feat: middleware on /continue endpoint

interledger · Aug 16, 2022 · 57e30fe · 57e30fe
1 parent c542fe5
commit 57e30fe
Showing 1 changed file with 31 additions and 52 deletions.
diff --git a/packages/auth/src/client/service.ts b/packages/auth/src/client/service.ts
@@ -64,13 +64,6 @@ export interface ClientService {
     jwk: JWKWithRequired,
     challenge: string
   ): Promise<boolean>
-  verifySigFromBoundKey(
-    sig: string,
-    sigInput: string,
-    accessTokenKey: string,
-    accessTokenValue: string,
-    ctx: AppContext
-  ): Promise<VerifySigFromBoundKeyResult>
   validateClientWithRegistry(clientInfo: ClientInfo): Promise<boolean>
   getRegistryDataByKid(kid: string): Promise<RegistryData>
   sigInputToChallenge(sigInput: string, ctx: AppContext): string | null
@@ -97,21 +90,6 @@ export async function createClientService({
   return {
     verifySig: (sig: string, jwk: JWKWithRequired, challenge: string) =>
       verifySig(deps, sig, jwk, challenge),
-    verifySigFromBoundKey: (
-      sig: string,
-      sigInput: string,
-      accessTokenKey: string,
-      accessTokenValue: string,
-      ctx: AppContext
-    ) =>
-      verifySigFromBoundKey(
-        deps,
-        sig,
-        sigInput,
-        accessTokenKey,
-        accessTokenValue,
-        ctx
-      ),
     validateClientWithRegistry: (clientInfo: ClientInfo) =>
       validateClientWithRegistry(deps, clientInfo),
     getRegistryDataByKid: (kid: string) => getRegistryDataByKid(deps, kid),
@@ -179,24 +157,9 @@ async function verifySigFromBoundKey(
   deps: ServiceDependencies,
   sig: string,
   sigInput: string,
-  accessTokenKey: string,
-  accessTokenValue: string,
+  grant: Grant,
   ctx: AppContext
 ): Promise<VerifySigFromBoundKeyResult> {
-  const accessToken = await AccessToken.query().findOne(
-    accessTokenKey,
-    accessTokenValue
-  )
-  if (!accessToken) {
-    return {
-      success: false,
-      error: 'invalid_client',
-      status: 404,
-      message: 'token not found'
-    }
-  }
-  const grant = await Grant.query().findById(accessToken.grantId)
-
   const registryData = await getRegistryDataByKid(deps, grant.clientKeyId)
   if (!registryData)
     return {
@@ -339,30 +302,46 @@ async function tokenHttpsigMiddleware(
   }
 
   const { body } = ctx.request
-  let keyName = '',
-    value = ''
   const { path, method } = ctx
   // TODO: replace with HttpMethod types instead of string literals
+  let grant: Grant
   if (path.includes('/introspect') && method === 'POST') {
-    keyName = 'value'
-    value = body['access_token']
+    const accessToken = await AccessToken.query().findOne(
+      'value',
+      body['access_token']
+    )
+    if (!accessToken) {
+      ctx.status = 404
+      ctx.body = {
+        error: 'invalid_client',
+        message: 'token not found'
+      }
+    }
+
+    grant = await Grant.query().findById(accessToken.grantId)
   } else if (path.includes('/token') && method === 'DELETE') {
-    keyName = 'managementId'
-    value = ctx.params['managementId']
+    const accessToken = await AccessToken.query().findOne(
+      'managementId',
+      ctx.params['managementId']
+    )
+    if (!accessToken) {
+      ctx.status = 404
+      ctx.body = {
+        error: 'invalid_client',
+        message: 'token not found'
+      }
+    }
+
+    grant = await Grant.query().findById(accessToken.grantId)
+  } else if (path.includes('/continue')) {
+    grant = await Grant.query().findOne('interactId', ctx.params['interactId'])
   } else {
     // Is not a route that requires httpsig validation, somehow
     next()
     return
   }
 
-  const verified = await verifySigFromBoundKey(
-    deps,
-    sig,
-    sigInput,
-    keyName,
-    value,
-    ctx
-  )
+  const verified = await verifySigFromBoundKey(deps, sig, sigInput, grant, ctx)
 
   if (!verified.success) {
     ctx.status = verified.status || 401