@culturefy/shared 1.0.39 → 1.0.40

package/src/middlewares/verify-middleware.ts

@@ -0,0 +1,197 @@
+import { HttpResponseInit } from "@azure/functions";
+import { HttpRequest } from "@azure/functions";
+import { InvocationContext } from "@azure/functions";
+import { sendResponse } from "../utils";
+import { IMiddleware } from "../types/middleware";
+import { IAppId } from "../types/app";
+import { APP_MAP } from "../constants";
+import { jwtDecode } from "jwt-decode";
+import { setCookieKV } from "../utils/cookies";
+
+const apiURL = process.env.REFRESH_SESSION_URL || ''
+
+const parseCookieHeader = (header: string | null | undefined) => {
+  const out: Record<string, string> = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const [k, ...rest] = part.trim().split("=");
+    if (!k) continue;
+    out[k] = decodeURIComponent(rest.join("=") || "");
+  }
+  return out;
+};
+
+export const verifyMw: IMiddleware = async (
+  req: HttpRequest,
+  ctx: InvocationContext,
+  next: () => Promise<HttpResponseInit>
+): Promise<HttpResponseInit> => {
+  const appId = req.headers.get("app-id") as IAppId | undefined;
+
+  if (!appId || !APP_MAP?.[appId]?.clientId) {
+    return sendResponse(400, { status: "bad_request", reason: "invalid_app" });
+  }
+  
+  const expectedClientId = APP_MAP[appId].clientId;
+
+  // cookies
+  const cookies = parseCookieHeader(req.headers.get("cookie"));
+  const at = cookies[`__Secure-session-v1.${appId}.at`];
+  const rt = cookies[`__Secure-session-v1.${appId}.rt`];
+
+  if (!at && !rt) {
+    return sendResponse(401, { status: "unauthenticated", reason: "no_tokens" });
+  }
+
+  // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)
+  let p: any;
+  try {
+    p = jwtDecode(at);
+  } catch {
+    return sendResponse(401, { status: "unauthenticated", reason: "invalid_token" });
+  }
+
+  if (!p?.sid) {
+    return sendResponse(401, { status: "unauthenticated", reason: "user_not_found" });
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  // if (typeof p.exp === "number" && p.exp <= now) {
+  if (typeof p.exp === "number" && p.exp >= now) {
+    // Delegate to refresh helper; it will handle setting cookies/state or returning an error
+    return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);
+  }
+
+  // audience checks
+  const audOk =
+    (Array.isArray(p.aud) && p.aud.includes(expectedClientId)) ||
+    (typeof p.aud === "string" && (p.aud === expectedClientId || p.aud === "account")) ||
+    p.azp === expectedClientId;
+
+  if (!audOk) {
+    return sendResponse(403, { status: "forbidden", reason: "audience_mismatch" });
+  }
+
+
+  setCookieKV(ctx, 'ew','rre');
+
+  // pass data downstream
+  (ctx as any).state ??= {};
+  const tenantId = p.cfy_tid ?? (p.iss ? new URL(p.iss).pathname.split("/").pop() : null);
+
+  (ctx as any).state.auth = {
+    appId,
+    userId: p.sub ?? null,
+    businessId: p.cfy_bid ?? tenantId ?? null,
+    tenantId,
+    email: p.email ?? p.preferred_username ?? null,
+    name: p.name ?? undefined,
+    roles: p.resource_access?.[expectedClientId]?.roles ?? p.realm_access?.roles ?? [],
+    exp: p.exp,
+  };
+
+  return next();
+};
+
+
+
+async function getNewRefreshToken(
+  req: HttpRequest,
+  ctx: InvocationContext,
+  appId: IAppId,
+  expectedClientId: string,
+  rt: string | undefined,
+  p: any,
+  next: () => Promise<HttpResponseInit>
+): Promise<HttpResponseInit> {
+  // Attempt server-side refresh using RT
+  if (!rt) {
+    return sendResponse(401, { status: "unauthenticated", reason: "expired_no_rt" });
+  }
+
+  // Resolve realm for refresh
+  let realmId: string | undefined = APP_MAP[appId].auth?.realm;
+  if (!realmId) {
+    try {
+      const issRealm = p?.iss ? new URL(p.iss).pathname.split("/").pop() : undefined;
+      realmId = (p as any)?.cfy_tid || issRealm || undefined;
+    } catch {
+      realmId = undefined;
+    }
+  }
+
+  if (!realmId) {
+    return sendResponse(401, { status: "unauthenticated", reason: "cannot_resolve_realm" });
+  }
+
+  ctx.info("refreshing token payload ----------------------", {
+    realmId,
+    expectedClientId,
+    rt
+  });
+
+
+  // Call auth service to refresh
+  try {
+    const resp = await fetch(apiURL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ 
+        realmId, 
+        clientId: expectedClientId, 
+        refresh_token: rt
+      })
+    });
+
+    if (!resp.ok) {
+      const text = await resp.text();
+      ctx.warn?.(`refresh call failed: ${resp.status} ${text}`);
+      return sendResponse(401, { status: "unauthenticated", reason: "refresh_failed" });
+    }
+
+
+    const payload = await resp.json();
+    const data = payload?.data || {};
+    const newAT = data.access_token as string | undefined;
+    const newRT = data.refresh_token as string | undefined;
+    if (!newAT || !newRT) {
+      return sendResponse(401, { status: "unauthenticated", reason: "invalid_refresh_response" });
+    }
+
+    // Set refreshed cookies for client session
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.at`, newAT);
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.rt`, newRT);
+
+    // Decode new AT and proceed
+    let p2: any;
+    try { p2 = jwtDecode(newAT); } catch { return sendResponse(401, { status: "unauthenticated", reason: "invalid_new_token" }); }
+
+    const audOk2 =
+      (Array.isArray(p2.aud) && p2.aud.includes(expectedClientId)) ||
+      (typeof p2.aud === "string" && (p2.aud === expectedClientId || p2.aud === "account")) ||
+      p2.azp === expectedClientId;
+    if (!audOk2) {
+      return sendResponse(403, { status: "forbidden", reason: "audience_mismatch" });
+    }
+
+    // Update downstream auth state with refreshed token
+    (ctx as any).state ??= {};
+    const tenantId2 = p2.cfy_tid ?? (p2.iss ? new URL(p2.iss).pathname.split("/").pop() : null);
+    (ctx as any).state.auth = {
+      appId,
+      userId: p2.sub ?? null,
+      businessId: p2.cfy_bid ?? tenantId2 ?? null,
+      tenantId: tenantId2,
+      email: p2.email ?? p2.preferred_username ?? null,
+      name: p2.name ?? undefined,
+      roles: p2.resource_access?.[expectedClientId]?.roles ?? p2.realm_access?.roles ?? [],
+      exp: p2.exp,
+    };
+
+    // Continue pipeline after refresh
+    return next();
+  } catch (e) {
+    ctx.error?.("refresh exception", e as any);
+    return sendResponse(401, { status: "unauthenticated", reason: "refresh_exception" });
+  }
+}

package/src/types/app.ts

@@ -0,0 +1,27 @@
+export type IAppId = "3238hxa2";
+
+export interface IDomainMappings {
+  domains: Record<string, string[]>;
+  clientId: string;
+  appId: string;
+  name: string;
+  exclude: Record<string, string[]>;
+  cookie: {
+      prefix: string;
+      domain: {
+          local: string | null;
+          dev: string;
+          staging: string;
+          prod: string;
+      };
+      path: string;
+      sameSite: string;
+      secure: boolean;
+      httpOnly: boolean;
+      maxAgeSec: { sid: number; rt: number };
+  };
+  auth?: {
+      realm: string;
+      clientId: string;
+  };
+}

package/src/utils/cookies.ts

@@ -0,0 +1,24 @@
+import { InvocationContext } from "@azure/functions";
+
+export function setCookieKV(ctx: InvocationContext, key: string, value: string): void {
+  // Object-cookie bag (preferred)
+  const CTX_COOKIES_OBJ = Symbol.for("cfy.resCookies.obj");
+  // @ts-ignore
+  const objBag = ((ctx as any)[CTX_COOKIES_OBJ] ??= [] as HttpCookie[]);
+  objBag.push({
+      name: key,
+      value,
+      path: "/",
+      httpOnly: true,
+      secure: true,       // drop to false if testing on http://
+      sameSite: "None",   // use "Lax" for same-site
+      maxAge: 300,        // seconds
+  });
+
+  // (Optional) Keep your string fallback too:
+  const CTX_COOKIES = Symbol.for("cfy.resCookies");
+  const strBag = ((ctx as any)[CTX_COOKIES] ??= [] as string[]);
+  strBag.push(
+      `${encodeURIComponent(key)}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=300`
+  );
+}