claim-check.ts
import {
InvalidTokenError,
InsufficientScopeError,
UnauthorizedError,
} from 'oauth2-bearer';
import type { JWTPayload } from 'jose';
/** A JSON scalar: the only kinds of value the claim helpers in this file accept as an expected value. */
export type JSONPrimitive = string | number | boolean | null;
/** Validator returned by the factories in this file; it is called with the JWT payload, or with nothing. */
type ClaimChecker = (payload?: JWTPayload) => void;
/**
 * Runtime guard for an `expected` value handed to the claim helpers.
 *
 * The static `JSONPrimitive` type is erased at runtime, so a plain-JavaScript
 * caller can still pass an object, an array or `undefined`; this guard
 * rejects those explicitly.
 *
 * @param value - Candidate expected value.
 * @throws TypeError if `value` is not a string, number, boolean or `null`.
 */
const checkJSONPrimitive = (value: JSONPrimitive): void => {
  if (value === null) {
    return;
  }
  switch (typeof value) {
    case 'string':
    case 'number':
    case 'boolean':
      return;
    default:
      throw new TypeError("'expected' must be a string, number, boolean or null");
  }
};
/**
 * Builds a predicate that tests whether a claim contains the expected values.
 *
 * A string claim is treated as a list and split on single spaces. An array
 * claim is used as is. A claim of any other type never matches. Membership
 * is decided by `Set.prototype.has`, so nothing is coerced: the number `1`
 * does not match the string `'1'`, and the pieces of a split string are
 * always strings.
 *
 * NOTE(review): the presence test uses the `in` operator, which also sees
 * properties inherited through the prototype chain. A claim name such as
 * `'constructor'` would therefore count as present on an ordinary object.
 *
 * NOTE(review): when `matchAll` is `true` and `expected` is empty, `every`
 * runs over no elements and the predicate returns `true` for any string or
 * array claim.
 *
 * @param claim - Name of the claim to inspect.
 * @param expected - Values to look for in the claim.
 * @param matchAll - `true` (default) requires every expected value, `false`
 *   requires at least one.
 * @returns A predicate over the payload. The predicate throws
 *   `InvalidTokenError` when the claim is absent.
 */
const isClaimIncluded =
  (
    claim: string,
    expected: JSONPrimitive[],
    matchAll = true
  ): ((payload: JWTPayload) => boolean) =>
  (payload) => {
    if (!(claim in payload)) {
      throw new InvalidTokenError(`Missing '${claim}' claim`);
    }

    const raw = payload[claim];
    let members: unknown[];
    if (typeof raw === 'string') {
      members = raw.split(' ');
    } else if (Array.isArray(raw)) {
      members = raw;
    } else {
      // Numbers, booleans, objects and null cannot carry a list of values.
      return false;
    }

    const present = new Set(members);
    const isPresent = (value: JSONPrimitive): boolean => present.has(value);
    return matchAll ? expected.every(isPresent) : expected.some(isPresent);
  };
/**
 * Signature of the scope-checking factories: takes the scopes as a
 * space-delimited string or an array and returns `R`, by default a checker
 * that is called with the JWT payload.
 */
export type RequiredScopes<R = ClaimChecker> = (scopes: string | string[]) => R;

/**
 * Builds a checker that requires the token's `scope` claim to contain every
 * listed scope.
 *
 * A string argument is split on single spaces. An array is used as passed:
 * its elements are not type-checked and the array is not copied, so a caller
 * that mutates it later changes what the checker requires.
 *
 * NOTE(review): an empty array is accepted. The match is then an `every`
 * over no elements, so any token whose `scope` claim is a string or an array
 * satisfies the check. Confirm that callers never build the list from
 * configuration that can come back empty.
 *
 * @param scopes - Required scopes, as a space-delimited string or an array.
 * @returns A checker built by `claimCheck`. It throws
 *   `InsufficientScopeError` when the `scope` claim is absent or lacks one of
 *   the required scopes.
 * @throws TypeError if `scopes` is neither a string nor an array.
 */
export const requiredScopes: RequiredScopes = (scopes) => {
  let required: string[];
  if (typeof scopes === 'string') {
    required = scopes.split(' ');
  } else if (Array.isArray(scopes)) {
    required = scopes;
  } else {
    throw new TypeError("'scopes' must be a string or array of strings");
  }

  const hasEveryScope = isClaimIncluded('scope', required);

  return claimCheck((payload) => {
    // Checked here first so a missing claim is reported as an
    // insufficient-scope error that names the required scopes.
    if (!('scope' in payload)) {
      throw new InsufficientScopeError(required, "Missing 'scope' claim");
    }
    if (!hasEveryScope(payload)) {
      throw new InsufficientScopeError(required);
    }
    return true;
  });
};
/**
 * Builds a checker that requires the token's `scope` claim to contain at
 * least one of the listed scopes.
 *
 * A string argument is split on single spaces. An array is used as passed:
 * its elements are not type-checked and the array is not copied, so a caller
 * that mutates it later changes what the checker accepts.
 *
 * With an empty array the match is a `some` over no elements, so the checker
 * rejects every token.
 *
 * @param scopes - Acceptable scopes, as a space-delimited string or an array.
 * @returns A checker built by `claimCheck`. It throws
 *   `InsufficientScopeError` when the `scope` claim is absent or contains
 *   none of the listed scopes.
 * @throws TypeError if `scopes` is neither a string nor an array.
 */
export const scopeIncludesAny: RequiredScopes = (scopes) => {
  const isList = Array.isArray(scopes);
  if (typeof scopes !== 'string' && !isList) {
    throw new TypeError("'scopes' must be a string or array of strings");
  }
  const accepted: string[] =
    typeof scopes === 'string' ? scopes.split(' ') : scopes;

  // `false` switches the membership test from "all of" to "any of".
  const hasSomeScope = isClaimIncluded('scope', accepted, false);

  return claimCheck((payload) => {
    const scopeClaimPresent = 'scope' in payload;
    if (!scopeClaimPresent) {
      throw new InsufficientScopeError(accepted, "Missing 'scope' claim");
    }
    if (hasSomeScope(payload)) {
      return true;
    }
    throw new InsufficientScopeError(accepted);
  });
};
/**
 * Signature of `claimIncludes`: a claim name followed by the values the
 * claim must contain. Returns `R`, by default a checker that is called with
 * the JWT payload.
 */
export type ClaimIncludes<R = ClaimChecker> = (
  claim: string,
  ...expected: JSONPrimitive[]
) => R;

/**
 * Builds a checker that requires a claim to contain all of the given values.
 *
 * The claim may be a space-delimited string or an array; any other claim
 * type fails the check. Values are compared without coercion.
 *
 * NOTE(review): calling this with a claim name and no values is accepted.
 * The resulting checker then passes for any string or array value of that
 * claim, because the underlying `every` runs over no elements.
 *
 * @param claim - Name of the claim to inspect.
 * @param expected - Values that must all be present in the claim.
 * @returns A checker built by `claimCheck`. It throws `InvalidTokenError`
 *   when the claim is missing, or with the message `Unexpected '<claim>' value`
 *   when an expected value is absent.
 * @throws TypeError if `claim` is not a string or an expected value is not a
 *   JSON primitive.
 */
export const claimIncludes: ClaimIncludes = (claim, ...expected) => {
  if (typeof claim !== 'string') {
    throw new TypeError("'claim' must be a string");
  }
  // Validate the configuration up front, before any token is processed.
  for (const value of expected) {
    checkJSONPrimitive(value);
  }

  const includesAll = isClaimIncluded(claim, expected);
  return claimCheck(includesAll, `Unexpected '${claim}' value`);
};
/**
 * Signature of `claimEquals`: a claim name and the single value it must
 * equal. Returns `R`, by default a checker that is called with the JWT
 * payload.
 */
export type ClaimEquals<R = ClaimChecker> = (
  claim: string,
  expected: JSONPrimitive
) => R;

/**
 * Builds a checker that requires a claim to be strictly equal to one value.
 *
 * The comparison is `===`, so nothing is coerced: `'1'` does not equal `1`,
 * and an array or object claim never equals a primitive.
 *
 * NOTE(review): the presence test uses the `in` operator, which also sees
 * properties inherited through the prototype chain, so such a name would
 * reach the equality test instead of being reported as missing.
 *
 * @param claim - Name of the claim to compare.
 * @param expected - Value the claim must equal.
 * @returns A checker built by `claimCheck`. It throws `InvalidTokenError`
 *   when the claim is missing, or with the message `Unexpected '<claim>' value`
 *   when the value differs.
 * @throws TypeError if `claim` is not a string or `expected` is not a JSON
 *   primitive.
 */
export const claimEquals: ClaimEquals = (claim, expected) => {
  if (typeof claim !== 'string') {
    throw new TypeError("'claim' must be a string");
  }
  checkJSONPrimitive(expected);

  const matchesExpected = (payload: JWTPayload): boolean => {
    if (claim in payload) {
      return payload[claim] === expected;
    }
    throw new InvalidTokenError(`Missing '${claim}' claim`);
  };

  return claimCheck(matchesExpected, `Unexpected '${claim}' value`);
};
/**
 * Signature of `claimCheck`: a predicate over the JWT payload plus an
 * optional error message. Returns `R`, by default a checker that is called
 * with the JWT payload.
 */
export type ClaimCheck<R = ClaimChecker> = (
  fn: (payload: JWTPayload) => boolean,
  errMsg?: string
) => R;

/**
 * Wraps a predicate into a checker that throws when the token does not pass.
 *
 * The checker only inspects the payload object it is given. Nothing here
 * verifies a signature, expiry or issuer. Presumably the caller passes an
 * already verified payload; confirm at the call site.
 *
 * NOTE(review): the predicate's result is tested for truthiness, not
 * compared with `true`. A predicate that returns a Promise (an `async`
 * function passed from untyped JavaScript, for instance) yields a truthy
 * object, so the check would always pass.
 *
 * @param fn - Predicate deciding whether the payload is acceptable. It may
 *   throw its own error for a more specific failure.
 * @param errMsg - Message for the `InvalidTokenError` raised when `fn`
 *   returns a falsy value.
 * @returns A checker that throws `UnauthorizedError` when called without a
 *   payload and `InvalidTokenError` when `fn` rejects the payload.
 * @throws TypeError if `fn` is not a function.
 */
export const claimCheck: ClaimCheck = (fn, errMsg) => {
  if (typeof fn !== 'function') {
    throw new TypeError("'claimCheck' expects a function");
  }

  return (payload?: JWTPayload) => {
    if (payload) {
      if (fn(payload)) {
        return;
      }
      throw new InvalidTokenError(errMsg);
    }
    // No payload at all: there is nothing to check claims against.
    throw new UnauthorizedError();
  };
};