UNPKG

keycloak-lambda-authorizer

Version:
104 lines 4.56 kB
"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.transformRequestToRefresh = exports.transformResfreshToRequest = exports.isExpired = exports.verifyToken = exports.decodeToken = void 0; const jsonwebtoken_1 = __importDefault(require("jsonwebtoken")); // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore const get_keycloak_public_key_1 = __importDefault(require("get-keycloak-public-key")); const KeycloakUtils_1 = require("./KeycloakUtils"); function decodeToken(tokenString) { const token = jsonwebtoken_1.default.decode(tokenString, { complete: true }); if (!token || !token.header) { throw new Error('invalid token (header part)'); } else { const { kid } = token.header; const { alg } = token.header; if (alg.toLowerCase() === 'none' || !kid) { throw new Error('invalid token'); } token.tokenString = tokenString; } return token; } exports.decodeToken = decodeToken; function getKeyFromKeycloak0(requestContent, options, kid) { return __awaiter(this, void 0, void 0, function* () { const kJson = yield options.keycloakJson(options, requestContent); const keycloakUrl = new URL((0, KeycloakUtils_1.getKeycloakUrl)(kJson)); keycloakUrl.pathname = keycloakUrl.pathname.replace('/auth', ''); const publicKey = yield (0, get_keycloak_public_key_1.default)((0, KeycloakUtils_1.getUrl)(keycloakUrl.toString()), kJson.realm).fetch(kid); return publicKey; }); } function getKeyFromKeycloak(requestContent, options, kid) { return __awaiter(this, void 0, void 0, function* () { const cache = options.cache; let publicKey = yield cache.get('publicKey', kid); if (!publicKey) { publicKey = yield getKeyFromKeycloak0(requestContent, options, kid); yield cache.put('publicKey', kid, publicKey); } return publicKey; }); } function verifyToken(requestContent, options) { return __awaiter(this, void 0, void 0, function* () { const { kid } = requestContent.token.header; const { alg } = requestContent.token.header; // eslint-disable-next-line no-negated-condition if (!alg.toLowerCase().startsWith('hs')) { // fetch the PEM Public Key const key = yield getKeyFromKeycloak(requestContent, options, kid); try { // Verify and decode the token jsonwebtoken_1.default.verify(requestContent.token.tokenString, key); options.logger.debug('token verified successfully '); return requestContent.token; } catch (error) { // Token is not valid throw new Error(`invalid token: ${error}`); } } else { throw new Error('invalid token'); } }); } exports.verifyToken = verifyToken; function isExpired(token) { const clockTimestamp = Math.floor(Date.now() / 1000); return clockTimestamp > token.exp - 30; } exports.isExpired = isExpired; function transformResfreshToRequest(refreshContext) { return { tokenString: refreshContext.token.access_token, token: decodeToken(refreshContext.token.access_token), request: refreshContext.request, realm: refreshContext.realm, }; } exports.transformResfreshToRequest = transformResfreshToRequest; function transformRequestToRefresh(token, requestContext) { return { token, request: requestContext.request, realm: requestContext.realm, }; } exports.transformRequestToRefresh = transformRequestToRefresh; //# sourceMappingURL=TokenUtils.js.map