diff --git a/models.js b/models.js new file mode 100644 index 0000000..47d54eb --- /dev/null +++ b/models.js @@ -0,0 +1,13 @@ +'use strict'; + +var apiname = 'issuer_oauth3_org'; +var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt' ]; + +module.exports = [ + { + tablename: apiname + '_jwks', + idname: 'id', + unique: ['id'], + indices: baseFields.concat([ 'kty', 'kid' ]), + } +]; diff --git a/package.json b/package.json new file mode 100644 index 0000000..306abf5 --- /dev/null +++ b/package.json @@ -0,0 +1,16 @@ +{ + "name": "issuer_oauth3.org", + "version": "1.0.0-placeholder", + "description": "Implementation of server-side RESTful OAuth3 issuer APIs", + "main": "rest.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "repository": { + "type": "git", + "url": "git+https://git.daplie.com/Oauth3/issuer_oauth3.org.git" + }, + "dependencies": { + "bluebird": "^3.5.0" + } +} diff --git a/rest.js b/rest.js new file mode 100644 index 0000000..09788b9 --- /dev/null +++ b/rest.js @@ -0,0 +1,84 @@ +'use strict'; + +var PromiseA = require('bluebird'); +var crypto = require('crypto'); + +module.exports.create = function (bigconf, deps, app) { + var Jwks = { restful: {} }; + + function attachModels(req, res, next) { + return req.getSiteStore().then(function (models) { + req.Models = models; + next(); + }); + } + + Jwks.thumbprint = function (jwk) { + // To produce a thumbprint we need to create a JSON string with only the required keys for + // the key type, with the keys sorted lexicographically and no white space. We then need + // run it through a SHA-256 and encode the result in url safe base64. + // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk + var keys; + if (jwk.kty === 'EC') { + keys = ['crv', 'x', 'y']; + } else if (jwk.kty === 'RSA') { + keys = ['e', 'n']; + } else { + return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty)); + } + keys.push('kty'); + keys.sort(); + + var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); }); + if (missing.length > 0) { + return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing)); + } + + // I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array + // as the replacer argument the keys are always in the order they appeared in the array. + var jwkStr = JSON.stringify(jwk, keys); + var hash = crypto.createHash('sha256').update(jwkStr).digest('base64'); + return PromiseA.resolve(hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '')); + }; + + Jwks.restful.get = function (req, res) { + var promise = req.Models.IssuerOauth3OrgJwks.find({ kid: req.params.kid }, { limit: 1 }).then(function (jwkArr) { + var jwk = jwkArr[0]; + // We need to sanitize the key to make sure we don't deliver any private keys fields if + // we were given a key we could use to sign tokens on behalf of the user. + var whitelist = [ 'kty', 'alg', 'kid', 'use' ]; + if (jwk.kty === 'EC') { + whitelist = whitelist.concat([ 'crv', 'x', 'y' ]); + } else if (jwk.kty === 'RSA') { + whitelist = whitelist.concat([ 'e', 'n' ]); + } + + var result = {}; + whitelist.forEach(function (key) { + result[key] = jwk[key]; + }); + return result; + }); + + app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK"); + }; + Jwks.restful.saveNew = function (req, res) { + var jwk = req.body; + var promise = Jwks.thumbprint(jwk).then(function (kid) { + if (jwk.kid && jwk.kid !== kid) { + throw new Error('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"'); + } + jwk.kid = kid; + + return req.Models.IssuerOauth3OrgJwks.upsert(req.params.sub, jwk); + }).then(function () { + return { success: true }; + }); + + app.handlePromise(req, res, promise, "[issuer@oauth3.org] create JWK"); + }; + + app.use( '/jwks', attachModels); + app.get( '/jwks/:kid.json', Jwks.restful.get); + app.post( '/jwks/:sub', Jwks.restful.saveNew); +};