djkato/saleor-app-sdk-REDIS_APL
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add withJWTVerified middleware

Browse source
This commit is contained in:
Krzysztof Wolski 2022-08-03 20:51:37 +02:00
parent aba71916c0
commit 345238e9ee
1 changed files with 86 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

90
src/middleware.ts
View file

@ -1,6 +1,8 @@
import crypto from "crypto"; import crypto from "crypto";
import * as jose from "jose"; import * as jose from "jose";
import type { Middleware } from "retes"; import jwt, { JwtPayload } from "jsonwebtoken";
import jwks, { CertSigningKey, RsaSigningKey } from "jwks-rsa";
import type { Middleware, Request } from "retes";
import { Response } from "retes/response"; import { Response } from "retes/response";
import { SALEOR_DOMAIN_HEADER, SALEOR_EVENT_HEADER } from "./const"; import { SALEOR_DOMAIN_HEADER, SALEOR_EVENT_HEADER } from "./const";
@ -33,7 +35,6 @@ export const withSaleorEventMatch =
(handler) => (handler) =>
async (request) => { async (request) => {
const receivedEvent = request.headers[SALEOR_EVENT_HEADER]; const receivedEvent = request.headers[SALEOR_EVENT_HEADER];
if (receivedEvent !== expectedEvent) { if (receivedEvent !== expectedEvent) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
@ -90,12 +91,12 @@ export const withWebhookSignatureVerified =
signature, signature,
}; };
const jwks = jose.createRemoteJWKSet( const remoteJwks = jose.createRemoteJWKSet(
new URL(jwksUrl(saleorDomain)) new URL(jwksUrl(saleorDomain))
) as jose.FlattenedVerifyGetKey; ) as jose.FlattenedVerifyGetKey;
try { try {
await jose.flattenedVerify(jws, jwks); await jose.flattenedVerify(jws, remoteJwks);
} catch { } catch {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
@ -106,3 +107,84 @@ export const withWebhookSignatureVerified =
return handler(request); return handler(request);
}; };
export interface DashboardTokenPayload extends JwtPayload {
app: string;
}
export const withJWTVerified =
(getAppId: (request: Request) => Promise<string | undefined>): Middleware =>
(handler) =>
async (request) => {
const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "authorization-bearer": token } = request.headers;
if (token === undefined) {
return Response.BadRequest({
success: false,
message: "Missing token.",
});
}
let tokenClaims;
try {
tokenClaims = jwt.decode(token as string);
} catch (e) {
console.error(e);
return Response.BadRequest({
success: false,
message: "Invalid token.",
});
}
if (tokenClaims === null) {
return Response.BadRequest({
success: false,
message: "Invalid token.",
});
}
if ((tokenClaims as DashboardTokenPayload).iss !== saleorDomain) {
return Response.BadRequest({
success: false,
message: "Invalid token.",
});
}
let appId: string | undefined;
try {
appId = await getAppId(request);
} catch (error) {
console.error("Error during getting the app ID.");
console.error(error);
return Response.BadRequest({
success: false,
message: "Error during token invalidation - could not obtain the app ID.",
});
}
if (!appId || (tokenClaims as DashboardTokenPayload).app !== appId) {
return Response.BadRequest({
success: false,
message: "Invalid token.",
});
}
const jwksClient = jwks({
jwksUri: `https://${saleorDomain}/.well-known/jwks.json`,
});
const signingKey = await jwksClient.getSigningKey();
const signingSecret =
(signingKey as CertSigningKey).publicKey || (signingKey as RsaSigningKey).rsaPublicKey;
try {
jwt.verify(token as string, signingSecret);
} catch (e) {
console.error(e);
return Response.BadRequest({
success: false,
message: "Invalid token.",
});
}
return handler(request);
};