@eduzz/miau-client 0.0.1

package/eslint.config.js

@@ -0,0 +1,3 @@
+const { ignores, configs } = require('@eduzz/eslint-config');
+
+module.exports = [...configs, { ignores: ignores() }];

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@eduzz/miau-client",
+  "publishConfig": {
+    "access": "public"
+  },
+  "version": "0.0.1",
+  "description": "",
+    "main": "src/index.ts",
+  "scripts": {
+    "lint": "eslint && tsc --noEmit",
+    "prebuild": "rm -rf dist",
+    "build": "esbuild src/index.ts --bundle --sourcemap --platform=node --target=es2020 --outfile=dist/index.js"
+  },
+  "dependencies": {
+    "@eduzz/miau-domain": "workspace:*"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC"
+}

package/src/MiauClient.ts

@@ -0,0 +1,81 @@
+import jwt from 'jsonwebtoken';
+import { JwksClient } from 'jwks-rsa';
+
+type MiauClientConfig = {
+  apiUrl: string;
+  appSecret: string;
+};
+
+export class MiauClient {
+  private apiUrl: string;
+  private jwtToken: string | undefined;
+  private basicAuthToken: string;
+  private jwksClient: JwksClient | undefined;
+
+  constructor(props: MiauClientConfig) {
+    this.apiUrl = props.apiUrl;
+    const apiKey = props.appSecret.substring(7, 27);
+    this.basicAuthToken = Buffer.from(`${apiKey}:${props.appSecret}`).toString('base64');
+  }
+
+  public async getToken() {
+    if (this.jwtToken) {
+      const tokenPayload = jwt.decode(this.jwtToken) as { iat: number };
+      const now = Math.floor(Date.now() / 1000);
+
+      const TEN_MINUTES = 10 * 60;
+
+      if (now - tokenPayload.iat < TEN_MINUTES) {
+        return this.jwtToken;
+      }
+    }
+
+    const response = await fetch(this.getApiJwtUrl(), {
+      headers: {
+        'Authorization': `Basic ${this.basicAuthToken}`,
+        'Content-Type': 'application/json'
+      }
+    });
+
+    if (response.status !== 200) {
+      throw new Error('Failed to fetch token');
+    }
+
+    this.jwtToken = (await response.json()).jwt;
+    return this.jwtToken;
+  }
+
+  public async getPermissions(sourceAppId: string) {
+    const response = await fetch(`${this.getPermissionsUrl()}/${sourceAppId}`, {
+      headers: { Authorization: `Basic ${this.basicAuthToken}` }
+    });
+
+    if (response.status !== 200) {
+      throw new Error('Failed to fetch permissions');
+    }
+
+    const permissions = await response.json();
+    return permissions.resources;
+  }
+
+  public async getPublicKey(kid: string) {
+    if (!this.jwksClient) {
+      this.jwksClient = new JwksClient({ jwksUri: this.getJwksUrl(), cache: true });
+    }
+
+    const signingKey = await this.jwksClient.getSigningKey(kid);
+    return signingKey.getPublicKey();
+  }
+
+  private getApiJwtUrl = () => {
+    return `${this.apiUrl}/jwt`;
+  };
+
+  private getPermissionsUrl = () => {
+    return `${this.apiUrl}/permissions`;
+  };
+
+  private getJwksUrl = () => {
+    return `${this.apiUrl}/jwks.json`;
+  };
+}

package/src/MiauMiddleware.ts

@@ -0,0 +1,61 @@
+import { type NextFunction, type Request, type Response } from 'express';
+import jwt from 'jsonwebtoken';
+
+import type { ApplicationToken, Resource } from '@eduzz/miau-domain';
+
+import type { MiauClient } from './MiauClient';
+
+const wildcardToRegex = (pattern: string) => {
+  // Escape regex special characters except for '*'
+  const escaped = pattern.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&');
+  // Replace '*' with '[^/]+' to match any non-slash segment
+  const withWildcards = escaped.replace(/\*/g, '[^/]+');
+  // Build regex to match the whole path
+  const regexStr = `^${withWildcards}$`;
+  return new RegExp(regexStr);
+};
+
+export const miauMiddleware = (miauService: MiauClient) => {
+  return async (req: Request, res: Response, next: NextFunction) => {
+    try {
+      const token = req.headers.authorization?.split(' ').pop();
+
+      if (!token) {
+        res.status(401).json({ error: 'Invalid Token', message: 'Token not provided' });
+        return;
+      }
+
+      const decodedToken = jwt.decode(token, { complete: true }) as { header: { kid: string } };
+
+      if (!decodedToken?.header?.kid) {
+        res.status(401).json({ error: 'Invalid token', message: 'Missing kid' });
+        return;
+      }
+
+      const publicKey = await miauService.getPublicKey(decodedToken.header.kid);
+      const appToken = jwt.verify(token, publicKey, { algorithms: ['RS256'] }) as ApplicationToken;
+
+      req.application = { id: appToken?.id, name: appToken?.name };
+
+      const resources = await miauService.getPermissions(req.application.id);
+      const isAllowed = resources.some((resource: Resource) => {
+        return (
+          resource.method.toLowerCase() === req.method.toLowerCase() &&
+          wildcardToRegex(resource.path).test(req.path.toLowerCase())
+        );
+      });
+
+      if (!isAllowed) {
+        res
+          .status(403)
+          .json({ error: 'Forbidden', message: `You do not have permission to access ${req.method} ${req.path} ` });
+        return;
+      }
+
+      next();
+    } catch (err: any) {
+      res.status(401).json({ error: err.name, message: err.message });
+      return;
+    }
+  };
+};

package/src/index.ts

@@ -0,0 +1,2 @@
+export * from './MiauClient';
+export * from './MiauMiddleware';

package/src/types/index.d.ts

@@ -0,0 +1,9 @@
+import { type ApplicationToken } from '@eduzz/miau-domain';
+
+declare global {
+  namespace Express {
+    interface Request {
+      application?: ApplicationToken;
+    }
+  }
+}

package/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "rootDir": "src",
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}