-
Notifications
You must be signed in to change notification settings - Fork 1
/
authenticateByJwt.ts
74 lines (69 loc) · 2.66 KB
/
authenticateByJwt.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
import jwt, { JwtHeader } from "jsonwebtoken";
import jwkToPem, { JWK } from "jwk-to-pem";
import { NextFunction, Request, Response } from "express";
import fetch from "cross-fetch";
import { AuthenticationError } from "apollo-server-errors";
import { formatError } from "graphql";
interface CognitoPublicKeys {
keys: Array<JWK & JwtHeader>
}
export async function fetchCognitoPublicKeys(jwkUrl: string): Promise<CognitoPublicKeys> {
return fetch(jwkUrl).then((response: any) => {
if (!response.ok) {
throw new Error("Could not reach Cognito public keys URL.");
}
const jwk = response.json();
console.log("Cognito public keys loaded successfully.");
return jwk;
});
}
const verifyJwt = (token: string, jwk: CognitoPublicKeys) => {
const decodedJwt = jwt.decode(token, { complete: true });
if (!decodedJwt) {
throw new Error("Invalid token.");
}
const key = jwk.keys.find(key => {
return key.kid === decodedJwt.header.kid
});
if (!key) {
throw new Error("Signing key for token not found in Cognito public keys.");
}
const pem = jwkToPem(key);
const verifiedToken = jwt.verify(token, pem);
if (typeof verifiedToken !== "object") {
throw new Error("Token is not in expected format.");
}
return verifiedToken;
};
function getJwtToken(authHeader: string = "") {
if (!authHeader.startsWith("Bearer ")) {
return null;
}
return authHeader.substring('Bearer '.length);
}
export default async function authenticateByJwt(cognitoPublicKeys: CognitoPublicKeys, authHeader = "", isPreviewEnv: boolean) {
const token = getJwtToken(authHeader);
// Check if the authorization header exists and has a bearer token.
// If not, return null
if (!token) {
if (isPreviewEnv) {
// Reject all non-logged in queries in preview environment
console.log("No bearer token sent. In preview environment, so returning AuthenticationError.");
throw new AuthenticationError('You must sign in to SSO before accessing preview API.');
}
return {};
} else {
try {
return {
user: verifyJwt(token, cognitoPublicKeys)
};
} catch (e) {
console.log("Exception thrown while verifying user", e);
if (isPreviewEnv) {
// Reject all non-logged in queries in preview environment
console.log("In preview environment, so returning AuthenticationError.\n", e)
throw new AuthenticationError('You must sign in to SSO before accessing preview API.');
}
}
}
}