-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathjwt.ts
112 lines (94 loc) · 2.63 KB
/
jwt.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
import { ErrorType, NotAuthenticatedError, NotAuthorizedError } from "../error";
import { isAdmin, isContributor, UserRole } from "./role";
import { JWTPayload, jwtVerify } from "jose";
import { NextFunction, Request, Response } from "express";
// Middleware for routes that require a contributor role
const ensureAdminRouteMiddleware = async (
req: Request,
res: Response,
next: NextFunction
) => {
await handleMiddlewareCheck(req, res, ensureAdmin);
next();
};
// Middleware for routes that require a contributor role
const ensureContributorRouteMiddleware = (
req: Request,
res: Response,
next: NextFunction
) => {
handleMiddlewareCheck(req, res, ensureContributor).then(next);
};
const handleMiddlewareCheck = async (
req: Request,
res: Response,
assertion: Function
) => {
try {
const token = await decodeJwtFromRequest(req);
const roles: UserRole[] = rolesFromJwtPayload(token);
console.debug("Roles:", roles);
if (roles.length == 0) {
throw NotAuthorizedError();
}
assertion(roles);
} catch (e: any) {
handleError(e, res);
}
};
const handleError = (err: Error, res: Response) => {
if (err.name == ErrorType.NotAuthenticated) {
res.status(403).json({ error: err.message });
}
if (err.name == ErrorType.NotAuthorized) {
res.status(401).json({ error: err.message });
}
console.debug(err);
res.status(500).json({ error: "Internal server error" });
};
const ensureAdmin = (roles: UserRole[]) => {
roles.forEach((role) => {
if (!isAdmin(role)) {
throw NotAuthorizedError();
}
});
};
const ensureContributor = (roles: UserRole[]) => {
roles.forEach((role) => {
if (!isContributor(role)) {
throw NotAuthorizedError();
}
});
};
const rolesFromJwtPayload = (payload: JWTPayload): UserRole[] => {
const aud = payload.aud;
if (!aud) {
return [];
}
if (typeof aud == "string") {
return [UserRole[aud as UserRole]];
}
return (aud as string[]).map((i: string) => {
return UserRole[i as UserRole];
});
};
const decodeJwtFromRequest = async (req: Request): Promise<JWTPayload> => {
const token = req.headers.authorization;
if (!token) {
throw NotAuthenticatedError("missing API token");
}
try {
const result = await jwtVerify(
token,
new TextEncoder().encode(process.env.JWT_SIGNING_KEY)
);
const payload = result.payload;
if (!Object.hasOwn(payload, "aud")) {
throw NotAuthenticatedError("API token invalid");
}
return payload;
} catch (err) {
throw NotAuthenticatedError("API token invalid");
}
};
export { ensureAdminRouteMiddleware, ensureContributorRouteMiddleware };