UNPKG

openam-agent-custom

Version:

Customized ForgeRock AM Policy Agent for Node.js from Zoltan Tarcsay

72 lines (61 loc) 2.29 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
import * as basicAuth from 'basic-auth'; import { IncomingMessage, ServerResponse } from 'http'; import { ShieldEvaluationError } from '../error/shield-evaluation-error'; import { PolicyAgent } from '../policyagent/policy-agent'; import { Deferred } from '../utils/deferred'; import { sendResponse } from '../utils/http-utils'; import { SessionData } from './session-data'; import { Shield } from './shield'; export interface BasicAuthShieldOptions { realm?: string; service?: string; module?: string; } /** * Shield implementation for enforcing a basic auth header. The credentials in the Authorization will be sent to OpenAM. * No session will be created. */ export class BasicAuthShield implements Shield { constructor(readonly options: BasicAuthShieldOptions) {} /** * The returned Promise is wrapped in a Deferred object. This is because in case of a 401 challenge, the Promise * must not be resolved (if the Promise is resolved, the agent treats it as success). A challenge is neither success * nor failure. */ async evaluate(req: IncomingMessage, res: ServerResponse, agent: PolicyAgent): Promise<SessionData> { const user = basicAuth(req); const deferred = new Deferred<SessionData>(); if (user) { await this.authenticate(agent, user.name, user.pass); agent.logger.info('BasicAuthShield: %s => allow', req.url); deferred.resolve({ key: user.name, data: { username: user.name } }); } else { agent.logger.info('BasicAuthShield: %s => unauthenticated', req.url); this.sendChallenge(res); } return await deferred.promise; } private sendChallenge(res: ServerResponse): void { sendResponse(res, 401, null, { 'WWW-Authenticate': 'Basic realm=Authorization Required' }); } private async authenticate(agent: PolicyAgent, username: string, password: string): Promise<any> { try { await agent.amClient.authenticate( username, password, this.options.realm, this.options.service, this.options.module, true ); } catch (err) { throw new ShieldEvaluationError( err.statusCode || err.status || 500, err.name || err.message, err.stack + '\n' + JSON.stringify(err, null, 2) ); } } }