UNPKG

node-nlp

Version:

Library for NLU (Natural Language Understanding) done in Node.js

github.com/axa-group/nlp.js

axa-group/nlp.js

99 lines 6.23 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; Object.defineProperty(exports, "__esModule", { value: true }); const channelValidation_1 = require("./channelValidation"); const constants_1 = require("./constants"); const jwtTokenExtractor_1 = require("./jwtTokenExtractor"); var EnterpriseChannelValidation; (function (EnterpriseChannelValidation) { /** * TO BOT FROM CHANNEL: Token validation parameters when connecting to a bot */ EnterpriseChannelValidation.ToBotFromEnterpriseChannelTokenValidationParameters = { issuer: [constants_1.Constants.ToBotFromChannelTokenIssuer], audience: undefined, clockTolerance: 5 * 60, ignoreExpiration: false }; /** * Validate the incoming Auth Header as a token sent from the Bot Framework Service. * A token issued by the Bot Framework emulator will FAIL this check. * @param {string} authHeader The raw HTTP header in the format: "Bearer [longString]" * @param {ICredentialProvider} credentials The user defined set of valid credentials, such as the AppId. * @param {string} serviceUrl The ServiceUrl Claim value that must match in the identity. * @returns {Promise<ClaimsIdentity>} A valid ClaimsIdentity. */ function authenticateChannelTokenWithServiceUrl(authHeader, credentials, serviceUrl, channelId, channelService) { return __awaiter(this, void 0, void 0, function* () { const identity = yield authenticateChannelToken(authHeader, credentials, channelId, channelService); const serviceUrlClaim = identity.getClaimValue(constants_1.Constants.ServiceUrlClaim); if (serviceUrlClaim !== serviceUrl) { // Claim must match. Not Authorized. throw new Error('Unauthorized. ServiceUrl claim do not match.'); } return identity; }); } EnterpriseChannelValidation.authenticateChannelTokenWithServiceUrl = authenticateChannelTokenWithServiceUrl; /** * Validate the incoming Auth Header as a token sent from the Bot Framework Service. * A token issued by the Bot Framework emulator will FAIL this check. * @param {string} authHeader The raw HTTP header in the format: "Bearer [longString]" * @param {ICredentialProvider} credentials The user defined set of valid credentials, such as the AppId. * @returns {Promise<ClaimsIdentity>} A valid ClaimsIdentity. */ function authenticateChannelToken(authHeader, credentials, channelId, channelService) { return __awaiter(this, void 0, void 0, function* () { const tokenExtractor = new jwtTokenExtractor_1.JwtTokenExtractor(EnterpriseChannelValidation.ToBotFromEnterpriseChannelTokenValidationParameters, channelValidation_1.ChannelValidation.OpenIdMetadataEndpoint ? channelValidation_1.ChannelValidation.OpenIdMetadataEndpoint : constants_1.Constants.ToBotFromEnterpriseChannelOpenIdMetadataUrlFormat.replace('{channelService}', channelService), constants_1.Constants.AllowedSigningAlgorithms); const identity = yield tokenExtractor.getIdentityFromAuthHeader(authHeader, channelId); return yield validateIdentity(identity, credentials); }); } EnterpriseChannelValidation.authenticateChannelToken = authenticateChannelToken; /** * Validate the ClaimsIdentity to ensure it came from the channel service. * @param {ClaimsIdentity} identity The identity to validate * @param {ICredentialProvider} credentials The user defined set of valid credentials, such as the AppId. * @returns {Promise<ClaimsIdentity>} A valid ClaimsIdentity. */ function validateIdentity(identity, credentials) { return __awaiter(this, void 0, void 0, function* () { if (!identity) { // No valid identity. Not Authorized. throw new Error('Unauthorized. No valid identity.'); } if (!identity.isAuthenticated) { // The token is in some way invalid. Not Authorized. throw new Error('Unauthorized. Is not authenticated'); } // Now check that the AppID in the claimset matches // what we're looking for. Note that in a multi-tenant bot, this value // comes from developer code that may be reaching out to a service, hence the // Async validation. // Look for the "aud" claim, but only if issued from the Bot Framework if (identity.getClaimValue(constants_1.Constants.IssuerClaim) !== constants_1.Constants.ToBotFromChannelTokenIssuer) { // The relevant Audiance Claim MUST be present. Not Authorized. throw new Error('Unauthorized. Issuer Claim MUST be present.'); } // The AppId from the claim in the token must match the AppId specified by the developer. // In this case, the token is destined for the app, so we find the app ID in the audience claim. const audClaim = identity.getClaimValue(constants_1.Constants.AudienceClaim); if (!(yield credentials.isValidAppId(audClaim || ''))) { // The AppId is not valid or not present. Not Authorized. throw new Error(`Unauthorized. Invalid AppId passed on token: ${audClaim}`); } return identity; }); } EnterpriseChannelValidation.validateIdentity = validateIdentity; })(EnterpriseChannelValidation = exports.EnterpriseChannelValidation || (exports.EnterpriseChannelValidation = {})); //# sourceMappingURL=enterpriseChannelValidation.js.map