'use strict'; var PromiseA = require('bluebird'); function extractAccessToken(req) { var token; var parts; var scheme; var credentials; if (req.headers && req.headers.authorization) { // Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }} parts = req.headers.authorization.split(' '); if (parts.length !== 2) { return PromiseA.reject(new Error("malformed Authorization header")); } scheme = parts[0]; credentials = parts[1]; if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) { token = credentials; } } if (req.body && req.body.access_token) { if (token) { PromiseA.reject(new Error("token exists in header and body")); } token = req.body.access_token; } // TODO disallow query with req.method === 'GET' // NOTE: the case of DDNS on routers requires a GET and access_token // (cookies should be used for protected static assets) if (req.query && req.query.access_token) { if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); } token = req.query.access_token; } /* err = new Error(challenge()); err.code = 'E_BEARER_REALM'; if (!token) { return PromiseA.reject(err); } */ return PromiseA.resolve(token); } function verifyToken(token) { var jwt = require('jsonwebtoken'); var decoded; if (!token) { return PromiseA.reject({ message: 'no token provided' , code: 'E_NO_TOKEN' , url: 'https://oauth3.org/docs/errors#E_NO_TOKEN' }); } try { decoded = jwt.decode(token, {complete: true}); } catch (e) {} if (!decoded) { return PromiseA.reject({ message: 'provided token not a JSON Web Token' , code: 'E_NOT_JWT' , url: 'https://oauth3.org/docs/errors#E_NOT_JWT' }); } var sub = decoded.payload.sub || decoded.payload.ppid || decoded.payload.appScopedId; if (!sub) { return PromiseA.reject({ message: 'token missing sub' , code: 'E_MISSING_SUB' , url: 'https://oauth3.org/docs/errors#E_MISSING_SUB' }); } var kid = decoded.header.kid || decoded.payload.kid; if (!kid) { return PromiseA.reject({ message: 'token missing kid' , code: 'E_MISSING_KID' , url: 'https://oauth3.org/docs/errors#E_MISSING_KID' }); } if (!decoded.payload.iss) { return PromiseA.reject({ message: 'token missing iss' , code: 'E_MISSING_ISS' , url: 'https://oauth3.org/docs/errors#E_MISSING_ISS' }); } var OAUTH3 = require('oauth3.js'); OAUTH3._hooks = require('oauth3.js/oauth3.node.storage.js'); return OAUTH3.discover(decoded.payload.iss).then(function (directives) { var args = (directives || {}).retrieve_jwk; if (typeof args === 'string') { args = { url: args, method: 'GET' }; } if (typeof (args || {}).url !== 'string') { return PromiseA.reject({ message: 'token issuer does not support retrieving JWKs' , code: 'E_INVALID_ISS' , url: 'https://oauth3.org/docs/errors#E_INVALID_ISS' }); } var params = { sub: sub , kid: kid }; var url = args.url; var body; Object.keys(params).forEach(function (key) { if (url.indexOf(':'+key) !== -1) { url = url.replace(':'+key, params[key]); delete params[key]; } }); if (Object.keys(params).length > 0) { if ('GET' === (args.method || 'GET').toUpperCase()) { url += '?' + OAUTH3.query.stringify(params); } else { body = params; } } return OAUTH3.request({ url: OAUTH3.url.resolve(directives.api, url) , method: args.method , data: body }); }, function (err) { return PromiseA.reject({ message: 'token issuer is not a valid OAuth3 provider' , code: 'E_INVALID_ISS' , url: 'https://oauth3.org/docs/errors#E_INVALID_ISS' , subErr: err.toString() }); }).then(function (res) { if (res.data.error) { return PromiseA.reject(res.data.error); } var opts = {}; if (Array.isArray(res.data.alg)) { opts.algorithms = res.data.alg; } else if (typeof res.data.alg === 'string') { opts.algorithms = [res.data.alg]; } try { return jwt.verify(token, require('jwk-to-pem')(res.data), opts); } catch (err) { return PromiseA.reject({ message: 'token verification failed' , code: 'E_INVALID_TOKEN' , url: 'https://oauth3.org/docs/errors#E_INVALID_TOKEN' , subErr: err.toString() }); } }); } function deepFreeze(obj) { Object.keys(obj).forEach(function (key) { if (obj[key] && typeof obj[key] === 'object') { deepFreeze(obj[key]); } }); Object.freeze(obj); } function attachOauth3(req, res, next) { req.oauth3 = {}; extractAccessToken(req).then(function (token) { req.oauth3.verifyAsync = function (jwt) { return verifyToken(jwt || token); }; if (!token) { return null; } var decoded; try { decoded = require('jsonwebtoken').decode(token); } catch (e) {} if (!decoded) { return PromiseA.reject({ message: 'provided token not a JSON Web Token' , code: 'E_NOT_JWT' , url: 'https://oauth3.org/docs/errors#E_NOT_JWT' }); } if (!decoded.iss) { return PromiseA.reject({ message: 'token missing iss' , code: 'E_MISSING_ISS' , url: 'https://oauth3.org/docs/errors#E_MISSING_ISS' }); } var ppid = decoded.sub || decoded.ppid || decoded.appScopedId; req.oauth3.encodedToken = token; req.oauth3.token = decoded; req.oauth3.ppid = ppid; req.oauth3.accountIdx = ppid+'@'+token.iss; req.oauth3.accountHash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64'); req.oauth3.accountHash = req.oauth3.accountHash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, ''); req.oauth3.rescope = function (sub) { // TODO: this function is supposed to convert PPIDs of different parties to some account // ID that allows application to keep track of permisions and what-not. return PromiseA.resolve(sub || ppid); }; }).then(function () { deepFreeze(req.oauth3); Object.defineProperty(req, 'oauth3', {configurable: false, writable: false}); next(); }, function (err) { res.send(err); }); } module.exports.attachOauth3 = attachOauth3; module.exports.verifyToken = verifyToken;