getCurrentUser given both decoded & access tokens

packages/api/src/auth/authDecoders/auth0.ts

@@ -0,0 +1,33 @@
+import { AuthenticationError } from 'apollo-server-lambda'
+import { verifyAuth0Token } from 'src/auth/verifyAuth0Token'
+import { getAuthorization } from 'src/auth/authHeaders'
+
+import type { AuthDecoder } from './'
+export type AuthDecoderAuth0 = AuthDecoder
+
+export const decode = async ({
+  event,
+}: {
+  event: APIGatewayProxyEvent
+}): Promise<AuthToken> => {
+  try {
+    const authorization = getAuthorization(event)
+    const token = authorization['token']
+    const decoded = await verifyAuth0Token(token)
+
+    return decoded
+  } catch {
+    throw new AuthenticationError(
+      'The authentication token could not be decoded.'
+    )
+  }
+}
+
+export const auth0 = (): AuthDecoderAuth0 => {
+  return {
+    type: 'auth0',
+    decodeToken: async ({ event }) => {
+      return decode({ event })
+    },
+  }
+}

packages/api/src/auth/authDecoders/index.ts

@@ -0,0 +1,26 @@
+import type { SupportedAuthTypes } from '@redwoodjs/auth'
+
+import { netlify } from './netlify'
+import { auth0 } from './auth0'
+import { token } from './token'
+
+const typesToDecoders = {
+  netlify: netlify,
+  auth0: auth0,
+  goTrue: netlify,
+  magicLink: token,
+  firebase: token,
+  /** Don't we support your auth client? Use the auth token in your own the `custom` client! */
+  custom: token,
+}
+
+export type AuthToken = null | object | string
+
+export interface AuthDecoder {
+  decodeToken({ type, event, context }): Promise<AuthToken>
+  type: SupportedAuthTypes
+}
+
+export const createAuthDecoder = (type: SupportedAuthTypes): AuthDecoder => {
+  return typesToDecoders[type]()
+}

packages/api/src/auth/authDecoders/netlify.ts

@@ -0,0 +1,55 @@
+import type {
+  APIGatewayProxyEvent,
+  Context as LambdaContext,
+  ClientContext,
+} from 'aws-lambda'
+import { AuthenticationError } from 'apollo-server-lambda'
+import jwt from 'jsonwebtoken'
+import { getAuthorization } from 'src/auth/authHeaders'
+
+import type { AuthDecoder } from './'
+export type AuthDecoderNetlify = AuthDecoder
+
+type NewClientContext = ClientContext & {
+  user?: object
+}
+
+export const decode = async ({
+  event,
+  context,
+}: {
+  event: APIGatewayProxyEvent
+  context: LambdaContext
+}): Promise<AuthToken> => {
+  try {
+    let decoded: AuthToken = null
+
+    // Netlify verifies and decodes a JWT before the request hits the Serverless
+    // function so the decoded JWT is already available in production
+    if (process.env.NODE_ENV === 'production') {
+      const clientContext = context.clientContext as NewClientContext
+      decoded = clientContext?.user || null
+    } else {
+      // We emulate the native Netlify experience in development mode.
+      // We just decode it since we don't have the signing key.
+      const authorization = getAuthorization(event)
+      const token = authorization['token']
+      decoded = jwt.decode(token)
+    }
+
+    return decoded
+  } catch {
+    throw new AuthenticationError(
+      'The authentication token could not be decoded.'
+    )
+  }
+}
+
+export const netlify = (): AuthDecoderNetlify => {
+  return {
+    type: 'netlify',
+    decodeToken: async ({ event, context }) => {
+      return decode({ event, context })
+    },
+  }
+}

packages/api/src/auth/authDecoders/token.ts

@@ -0,0 +1,33 @@
+import { AuthenticationError } from 'apollo-server-lambda'
+import { getAuthorization } from 'src/auth/authHeaders'
+
+import type { AuthDecoder } from './'
+export type AuthDecoderToken = AuthDecoder
+
+export const decode = async ({
+  event,
+}: {
+  event: APIGatewayProxyEvent
+  context: LambdaContext
+}): Promise<AuthToken> => {
+  try {
+    let decoded: AuthToken = null
+    const authorization = getAuthorization(event)
+    decoded = authorization['token']
+
+    return decoded
+  } catch {
+    throw new AuthenticationError(
+      'The authentication token could not be decoded.'
+    )
+  }
+}
+
+export const token = (): AuthDecoderToken => {
+  return {
+    type: 'token',
+    decodeToken: async ({ event }) => {
+      return decode({ event })
+    },
+  }
+}

packages/api/src/auth/authHeaders.ts

@@ -1,14 +1,8 @@
-import type {
-  APIGatewayProxyEvent,
-  Context as LambdaContext,
-  ClientContext,
-} from 'aws-lambda'
+import type { APIGatewayProxyEvent, Context as LambdaContext } from 'aws-lambda'
 import type { SupportedAuthTypes } from '@redwoodjs/auth'
-//
-import jwt from 'jsonwebtoken'
-import { AuthenticationError } from 'apollo-server-lambda'
 
-import { verifyAuth0Token } from './verifyAuth0Token'
+import type { AuthToken } from './authDecoders'
+import { createAuthDecoder } from './authDecoders'
 
 // This is shared by `@redwoodjs/web`
 const AUTH_PROVIDER_HEADER = 'auth-provider'
@@ -19,11 +13,40 @@ export const getAuthProviderType = (
   return event?.headers[AUTH_PROVIDER_HEADER] as SupportedAuthTypes
 }
 
-type NewClientContext = ClientContext & {
-  user?: object
+export interface AuthorizationHeader {
+  schema: 'Bearer' | 'Basic'
+  token: string
 }
 
-export type AuthToken = null | object | string
+/**
+ * This function returns the Authorization Header Schema and Token
+ * from the client request event headers in AuthorizationHeader
+ * to be decoded or otherwise used in token-based authentication
+ * when required to allow an application to access an API.
+ *
+ * @returns AuthorizationHeader
+ */
+export const getAuthorization = (event: {
+  event: APIGatewayProxyEvent
+}): AuthorizationHeader => {
+  try {
+    const authorizationHeader: AuthorizationHeader = {
+      schema: null,
+      token: null,
+    }
+    const mechanism = event.headers?.authorization?.split(' ')
+    authorizationHeader.schema = mechanism?.[0]
+    authorizationHeader.token = mechanism?.[1]
+
+    if (!mechanism.length === 2 || authorizationHeader.token.length === 0) {
+      throw new Error('Empty authorization token')
+    }
+
+    return authorizationHeader
+  } catch {
+    throw new Error('Error getting Authorization header')
+  }
+}
 
 /**
  * Redwood supports multiple authentication providers. We add headers to the client
@@ -45,54 +68,35 @@ export const decodeAuthToken = async ({
   event: APIGatewayProxyEvent
   context: LambdaContext
 }): Promise<AuthToken> => {
-  const token = event.headers?.authorization?.split(' ')?.[1]
-  if (!token && token.length === 0) {
-    throw new Error('Empty authorization token')
-  }
+  const authDecoder = createAuthDecoder(type)
+  const decoded = await authDecoder.decodeToken({ type, event, context })
 
-  let decoded: AuthToken = null
-  switch (type) {
-    case 'goTrue':
-    case 'netlify': {
-      // Netlify verifies and decodes a JWT before the request hits the Serverless
-      // function so the decoded jwt is already available in production
-      if (process.env.NODE_ENV === 'production') {
-        const clientContext = context.clientContext as NewClientContext
-        decoded = clientContext?.user || null
-      } else {
-        // We emualate the native Netlify experience in development mode.
-        // We just decode it since we don't have the signing key.
-        decoded = jwt.decode(token)
-      }
-      break
-    }
-    case 'auth0': {
-      decoded = await verifyAuth0Token(token)
-      break
-    }
+  return decoded
+}
 
-    case 'firebase':
-    case 'magicLink': {
-      decoded = token
-      break
-    }
+/**
+ * Get the authorization information from the request headers and request context.
+ * @returns [decoded, { type, token }]
+ **/
+export const getAuthenticationContext = async ({
+  event,
+  context,
+}: {
+  event: APIGatewayProxyEvent
+  context: GlobalContext & LambdaContext
+}) => {
+  const type = getAuthProviderType(event)
 
-    // These tokens require a 3rd party library for decoding that we don't want to
-    // bundle with each installation. We'll cover it in the documentation.
-    default: {
-      decoded = {
-        type,
-        token,
-      }
-      break
-    }
-  }
+  let decoded = null
+  let token = null
 
-  if (decoded === null) {
-    throw new AuthenticationError(
-      'The authentication token could not be decoded.'
-    )
+  // if type is undefined, then not using an auth provider
+  // ie, not "logged in"
+  if (typeof type !== 'undefined') {
+    decoded = await decodeAuthToken({ type, event, context })
+    const authorization = getAuthorization(event)
+    token = authorization['token']
   }
 
-  return decoded
+  return [decoded, { type, token }]
 }

packages/api/src/functions/graphql.ts

@@ -5,7 +5,7 @@ import type { AuthToken } from 'src/auth/authHeaders'
 import type { GlobalContext } from 'src/globalContext'
 //
 import { ApolloServer } from 'apollo-server-lambda'
-import { getAuthProviderType, decodeAuthToken } from 'src/auth/authHeaders'
+import { getAuthenticationContext } from 'src/auth/authHeaders'
 import { setContext } from 'src/globalContext'
 
 export type GetCurrentUser = (
@@ -37,14 +37,19 @@ export const createContextHandler = (
     // such as database connections, to be released before returning a reponse.
     context.callbackWaitsForEmptyEventLoop = false
 
-    // Get the authorization information from the request headers and request context.
-    const type = getAuthProviderType(event)
+    const [decoded, { type, token }] = await getAuthenticationContext({
+      event,
+      context,
+    })
+
     if (typeof type !== 'undefined') {
-      const authToken = await decodeAuthToken({ type, event, context })
       context.currentUser =
         typeof getCurrentUser == 'function'
-          ? await getCurrentUser(authToken)
-          : authToken
+          ? await getCurrentUser(decoded, {
+              token,
+              authType: type,
+            })
+          : decoded
     }
 
     // Sets the **global** context object, which can be imported with:

packages/cli/src/commands/generate/auth/templates/auth.js.template

@@ -7,8 +7,8 @@
 
 import { AuthenticationError } from '@redwoodjs/api'
 
-export const getCurrentUser = async (jwt) => {
-  return jwt
+export const getCurrentUser = async (decoded, { token, authType }) => {
+  return decoded
 }
 
 // Use this function in your services to check that a user is logged in, and

packages/cli/src/commands/generate/auth/templates/firebase.auth.js.template

@@ -22,7 +22,7 @@ const config = {
 
 const adminApp = admin.initializeApp(config)
 
-export const getCurrentUser = async (token) => {
+export const getCurrentUser = async (decoded, { token, authType }) => {
   const { email, uid } = await adminApp.auth().verifyIdToken(token)
   return { email, uid }
 }