import { Handler, NextFunction, Request, Response } from 'express';
import {
jwtVerifier,
JwtVerifierOptions,
claimCheck as _claimCheck,
ClaimCheck,
claimEquals as _claimEquals,
ClaimEquals,
claimIncludes as _claimIncludes,
ClaimIncludes,
requiredScopes as _requiredScopes,
RequiredScopes,
scopeIncludesAny as _scopeIncludesAny,
VerifyJwtResult as AuthResult,
} from 'access-token-jwt';
import type { JWTPayload } from 'access-token-jwt';
import { getToken } from 'oauth2-bearer';
/**
 * Options accepted by {@link auth}. Everything the underlying verifier
 * understands (issuer discovery, `jwksUri`, `issuer`, `audience`, …) is
 * inherited from `JwtVerifierOptions`; this interface only adds the
 * middleware-level switch below.
 */
export interface AuthOptions extends JwtVerifierOptions {
  /**
   * True if a valid Access Token JWT should be required for all routes.
   * Defaults to true.
   *
   * Only an explicit `false` makes authentication optional; `undefined` still
   * means required. When `false`, any verification failure (no token, bad
   * signature, wrong audience, …) is swallowed and the request continues
   * with `req.auth` left undefined, so downstream handlers must check
   * `req.auth` before relying on it.
   */
  authRequired?: boolean;
}
// Augment Express's Request so that `req.auth` is typed. It is set by the
// handler returned from `auth()` on successful verification and is otherwise
// undefined (no `auth()` in the chain, or `authRequired: false` and the token
// failed verification).
declare global {
  namespace Express {
    interface Request {
      // Verified token: decoded header, payload and the raw token string.
      auth?: AuthResult;
    }
  }
}
/**
 * Middleware that will return a 401 if a valid JWT bearer token is not provided
 * in the request.
 *
 * Can be used in 2 ways:
 *
 * 1. Pass in an {@link AuthOptions.issuerBaseURL} (or define the env
 * variable `ISSUER_BASE_URL`)
 *
 * ```js
 * app.use(auth({
 * issuerBaseURL: 'http://issuer.example.com',
 * audience: 'https://myapi.com'
 * }));
 * ```
 *
 * This uses the {@link AuthOptions.issuerBaseURL} to find the OAuth 2.0
 * Authorization Server Metadata to get the {@link AuthOptions.jwksUri}
 * and {@link AuthOptions.issuer}.
 *
 * 2. You can also skip discovery and provide the {@link AuthOptions.jwksUri} (or
 * define the env variable `JWKS_URI`) and {@link AuthOptions.issuer} (or define
 * the env variable `ISSUER`) yourself.
 *
 * ```js
 * app.use(auth({
 * jwksUri: 'http://issuer.example.com/well-known/jwks.json',
 * issuer: 'http://issuer.example.com',
 * audience: 'https://myapi.com'
 * }));
 * ```
 *
 * You must provide the `audience` argument (or `AUDIENCE` environment variable)
 * used to match against the Access Token's `aud` claim.
 *
 * Successful requests will have the following properties added to them:
 *
 * ```js
 * app.get('/foo', auth(), (req, res, next) => {
 * const auth = req.auth;
 * auth.header; // The decoded JWT header.
 * auth.payload; // The decoded JWT payload.
 * auth.token; // The raw JWT token.
 * });
 * ```
 *
 * Behaviour on failure: the verification error is handed to `next(err)` and
 * so to Express's error-handling middleware. With `authRequired: false` the
 * error is dropped instead and the request continues with `req.auth`
 * undefined — an *invalid* token is treated the same as no token at all, so
 * route handlers must not infer "anonymous but harmless" from a missing
 * `req.auth`.
 *
 * The token is extracted by `oauth2-bearer`'s `getToken`, which is handed the
 * headers, query string and (for `application/x-www-form-urlencoded`
 * requests) the body; presumably it therefore accepts the RFC 6750 query and
 * body parameter forms as well as the `Authorization` header — confirm in
 * that package before relying on it, since tokens in the query string tend to
 * end up in access logs.
 *
 * @param opts verifier options plus {@link AuthOptions.authRequired};
 *   defaults to `{}` (values then come from the environment variables above).
 * @returns an async Express handler that sets `req.auth` and calls `next()`.
 */
export const auth = (opts: AuthOptions = {}): Handler => {
  // The verifier is built once per auth() call, not per request.
  const verifyJwt = jwtVerifier(opts);

  return async (
    req: Request,
    res: Response,
    next: NextFunction
  ): Promise<void> => {
    try {
      const isFormEncoded = !!req.is('urlencoded');
      const token = getToken(req.headers, req.query, req.body, isFormEncoded);
      req.auth = await verifyJwt(token);
      next();
    } catch (err) {
      // Read per request; only an explicit `false` makes auth optional.
      const authOptional = opts.authRequired === false;
      if (!authOptional) {
        next(err);
        return;
      }
      next();
    }
  };
};
/**
 * Adapts a payload validator (the `access-token-jwt` claim/scope checks) into
 * an Express handler.
 *
 * The validator receives `req.auth?.payload` — `undefined` when `auth()` did
 * not run earlier in the chain, or ran with `authRequired: false` and the
 * token failed verification — and signals rejection by throwing. A thrown
 * value is forwarded to `next(err)`; otherwise the chain continues.
 *
 * @param fn validator that throws on an unacceptable payload.
 * @returns an Express handler wrapping `fn`.
 */
const toHandler = (fn: (payload?: JWTPayload) => void): Handler => {
  function handle(req: Request, res: Response, next: NextFunction): void {
    try {
      fn(req.auth?.payload);
      next();
    } catch (err) {
      next(err);
    }
  }
  return handle;
};
/**
 * Check the token's claims using a custom method that receives the
 * {@link JWTPayload} and should return `true` if the token is valid. Raises
 * a 401 `invalid_token` error if the function returns false. You can also
 * customise the `error_description` which should be formatted per rfc6750.
 *
 * Must run after {@link auth}: the payload handed to the check is
 * `req.auth?.payload`, which is undefined when no verified token is attached
 * to the request.
 *
 * ```js
 * app.use(auth());
 *
 * app.get('/admin/edit', claimCheck((claims) => {
 * return claims.isAdmin && claims.roles.includes('editor');
 * }, `Unexpected 'isAdmin' and 'roles' claims`), (req, res) => { ... });
 * ```
 */
export const claimCheck: ClaimCheck<Handler> = (...args) => {
  const validate = _claimCheck(...args);
  return toHandler(validate);
};
/**
 * Check a token's claim to be equal a given {@link JSONPrimitive}
 * (`string`, `number`, `boolean` or `null`) raises a 401 `invalid_token`
 * error if the value of the claim does not match.
 *
 * Must run after {@link auth}; the compared value comes from
 * `req.auth?.payload`.
 *
 * ```js
 * app.use(auth());
 *
 * app.get('/admin', claimEquals('isAdmin', true), (req, res) => { ... });
 * ```
 */
export const claimEquals: ClaimEquals<Handler> = (...args) => {
  const validate = _claimEquals(...args);
  return toHandler(validate);
};
/**
 * Check a token's claim to include a number of given {@link JSONPrimitive}s
 * (`string`, `number`, `boolean` or `null`) raises a 401 `invalid_token`
 * error if the value of the claim does not include all the given values.
 *
 * Must run after {@link auth}; the inspected claim comes from
 * `req.auth?.payload`.
 *
 * ```js
 * app.use(auth());
 *
 * app.get('/admin/edit', claimIncludes('role', 'admin', 'editor'),
 * (req, res) => { ... });
 * ```
 */
export const claimIncludes: ClaimIncludes<Handler> = (...args) => {
  const validate = _claimIncludes(...args);
  return toHandler(validate);
};
/**
 * Check a token's `scope` claim to include a number of given scopes, raises a
 * 403 `insufficient_scope` error if the value of the `scope` claim does not
 * include all the given scopes.
 *
 * Must run after {@link auth}; the `scope` claim is read from
 * `req.auth?.payload`.
 *
 * ```js
 * app.use(auth());
 *
 * app.get('/admin/edit', requiredScopes('read:admin write:admin'),
 * (req, res) => { ... });
 * ```
 */
export const requiredScopes: RequiredScopes<Handler> = (...args) => {
  const validate = _requiredScopes(...args);
  return toHandler(validate);
};
/**
 * Check a token's `scope` claim to include any of the given scopes, raises a
 * 403 `insufficient_scope` error if the value of the `scope` claim does not
 * include any of the given scopes.
 *
 * Must run after {@link auth}; the `scope` claim is read from
 * `req.auth?.payload`. Shares the `RequiredScopes` handler type with
 * {@link requiredScopes} since both take the same arguments.
 *
 * ```js
 * app.use(auth());
 *
 * app.get('/admin/edit', scopeIncludesAny('read:msg read:admin'),
 * (req, res) => { ... });
 * ```
 */
export const scopeIncludesAny: RequiredScopes<Handler> = (...args) => {
  const validate = _scopeIncludesAny(...args);
  return toHandler(validate);
};
// Type re-exports for consumers: `AuthResult` aliases the verifier's
// `VerifyJwtResult` and `JWTPayload` is an `import type` above.
// NOTE(review): a type-only re-export written as `export { … }` is rejected
// under `isolatedModules`; if the build enables it this needs
// `export type { … }` — confirm against the project's tsconfig.
export { AuthResult, JWTPayload };
// Validator and JWT header/claim-primitive types from the verifier package.
export {
  FunctionValidator,
  Validator,
  Validators,
  JWTHeader,
  JSONPrimitive,
} from 'access-token-jwt';
// Error classes from oauth2-bearer, presumably the ones raised on failed
// authentication/authorization and forwarded to `next(err)` above; exported so
// a custom error-handling middleware can match them with `instanceof`.
export {
  UnauthorizedError,
  InvalidRequestError,
  InvalidTokenError,
  InsufficientScopeError,
} from 'oauth2-bearer';