UNPKG

hono

Version:

Web framework built on Web Standards

hono.dev

honojs/hono

109 lines (108 loc) 3.51 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
// src/middleware/jwk/jwk.ts import { getCookie, getSignedCookie } from "../../helper/cookie/index.js"; import { HTTPException } from "../../http-exception.js"; import { Jwt } from "../../utils/jwt/index.js"; import "../../context.js"; var jwk = (options, init) => { const verifyOpts = options.verification || {}; if (!options || !(options.keys || options.jwks_uri)) { throw new Error('JWK auth middleware requires options for either "keys" or "jwks_uri" or both'); } if (!crypto.subtle || !crypto.subtle.importKey) { throw new Error("`crypto.subtle.importKey` is undefined. JWK auth middleware requires it."); } return async function jwk2(ctx, next) { const headerName = options.headerName || "Authorization"; const credentials = ctx.req.raw.headers.get(headerName); let token; if (credentials) { const parts = credentials.split(/\s+/); if (parts.length !== 2) { const errDescription = "invalid credentials structure"; throw new HTTPException(401, { message: errDescription, res: unauthorizedResponse({ ctx, error: "invalid_request", errDescription }) }); } else { token = parts[1]; } } else if (options.cookie) { if (typeof options.cookie == "string") { token = getCookie(ctx, options.cookie); } else if (options.cookie.secret) { if (options.cookie.prefixOptions) { token = await getSignedCookie( ctx, options.cookie.secret, options.cookie.key, options.cookie.prefixOptions ); } else { token = await getSignedCookie(ctx, options.cookie.secret, options.cookie.key); } } else { if (options.cookie.prefixOptions) { token = getCookie(ctx, options.cookie.key, options.cookie.prefixOptions); } else { token = getCookie(ctx, options.cookie.key); } } } if (!token) { if (options.allow_anon) { return next(); } const errDescription = "no authorization included in request"; throw new HTTPException(401, { message: errDescription, res: unauthorizedResponse({ ctx, error: "invalid_request", errDescription }) }); } let payload; let cause; try { const keys = typeof options.keys === "function" ? await options.keys(ctx) : options.keys; const jwks_uri = typeof options.jwks_uri === "function" ? await options.jwks_uri(ctx) : options.jwks_uri; payload = await Jwt.verifyWithJwks(token, { keys, jwks_uri, verification: verifyOpts }, init); } catch (e) { cause = e; } if (!payload) { if (cause instanceof Error && cause.constructor === Error) { throw cause; } throw new HTTPException(401, { message: "Unauthorized", res: unauthorizedResponse({ ctx, error: "invalid_token", statusText: "Unauthorized", errDescription: "token verification failure" }), cause }); } ctx.set("jwtPayload", payload); await next(); }; }; function unauthorizedResponse(opts) { return new Response("Unauthorized", { status: 401, statusText: opts.statusText, headers: { "WWW-Authenticate": `Bearer realm="${opts.ctx.req.url}",error="${opts.error}",error_description="${opts.errDescription}"` } }); } export { jwk };