UNPKG

hapi-auth-keycloak

Version:

JSON Web Token based Authentication powered by Keycloak

github.com/felixheck/hapi-auth-keycloak

felixheck/hapi-auth-keycloak

145 lines (132 loc) 3.59 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
const _ = require('lodash') const jwt = require('jsonwebtoken') /** * @function * @private * * Extract bearer token out of header. * https://tools.ietf.org/html/rfc7519 * * @param {string} field The header field to be scanned * @returns {string} The extracted header */ function getToken (field) { return /^(?:bearer) ([a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?)$/i.exec( field ) } /** * @function * @private * * Get function prefixing role with respective key. * * @param {string} clientId The current client its identifier * @param {string} key The role its key * @returns {Function} The composed prefixing function */ function prefixRole (clientId, key) { return (role) => (clientId === key ? role : `${key}:${role}`) } /** * @function * @private * * Get roles out of token content. * Exclude `account` roles and prefix realm roles * with `realm:`. Roles of other resources are prefixed * with their name. * * @param {string} clientId The current client its identifier * @param {Object} [realm={ roles: [] }] The realm access data * @param {Object} [resources={}] The resource access data * @param {Object} [auth={ permissions: [] }] The fine-grained access data * @returns {Array.<?string>} The list of roles */ function getRoles ( clientId, { realm_access: realm = { roles: [] }, resource_access: resources = {}, authorization: auth = { permissions: [] }, scope = '' } ) { const prefix = prefixRole.bind(undefined, clientId) const realmRoles = realm.roles.map(prefix('realm')) const clientscopes = scope .split(' ') .filter(Boolean) .map(prefix('clientscope')) const scopes = _.flatten(_.map(auth.permissions, 'scopes')).map( prefix('scope') ) const appRoles = Object.keys(resources).map((key) => resources[key].roles.map(prefix(key)) ) return _.flattenDepth([realmRoles, scopes, appRoles, clientscopes], 2) } /** * @function * @private * * Get expiration out of token content. * If `exp` is undefined just use 60 seconds as default. * * @param {number} exp The `expiration` timestamp in seconds * @returns {number} The expiration delta in milliseconds */ function getExpiration ({ exp }) { return exp ? exp * 1000 - Date.now() : 60 * 1000 } /** * @function * @private * * Get necessary user information out of token content. * * @param {Object} content The token its content * @param {Array.<?string>} [fields=[]] The necessary fields * @returns {Object} The collection of requested user info */ function getUserInfo (content, fields = []) { return _.pick(content, ['sub', ...fields]) } /** * @function * @public * * Get various data out of token content. * Get the current scope of the user and * when the token expires. * * @param {string} tkn The token to be checked * @param {string} clientId The current client its identifier * @param {Array.<?string>} [userInfo] The necessary user info fields * @returns {Object} The extracted data */ function getData (tkn, { clientId, userInfo }) { const content = jwt.decode(tkn) const scope = getRoles(clientId, content) return { expiresIn: getExpiration(content), credentials: Object.assign({ scope }, getUserInfo(content, userInfo)) } } /** * @function * @public * * Get token out of header field. * * @param {string} field The header field to be scanned * @returns {string|false} The token or `false` dependent on field */ function create (field) { const match = getToken(field) return match ? match[1] : false } module.exports = { create, getData }