@commercetools/connect-payments-sdk 0.0.4 → 0.0.6

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @commercetools/connect-payments-sdk
 
+## 0.0.6
+
+### Patch Changes
+
+- 11ae367: Export authorization hook AuthorityAuthorizationHook in the root path
+
+## 0.0.5
+
+### Patch Changes
+
+- 22434c9: Enforce validation of projectkey on the jwt authentication.
+
 ## 0.0.4
 
 ### Patch Changes

package/dist/api/hooks/authorize.hook.d.ts

@@ -0,0 +1,12 @@
+import { AuthorityAuthorizationManager } from '../../security/authz/authorization-manager';
+import { ContextProvider, RequestContextData } from '../context/types/request-context.type';
+import { AuthorizationHook } from './types/hook.type';
+export declare class AuthorityAuthorizationHook implements AuthorizationHook {
+    private authorizationManager;
+    private contextProvider;
+    constructor(opts: {
+        authorizationManager: AuthorityAuthorizationManager;
+        contextProvider: ContextProvider<RequestContextData>;
+    });
+    authorize(...authorities: string[]): () => Promise<void>;
+}

package/dist/api/hooks/authorize.hook.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorityAuthorizationHook = void 0;
+const errorx_1 = require("../../errorx");
+class AuthorityAuthorizationHook {
+    authorizationManager;
+    contextProvider;
+    constructor(opts) {
+        this.authorizationManager = opts.authorizationManager;
+        this.contextProvider = opts.contextProvider;
+    }
+    authorize(...authorities) {
+        return async () => {
+            const authn = this.contextProvider.getContextData().authentication;
+            if (!authn) {
+                throw new errorx_1.ErrorAuthErrorResponse('Authentication is required.');
+            }
+            this.authorizationManager.verify(authn, authorities);
+        };
+    }
+}
+exports.AuthorityAuthorizationHook = AuthorityAuthorizationHook;

package/dist/api/index.d.ts

@@ -6,3 +6,4 @@ export * from './hooks/jwt-auth.hook';
 export * from './hooks/oauth2-auth.hook';
 export * from './hooks/session-auth.hook';
 export * from './hooks/types/hook.type';
+export * from './hooks/authorize.hook';

package/dist/api/index.js

@@ -22,3 +22,4 @@ __exportStar(require("./hooks/jwt-auth.hook"), exports);
 __exportStar(require("./hooks/oauth2-auth.hook"), exports);
 __exportStar(require("./hooks/session-auth.hook"), exports);
 __exportStar(require("./hooks/types/hook.type"), exports);
+__exportStar(require("./hooks/authorize.hook"), exports);

package/dist/index.js

@@ -73,6 +73,7 @@ const setupPaymentSDK = (opts) => {
     const jwtAuthenticationManager = new security_1.JWTAuthenticationManager({
         jwtService,
         iss: opts.jwtIssuer,
+        projectKey: opts.projectKey,
     });
     const sessionAuthHookFn = new api_1.SessionAuthenticationHook({
         authenticationManager: sessionAuthenticationManager,

package/dist/security/authn/jwt-authn-manager.d.ts

@@ -4,9 +4,11 @@ import { AuthenticationManager } from './types/authn.type';
 export declare class JWTAuthenticationManager implements AuthenticationManager {
     private jwtService;
     private iss;
+    private projectKey;
     constructor(opts: {
         jwtService: JWTService;
         iss: string;
+        projectKey: string;
     });
     authenticate(authentication: HeaderBasedAuthentication): Promise<JWTAuthentication>;
 }

package/dist/security/authn/jwt-authn-manager.js

@@ -7,9 +7,11 @@ const bearer_utils_1 = require("./bearer-utils");
 class JWTAuthenticationManager {
     jwtService;
     iss;
+    projectKey;
     constructor(opts) {
         this.jwtService = opts.jwtService;
         this.iss = opts.iss;
+        this.projectKey = opts.projectKey;
     }
     async authenticate(authentication) {
         const principal = authentication.getPrincipal();
@@ -18,13 +20,23 @@ class JWTAuthenticationManager {
             token,
         }));
         if (decodedToken.iss !== this.iss) {
-            throw new errorx_1.ErrorAuthErrorResponse('Issuer in the token does not match the expected issuer', {
+            throw new errorx_1.ErrorAuthErrorResponse('Issuer in the token does not match the expected issuer.', {
                 privateFields: {
                     expectedIssuer: this.iss,
                     actualIssuer: decodedToken['iss'],
                 },
             });
         }
+        const projectKey = decodedToken[`${this.iss}/claims/project_key`];
+        if (projectKey !== this.projectKey) {
+            throw new errorx_1.ErrorAuthErrorResponse('Project key does not match.', {
+                privateFields: {
+                    expectedIssuer: this.iss,
+                    actualIssuer: decodedToken['iss'],
+                    projectKey,
+                },
+            });
+        }
         return new authns_1.JWTAuthentication(token, {
             mcCustomerId: decodedToken['sub'],
         });

package/dist/security/authz/authorization-manager.d.ts

@@ -0,0 +1,6 @@
+import { Authentication } from '../authn/types/authn.type';
+import { AuthorizationManager } from './types/authz.type';
+export declare class AuthorityAuthorizationManager implements AuthorizationManager<string[]> {
+    verify(authentication: Authentication, authorities: string[]): void;
+    check(authentication: Authentication, authorities: string[]): boolean;
+}

package/dist/security/authz/authorization-manager.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorityAuthorizationManager = void 0;
+const errorx_1 = require("../../errorx");
+class AuthorityAuthorizationManager {
+    verify(authentication, authorities) {
+        const isAuthorized = this.check(authentication, authorities);
+        if (!isAuthorized) {
+            throw new errorx_1.ErrorAuthErrorResponse('Not authorized', {
+                skipLog: true,
+                fields: {
+                    validAuthorities: authorities,
+                },
+                privateFields: {
+                    grantedAuthorities: authentication.getAuthorities(),
+                    requiredAuthorities: authorities,
+                },
+            });
+        }
+    }
+    check(authentication, authorities) {
+        const grantedAuthorities = authentication.getAuthorities();
+        const hasGrantedAuthorities = authorities.some((authority) => {
+            return grantedAuthorities.find((grantedAuthority) => grantedAuthority === authority);
+        });
+        return hasGrantedAuthorities;
+    }
+}
+exports.AuthorityAuthorizationManager = AuthorityAuthorizationManager;

package/dist/security/authz/types/authz.type.d.ts

@@ -0,0 +1,11 @@
+import { Authentication } from '../../authn/types/authn.type';
+export interface AuthorizationManager<T> {
+    /**
+     * Determines if access should be granted for a specific authentication and object.
+     */
+    verify(authentication: Authentication, object: T): void;
+    /**
+     * Determines if access is granted for a specific object.
+     */
+    check(authentication: Authentication, object: T): boolean;
+}

package/dist/security/authz/types/authz.type.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commercetools/connect-payments-sdk",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "description": "Payment SDK for commercetools payment connectors",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",