saleor-app-sdk-REDIS_APL/src/middleware.ts

import crypto from "crypto";
import * as jose from "jose";
import type { Middleware, Request } from "retes";
import { Response } from "retes/response";

import { SALEOR_AUTHORIZATION_BEARER_HEADER, SALEOR_SIGNATURE_HEADER } from "./const";
import { getSaleorHeaders } from "./headers";
import { getJwksUrl } from "./urls";

export const withBaseURL: Middleware = (handler) => async (request) => {
  const { host, "x-forwarded-proto": protocol = "http" } = request.headers;

  request.context.baseURL = `${protocol}://${host}`;

  return handler(request);
};

export const withSaleorDomainPresent: Middleware = (handler) => async (request) => {
  const { domain } = getSaleorHeaders(request.headers);

  if (!domain) {
    return Response.BadRequest({
      success: false,
      message: "Missing Saleor domain header.",
    });
  }

  return handler(request);
};

export const withSaleorEventMatch =
  <E extends string>(expectedEvent: `${Lowercase<E>}`): Middleware =>
  (handler) =>
  async (request) => {
    const { event } = getSaleorHeaders(request.headers);

    if (event !== expectedEvent) {
      return Response.BadRequest({
        success: false,
        message: `Invalid Saleor event. Expecting ${expectedEvent}.`,
      });
    }

    return handler(request);
  };

export const withAuthTokenRequired: Middleware = (handler) => async (request) => {
  const authToken = request.params.auth_token;
  if (!authToken) {
    return Response.BadRequest({
      success: false,
      message: "Missing auth token.",
    });
  }

  return handler(request);
};

export const withWebhookSignatureVerified =
  (secretKey: string | undefined = undefined): Middleware =>
  (handler) =>
  async (request) => {
    const ERROR_MESSAGE = "Webhook signature verification failed:";

    if (request.rawBody === undefined) {
      return Response.InternalServerError({
        success: false,
        message: `${ERROR_MESSAGE} Request payload already parsed.`,
      });
    }

    const { domain: saleorDomain, signature: payloadSignature } = getSaleorHeaders(request.headers);

    if (!payloadSignature) {
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} Missing ${SALEOR_SIGNATURE_HEADER} header.`,
      });
    }

    if (secretKey !== undefined) {
      const calculatedSignature = crypto
        .createHmac("sha256", secretKey)
        .update(request.rawBody)
        .digest("hex");

      if (calculatedSignature !== payloadSignature) {
        return Response.BadRequest({
          success: false,
          message: `${ERROR_MESSAGE} Verification using secret key has failed.`,
        });
      }
    } else {
      const [header, , signature] = payloadSignature.split(".");
      const jws = {
        protected: header,
        payload: request.rawBody,
        signature,
      };

      const remoteJwks = jose.createRemoteJWKSet(
        new URL(getJwksUrl(saleorDomain))
      ) as jose.FlattenedVerifyGetKey;

      try {
        await jose.flattenedVerify(jws, remoteJwks);
      } catch {
        return Response.BadRequest({
          success: false,
          message: `${ERROR_MESSAGE} Verification using public key has failed.`,
        });
      }
    }

    return handler(request);
  };

export interface DashboardTokenPayload extends jose.JWTPayload {
  app: string;
}

export const withJWTVerified =
  (getAppId: (request: Request) => Promise<string | undefined>): Middleware =>
  (handler) =>
  async (request) => {
    const { domain, authorizationBearer: token } = getSaleorHeaders(request.headers);
    const ERROR_MESSAGE = "JWT verification failed:";

    if (token === undefined) {
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} Missing ${SALEOR_AUTHORIZATION_BEARER_HEADER} header.`,
      });
    }

    let tokenClaims: DashboardTokenPayload;
    try {
      tokenClaims = jose.decodeJwt(token as string) as DashboardTokenPayload;
    } catch (e) {
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} Could not decode authorization token.`,
      });
    }

    if (tokenClaims.iss !== domain) {
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} Token iss property is different than domain header.`,
      });
    }

    let appId: string | undefined;
    try {
      appId = await getAppId(request);
    } catch (error) {
      return Response.InternalServerError({
        success: false,
        message: `${ERROR_MESSAGE} Could not obtain the app ID.`,
      });
    }

    if (!appId) {
      return Response.InternalServerError({
        success: false,
        message: `${ERROR_MESSAGE} No value for app ID.`,
      });
    }

    if (tokenClaims.app !== appId) {
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} Token's app property is different than app ID.`,
      });
    }

    try {
      const JWKS = jose.createRemoteJWKSet(new URL(getJwksUrl(domain)));
      await jose.jwtVerify(token, JWKS);
    } catch (e) {
      console.error(e);
      return Response.BadRequest({
        success: false,
        message: `${ERROR_MESSAGE} JWT signature verification failed.`,
      });
    }

    return handler(request);
  };
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`import crypto from "crypto";`
			`import * as jose from "jose";`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`import type { Middleware, Request } from "retes";`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`import { Response } from "retes/response";`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Unify error message for the middleware 2022-08-08 09:01:02 +00:00			`import { SALEOR_AUTHORIZATION_BEARER_HEADER, SALEOR_SIGNATURE_HEADER } from "./const";`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`import { getSaleorHeaders } from "./headers";`
Add test for urls 2022-08-08 14:55:57 +00:00			`import { getJwksUrl } from "./urls";`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
			`export const withBaseURL: Middleware = (handler) => async (request) => {`
			`const { host, "x-forwarded-proto": protocol = "http" } = request.headers;`

			request.context.baseURL = `${protocol}://${host}`;

Adds middleware test 2022-08-08 15:10:42 +00:00			`return handler(request);`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`};`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`export const withSaleorDomainPresent: Middleware = (handler) => async (request) => {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`const { domain } = getSaleorHeaders(request.headers);`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`if (!domain) {`
Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`return Response.BadRequest({`
			`success: false,`
			`message: "Missing Saleor domain header.",`
			`});`
			`}`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`return handler(request);`
			`};`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`export const withSaleorEventMatch =`
Replace string type with generic in withSaleorEventMatch middleware 2022-07-14 14:28:27 +00:00			<E extends string>(expectedEvent: `${Lowercase<E>}`): Middleware =>
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`(handler) =>`
			`async (request) => {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`const { event } = getSaleorHeaders(request.headers);`

			`if (event !== expectedEvent) {`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `Invalid Saleor event. Expecting ${expectedEvent}.`,
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`});`
			`}`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`return handler(request);`
			`};`

Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`export const withAuthTokenRequired: Middleware = (handler) => async (request) => {`
			`const authToken = request.params.auth_token;`
			`if (!authToken) {`
			`return Response.BadRequest({`
			`success: false,`
			`message: "Missing auth token.",`
			`});`
			`}`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00
Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`return handler(request);`
			`};`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Rename variables to camelCase 2022-07-20 14:04:38 +00:00			`export const withWebhookSignatureVerified =`
			`(secretKey: string \| undefined = undefined): Middleware =>`
			`(handler) =>`
			`async (request) => {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`const ERROR_MESSAGE = "Webhook signature verification failed:";`

Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`if (request.rawBody === undefined) {`
			`return Response.InternalServerError({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Request payload already parsed.`,
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`});`
			`}`
Add Saleor specific middlewares 2022-05-26 12:14:13 +00:00
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`const { domain: saleorDomain, signature: payloadSignature } = getSaleorHeaders(request.headers);`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00
Handle missing webhook signature header 2022-08-04 10:27:45 +00:00			`if (!payloadSignature) {`
			`return Response.BadRequest({`
			`success: false,`
Unify error message for the middleware 2022-08-08 09:01:02 +00:00			message: `${ERROR_MESSAGE} Missing ${SALEOR_SIGNATURE_HEADER} header.`,
Handle missing webhook signature header 2022-08-04 10:27:45 +00:00			`});`
			`}`

Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`if (secretKey !== undefined) {`
			`const calculatedSignature = crypto`
			`.createHmac("sha256", secretKey)`
			`.update(request.rawBody)`
			`.digest("hex");`

			`if (calculatedSignature !== payloadSignature) {`
			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Verification using secret key has failed.`,
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`});`
			`}`
			`} else {`
Remove unused variable 2022-07-20 14:05:00 +00:00			`const [header, , signature] = payloadSignature.split(".");`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`const jws = {`
			`protected: header,`
			`payload: request.rawBody,`
			`signature,`
			`};`

Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`const remoteJwks = jose.createRemoteJWKSet(`
Add test for urls 2022-08-08 14:55:57 +00:00			`new URL(getJwksUrl(saleorDomain))`
Fix unhandled exception when JWS is malformed 2022-07-14 12:04:27 +00:00			`) as jose.FlattenedVerifyGetKey;`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00
			`try {`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`await jose.flattenedVerify(jws, remoteJwks);`
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`} catch {`
			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Verification using public key has failed.`,
Webhooks signature verification middleware 2022-07-06 14:03:35 +00:00			`});`
			`}`
			`}`

			`return handler(request);`
			`};`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`export interface DashboardTokenPayload extends jose.JWTPayload {`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`app: string;`
			`}`

			`export const withJWTVerified =`
			`(getAppId: (request: Request) => Promise<string \| undefined>): Middleware =>`
			`(handler) =>`
			`async (request) => {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`const { domain, authorizationBearer: token } = getSaleorHeaders(request.headers);`
			`const ERROR_MESSAGE = "JWT verification failed:";`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00
			`if (token === undefined) {`
			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Missing ${SALEOR_AUTHORIZATION_BEARER_HEADER} header.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`let tokenClaims: DashboardTokenPayload;`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`try {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`tokenClaims = jose.decodeJwt(token as string) as DashboardTokenPayload;`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`} catch (e) {`
			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Could not decode authorization token.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`if (tokenClaims.iss !== domain) {`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Token iss property is different than domain header.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

			`let appId: string \| undefined;`
			`try {`
			`appId = await getAppId(request);`
			`} catch (error) {`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`return Response.InternalServerError({`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} Could not obtain the app ID.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`if (!appId) {`
			`return Response.InternalServerError({`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} No value for app ID.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`if (tokenClaims.app !== appId) {`
			`return Response.BadRequest({`
			`success: false,`
			message: `${ERROR_MESSAGE} Token's app property is different than app ID.`,
			`});`
			`}`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00
			`try {`
Add test for urls 2022-08-08 14:55:57 +00:00			`const JWKS = jose.createRemoteJWKSet(new URL(getJwksUrl(domain)));`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			`await jose.jwtVerify(token, JWKS);`
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`} catch (e) {`
			`console.error(e);`
			`return Response.BadRequest({`
			`success: false,`
Migrate to Jose and better error messages 2022-08-04 16:37:31 +00:00			message: `${ERROR_MESSAGE} JWT signature verification failed.`,
Add withJWTVerified middleware 2022-08-03 18:51:37 +00:00			`});`
			`}`

			`return handler(request);`
			`};`