import crypto from "crypto";
import * as jose from "jose";
import jwt, { JwtPayload } from "jsonwebtoken";
import jwks, { CertSigningKey, RsaSigningKey } from "jwks-rsa";
import type { Middleware, Request } from "retes";
import { Response } from "retes/response";
import { SALEOR_DOMAIN_HEADER, SALEOR_EVENT_HEADER } from "./const";
import { jwksUrl } from "./urls";
/**
 * Exposes the request's external origin as `request.context.baseURL`
 * (`<scheme>://<host>`), then delegates to `handler`.
 *
 * Both parts come from client-supplied headers (`host`, `x-forwarded-proto`);
 * the scheme falls back to `http` when the proxy header is absent. The value is
 * therefore only as trustworthy as the reverse proxy in front of the app and
 * must not be used as a security boundary.
 */
export const withBaseURL: Middleware = (handler) => async (request) => {
  const headers = request.headers;
  const forwardedProto = headers["x-forwarded-proto"];
  const scheme = forwardedProto === undefined ? "http" : forwardedProto;

  request.context.baseURL = `${scheme}://${headers.host}`;

  return handler(request);
};
/**
 * Rejects requests that do not carry the Saleor domain header with a 400.
 *
 * Only presence is checked here; the header's value is not validated against
 * any installation, so downstream code must not treat it as trusted on its own.
 */
export const withSaleorDomainPresent: Middleware = (handler) => async (request) => {
  const domainHeader = request.headers[SALEOR_DOMAIN_HEADER];

  if (domainHeader) {
    return handler(request);
  }

  return Response.BadRequest({
    success: false,
    message: "Missing Saleor domain header.",
  });
};
/**
 * Accepts a request only when its Saleor event header equals `expectedEvent`
 * exactly (strict string comparison; the type forces a lowercase literal).
 *
 * @param expectedEvent Lowercase event name the webhook handler is bound to.
 * @returns A middleware answering 400 on any other (or missing) event header.
 */
export const withSaleorEventMatch =
  <E extends string>(expectedEvent: `${Lowercase<E>}`): Middleware =>
  (handler) =>
  async (request) => {
    const eventHeader = request.headers[SALEOR_EVENT_HEADER];

    if (eventHeader === expectedEvent) {
      return handler(request);
    }

    return Response.BadRequest({
      success: false,
      message: "Invalid Saleor Event",
    });
  };
/**
 * Requires a non-empty `auth_token` request parameter.
 *
 * This is a presence check only: the token is not validated here, so a
 * separate verification step is still required before it is relied upon.
 */
export const withAuthTokenRequired: Middleware = (handler) => async (request) => {
  const { auth_token: suppliedToken } = request.params;

  if (suppliedToken) {
    return handler(request);
  }

  return Response.BadRequest({
    success: false,
    message: "Missing auth token.",
  });
};
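/**
 * Verifies the `saleor-signature` header of an incoming webhook request
 * against the raw request body.
 *
 * With `secretKey` the header must be the hex HMAC-SHA256 of the raw body.
 * Without it the header is treated as a detached JWS (`<protected>..<signature>`)
 * whose payload is the raw body, verified against the JWKS published by the
 * domain given in the Saleor domain header.
 *
 * @param secretKey Shared webhook secret; when omitted the JWS path is used.
 * @returns A middleware that answers 500 when the raw body is unavailable,
 *   400 when the signature is missing or invalid, and otherwise calls `handler`.
 */
export const withWebhookSignatureVerified =
  (secretKey: string | undefined = undefined): Middleware =>
  (handler) =>
  async (request) => {
    // The signature covers the raw bytes; once the body has been parsed the
    // exact bytes are gone and nothing can be verified.
    if (request.rawBody === undefined) {
      return Response.InternalServerError({
        success: false,
        message: "Request payload already parsed.",
      });
    }

    const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "saleor-signature": payloadSignature } =
      request.headers;

    // A missing (or repeated) header can never verify; reject it before either
    // branch touches it so the JWS path does not throw on `.split`.
    if (typeof payloadSignature !== "string") {
      return Response.BadRequest({
        success: false,
        message: "Invalid signature.",
      });
    }

    if (secretKey !== undefined) {
      const calculatedSignature = crypto
        .createHmac("sha256", secretKey)
        .update(request.rawBody)
        .digest("hex");

      // Compare in constant time so response latency does not depend on how
      // many leading characters of the digest the caller got right.
      const expected = Buffer.from(calculatedSignature);
      const received = Buffer.from(payloadSignature);
      const matches =
        expected.length === received.length && crypto.timingSafeEqual(expected, received);

      if (!matches) {
        return Response.BadRequest({
          success: false,
          message: "Invalid signature.",
        });
      }
    } else {
      // Detached JWS: the header carries the protected header and the
      // signature; the payload is the raw body.
      const [header, , signature] = payloadSignature.split(".");
      const jws = {
        protected: header,
        payload: request.rawBody,
        signature,
      };

      // NOTE(review): the key set is fetched from the domain the request itself
      // names, so a successful verification only proves the sender controls
      // that domain's JWKS. Callers should make sure the domain is the one this
      // app is installed for before trusting the webhook.
      const remoteJwks = jose.createRemoteJWKSet(
        new URL(jwksUrl(saleorDomain))
      ) as jose.FlattenedVerifyGetKey;

      try {
        await jose.flattenedVerify(jws, remoteJwks);
      } catch {
        return Response.BadRequest({
          success: false,
          message: "Invalid signature.",
        });
      }
    }

    return handler(request);
  };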
/**
 * Claims carried by a Saleor dashboard token, on top of the standard JWT
 * claims (`iss`, `exp`, …) declared by `JwtPayload`.
 */
export interface DashboardTokenPayload extends JwtPayload {
  /** Id of the app the token was issued for; compared against the installed app's id. */
  app: string;
}
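/**
 * Verifies a Saleor dashboard token sent in the `authorization-bearer` header.
 *
 * The token is accepted only when its `iss` claim equals the Saleor domain
 * header, its `app` claim equals the id returned by `getAppId`, and its
 * signature verifies against the RSA key published at that domain's JWKS.
 * Every rejection of a present-but-bad token uses the same "Invalid token."
 * response so the failing check is not disclosed to the caller.
 *
 * @param getAppId Resolves the id of the app installed for this request; a
 *   rejection or an undefined result rejects the request.
 * @returns A middleware that calls `handler` only for a verified token.
 */
export const withJWTVerified =
  (getAppId: (request: Request) => Promise<string | undefined>): Middleware =>
  (handler) =>
  async (request) => {
    const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "authorization-bearer": token } = request.headers;

    const invalidToken = () =>
      Response.BadRequest({
        success: false,
        message: "Invalid token.",
      });

    if (token === undefined) {
      return Response.BadRequest({
        success: false,
        message: "Missing token.",
      });
    }

    // Decode without verifying to read the claims and the `kid` header. Nothing
    // read here is trusted until `jwt.verify` succeeds below.
    let decoded;
    try {
      decoded = jwt.decode(token as string, { complete: true });
    } catch (e) {
      console.error(e);
      return invalidToken();
    }

    if (decoded === null || typeof decoded.payload === "string") {
      return invalidToken();
    }
    const tokenClaims = decoded.payload as DashboardTokenPayload;

    if (tokenClaims.iss !== saleorDomain) {
      return invalidToken();
    }

    let appId: string | undefined;
    try {
      appId = await getAppId(request);
    } catch (error) {
      console.error("Error during getting the app ID.");
      console.error(error);
      return Response.BadRequest({
        success: false,
        message: "Error during token invalidation - could not obtain the app ID.",
      });
    }

    if (!appId || tokenClaims.app !== appId) {
      return invalidToken();
    }

    // NOTE(review): the JWKS is fetched from the domain the request names; the
    // `app` check above is what ties that domain to an actual installation, so
    // `getAppId` must return undefined for domains the app is not installed on.
    // This URL presumably duplicates `jwksUrl()` from "./urls" — consider reusing it.
    const jwksClient = jwks({
      jwksUri: `https://${saleorDomain}/.well-known/jwks.json`,
    });
    // Select the key the token names so key rotation works; without a `kid`
    // the client falls back to its default selection, as before.
    const signingKey = await jwksClient.getSigningKey(decoded.header.kid);
    const signingSecret =
      (signingKey as CertSigningKey).publicKey || (signingKey as RsaSigningKey).rsaPublicKey;

    try {
      // Restrict to RSA algorithms: the key above is an RSA public key, and an
      // open `algorithms` list would let a token that declares an HMAC alg be
      // checked against that public key as if it were the shared secret.
      jwt.verify(token as string, signingSecret, {
        algorithms: ["RS256", "RS384", "RS512"],
      });
    } catch (e) {
      console.error(e);
      return invalidToken();
    }

    return handler(request);
  };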