From fa3816390bccc9f80db2a894c8071ab99fd4220a Mon Sep 17 00:00:00 2001
From: tigerbot
Date: Fri, 11 Aug 2017 17:00:18 -0600
Subject: [PATCH] verify all tokens that are provided
---
 lib/oauth3.js | 49 ++++++++++++++++++++++---------------------------
 1 file changed, 22 insertions(+), 27 deletions(-)
diff --git a/lib/oauth3.js b/lib/oauth3.js
index 28ee6a9..39440ab 100644
--- a/lib/oauth3.js
+++ b/lib/oauth3.js
@@ -3,7 +3,7 @@ var PromiseA = require('bluebird');
 function extractAccessToken(req) {
- var token;
+ var token = null;
 var parts;
 var scheme;
 var credentials;
@@ -133,6 +133,13 @@ function verifyToken(token) {
 url: OAUTH3.url.resolve(directives.api, url)
 , method: args.method
 , data: body
+ }).catch(function (err) {
+ return PromiseA.reject({
+ message: 'failed to retrieve public key from token issuer'
+ , code: 'E_NO_PUB_KEY'
+ , url: 'https://oauth3.org/docs/errors#E_NO_PUB_KEY'
+ , subErr: err.toString()
+ });
 });
 }, function (err) {
 return PromiseA.reject({
@@ -178,6 +185,7 @@ function attachOauth3(req, res, next) {
 req.oauth3 = {};
 extractAccessToken(req).then(function (token) {
+ req.oauth3.encodedToken = token;
 req.oauth3.verifyAsync = function (jwt) {
 return verifyToken(jwt || token);
 };
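Review bot: `subErr: err.toString()` in the new `.catch` copies the raw transport error text into the rejection object, and as far as this hunk shows that object is the same one handed back to whoever called verifyToken, so the issuer URL or response text it carries could surface to an end user. Log the original error server-side and keep the public field to something stable, e.g. `, subErr: err.code`, or drop it. Separately, the request this catch wraps goes to the issuer named by the token itself; unless verifyToken restricts `iss` to known issuers before this point (its head is outside the hunk), the service will issue a request to whatever host the token names, and that restriction belongs before the request rather than in this error handler. The enclosing function verifyToken starts and ends outside the hunk.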
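Review bot: `req.oauth3.encodedToken = token;` is now assigned before the token has been verified, so anything that reads it — the `verifyAsync` closure below it, or a later handler inspecting `req.oauth3` after a rejection — gets a bearer string that may never have passed verification, and nothing in the hunk marks it as such. A one-line comment on the added line would keep later readers from treating it as a verified value: `// raw bearer string as received; only req.oauth3.token holds verified claims`. The rest of attachOauth3's promise chain is outside this hunk.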
@@ -185,38 +193,25 @@ function attachOauth3(req, res, next) {
 if (!token) { return null; }
-
- var decoded;
- try {
- decoded = require('jsonwebtoken').decode(token);
- } catch (e) {}
- if (!decoded) {
- return PromiseA.reject({
- message: 'provided token not a JSON Web Token'
- , code: 'E_NOT_JWT'
- , url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
- });
- }
- if (!decoded.iss) {
- return PromiseA.reject({
- message: 'token missing iss'
- , code: 'E_MISSING_ISS'
- , url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
- });
- }
- var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
-
- req.oauth3.encodedToken = token;
+ return verifyToken(token);
+ }).then(function (decoded) {
 req.oauth3.token = decoded;
+ if (!decoded) {
+ return null;
+ }
+
+ var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
 req.oauth3.ppid = ppid;
- req.oauth3.accountIdx = ppid+'@'+token.iss;
- req.oauth3.accountHash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
- req.oauth3.accountHash = req.oauth3.accountHash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '');
+ req.oauth3.accountIdx = ppid+'@'+decoded.iss;
+
+ var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
+ hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, '');
+ req.oauth3.accountHash = hash;
 req.oauth3.rescope = function (sub) {
 // TODO: this function is supposed to convert PPIDs of different parties to some account
 // ID that allows application to keep track of permisions and what-not.
- return PromiseA.resolve(sub || ppid);
+ return PromiseA.resolve(sub || hash);
 };
 }).then(function () {
 deepFreeze(req.oauth3);
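Review bot: `var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;` is used with no check, so a verified token carrying none of those claims produces an `accountIdx` of `undefined@<iss>` and an `accountHash` that is the same for every such token from that issuer — distinct principals would collapse into one account identifier, which `rescope` then returns by default. The removed code rejected a token lacking `iss`; the new code only has that guarantee if verifyToken enforces it (its head is outside this hunk), and `decoded.iss` is likewise concatenated into accountIdx unchecked. Rejecting before the hash is computed, in the file's existing rejection style — `if (!ppid || !decoded.iss) { return PromiseA.reject({ message: 'token missing subject or issuer', code: '<ERROR_CODE placeholder>', url: '<docs URL placeholder>' }); }` — keeps the hash tied to a real principal. The enclosing function attachOauth3 begins before this hunk and its promise chain continues after `deepFreeze(req.oauth3);`.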