'use strict'; module.exports.create = function (cli, engine/*, dnsd*/) { var subparts = (cli.subject || '').split('@'); /* { "kty": "EC", "use": "sig", "crv": "P-256", "x": "ogbK2nP6SiEIIp4w8oXBn3dcs6kljFfTbgZYG591tUU", "y": "sB0AekMYwpvbQfAoW-2LlEWdapNhxynfj1zBtWpE9lo", "alg": "ES256" } */ var jwt; var jwk; var privpem; var pubpem; if (!subparts[1]) { subparts = [ 'root', 'localhost' ]; // TODO generate new random key and store it jwk = { //"kid": "thumbnail(pubkey)", "kty": "EC", "d": "GRIT-yJVlhAsgIChbNanxv41iCxbZszbHHgK8kbZovs", "use": "sig", "crv": "P-256", "x": "ogbK2nP6SiEIIp4w8oXBn3dcs6kljFfTbgZYG591tUU", "y": "sB0AekMYwpvbQfAoW-2LlEWdapNhxynfj1zBtWpE9lo", "alg": "ES256" }; jwt = require('jsonwebtoken'); privpem = require('jwk-to-pem')(jwk, { private: true }); pubpem = require('jwk-to-pem')(jwk, { private: false }); console.log(privpem); console.log("================================"); console.log(" JWT Write Authorization Token: "); console.log("================================"); console.log(jwt.sign( { sub: subparts[0] , iss: subparts[1] , aud: 'localhost' , scp: '+rw@adns.org' } , privpem , { notBefore: 0 // from now , expiresIn: '2h' , algorithm: 'ES256' } )); // expressed as "from now" /* { NotBeforeError: jwt not active at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:117:19) at digd.js/lib/httpd.js:112:15 at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) at digd.js/node_modules/express/lib/router/index.js:284:7 at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12) at next (digd.js/node_modules/express/lib/router/index.js:275:10) at expressInit (digd.js/node_modules/express/lib/middleware/init.js:40:5) at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) name: 'NotBeforeError', message: 'jwt not active', date: +050046-12-28T01:12:58.000Z } */ console.log("==============================="); console.log(" JWT Read Authorization Token: "); console.log("==============================="); console.log(jwt.sign( { sub: subparts[0] , iss: subparts[1] , aud: 'localhost' , scp: '+r@adns.org' } , privpem , { notBefore: 0 // from now , algorithm: 'ES256' } )); console.log("=========================="); } function runHttp() { var path = require('path'); var express = require('express'); var app = express(); var httpServer = require('http').createServer(app); function hasClaim(claim) { return function (req, res, next) { if ((req.token.scp||'').split(/[\s,]/g).some(function (c) { return claim === c; })) { next(); } else { next(new Error("no claim to '" + claim + "' in token")); } }; } app.use('/api', function (req, res, next) { var auth = (req.headers.authorization || req.query.token || '').split(/\s+/)[1]; var token; if (!auth) { res.statusCode = 403; res.send({ error: { message: "need authorization" } }); return; } jwt = jwt || require('jsonwebtoken'); try { token = jwt.decode(auth); } catch (e) { token = null; } if (!token || !token.iss) { res.statusCode = 403; res.send({ error: { message: "need jwt-format authorization" } }); return; } if (subparts[0] === token.sub && subparts[1] === token.iss) { try { /* // { algorithm: 'ES256' } { JsonWebTokenError: invalid algorithm at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:90:17) at digd.js/lib/httpd.js:82:15 at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) at digd.js/node_modules/express/lib/router/index.js:284:7 at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12) at next (digd.js/node_modules/express/lib/router/index.js:275:10) at expressInit (digd.js/node_modules/express/lib/middleware/init.js:40:5) at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) name: 'JsonWebTokenError', message: 'invalid algorithm' } */ // could be that it's private but expecting public, or public but expecting private /* Error: error:0906D06C:PEM routines:PEM_read_bio:no start line at Verify.verify (crypto.js:381:23) at verify (digd.js/node_modules/jwa/index.js:68:21) at Object.verify (digd.js/node_modules/jwa/index.js:85:18) at Object.jwsVerify [as verify] (digd.js/node_modules/jws/lib/verify-stream.js:54:15) at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:96:17) at digd.js/lib/httpd.js:82:15 at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) at digd.js/node_modules/express/lib/router/index.js:284:7 at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12) */ jwt.verify(auth, pubpem, { algorithms: [ 'ES256' ] }); } catch(e) { res.statusCode = 403; console.error(e); console.log(auth); console.log(jwt.decode(auth, { complete: true })); res.send({ error: { message: "jwt was not verified authorization" } }); return; } } req.auth = auth; req.token = token; next(); }); app.get('/api/verify-auth', function (req, res) { res.send({ success: true }); }); app.get('/api/peers', function (req, res) { engine.peers.all(function (err, peers) { res.send({ peers: peers }); }); }); app.get('/api/zones', function (req, res) { engine.zones.all(function (err, zones) { res.send({ zones: zones }); }); }); function mapRecord(r) { return { id: r.id , zone: r.zone , name: r.name , tld: r.tld , type: r.type , class: r.class , ttl: r.ttl , data: r.data , address: r.address , exchange: r.exchange , priority: r.priority , value: r.value , aname: r.aname , flag: r.flag , tag: r.tag , weight: r.weight , port: r.port , target: r.target }; } app.get('/api/zones/:zone/records', function (req, res) { var zonename = req.params.zone; engine.zones.get({ names: [ zonename ] }, function (err, zones) { var zone = engine.zoneToSoa(zones[0]); zone.class = zone.className; zone.type = zone.typeName; engine.records.all(function (err, records) { records = records.filter(function (r) { return r.zone === zonename; }).map(mapRecord); records.unshift(zone); res.send({ records: records }); }); }); }); app.get('/api/records', function (req, res) { engine.records.all(function (err, records) { res.send({ records: records.map(mapRecord) }); }); }); app.get('/api/records/:name', function (req, res) { engine.records.all(function (err, records) { res.send({ records: records.filter(function (r) { if (r.name === req.params.name) { return true; } var parts = req.params.name.split('.'); parts.shift(); if ('*.' + parts.join('.') === r.name) { return true; } }).map(mapRecord) }); }); }); app.post('/api/records/:id?', hasClaim('+rw@adns.org'), function (req, res) { console.log('req.body:', req.body); var record = req.body || {}; record.id = req.params.id || record.id; if ('SOA' === record.type) { // TODO be strict about what can be edited engine.records.save(record, function (err, record) { res.send({ success: true }); }); } else { engine.records.save(record, function (err, record) { res.send({ success: true }); }); } }); app.use('/', express.static(path.join(__dirname, 'public'))); httpServer.listen(cli.http, function () { console.log(httpServer.address().address + '#' + httpServer.address().port + ' (http)'); }); } runHttp(); };