable: !t, writable: !t }) : e[r] = n;else { var o = function o(r, n) { _regeneratorDefine2(e, r, function (e) { return this._invoke(r, n, e); }); }; o("next", 0), o("throw", 1), o("return", 2); } }, _regeneratorDefine2(e, r, n, t); }
function asyncGeneratorStep(n, t, e, r, o, a, c) { try { var i = n[a](c), u = i.value; } catch (n) { return void e(n); } i.done ? t(u) : Promise.resolve(u).then(r, o); }
function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; } /**
* Copyright 2018 Google LLC
*
* Distributed under MIT license.
* See file LICENSE for detail or copy at https://opensource.org/licenses/MIT
*/
var readFile = fs.readFile ? (0, _util.promisify)(fs.readFile) : /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee() {
return _regenerator().w(function (_context) {
while (1) switch (_context.n) {
case 0:
throw new ErrorWithCode('use key rather than keyFile.', 'MISSING_CREDENTIALS');
case 1:
return _context.a(2);
}
}, _callee);
}));
var GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
var GOOGLE_REVOKE_TOKEN_URL = 'https://oauth2.googleapis.com/revoke?token=';
var ErrorWithCode = /*#__PURE__*/function (_Error) {
function ErrorWithCode(message, code) {
var _this;
_classCallCheck(this, ErrorWithCode);
_this = _callSuper(this, ErrorWithCode, [message]);
_defineProperty(_this, "code", void 0);
_this.code = code;
return _this;
}
_inherits(ErrorWithCode, _Error);
return _createClass(ErrorWithCode);
}(/*#__PURE__*/_wrapNativeSuper(Error));
var _inFlightRequest = /*#__PURE__*/new WeakMap();
var _GoogleToken_brand = /*#__PURE__*/new WeakSet();
var GoogleToken = exports.GoogleToken = /*#__PURE__*/function () {
/**
* Create a GoogleToken.
*
* @param options Configuration object.
*/
function GoogleToken(_options) {
_classCallCheck(this, GoogleToken);
_classPrivateMethodInitSpec(this, _GoogleToken_brand);
_defineProperty(this, "expiresAt", void 0);
_defineProperty(this, "key", void 0);
_defineProperty(this, "keyFile", void 0);
_defineProperty(this, "iss", void 0);
_defineProperty(this, "sub", void 0);
_defineProperty(this, "scope", void 0);
_defineProperty(this, "rawToken", void 0);
_defineProperty(this, "tokenExpires", void 0);
_defineProperty(this, "email", void 0);
_defineProperty(this, "additionalClaims", void 0);
_defineProperty(this, "eagerRefreshThresholdMillis", void 0);
_defineProperty(this, "transporter", {
request: function request(opts) {
return (0, _gaxios.request)(opts);
}
});
_classPrivateFieldInitSpec(this, _inFlightRequest, void 0);
_assertClassBrand(_GoogleToken_brand, this, _configure).call(this, _options);
}
/**
* Returns whether the token has expired.
*
* @return true if the token has expired, false otherwise.
*/
return _createClass(GoogleToken, [{
key: "accessToken",
get: function get() {
return this.rawToken ? this.rawToken.access_token : undefined;
}
}, {
key: "idToken",
get: function get() {
return this.rawToken ? this.rawToken.id_token : undefined;
}
}, {
key: "tokenType",
get: function get() {
return this.rawToken ? this.rawToken.token_type : undefined;
}
}, {
key: "refreshToken",
get: function get() {
return this.rawToken ? this.rawToken.refresh_token : undefined;
}
}, {
key: "hasExpired",
value: function hasExpired() {
var now = new Date().getTime();
if (this.rawToken && this.expiresAt) {
return now >= this.expiresAt;
} else {
return true;
}
}
/**
* Returns whether the token will expire within eagerRefreshThresholdMillis
*
* @return true if the token will be expired within eagerRefreshThresholdMillis, false otherwise.
*/
}, {
key: "isTokenExpiring",
value: function isTokenExpiring() {
var _this$eagerRefreshThr;
var now = new Date().getTime();
var eagerRefreshThresholdMillis = (_this$eagerRefreshThr = this.eagerRefreshThresholdMillis) !== null && _this$eagerRefreshThr !== void 0 ? _this$eagerRefreshThr : 0;
if (this.rawToken && this.expiresAt) {
return this.expiresAt <= now + eagerRefreshThresholdMillis;
} else {
return true;
}
}
/**
* Returns a cached token or retrieves a new one from Google.
*
* @param callback The callback function.
*/
}, {
key: "getToken",
value: function getToken(callback) {
var opts = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
if (_typeof(callback) === 'object') {
opts = callback;
callback = undefined;
}
opts = Object.assign({
forceRefresh: false
}, opts);
if (callback) {
var cb = callback;
_assertClassBrand(_GoogleToken_brand, this, _getTokenAsync).call(this, opts).then(function (t) {
return cb(null, t);
}, callback);
return;
}
return _assertClassBrand(_GoogleToken_brand, this, _getTokenAsync).call(this, opts);
}
/**
* Given a keyFile, extract the key and client email if available
* @param keyFile Path to a json, pem, or p12 file that contains the key.
* @returns an object with privateKey and clientEmail properties
*/
}, {
key: "getCredentials",
value: (function () {
var _getCredentials = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee2(keyFile) {
var ext, key, body, privateKey, clientEmail, _privateKey, _t;
return _regenerator().w(function (_context2) {
while (1) switch (_context2.n) {
case 0:
ext = path.extname(keyFile);
_t = ext;
_context2.n = _t === '.json' ? 1 : _t === '.der' ? 4 : _t === '.crt' ? 4 : _t === '.pem' ? 4 : _t === '.p12' ? 6 : _t === '.pfx' ? 6 : 7;
break;
case 1:
_context2.n = 2;
return readFile(keyFile, 'utf8');
case 2:
key = _context2.v;
body = JSON.parse(key);
privateKey = body.private_key;
clientEmail = body.client_email;
if (!(!privateKey || !clientEmail)) {
_context2.n = 3;
break;
}
throw new ErrorWithCode('private_key and client_email are required.', 'MISSING_CREDENTIALS');
case 3:
return _context2.a(2, {
privateKey: privateKey,
clientEmail: clientEmail
});
case 4:
_context2.n = 5;
return readFile(keyFile, 'utf8');
case 5:
_privateKey = _context2.v;
return _context2.a(2, {
privateKey: _privateKey
});
case 6:
throw new ErrorWithCode('*.p12 certificates are not supported after v6.1.2. ' + 'Consider utilizing *.json format or converting *.p12 to *.pem using the OpenSSL CLI.', 'UNKNOWN_CERTIFICATE_TYPE');
case 7:
throw new ErrorWithCode('Unknown certificate type. Type is determined based on file extension. ' + 'Current supported extensions are *.json, and *.pem.', 'UNKNOWN_CERTIFICATE_TYPE');
case 8:
return _context2.a(2);
}
}, _callee2);
}));
function getCredentials(_x) {
return _getCredentials.apply(this, arguments);
}
return getCredentials;
}())
}, {
key: "revokeToken",
value: function revokeToken(callback) {
if (callback) {
_assertClassBrand(_GoogleToken_brand, this, _revokeTokenAsync).call(this).then(function () {
return callback();
}, callback);
return;
}
return _assertClassBrand(_GoogleToken_brand, this, _revokeTokenAsync).call(this);
}
}]);
}();
function _getTokenAsync(_x2) {
return _getTokenAsync2.apply(this, arguments);
}
function _getTokenAsync2() {
_getTokenAsync2 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee3(opts) {
return _regenerator().w(function (_context3) {
while (1) switch (_context3.n) {
case 0:
if (!(_classPrivateFieldGet(_inFlightRequest, this) && !opts.forceRefresh)) {
_context3.n = 1;
break;
}
return _context3.a(2, _classPrivateFieldGet(_inFlightRequest, this));
case 1:
_context3.p = 1;
_context3.n = 2;
return _classPrivateFieldSet(_inFlightRequest, this, _assertClassBrand(_GoogleToken_brand, this, _getTokenAsyncInner).call(this, opts));
case 2:
return _context3.a(2, _context3.v);
case 3:
_context3.p = 3;
_classPrivateFieldSet(_inFlightRequest, this, undefined);
return _context3.f(3);
case 4:
return _context3.a(2);
}
}, _callee3, this, [[1,, 3, 4]]);
}));
return _getTokenAsync2.apply(this, arguments);
}
function _getTokenAsyncInner(_x3) {
return _getTokenAsyncInner2.apply(this, arguments);
}
function _getTokenAsyncInner2() {
_getTokenAsyncInner2 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee4(opts) {
var creds;
return _regenerator().w(function (_context4) {
while (1) switch (_context4.n) {
case 0:
if (!(this.isTokenExpiring() === false && opts.forceRefresh === false)) {
_context4.n = 1;
break;
}
return _context4.a(2, Promise.resolve(this.rawToken));
case 1:
if (!(!this.key && !this.keyFile)) {
_context4.n = 2;
break;
}
throw new Error('No key or keyFile set.');
case 2:
if (!(!this.key && this.keyFile)) {
_context4.n = 4;
break;
}
_context4.n = 3;
return this.getCredentials(this.keyFile);
case 3:
creds = _context4.v;
this.key = creds.privateKey;
this.iss = creds.clientEmail || this.iss;
if (!creds.clientEmail) {
_assertClassBrand(_GoogleToken_brand, this, _ensureEmail).call(this);
}
case 4:
return _context4.a(2, _assertClassBrand(_GoogleToken_brand, this, _requestToken).call(this));
}
}, _callee4, this);
}));
return _getTokenAsyncInner2.apply(this, arguments);
}
function _ensureEmail() {
if (!this.iss) {
throw new ErrorWithCode('email is required.', 'MISSING_CREDENTIALS');
}
}
function _revokeTokenAsync() {
return _revokeTokenAsync2.apply(this, arguments);
}
function _revokeTokenAsync2() {
_revokeTokenAsync2 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee5() {
var url;
return _regenerator().w(function (_context5) {
while (1) switch (_context5.n) {
case 0:
if (this.accessToken) {
_context5.n = 1;
break;
}
throw new Error('No token to revoke.');
case 1:
url = GOOGLE_REVOKE_TOKEN_URL + this.accessToken;
_context5.n = 2;
return this.transporter.request({
url: url,
retry: true
});
case 2:
_assertClassBrand(_GoogleToken_brand, this, _configure).call(this, {
email: this.iss,
sub: this.sub,
key: this.key,
keyFile: this.keyFile,
scope: this.scope,
additionalClaims: this.additionalClaims
});
case 3:
return _context5.a(2);
}
}, _callee5, this);
}));
return _revokeTokenAsync2.apply(this, arguments);
}
/**
* Configure the GoogleToken for re-use.
* @param {object} options Configuration object.
*/
function _configure() {
var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
this.keyFile = options.keyFile;
this.key = options.key;
this.rawToken = undefined;
this.iss = options.email || options.iss;
this.sub = options.sub;
this.additionalClaims = options.additionalClaims;
if (_typeof(options.scope) === 'object') {
this.scope = options.scope.join(' ');
} else {
this.scope = options.scope;
}
this.eagerRefreshThresholdMillis = options.eagerRefreshThresholdMillis;
if (options.transporter) {
this.transporter = options.transporter;
}
}
/**
* Request the token from Google.
*/
function _requestToken() {
return _requestToken2.apply(this, arguments);
}
function _requestToken2() {
_requestToken2 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee6() {
var iat, additionalClaims, payload, signedJWT, r, _response, _response2, body, desc, _t2;
return _regenerator().w(function (_context6) {
while (1) switch (_context6.n) {
case 0:
iat = Math.floor(new Date().getTime() / 1000);
additionalClaims = this.additionalClaims || {};
payload = Object.assign({
iss: this.iss,
scope: this.scope,
aud: GOOGLE_TOKEN_URL,
exp: iat + 3600,
iat: iat,
sub: this.sub
}, additionalClaims);
signedJWT = jws.sign({
header: {
alg: 'RS256'
},
payload: payload,
secret: this.key
});
_context6.p = 1;
_context6.n = 2;
return this.transporter.request({
method: 'POST',
url: GOOGLE_TOKEN_URL,
data: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: signedJWT
}),
responseType: 'json',
retryConfig: {
httpMethodsToRetry: ['POST']
}
});
case 2:
r = _context6.v;
this.rawToken = r.data;
this.expiresAt = r.data.expires_in === null || r.data.expires_in === undefined ? undefined : (iat + r.data.expires_in) * 1000;
return _context6.a(2, this.rawToken);
case 3:
_context6.p = 3;
_t2 = _context6.v;
this.rawToken = undefined;
this.tokenExpires = undefined;
body = _t2.response && (_response = _t2.response) !== null && _response !== void 0 && _response.data ? (_response2 = _t2.response) === null || _response2 === void 0 ? void 0 : _response2.data : {};
if (body.error) {
desc = body.error_description ? ": ".concat(body.error_description) : '';
_t2.message = "".concat(body.error).concat(desc);
}
throw _t2;
case 4:
return _context6.a(2);
}
}, _callee6, this, [[1, 3]]);
}));
return _requestToken2.apply(this, arguments);
}