diff --git a/typegate/src/services/auth/mod.ts b/typegate/src/services/auth/mod.ts
index 1e9240e26..5788f6627 100644
--- a/typegate/src/services/auth/mod.ts
+++ b/typegate/src/services/auth/mod.ts
@@ -97,7 +97,7 @@ export async function ensureJWT(
 const [context, nextAuth] = await auth.tokenMiddleware(
 token,
- new URL(request.url),
+ request,
 );
 if (nextAuth !== null) {
 // "" is valid as it signal to remove the token
diff --git a/typegate/src/services/auth/protocols/basic.ts b/typegate/src/services/auth/protocols/basic.ts
index ca70fece2..aad0ec295 100644
--- a/typegate/src/services/auth/protocols/basic.ts
+++ b/typegate/src/services/auth/protocols/basic.ts
@@ -35,7 +35,7 @@ export class BasicAuth extends Protocol {
 tokenMiddleware(
 jwt: string,
- _url: URL,
+ _request: Request,
 ): Promise<[Record, string | null]> {
 try {
 const [username, token] = b64decode(jwt).split(
diff --git a/typegate/src/services/auth/protocols/internal.ts b/typegate/src/services/auth/protocols/internal.ts
index 0df74806e..90a321f4b 100644
--- a/typegate/src/services/auth/protocols/internal.ts
+++ b/typegate/src/services/auth/protocols/internal.ts
@@ -24,7 +24,7 @@ export class InternalAuth extends Protocol {
 async tokenMiddleware(
 token: string,
- _url: URL,
+ _request: Request,
 ): Promise<[Record, string | null]> {
 try {
 const claims = await verifyJWT(token);
diff --git a/typegate/src/services/auth/protocols/jwt.ts b/typegate/src/services/auth/protocols/jwt.ts
index 0adcd1bae..9c17a872b 100644
--- a/typegate/src/services/auth/protocols/jwt.ts
+++ b/typegate/src/services/auth/protocols/jwt.ts
@@ -47,7 +47,7 @@ export class JWTAuth extends Protocol {
 async tokenMiddleware(
 token: string,
- _url: URL,
+ _request: Request,
 ): Promise<[Record, string | null]> {
 try {
 const claims = await jwt.verify(token, this.signKey);
diff --git a/typegate/src/services/auth/protocols/oauth2.ts b/typegate/src/services/auth/protocols/oauth2.ts
index ea34d4bda..880820279 100644
--- a/typegate/src/services/auth/protocols/oauth2.ts
+++ b/typegate/src/services/auth/protocols/oauth2.ts
@@ -55,7 +55,10 @@ class AuthProfiler {
 });
 }
- async transform(profile: any, url: string) {
+ async transform(
+ profile: any,
+ request: Request,
+ ) {
 const { tg, runtimeReferences } = this.authParameters;
 const funcNode = tg.type(this.funcIndex, Type.FUNCTION);
 const mat = tg.materializer(funcNode.materializer);
@@ -63,7 +66,15 @@ class AuthProfiler {
 const validatorInputWeak = generateWeakValidator(tg, funcNode.input);
 const validatorOutput = generateValidator(tg, funcNode.output);
- const input = { ...profile, _: { info: { url } } };
+ const input = {
+ ...profile,
+ _: {
+ info: {
+ url: new URL(request.url),
+ headers: Object.fromEntries(request.headers.entries()),
+ },
+ },
+ };
 validatorInputWeak(input);
 // Note: this assumes func is a simple t.func(inp, out, mat)
@@ -154,7 +165,7 @@ export class OAuth2Auth extends Protocol {
 this.typegraphName,
 );
 const tokens = await client.code.getToken(url, { state, codeVerifier });
- const token = await this.createJWT(tokens);
+ const token = await this.createJWT(tokens, request);
 const headers = await setEncryptedSessionCookie(
 url.hostname,
 this.typegraphName,
@@ -211,8 +222,9 @@ export class OAuth2Auth extends Protocol {
 async tokenMiddleware(
 token: string,
- url: URL,
+ request: Request,
 ): Promise<[Record, string | null]> {
+ const url = new URL(request.url);
 const typegraphPath = `/${this.typegraphName}`;
 const client = new OAuth2Client({
 ...this.clientData,
@@ -236,7 +248,7 @@ export class OAuth2Auth extends Protocol {
 if (new Date().valueOf() / 1000 > claims.refreshAt) {
 try {
 const newClaims = await client.refreshToken.refresh(refreshToken);
- const token = await this.createJWT(newClaims);
+ const token = await this.createJWT(newClaims, request);
 return [
 claims,
 token ?? "", // token or clear
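Review bot: The rewritten `transform` signature keeps `profile: any`, so the provider profile that is later spread into the function input is never type-checked at the boundary; `profile: Record<string, unknown>` says what the spread expects and still compiles against `validatorInputWeak`. The body of `transform` continues past the end of this hunk.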
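Review bot: `headers: Object.fromEntries(request.headers.entries())` in the @@ -63 hunk hands every inbound header to the profiler function's input, which includes credential-bearing ones such as `authorization` and `cookie` (the same request carries the session cookie that `setEncryptedSessionCookie` in the @@ -154 hunk issues); the profiler is a user-defined materializer, so that material now flows into user code and anything it logs or forwards. An allow-list, or at least dropping those two keys before building `info`, keeps the feature without passing credentials on: `const headers = Object.fromEntries([...request.headers.entries()].filter(([k]) => !["authorization", "cookie"].includes(k)));` (Fetch `Headers` keys are already lower-cased). Separately, `_.info.url` changes from a string to a `URL` object and `validatorInputWeak(input)` runs on the object before any serialisation, so it is worth confirming the input type declared for `url` in the typegraph still validates. The enclosing `transform` starts in the @@ -55 hunk and ends outside the diff.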
@@ -252,6 +264,7 @@ export class OAuth2Auth extends Protocol {
 private async getProfile(
 token: Tokens,
+ request: Request,
 ): Promise> {
 if (!this.profileUrl) {
 return null;
@@ -270,7 +283,7 @@ export class OAuth2Auth extends Protocol {
 let profile = await res.json();
 if (this.authProfiler) {
- profile = await this.authProfiler!.transform(profile, url);
+ profile = await this.authProfiler!.transform(profile, request);
 }
 return profile;
@@ -279,8 +292,11 @@ export class OAuth2Auth extends Protocol {
 }
 }
- private async createJWT(token: Tokens): Promise {
- const profile = await this.getProfile(token);
+ private async createJWT(
+ token: Tokens,
+ request: Request,
+ ): Promise {
+ const profile = await this.getProfile(token, request);
 const profileClaims: ProfileClaims = profile
 ? mapKeys(profile, (k) => `profile.${k}`)
 : {};
diff --git a/typegate/src/services/auth/protocols/protocol.ts b/typegate/src/services/auth/protocols/protocol.ts
index 12b5b2f29..0609c7b5e 100644
--- a/typegate/src/services/auth/protocols/protocol.ts
+++ b/typegate/src/services/auth/protocols/protocol.ts
@@ -12,6 +12,6 @@ export abstract class Protocol {
 abstract tokenMiddleware(
 token: string,
- url: URL,
+ request: Request,
 ): Promise<[Record, string | null]>;
 }
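Review bot: The abstract `tokenMiddleware` contract in protocol.ts now takes the whole `Request` but carries no TSDoc, so each implementation is left to guess what it may do with it; the OAuth2 implementation in the hunks above reads only `request.url` and `request.headers`. A doc comment on the abstract method should state that `request` is the inbound request the token arrived with, that implementations should treat it as read-only and must not consume its body (later handlers presumably still need it — worth confirming), and that the second tuple element is `null` to leave the token untouched or `""` to clear it, as `ensureJWT` in mod.ts already relies on. Implementations that ignore the parameter, as basic/internal/jwt do with `_request`, could say so in the same style.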