Add withJWTVerified middleware
This commit is contained in:
Krzysztof Wolski
parent
aba71916c0
commit
345238e9ee
1 changed files with 86 additions and 4 deletions
|
|
@ -1,6 +1,8 @@
|
|||
import crypto from "crypto";
|
||||
import * as jose from "jose";
|
||||
import type { Middleware } from "retes";
|
||||
import jwt, { JwtPayload } from "jsonwebtoken";
|
||||
import jwks, { CertSigningKey, RsaSigningKey } from "jwks-rsa";
|
||||
import type { Middleware, Request } from "retes";
|
||||
import { Response } from "retes/response";
|
||||
|
||||
import { SALEOR_DOMAIN_HEADER, SALEOR_EVENT_HEADER } from "./const";
|
||||
|
|
@ -33,7 +35,6 @@ export const withSaleorEventMatch =
|
|||
(handler) =>
|
||||
async (request) => {
|
||||
const receivedEvent = request.headers[SALEOR_EVENT_HEADER];
|
||||
|
||||
if (receivedEvent !== expectedEvent) {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
|
|
@ -90,12 +91,12 @@ export const withWebhookSignatureVerified =
|
|||
signature,
|
||||
};
|
||||
|
||||
const jwks = jose.createRemoteJWKSet(
|
||||
const remoteJwks = jose.createRemoteJWKSet(
|
||||
new URL(jwksUrl(saleorDomain))
|
||||
) as jose.FlattenedVerifyGetKey;
|
||||
|
||||
try {
|
||||
await jose.flattenedVerify(jws, jwks);
|
||||
await jose.flattenedVerify(jws, remoteJwks);
|
||||
} catch {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
|
|
@ -106,3 +107,84 @@ export const withWebhookSignatureVerified =
|
|||
|
||||
return handler(request);
|
||||
};
|
||||
|
||||
export interface DashboardTokenPayload extends JwtPayload {
|
||||
app: string;
|
||||
}
|
||||
|
||||
export const withJWTVerified =
|
||||
(getAppId: (request: Request) => Promise<string | undefined>): Middleware =>
|
||||
(handler) =>
|
||||
async (request) => {
|
||||
const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "authorization-bearer": token } = request.headers;
|
||||
|
||||
if (token === undefined) {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Missing token.",
|
||||
});
|
||||
}
|
||||
|
||||
let tokenClaims;
|
||||
try {
|
||||
tokenClaims = jwt.decode(token as string);
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Invalid token.",
|
||||
});
|
||||
}
|
||||
|
||||
if (tokenClaims === null) {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Invalid token.",
|
||||
});
|
||||
}
|
||||
|
||||
if ((tokenClaims as DashboardTokenPayload).iss !== saleorDomain) {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Invalid token.",
|
||||
});
|
||||
}
|
||||
|
||||
let appId: string | undefined;
|
||||
try {
|
||||
appId = await getAppId(request);
|
||||
} catch (error) {
|
||||
console.error("Error during getting the app ID.");
|
||||
console.error(error);
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Error during token invalidation - could not obtain the app ID.",
|
||||
});
|
||||
}
|
||||
|
||||
if (!appId || (tokenClaims as DashboardTokenPayload).app !== appId) {
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Invalid token.",
|
||||
});
|
||||
}
|
||||
|
||||
const jwksClient = jwks({
|
||||
jwksUri: `https://${saleorDomain}/.well-known/jwks.json`,
|
||||
});
|
||||
const signingKey = await jwksClient.getSigningKey();
|
||||
const signingSecret =
|
||||
(signingKey as CertSigningKey).publicKey || (signingKey as RsaSigningKey).rsaPublicKey;
|
||||
|
||||
try {
|
||||
jwt.verify(token as string, signingSecret);
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
return Response.BadRequest({
|
||||
success: false,
|
||||
message: "Invalid token.",
|
||||
});
|
||||
}
|
||||
|
||||
return handler(request);
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in a new issue