Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2022 Savoir-faire Linux Inc. |
| 3 | * |
| 4 | * This program is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU Affero General Public License as |
| 6 | * published by the Free Software Foundation; either version 3 of the |
| 7 | * License, or (at your option) any later version. |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU Affero General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Affero General Public |
| 15 | * License along with this program. If not, see |
| 16 | * <https://www.gnu.org/licenses/>. |
| 17 | */ |
| 18 | import { NextFunction, Request, Response } from 'express'; |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 19 | import { HttpStatusCode } from 'jami-web-common'; |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 20 | import { jwtVerify } from 'jose'; |
| 21 | import { Container } from 'typedi'; |
| 22 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 23 | import { Vault } from '../vault.js'; |
| 24 | |
Misha Krieger-Raynauld | 6f9c7ae | 2022-10-28 11:41:45 -0400 | [diff] [blame] | 25 | function createAuthenticationMiddleware(isAuthenticationRequired: boolean) { |
| 26 | return async (req: Request, res: Response, next: NextFunction) => { |
| 27 | const publicKey = Container.get(Vault).publicKey; |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 28 | |
Misha Krieger-Raynauld | 6f9c7ae | 2022-10-28 11:41:45 -0400 | [diff] [blame] | 29 | const authorizationHeader = req.headers.authorization; |
| 30 | if (!authorizationHeader) { |
| 31 | if (isAuthenticationRequired) { |
| 32 | res.status(HttpStatusCode.Unauthorized).send('Missing Authorization header'); |
| 33 | } else { |
| 34 | // Skip authentication if it is optional, in which case the Authorization header should not have been set |
| 35 | res.locals.accountId = undefined; |
| 36 | next(); |
| 37 | } |
| 38 | return; |
| 39 | } |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 40 | |
Misha Krieger-Raynauld | 6f9c7ae | 2022-10-28 11:41:45 -0400 | [diff] [blame] | 41 | const token = authorizationHeader.split(' ')[1]; |
| 42 | if (token === undefined) { |
| 43 | res.status(HttpStatusCode.BadRequest).send('Missing JSON web token'); |
| 44 | return; |
| 45 | } |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 46 | |
Misha Krieger-Raynauld | 6f9c7ae | 2022-10-28 11:41:45 -0400 | [diff] [blame] | 47 | try { |
| 48 | const { payload } = await jwtVerify(token, publicKey, { |
| 49 | issuer: 'urn:example:issuer', |
| 50 | audience: 'urn:example:audience', |
| 51 | }); |
| 52 | res.locals.accountId = payload.id as string; |
| 53 | next(); |
| 54 | } catch (err) { |
| 55 | res.sendStatus(HttpStatusCode.Unauthorized); |
| 56 | } |
| 57 | }; |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 58 | } |
Misha Krieger-Raynauld | 6f9c7ae | 2022-10-28 11:41:45 -0400 | [diff] [blame] | 59 | |
| 60 | export const authenticateToken = createAuthenticationMiddleware(true); |
| 61 | |
| 62 | export const authenticateOptionalToken = createAuthenticationMiddleware(false); |