UNPKG

remix-utils

Version:

This package contains simple utility functions to use with [React Router](https://reactrouter.com/).

github.com/sergiodxa/remix-utils

sergiodxa/remix-utils

207 lines 7.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
/** * > This depends on `@edgefirst-dev/jwt`. * * The JWK Auth middleware let's you add a JSON Web Key authentication to your routes, this can be useful to protect routes that need to be private and will be accessed by other services. * * > **Warning**: JWK Auth is more secure than Basic Auth, but it should be used with HTTPS to ensure the token is encrypted. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * * export const [jwkAuthMiddleware, getJWTPayload] = * unstable_createJWKAuthMiddleware({ * jwksUri: "https://auth.example.com/.well-known/jwks.json", * }); * ``` * * The `jwksUri` option let's you set the URL to the JWKS endpoint, this is the URL where the public keys are stored. * * To use the middleware, you need to add it to the `unstable_middleware` array in the route where you want to use it. * * ```ts * import { jwkAuthMiddleware } from "~/middleware/jwk-auth"; * export const unstable_middleware = [jwkAuthMiddleware]; * ``` * * Now, when you access the route it will check the JWT token in the `Authorization` header. * * In case of an invalid token the middleware will return a `401` status code with a `WWW-Authenticate` header. * * ```http * HTTP/1.1 401 Unauthorized * WWW-Authenticate: Bearer realm="Secure Area" * * Unauthorized * ``` * * The `realm` option let's you set the realm for the authentication, this is the name of the protected area. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * * export const [jwkAuthMiddleware] = unstable_createJWKAuthMiddleware({ * realm: "My Realm", * jwksUri: "https://auth.example.com/.well-known/jwks.json", * }); * ``` * * If you want to customize the message sent when the token is invalid you can use the `invalidTokenMessage` option. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * * export const [jwkAuthMiddleware] = unstable_createJWKAuthMiddleware({ * invalidTokenMessage: "Invalid token", * jwksUri: "https://auth.example.com/.well-known/jwks.json", * }); * ``` * * And this will be the response when the token is invalid. * * ```http * HTTP/1.1 401 Unauthorized * WWW-Authenticate: Bearer realm="Secure Area" * * Invalid token * ``` * * You can also customize the `invalidTokenMessage` by passing a function which will receive the Request and context objects. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * * export const [jwkAuthMiddleware] = unstable_createJWKAuthMiddleware({ * invalidTokenMessage({ request, context }) { * // do something with request or context here * return { message: `Invalid token` }; * }, * jwksUri: "https://auth.example.com/.well-known/jwks.json", * }); * ``` * * In both cases, with a hard-coded value or a function, the invalid message can be a string or an object, if it's an object it will be converted to JSON. * * ```http * HTTP/1.1 401 Unauthorized * WWW-Authenticate: Bearer realm="Secure Area" * * {"message":"Invalid token"} * ``` * * If you want to get the JWT payload in your loaders, actions, or other middleware you can use the `getJWTPayload` function. * * ```ts * import { getJWTPayload } from "~/middleware/jwk-auth.server"; * * export async function loader({ request }: LoaderFunctionArgs) { * let payload = getJWTPayload(); * // ... * } * ``` * * And you can use the payload to get the subject, scope, issuer, audience, or any other information stored in the token. * * ## With a Custom Header * * If your app receives the JWT in a custom header instead of the `Authorization` header you can tell the middleware to look for the token in that header. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * * export const [jwkAuthMiddleware, getJWTPayload] = * unstable_createJWKAuthMiddleware({ header: "X-API-Key" }); * ``` * * Now use the middleware as usual, but now instead of looking for the token in the `Authorization` header it will look for it in the `X-API-Key` header. * * ```ts * import { jwkAuthMiddleware } from "~/middleware/jwk-auth"; * * export const unstable_middleware = [jwkAuthMiddleware]; * ``` * * ## With a Cookie * * If you save a JWT in a cookie using React Router's Cookie API, you can tell the middleware to look for the token in the cookie instead of the `Authorization` header. * * ```ts * import { unstable_createJWKAuthMiddleware } from "remix-utils/middleware/jwk-auth"; * import { createCookie } from "react-router"; * * export const cookie = createCookie("jwt", { * path: "/", * sameSite: "lax", * httpOnly: true, * secure: process.env.NODE_ENV === "true", * }); * * export const [jwkAuthMiddleware, getJWTPayload] = * unstable_createJWKAuthMiddleware({ cookie }); * ``` * * Then use the middleware as usual, but now instead of looking for the token in the `Authorization` header it will look for it in the cookie. * * ```ts * import { jwkAuthMiddleware } from "~/middleware/jwk-auth"; * * export const unstable_middleware = [jwkAuthMiddleware]; * ``` * @author [Sergio Xalambrí](https://sergiodxa.com) * @module Middleware/JWK Auth */ import { JWK, JWT } from "@edgefirst-dev/jwt"; import { unstable_RouterContextProvider, unstable_createContext, } from "react-router"; export function unstable_createJWKAuthMiddleware({ jwksUri, realm = "Secure Area", alg = JWK.Algoritm.ES256, invalidUserMessage = "Unauthorized", ...options }) { const tokenContext = unstable_createContext(); const remote = JWK.importRemote(new URL(jwksUri), { alg }); const cookieInOptions = "cookie" in options; return [ async function jwkAuthMiddleware({ request, context }, next) { let token = null; if (cookieInOptions) { token = await options.cookie.parse(request.headers.get("Cookie")); } if (!cookieInOptions) { let authorization = request.headers.get(options.headerName ?? "Authorization"); if (!authorization) throw await unauthorized(request, context); let [type, ...rest] = authorization.split(" "); if (type?.toLowerCase() !== "bearer") { throw await unauthorized(request, context); } token = rest[0] ?? null; } if (!token) throw await unauthorized(request, context); try { context.set(tokenContext, await JWT.verify(token, await remote, options.verifyOptions)); } catch { throw await unauthorized(request, context); } return await next(); }, function getJWTPayload(context) { return context.get(tokenContext); }, ]; async function getInvalidUserMessage(args) { if (invalidUserMessage === undefined) return "Unauthorized"; if (typeof invalidUserMessage === "string") return invalidUserMessage; if (typeof invalidUserMessage === "function") { return await invalidUserMessage(args); } return invalidUserMessage; } async function unauthorized(request, context) { let message = await getInvalidUserMessage({ request, context }); return Response.json(message, { status: 401, statusText: "Unauthorized", headers: { "WWW-Authenticate": `Bearer realm="${realm}"` }, }); } } //# sourceMappingURL=jwk-auth.js.map