keycloak-lambda-authorizer
Version:
104 lines • 4.56 kB
JavaScript
;
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.transformRequestToRefresh = exports.transformResfreshToRequest = exports.isExpired = exports.verifyToken = exports.decodeToken = void 0;
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore
const get_keycloak_public_key_1 = __importDefault(require("get-keycloak-public-key"));
const KeycloakUtils_1 = require("./KeycloakUtils");
function decodeToken(tokenString) {
const token = jsonwebtoken_1.default.decode(tokenString, { complete: true });
if (!token || !token.header) {
throw new Error('invalid token (header part)');
}
else {
const { kid } = token.header;
const { alg } = token.header;
if (alg.toLowerCase() === 'none' || !kid) {
throw new Error('invalid token');
}
token.tokenString = tokenString;
}
return token;
}
exports.decodeToken = decodeToken;
function getKeyFromKeycloak0(requestContent, options, kid) {
return __awaiter(this, void 0, void 0, function* () {
const kJson = yield options.keycloakJson(options, requestContent);
const keycloakUrl = new URL((0, KeycloakUtils_1.getKeycloakUrl)(kJson));
keycloakUrl.pathname = keycloakUrl.pathname.replace('/auth', '');
const publicKey = yield (0, get_keycloak_public_key_1.default)((0, KeycloakUtils_1.getUrl)(keycloakUrl.toString()), kJson.realm).fetch(kid);
return publicKey;
});
}
function getKeyFromKeycloak(requestContent, options, kid) {
return __awaiter(this, void 0, void 0, function* () {
const cache = options.cache;
let publicKey = yield cache.get('publicKey', kid);
if (!publicKey) {
publicKey = yield getKeyFromKeycloak0(requestContent, options, kid);
yield cache.put('publicKey', kid, publicKey);
}
return publicKey;
});
}
function verifyToken(requestContent, options) {
return __awaiter(this, void 0, void 0, function* () {
const { kid } = requestContent.token.header;
const { alg } = requestContent.token.header;
// eslint-disable-next-line no-negated-condition
if (!alg.toLowerCase().startsWith('hs')) {
// fetch the PEM Public Key
const key = yield getKeyFromKeycloak(requestContent, options, kid);
try {
// Verify and decode the token
jsonwebtoken_1.default.verify(requestContent.token.tokenString, key);
options.logger.debug('token verified successfully ');
return requestContent.token;
}
catch (error) {
// Token is not valid
throw new Error(`invalid token: ${error}`);
}
}
else {
throw new Error('invalid token');
}
});
}
exports.verifyToken = verifyToken;
function isExpired(token) {
const clockTimestamp = Math.floor(Date.now() / 1000);
return clockTimestamp > token.exp - 30;
}
exports.isExpired = isExpired;
function transformResfreshToRequest(refreshContext) {
return {
tokenString: refreshContext.token.access_token,
token: decodeToken(refreshContext.token.access_token),
request: refreshContext.request,
realm: refreshContext.realm,
};
}
exports.transformResfreshToRequest = transformResfreshToRequest;
function transformRequestToRefresh(token, requestContext) {
return {
token,
request: requestContext.request,
realm: requestContext.realm,
};
}
exports.transformRequestToRefresh = transformRequestToRefresh;
//# sourceMappingURL=TokenUtils.js.map