@guardian/pan-domain-node 0.4.1 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.changeset/README.md +8 -0
- package/.changeset/config.json +11 -0
- package/.nvmrc +1 -1
- package/CHANGELOG.md +7 -0
- package/dist/src/api.js +2 -1
- package/dist/src/fetch-public-key.d.ts +5 -0
- package/dist/src/fetch-public-key.js +40 -0
- package/dist/src/panda.d.ts +4 -7
- package/dist/src/panda.js +39 -24
- package/dist/src/utils.d.ts +2 -1
- package/dist/src/utils.js +28 -8
- package/dist/test/fixtures.d.ts +1 -0
- package/dist/test/fixtures.js +3 -3
- package/dist/test/panda.test.js +106 -16
- package/jest.config.js +2 -1
- package/package.json +9 -8
- package/src/fetch-public-key.ts +27 -0
- package/src/panda.ts +30 -30
- package/src/utils.ts +20 -11
- package/test/fixtures.ts +3 -4
- package/test/panda.test.ts +144 -20
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
# Changesets
|
|
2
|
+
|
|
3
|
+
Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
|
|
4
|
+
with multi-package repos, or single-package repos to help you version and publish your code. You can
|
|
5
|
+
find the full documentation for it [in our repository](https://github.com/changesets/changesets)
|
|
6
|
+
|
|
7
|
+
We have a quick list of common questions to get you started engaging with this project in
|
|
8
|
+
[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://unpkg.com/@changesets/config@3.0.4/schema.json",
|
|
3
|
+
"changelog": "@changesets/cli/changelog",
|
|
4
|
+
"commit": false,
|
|
5
|
+
"fixed": [],
|
|
6
|
+
"linked": [],
|
|
7
|
+
"access": "public",
|
|
8
|
+
"baseBranch": "main",
|
|
9
|
+
"updateInternalDependencies": "patch",
|
|
10
|
+
"ignore": []
|
|
11
|
+
}
|
package/.nvmrc
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
v20.18.1
|
package/CHANGELOG.md
ADDED
package/dist/src/api.js
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.guardianValidation = exports.AuthenticationStatus = void 0;
|
|
3
4
|
var panda_1 = require("./panda");
|
|
4
|
-
exports
|
|
5
|
+
Object.defineProperty(exports, "PanDomainAuthentication", { enumerable: true, get: function () { return panda_1.PanDomainAuthentication; } });
|
|
5
6
|
var AuthenticationStatus;
|
|
6
7
|
(function (AuthenticationStatus) {
|
|
7
8
|
AuthenticationStatus["INVALID_COOKIE"] = "Invalid Cookie";
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
|
|
5
|
+
}) : (function(o, m, k, k2) {
|
|
6
|
+
if (k2 === undefined) k2 = k;
|
|
7
|
+
o[k2] = m[k];
|
|
8
|
+
}));
|
|
9
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
10
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
11
|
+
}) : function(o, v) {
|
|
12
|
+
o["default"] = v;
|
|
13
|
+
});
|
|
14
|
+
var __importStar = (this && this.__importStar) || function (mod) {
|
|
15
|
+
if (mod && mod.__esModule) return mod;
|
|
16
|
+
var result = {};
|
|
17
|
+
if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
18
|
+
__setModuleDefault(result, mod);
|
|
19
|
+
return result;
|
|
20
|
+
};
|
|
21
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
22
|
+
exports.fetchPublicKey = void 0;
|
|
23
|
+
const iniparser = __importStar(require("iniparser"));
|
|
24
|
+
const utils_1 = require("./utils");
|
|
25
|
+
function fetchPublicKey(region, bucket, keyFile) {
|
|
26
|
+
const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
|
|
27
|
+
return utils_1.httpGet(path).then(response => {
|
|
28
|
+
const config = iniparser.parseString(response);
|
|
29
|
+
if (config.publicKey) {
|
|
30
|
+
return {
|
|
31
|
+
key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
|
|
32
|
+
lastUpdated: new Date()
|
|
33
|
+
};
|
|
34
|
+
}
|
|
35
|
+
else {
|
|
36
|
+
throw new Error("Missing publicKey setting from config");
|
|
37
|
+
}
|
|
38
|
+
});
|
|
39
|
+
}
|
|
40
|
+
exports.fetchPublicKey = fetchPublicKey;
|
package/dist/src/panda.d.ts
CHANGED
|
@@ -1,10 +1,8 @@
|
|
|
1
1
|
/// <reference types="node" />
|
|
2
|
-
import {
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
}
|
|
7
|
-
export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTimestamp: number, validateUser: ValidateUserFn): AuthenticationResult;
|
|
2
|
+
import { User, AuthenticationResult, ValidateUserFn } from './api';
|
|
3
|
+
import { PublicKeyHolder } from './fetch-public-key';
|
|
4
|
+
export declare function createCookie(user: User, privateKey: string): string;
|
|
5
|
+
export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult;
|
|
8
6
|
export declare class PanDomainAuthentication {
|
|
9
7
|
cookieName: string;
|
|
10
8
|
region: string;
|
|
@@ -19,4 +17,3 @@ export declare class PanDomainAuthentication {
|
|
|
19
17
|
getPublicKey(): Promise<string>;
|
|
20
18
|
verify(requestCookies: string): Promise<AuthenticationResult>;
|
|
21
19
|
}
|
|
22
|
-
export {};
|
package/dist/src/panda.js
CHANGED
|
@@ -1,32 +1,46 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
|
|
5
|
+
}) : (function(o, m, k, k2) {
|
|
6
|
+
if (k2 === undefined) k2 = k;
|
|
7
|
+
o[k2] = m[k];
|
|
8
|
+
}));
|
|
9
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
10
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
11
|
+
}) : function(o, v) {
|
|
12
|
+
o["default"] = v;
|
|
13
|
+
});
|
|
2
14
|
var __importStar = (this && this.__importStar) || function (mod) {
|
|
3
15
|
if (mod && mod.__esModule) return mod;
|
|
4
16
|
var result = {};
|
|
5
|
-
if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result
|
|
6
|
-
result
|
|
17
|
+
if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
18
|
+
__setModuleDefault(result, mod);
|
|
7
19
|
return result;
|
|
8
20
|
};
|
|
9
21
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
-
|
|
22
|
+
exports.PanDomainAuthentication = exports.verifyUser = exports.createCookie = void 0;
|
|
11
23
|
const cookie = __importStar(require("cookie"));
|
|
12
24
|
const utils_1 = require("./utils");
|
|
13
25
|
const api_1 = require("./api");
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
26
|
+
const fetch_public_key_1 = require("./fetch-public-key");
|
|
27
|
+
function createCookie(user, privateKey) {
|
|
28
|
+
let queryParams = [];
|
|
29
|
+
queryParams.push("firstName=" + user.firstName);
|
|
30
|
+
queryParams.push("lastName=" + user.lastName);
|
|
31
|
+
queryParams.push("email=" + user.email);
|
|
32
|
+
user.avatarUrl && queryParams.push("avatarUrl=" + user.avatarUrl);
|
|
33
|
+
queryParams.push("system=" + user.authenticatingSystem);
|
|
34
|
+
queryParams.push("authedIn=" + user.authenticatedIn.join(","));
|
|
35
|
+
queryParams.push("expires=" + user.expires.toString());
|
|
36
|
+
queryParams.push("multifactor=" + String(user.multifactor));
|
|
37
|
+
const combined = queryParams.join("&");
|
|
38
|
+
const queryParamsString = Buffer.from(combined).toString('base64');
|
|
39
|
+
const signature = utils_1.sign(combined, privateKey);
|
|
40
|
+
return queryParamsString + "." + signature;
|
|
28
41
|
}
|
|
29
|
-
|
|
42
|
+
exports.createCookie = createCookie;
|
|
43
|
+
function verifyUser(pandaCookie, publicKey, currentTime, validateUser) {
|
|
30
44
|
if (!pandaCookie) {
|
|
31
45
|
return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
|
|
32
46
|
}
|
|
@@ -34,9 +48,10 @@ function verifyUser(pandaCookie, publicKey, currentTimestamp, validateUser) {
|
|
|
34
48
|
if (!utils_1.verifySignature(data, signature, publicKey)) {
|
|
35
49
|
return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
|
|
36
50
|
}
|
|
51
|
+
const currentTimestampInMilliseconds = currentTime.getTime();
|
|
37
52
|
try {
|
|
38
53
|
const user = utils_1.parseUser(data);
|
|
39
|
-
const isExpired = user.expires <
|
|
54
|
+
const isExpired = user.expires < currentTimestampInMilliseconds;
|
|
40
55
|
if (isExpired) {
|
|
41
56
|
return { status: api_1.AuthenticationStatus.EXPIRED, user };
|
|
42
57
|
}
|
|
@@ -59,20 +74,21 @@ class PanDomainAuthentication {
|
|
|
59
74
|
this.bucket = bucket;
|
|
60
75
|
this.keyFile = keyFile;
|
|
61
76
|
this.validateUser = validateUser;
|
|
62
|
-
this.publicKey = fetchPublicKey(region, bucket, keyFile);
|
|
77
|
+
this.publicKey = fetch_public_key_1.fetchPublicKey(region, bucket, keyFile);
|
|
63
78
|
this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTime);
|
|
64
79
|
}
|
|
65
80
|
stop() {
|
|
66
81
|
if (this.keyUpdateTimer) {
|
|
67
82
|
clearInterval(this.keyUpdateTimer);
|
|
83
|
+
this.keyUpdateTimer = undefined;
|
|
68
84
|
}
|
|
69
85
|
}
|
|
70
86
|
getPublicKey() {
|
|
71
87
|
return this.publicKey.then(({ key, lastUpdated }) => {
|
|
72
88
|
const now = new Date();
|
|
73
|
-
const diff = now.
|
|
89
|
+
const diff = now.getTime() - lastUpdated.getTime();
|
|
74
90
|
if (diff > this.keyCacheTime) {
|
|
75
|
-
this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
|
|
91
|
+
this.publicKey = fetch_public_key_1.fetchPublicKey(this.region, this.bucket, this.keyFile);
|
|
76
92
|
return this.publicKey.then(({ key }) => key);
|
|
77
93
|
}
|
|
78
94
|
else {
|
|
@@ -84,8 +100,7 @@ class PanDomainAuthentication {
|
|
|
84
100
|
return this.getPublicKey().then(publicKey => {
|
|
85
101
|
const cookies = cookie.parse(requestCookies);
|
|
86
102
|
const pandaCookie = cookies[this.cookieName];
|
|
87
|
-
|
|
88
|
-
return verifyUser(pandaCookie, publicKey, now, this.validateUser);
|
|
103
|
+
return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
|
|
89
104
|
});
|
|
90
105
|
}
|
|
91
106
|
}
|
package/dist/src/utils.d.ts
CHANGED
|
@@ -11,6 +11,7 @@ export declare function parseCookie(cookie: string): {
|
|
|
11
11
|
* Verify signed data using nodeJs crypto library
|
|
12
12
|
*/
|
|
13
13
|
export declare function verifySignature(message: string, signature: string, pandaPublicKey: string): boolean;
|
|
14
|
-
export declare function
|
|
14
|
+
export declare function sign(message: string, privateKey: string): string;
|
|
15
|
+
export declare function base64ToPEM(key: string, headerFooter: string): string;
|
|
15
16
|
export declare function httpGet(path: string): Promise<string>;
|
|
16
17
|
export declare function parseUser(data: string): User;
|
package/dist/src/utils.js
CHANGED
|
@@ -1,17 +1,30 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
|
|
5
|
+
}) : (function(o, m, k, k2) {
|
|
6
|
+
if (k2 === undefined) k2 = k;
|
|
7
|
+
o[k2] = m[k];
|
|
8
|
+
}));
|
|
9
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
10
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
11
|
+
}) : function(o, v) {
|
|
12
|
+
o["default"] = v;
|
|
13
|
+
});
|
|
2
14
|
var __importStar = (this && this.__importStar) || function (mod) {
|
|
3
15
|
if (mod && mod.__esModule) return mod;
|
|
4
16
|
var result = {};
|
|
5
|
-
if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result
|
|
6
|
-
result
|
|
17
|
+
if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
18
|
+
__setModuleDefault(result, mod);
|
|
7
19
|
return result;
|
|
8
20
|
};
|
|
9
21
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
22
|
+
exports.parseUser = exports.httpGet = exports.base64ToPEM = exports.sign = exports.verifySignature = exports.parseCookie = exports.decodeBase64 = void 0;
|
|
10
23
|
const crypto = __importStar(require("crypto"));
|
|
11
24
|
const https = __importStar(require("https"));
|
|
12
25
|
const url_1 = require("url");
|
|
13
26
|
function decodeBase64(data) {
|
|
14
|
-
return
|
|
27
|
+
return Buffer.from(data, 'base64').toString('utf8');
|
|
15
28
|
}
|
|
16
29
|
exports.decodeBase64 = decodeBase64;
|
|
17
30
|
/**
|
|
@@ -34,12 +47,19 @@ function verifySignature(message, signature, pandaPublicKey) {
|
|
|
34
47
|
.verify(pandaPublicKey, signature, 'base64');
|
|
35
48
|
}
|
|
36
49
|
exports.verifySignature = verifySignature;
|
|
50
|
+
function sign(message, privateKey) {
|
|
51
|
+
const sign = crypto.createSign("sha256WithRSAEncryption");
|
|
52
|
+
sign.write(message);
|
|
53
|
+
sign.end();
|
|
54
|
+
return sign.sign(privateKey, 'base64');
|
|
55
|
+
}
|
|
56
|
+
exports.sign = sign;
|
|
37
57
|
const ASCII_NEW_LINE = String.fromCharCode(10);
|
|
38
|
-
|
|
39
|
-
const
|
|
40
|
-
|
|
58
|
+
function base64ToPEM(key, headerFooter) {
|
|
59
|
+
const PEM_HEADER = `-----BEGIN ${headerFooter} KEY-----`;
|
|
60
|
+
const PEM_FOOTER = `-----END ${headerFooter} KEY-----`;
|
|
41
61
|
let tmp = [];
|
|
42
|
-
const ret = [
|
|
62
|
+
const ret = [Buffer.from(PEM_HEADER).toString('ascii')];
|
|
43
63
|
for (let i = 0, len = key.length; i < len; i++) {
|
|
44
64
|
if (i > 0 && i % 64 === 0) {
|
|
45
65
|
ret.push(tmp.join(''));
|
|
@@ -48,7 +68,7 @@ function base64ToPEM(key) {
|
|
|
48
68
|
tmp.push(key[i]);
|
|
49
69
|
}
|
|
50
70
|
ret.push(tmp.join(''));
|
|
51
|
-
ret.push(
|
|
71
|
+
ret.push(Buffer.from(PEM_FOOTER).toString('ascii'));
|
|
52
72
|
return ret.join(ASCII_NEW_LINE);
|
|
53
73
|
}
|
|
54
74
|
exports.base64ToPEM = base64ToPEM;
|
package/dist/test/fixtures.d.ts
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
export declare const encodedPrivateKey = "MIIJKAIBAAKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQKCAgAFEDXDb10Rtl5vT6oXLjzswYcD6Ct8v23eLYcKqJlNeXuysQODxnJAxBTuubPvXOSxC6DVbaa7zQxqldjPy92eVfDiOii5naR648AMG2Rl4ybm9+Zfvnwgu9WIjLxFK6zl6A0dMi82W47HP6s5d8gbWREjtO1HXOCGe6rIUyLpC3mm5JX/aaeG9NHRsNeY5vXWgsrOdgaUSeaPSsiXvi/XdPP94aBdvDjqq0kKssQofA5PTMlOd0Nv+lN9Sew7po0NJ4q/U7aFzF5BaFidty8JA3DdQQRPgVrWVF57StvHkYMZSnwgWA6noZaWL/N2RkbeQw0KsDKxdo3KFYkVb8OuTN68b3J5sKIo48LaDbfWbuThcdUFdpKXUd6lvJ2vCnbN6e1fzJdjpCNg9mb2g8KnSW9xqXek8cx0b+LNh+p/YDUI/BZDfsXjeqODiGEruYWfaYiL4STOOXIq5SoyP6XEDbX41UHcb/P3pJExBB7R6fpUFREUd0tUAQAQ93YUitWIs8U1tVAB9/qaUO6BFgOghrbswUiX4twVdmqhrBVOcYUImu7LUdcpMLIdR/gyy47w8xEhiv/oudWVx7rkJS4+l949KtUmyd5x+MNT7nAF99eSIv3iNpL6eS7OWiak5gfoVATy0shNd48H62mGtYjfoGzndGE26tNCHXoAkTrbQQKCAQEA47QXH0Y5xbnq8rlqukwVt+EDMJUtZBqfxGDnkDmtfGefxiyE1VLb+Q0Z1es3lxjcmb1Qupl9tjrWeejK2QymSOzPaluOTpIFOZbFqzNha68nONoiWjqwkCg7VvTo0mRKLwSEnCrCOB8HiLKQAhirdPwtW/8PLd+B8HZSB3UKFylbT+ghHIz5b4P81GksRGbsb6g3+ipz53mvtJpe77J7Y84wPQppj6Ry0WjsQr4iv2hF5PWNMhHVDj8eO80DJvWRCFVTWqTE3WYxZJ/5jdeOdVTwtrYghP72X0zAnVpQCVzcn8tLghKsfePhCw3zNtFE3dk4XHQD4uhPU88GtxJ3vwKCAQEA0fHVZmW8EwxYUEzhFl+2J4evszh8R2Sga+LHv4hy2qGydiciVnv4Y/IoScc0IQ+YHoj9fNad+/UoR8ctSBgrPDzeiY/7ldSp/j5Tbqb4h3Ioaqf9uNg7qHpnciz1o8AI8fFelXZ5hA8GuXo8VGy60xMCyapjkLzTXshdRPjUzcLX1PrUy+me4ZR/KdIkqOOmzgvBVII3gb0iN70gTqn2HSIUC3yMiXA+X6OkHoDL7tn8tkF/aD+uenxOvOadsoJPtaFPaMD0X5vJ8LIjsBThAncVApx93XJIdkJm2ffXq2JhQJfZ6ZXypa6ooepzmB58kxA+TZiJpQLLQJ17xC/sYQKCAQBwuzJPW3cyuw7kyINcZFrERHRN0y07yCqdENTUBJotYygo9tV0v6cEMEZAMEm/VqGww5d6Ko+gbpTMmkIDH04cAJHXuChGIejQUCLg1Xk/1OF4NhaX0UKkvCZUsL+rmddYW8ZDgq/RFRunw6+kOg54xni2eRpMvcEZCZsm8fzi5qi8cNIjzm+XlCLSDpfJ7aLUzNWZ1va2/PnOUjb6OMT57pTXQ5ZrdSEbJ/UAPh354WfpKOCUj1uJyBnxxVfwK9d35rZzw+trKTL+/GySmst+r2TVMGn9LjVPjTI3NQU2/XCE9CMX7KLVWMKLtIZa91Q++VH8A7wA1L6hYXeTn2MFAoIBAEb5xvdTNX4LEmAzXXU+7kn26UNhuUI5lrJifL0X2BxpxfeDy2wJhTPkzhIDMnBq4TaRgYEO3WIsw21gvMI+yX8X5PQEpT1GJCI71+D0udiwk1Fbcb9n+uM+XnKPGIw/g8annx5Qa0xl+BQEaxjvmUl6h9q9q+Nmst68RivnI6pcULNECWTWmkwQ89yjmpkuPVozRyzWyQUnd8X4Pk/ZzcaTmss3VBuywqN6oyVczZT2RSUoh3Yq8UWfeM8L+Aw9Wc1Bt6LmeLdJ579jugTxShCXSZcUaMjQtgak9DiEPXlHTTGVJKp/cwToQ0JaDLJEvEDLoQSCqSYMB8LUet8chIECggEBANxvUJxCLbx4CZrUJC5O2w01GMDFdTfYOUcK75pFAbXkpBPXDLsuz2dK1y8ANk3ibWWrlV6YKDUwl+gWDHmJOcvKqKKAeUnrhIMmJGaO6C++5DxPE/n7g5M86GA0bu/+B+32wL/65B8HoJrkHnSMJp9GcCsVZA3+2xcJfo+xAiXeiRobRIxCQMYCDDM7Hr7X5jGa7l9bQr4GuWRKRYTroE9LCDnH/LLUN+0ny3UXrSjtTUVL4mVAJT0Ws2H1zUzVDbu7ZQgA0u3GjtdFvAnS/E+ln8DS3Q1DeD6Zsf0hrrJbtwU4zZIU445SZ+IUaTjueB9v/skukoIQi/0Mj+gpZ1c=";
|
|
2
|
+
export declare const privateKey: string;
|
|
2
3
|
export declare const encodedPublicKey = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQ==";
|
|
3
4
|
export declare const publicKey: string;
|
|
4
5
|
export declare const sampleCookie = "Zmlyc3ROYW1lPVRlc3QmbGFzdE5hbWU9VXNlciZlbWFpbD10ZXN0LnVzZXJAZ3VhcmRpYW4uY28udWsmc3lzdGVtPXRlc3QmYXV0aGVkSW49dGVzdCZleHBpcmVzPTEyMzQmbXVsdGlmYWN0b3I9dHJ1ZQ==.tDQmAb1HaXzrEaLQKK3xLtICoQm6R/8eFbjISe7IHggNOzdnypnPZKXiWXqYbC22ROL0i0e+iUWHc7icEfAO6LXv5PwTQuvI8i/q8IE5Vp+/8S319dvNOyivXiLAdTBIvqjPF0ue4Cj0j3uWMU/n0A54qtX7PDJJSDdYmRRbDN/FsmnEslqBGCDSzMTkNhPBBXcndn2YXLTnMv0vmZbRJxyygRfV3rvy6vzU4NqaIMkvSu3vd0Pqj75B9IAG0epSvC36ysAUrvhYSWcWMj8sv0oh0lWuo1Ilu5Vu+8oJ5eEr82ZqALT9o+8dP7h4NGtRNkgP81y2RtK68eDWCpOKp2JXwrvb+F7QInEsZcatEr2aKioCsaszNt5tH0FtVVuwZ+Ul6Fsu2hZG84a1pTq34zsxh0WafYTciAOmoMvQQcZSKpJc9GfxtBQo6lq9X7TPIG4flNyWS7GD61p9q8pqG5wgtandG9lIueEJLSsMOPkhGfBs/WOfLs1ftquwqt14q985twBw3k6yvMBcVB9pPdm0h/6vcLF4GwZekHiFhOmyguU7FLaDfHL+TIHSPlCy1iCtE9BmIU0g0e2RRN4bDMT6PrLPN+fx34/2dlonGHnDyQw794G0NOBKUtxsaw6dx60yv/J19dau91qyGfTMb4nXmehm8/B78y/RecveWgI=";
|
package/dist/test/fixtures.js
CHANGED
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.sampleNonGuardianCookie = exports.sampleCookieWithoutMultifactor = exports.sampleCookie = exports.publicKey = exports.encodedPublicKey = exports.privateKey = exports.encodedPrivateKey = void 0;
|
|
3
4
|
const utils_1 = require("../src/utils");
|
|
4
|
-
// The private key is not required by the node module as it can only verify cookies, not generate them
|
|
5
|
-
// I've included it here however so we can use it to generate new cookie data for future tests
|
|
6
5
|
exports.encodedPrivateKey = "MIIJKAIBAAKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQKCAgAFEDXDb10Rtl5vT6oXLjzswYcD6Ct8v23eLYcKqJlNeXuysQODxnJAxBTuubPvXOSxC6DVbaa7zQxqldjPy92eVfDiOii5naR648AMG2Rl4ybm9+Zfvnwgu9WIjLxFK6zl6A0dMi82W47HP6s5d8gbWREjtO1HXOCGe6rIUyLpC3mm5JX/aaeG9NHRsNeY5vXWgsrOdgaUSeaPSsiXvi/XdPP94aBdvDjqq0kKssQofA5PTMlOd0Nv+lN9Sew7po0NJ4q/U7aFzF5BaFidty8JA3DdQQRPgVrWVF57StvHkYMZSnwgWA6noZaWL/N2RkbeQw0KsDKxdo3KFYkVb8OuTN68b3J5sKIo48LaDbfWbuThcdUFdpKXUd6lvJ2vCnbN6e1fzJdjpCNg9mb2g8KnSW9xqXek8cx0b+LNh+p/YDUI/BZDfsXjeqODiGEruYWfaYiL4STOOXIq5SoyP6XEDbX41UHcb/P3pJExBB7R6fpUFREUd0tUAQAQ93YUitWIs8U1tVAB9/qaUO6BFgOghrbswUiX4twVdmqhrBVOcYUImu7LUdcpMLIdR/gyy47w8xEhiv/oudWVx7rkJS4+l949KtUmyd5x+MNT7nAF99eSIv3iNpL6eS7OWiak5gfoVATy0shNd48H62mGtYjfoGzndGE26tNCHXoAkTrbQQKCAQEA47QXH0Y5xbnq8rlqukwVt+EDMJUtZBqfxGDnkDmtfGefxiyE1VLb+Q0Z1es3lxjcmb1Qupl9tjrWeejK2QymSOzPaluOTpIFOZbFqzNha68nONoiWjqwkCg7VvTo0mRKLwSEnCrCOB8HiLKQAhirdPwtW/8PLd+B8HZSB3UKFylbT+ghHIz5b4P81GksRGbsb6g3+ipz53mvtJpe77J7Y84wPQppj6Ry0WjsQr4iv2hF5PWNMhHVDj8eO80DJvWRCFVTWqTE3WYxZJ/5jdeOdVTwtrYghP72X0zAnVpQCVzcn8tLghKsfePhCw3zNtFE3dk4XHQD4uhPU88GtxJ3vwKCAQEA0fHVZmW8EwxYUEzhFl+2J4evszh8R2Sga+LHv4hy2qGydiciVnv4Y/IoScc0IQ+YHoj9fNad+/UoR8ctSBgrPDzeiY/7ldSp/j5Tbqb4h3Ioaqf9uNg7qHpnciz1o8AI8fFelXZ5hA8GuXo8VGy60xMCyapjkLzTXshdRPjUzcLX1PrUy+me4ZR/KdIkqOOmzgvBVII3gb0iN70gTqn2HSIUC3yMiXA+X6OkHoDL7tn8tkF/aD+uenxOvOadsoJPtaFPaMD0X5vJ8LIjsBThAncVApx93XJIdkJm2ffXq2JhQJfZ6ZXypa6ooepzmB58kxA+TZiJpQLLQJ17xC/sYQKCAQBwuzJPW3cyuw7kyINcZFrERHRN0y07yCqdENTUBJotYygo9tV0v6cEMEZAMEm/VqGww5d6Ko+gbpTMmkIDH04cAJHXuChGIejQUCLg1Xk/1OF4NhaX0UKkvCZUsL+rmddYW8ZDgq/RFRunw6+kOg54xni2eRpMvcEZCZsm8fzi5qi8cNIjzm+XlCLSDpfJ7aLUzNWZ1va2/PnOUjb6OMT57pTXQ5ZrdSEbJ/UAPh354WfpKOCUj1uJyBnxxVfwK9d35rZzw+trKTL+/GySmst+r2TVMGn9LjVPjTI3NQU2/XCE9CMX7KLVWMKLtIZa91Q++VH8A7wA1L6hYXeTn2MFAoIBAEb5xvdTNX4LEmAzXXU+7kn26UNhuUI5lrJifL0X2BxpxfeDy2wJhTPkzhIDMnBq4TaRgYEO3WIsw21gvMI+yX8X5PQEpT1GJCI71+D0udiwk1Fbcb9n+uM+XnKPGIw/g8annx5Qa0xl+BQEaxjvmUl6h9q9q+Nmst68RivnI6pcULNECWTWmkwQ89yjmpkuPVozRyzWyQUnd8X4Pk/ZzcaTmss3VBuywqN6oyVczZT2RSUoh3Yq8UWfeM8L+Aw9Wc1Bt6LmeLdJ579jugTxShCXSZcUaMjQtgak9DiEPXlHTTGVJKp/cwToQ0JaDLJEvEDLoQSCqSYMB8LUet8chIECggEBANxvUJxCLbx4CZrUJC5O2w01GMDFdTfYOUcK75pFAbXkpBPXDLsuz2dK1y8ANk3ibWWrlV6YKDUwl+gWDHmJOcvKqKKAeUnrhIMmJGaO6C++5DxPE/n7g5M86GA0bu/+B+32wL/65B8HoJrkHnSMJp9GcCsVZA3+2xcJfo+xAiXeiRobRIxCQMYCDDM7Hr7X5jGa7l9bQr4GuWRKRYTroE9LCDnH/LLUN+0ny3UXrSjtTUVL4mVAJT0Ws2H1zUzVDbu7ZQgA0u3GjtdFvAnS/E+ln8DS3Q1DeD6Zsf0hrrJbtwU4zZIU445SZ+IUaTjueB9v/skukoIQi/0Mj+gpZ1c=";
|
|
6
|
+
exports.privateKey = utils_1.base64ToPEM(exports.encodedPrivateKey, "RSA PRIVATE");
|
|
7
7
|
exports.encodedPublicKey = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQ==";
|
|
8
|
-
exports.publicKey = utils_1.base64ToPEM(exports.encodedPublicKey);
|
|
8
|
+
exports.publicKey = utils_1.base64ToPEM(exports.encodedPublicKey, "PUBLIC");
|
|
9
9
|
// The comments above each fixture are the Scala case classe representation used to generate the encoded cookie
|
|
10
10
|
/*
|
|
11
11
|
val user = AuthenticatedUser(
|
package/dist/test/panda.test.js
CHANGED
|
@@ -1,24 +1,114 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
3
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
4
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
5
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
6
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
7
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
8
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
|
+
});
|
|
10
|
+
};
|
|
2
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
12
|
const api_1 = require("../src/api");
|
|
4
13
|
const panda_1 = require("../src/panda");
|
|
14
|
+
const fetch_public_key_1 = require("../src/fetch-public-key");
|
|
5
15
|
const fixtures_1 = require("./fixtures");
|
|
6
|
-
|
|
7
|
-
|
|
16
|
+
const utils_1 = require("../src/utils");
|
|
17
|
+
jest.mock('../src/fetch-public-key');
|
|
18
|
+
jest.useFakeTimers('modern');
|
|
19
|
+
describe('verifyUser', function () {
|
|
20
|
+
test("return invalid cookie if missing", () => {
|
|
21
|
+
expect(panda_1.verifyUser(undefined, "", new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
|
|
22
|
+
});
|
|
23
|
+
test("return invalid cookie for a malformed signature", () => {
|
|
24
|
+
const [data, signature] = fixtures_1.sampleCookie.split(".");
|
|
25
|
+
const testCookie = data + ".1234";
|
|
26
|
+
expect(panda_1.verifyUser(testCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
|
|
27
|
+
});
|
|
28
|
+
test("return expired", () => {
|
|
29
|
+
const someTimeInTheFuture = new Date(5678);
|
|
30
|
+
expect(someTimeInTheFuture.getTime()).toBe(5678);
|
|
31
|
+
expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, someTimeInTheFuture, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.EXPIRED);
|
|
32
|
+
});
|
|
33
|
+
test("return not authenticated if user fails validation function", () => {
|
|
34
|
+
expect(panda_1.verifyUser(fixtures_1.sampleCookieWithoutMultifactor, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
|
|
35
|
+
expect(panda_1.verifyUser(fixtures_1.sampleNonGuardianCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
|
|
36
|
+
});
|
|
37
|
+
test("return authenticated", () => {
|
|
38
|
+
expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.AUTHORISED);
|
|
39
|
+
});
|
|
8
40
|
});
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
41
|
+
describe('createCookie', function () {
|
|
42
|
+
it('should return the same cookie based on the user details being provided', function () {
|
|
43
|
+
const user = {
|
|
44
|
+
firstName: "Test",
|
|
45
|
+
lastName: "User",
|
|
46
|
+
email: "test.user@guardian.co.uk",
|
|
47
|
+
authenticatingSystem: "test",
|
|
48
|
+
authenticatedIn: ["test"],
|
|
49
|
+
expires: 1234,
|
|
50
|
+
multifactor: true
|
|
51
|
+
};
|
|
52
|
+
const cookie = panda_1.createCookie(user, fixtures_1.privateKey);
|
|
53
|
+
expect(utils_1.decodeBase64(cookie)).toEqual(utils_1.decodeBase64(fixtures_1.sampleCookie));
|
|
54
|
+
expect(cookie).toEqual(fixtures_1.sampleCookie);
|
|
55
|
+
});
|
|
13
56
|
});
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
});
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
57
|
+
describe('panda class', function () {
|
|
58
|
+
beforeEach(() => {
|
|
59
|
+
fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
|
|
60
|
+
});
|
|
61
|
+
describe('stop', () => {
|
|
62
|
+
it('stops auto refresh', () => {
|
|
63
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
|
|
64
|
+
expect(panda.keyUpdateTimer).not.toBeUndefined();
|
|
65
|
+
panda.stop();
|
|
66
|
+
expect(panda.keyUpdateTimer).toBeUndefined();
|
|
67
|
+
});
|
|
68
|
+
});
|
|
69
|
+
describe('getPublicKey', () => {
|
|
70
|
+
it('getsPublicKey immediately when last fetch is within the cache time', () => __awaiter(this, void 0, void 0, function* () {
|
|
71
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
|
|
72
|
+
const fetchesBeforeGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
|
|
73
|
+
yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
|
|
74
|
+
const fetchesAfterGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
|
|
75
|
+
expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
|
|
76
|
+
}));
|
|
77
|
+
it('getsPublicKey after refetching when last fetch is outside the cache time', () => __awaiter(this, void 0, void 0, function* () {
|
|
78
|
+
// cache time is 1 min
|
|
79
|
+
const fiveMinsAgo = new Date();
|
|
80
|
+
fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
|
|
81
|
+
fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
|
|
82
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
|
|
83
|
+
const fetchesBefore = fetch_public_key_1.fetchPublicKey.mock.calls.length;
|
|
84
|
+
yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
|
|
85
|
+
fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
|
|
86
|
+
const fetchesAfter = fetch_public_key_1.fetchPublicKey.mock.calls.length;
|
|
87
|
+
yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
|
|
88
|
+
expect(fetchesAfter).toEqual(fetchesBefore + 1);
|
|
89
|
+
}));
|
|
90
|
+
});
|
|
91
|
+
describe('verify', () => {
|
|
92
|
+
beforeEach(() => {
|
|
93
|
+
fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: fixtures_1.publicKey, lastUpdated: new Date() });
|
|
94
|
+
});
|
|
95
|
+
it('should return authenticated if valid', () => __awaiter(this, void 0, void 0, function* () {
|
|
96
|
+
jest.setSystemTime(100);
|
|
97
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
|
|
98
|
+
const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
|
|
99
|
+
expect(status).toBe(api_1.AuthenticationStatus.AUTHORISED);
|
|
100
|
+
}));
|
|
101
|
+
it('should return expired if expired', () => __awaiter(this, void 0, void 0, function* () {
|
|
102
|
+
jest.setSystemTime(10000);
|
|
103
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
|
|
104
|
+
const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
|
|
105
|
+
expect(status).toBe(api_1.AuthenticationStatus.EXPIRED);
|
|
106
|
+
}));
|
|
107
|
+
it('should return not authenticated if validation fails', () => __awaiter(this, void 0, void 0, function* () {
|
|
108
|
+
jest.setSystemTime(100);
|
|
109
|
+
const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', api_1.guardianValidation);
|
|
110
|
+
const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleNonGuardianCookie}`);
|
|
111
|
+
expect(status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
|
|
112
|
+
}));
|
|
113
|
+
});
|
|
24
114
|
});
|
package/jest.config.js
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@guardian/pan-domain-node",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "NodeJs implementation of Guardian pan-domain auth verification",
|
|
5
5
|
"main": "dist/src/api.js",
|
|
6
6
|
"types": "dist/src/api.d.ts",
|
|
@@ -22,16 +22,17 @@
|
|
|
22
22
|
},
|
|
23
23
|
"homepage": "https://github.com/guardian/pan-domain-authentication",
|
|
24
24
|
"devDependencies": {
|
|
25
|
-
"@
|
|
25
|
+
"@changesets/cli": "^2.27.10",
|
|
26
|
+
"@types/cookie": "^0.4.0",
|
|
26
27
|
"@types/iniparser": "0.0.29",
|
|
27
|
-
"@types/jest": "^
|
|
28
|
-
"@types/node": "^
|
|
29
|
-
"jest": "^
|
|
30
|
-
"ts-jest": "^
|
|
31
|
-
"typescript": "^3.
|
|
28
|
+
"@types/jest": "^26.0.9",
|
|
29
|
+
"@types/node": "^14.0.27",
|
|
30
|
+
"jest": "^26.2.2",
|
|
31
|
+
"ts-jest": "^26.1.4",
|
|
32
|
+
"typescript": "^3.9.7"
|
|
32
33
|
},
|
|
33
34
|
"dependencies": {
|
|
34
|
-
"cookie": "^0.
|
|
35
|
+
"cookie": "^0.4.1",
|
|
35
36
|
"iniparser": "^1.0.5"
|
|
36
37
|
},
|
|
37
38
|
"scripts": {
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import * as iniparser from 'iniparser';
|
|
2
|
+
import {base64ToPEM, httpGet} from './utils';
|
|
3
|
+
|
|
4
|
+
export interface PublicKeyHolder {
|
|
5
|
+
key: string,
|
|
6
|
+
lastUpdated: Date
|
|
7
|
+
}
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
export function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder> {
|
|
11
|
+
const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
|
|
12
|
+
|
|
13
|
+
return httpGet(path).then(response => {
|
|
14
|
+
const config: { publicKey?: string} = iniparser.parseString(response);
|
|
15
|
+
|
|
16
|
+
if(config.publicKey) {
|
|
17
|
+
return {
|
|
18
|
+
key: base64ToPEM(config.publicKey, "PUBLIC"),
|
|
19
|
+
lastUpdated: new Date()
|
|
20
|
+
};
|
|
21
|
+
} else {
|
|
22
|
+
throw new Error("Missing publicKey setting from config");
|
|
23
|
+
}
|
|
24
|
+
});
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
|
package/src/panda.ts
CHANGED
|
@@ -1,32 +1,30 @@
|
|
|
1
|
-
import * as iniparser from 'iniparser';
|
|
2
1
|
import * as cookie from 'cookie';
|
|
3
2
|
|
|
4
|
-
import {
|
|
5
|
-
import {
|
|
3
|
+
import {parseCookie, parseUser, sign, verifySignature} from './utils';
|
|
4
|
+
import {AuthenticationStatus, User, AuthenticationResult, ValidateUserFn} from './api';
|
|
5
|
+
import { fetchPublicKey, PublicKeyHolder } from './fetch-public-key';
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
lastUpdated: Date
|
|
10
|
-
}
|
|
7
|
+
export function createCookie(user: User, privateKey: string): string {
|
|
8
|
+
let queryParams: string[] = [];
|
|
11
9
|
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
10
|
+
queryParams.push("firstName=" + user.firstName);
|
|
11
|
+
queryParams.push("lastName=" + user.lastName);
|
|
12
|
+
queryParams.push("email=" + user.email);
|
|
13
|
+
user.avatarUrl && queryParams.push("avatarUrl=" + user.avatarUrl);
|
|
14
|
+
queryParams.push("system=" + user.authenticatingSystem);
|
|
15
|
+
queryParams.push("authedIn=" + user.authenticatedIn.join(","));
|
|
16
|
+
queryParams.push("expires=" + user.expires.toString());
|
|
17
|
+
queryParams.push("multifactor=" + String(user.multifactor));
|
|
18
|
+
const combined = queryParams.join("&");
|
|
19
|
+
|
|
20
|
+
const queryParamsString = Buffer.from(combined).toString('base64');
|
|
21
|
+
|
|
22
|
+
const signature = sign(combined, privateKey);
|
|
23
|
+
|
|
24
|
+
return queryParamsString + "." + signature
|
|
27
25
|
}
|
|
28
26
|
|
|
29
|
-
export function verifyUser(pandaCookie: string | undefined, publicKey: string,
|
|
27
|
+
export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult {
|
|
30
28
|
if(!pandaCookie) {
|
|
31
29
|
return { status: AuthenticationStatus.INVALID_COOKIE };
|
|
32
30
|
}
|
|
@@ -37,9 +35,11 @@ export function verifyUser(pandaCookie: string | undefined, publicKey: string, c
|
|
|
37
35
|
return { status: AuthenticationStatus.INVALID_COOKIE };
|
|
38
36
|
}
|
|
39
37
|
|
|
38
|
+
const currentTimestampInMilliseconds = currentTime.getTime();
|
|
39
|
+
|
|
40
40
|
try {
|
|
41
41
|
const user: User = parseUser(data);
|
|
42
|
-
const isExpired = user.expires <
|
|
42
|
+
const isExpired = user.expires < currentTimestampInMilliseconds;
|
|
43
43
|
|
|
44
44
|
if(isExpired) {
|
|
45
45
|
return { status: AuthenticationStatus.EXPIRED, user };
|
|
@@ -65,7 +65,7 @@ export class PanDomainAuthentication {
|
|
|
65
65
|
|
|
66
66
|
publicKey: Promise<PublicKeyHolder>;
|
|
67
67
|
keyCacheTime: number = 60 * 1000; // 1 minute
|
|
68
|
-
keyUpdateTimer?: NodeJS.Timeout
|
|
68
|
+
keyUpdateTimer?: NodeJS.Timeout;
|
|
69
69
|
|
|
70
70
|
constructor(cookieName: string, region: string, bucket: string, keyFile: string, validateUser: ValidateUserFn) {
|
|
71
71
|
this.cookieName = cookieName;
|
|
@@ -75,20 +75,21 @@ export class PanDomainAuthentication {
|
|
|
75
75
|
this.validateUser = validateUser;
|
|
76
76
|
|
|
77
77
|
this.publicKey = fetchPublicKey(region, bucket, keyFile);
|
|
78
|
-
|
|
78
|
+
|
|
79
79
|
this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTime);
|
|
80
80
|
}
|
|
81
81
|
|
|
82
82
|
stop(): void {
|
|
83
83
|
if(this.keyUpdateTimer) {
|
|
84
84
|
clearInterval(this.keyUpdateTimer);
|
|
85
|
+
this.keyUpdateTimer = undefined;
|
|
85
86
|
}
|
|
86
87
|
}
|
|
87
88
|
|
|
88
89
|
getPublicKey(): Promise<string> {
|
|
89
90
|
return this.publicKey.then(({ key, lastUpdated }) => {
|
|
90
91
|
const now = new Date();
|
|
91
|
-
const diff = now.
|
|
92
|
+
const diff = now.getTime() - lastUpdated.getTime();
|
|
92
93
|
|
|
93
94
|
if(diff > this.keyCacheTime) {
|
|
94
95
|
this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
|
|
@@ -104,8 +105,7 @@ export class PanDomainAuthentication {
|
|
|
104
105
|
const cookies = cookie.parse(requestCookies);
|
|
105
106
|
const pandaCookie = cookies[this.cookieName];
|
|
106
107
|
|
|
107
|
-
|
|
108
|
-
return verifyUser(pandaCookie, publicKey, now, this.validateUser);
|
|
108
|
+
return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
|
|
109
109
|
});
|
|
110
110
|
}
|
|
111
|
-
}
|
|
111
|
+
}
|
package/src/utils.ts
CHANGED
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
import * as crypto from 'crypto';
|
|
2
2
|
import * as https from 'https';
|
|
3
3
|
|
|
4
|
-
import {
|
|
5
|
-
import {
|
|
4
|
+
import {User} from './api';
|
|
5
|
+
import {URLSearchParams} from 'url';
|
|
6
6
|
|
|
7
7
|
export function decodeBase64(data: string): string {
|
|
8
|
-
return
|
|
8
|
+
return Buffer.from(data, 'base64').toString('utf8');
|
|
9
9
|
}
|
|
10
10
|
|
|
11
11
|
/**
|
|
@@ -28,13 +28,22 @@ export function verifySignature(message: string, signature: string, pandaPublicK
|
|
|
28
28
|
.verify(pandaPublicKey, signature, 'base64');
|
|
29
29
|
}
|
|
30
30
|
|
|
31
|
+
export function sign(message: string, privateKey: string): string {
|
|
32
|
+
const sign = crypto.createSign("sha256WithRSAEncryption");
|
|
33
|
+
sign.write(message);
|
|
34
|
+
sign.end();
|
|
35
|
+
|
|
36
|
+
return sign.sign(privateKey, 'base64');
|
|
37
|
+
}
|
|
38
|
+
|
|
31
39
|
const ASCII_NEW_LINE = String.fromCharCode(10);
|
|
32
|
-
const PEM_HEADER = '-----BEGIN PUBLIC KEY-----';
|
|
33
|
-
const PEM_FOOTER = '-----END PUBLIC KEY-----';
|
|
34
40
|
|
|
35
|
-
export function base64ToPEM (key: string): string {
|
|
41
|
+
export function base64ToPEM (key: string, headerFooter: string): string {
|
|
42
|
+
const PEM_HEADER = `-----BEGIN ${headerFooter} KEY-----`;
|
|
43
|
+
const PEM_FOOTER = `-----END ${headerFooter} KEY-----`;
|
|
44
|
+
|
|
36
45
|
let tmp = [];
|
|
37
|
-
const ret = [
|
|
46
|
+
const ret = [Buffer.from(PEM_HEADER).toString('ascii')];
|
|
38
47
|
|
|
39
48
|
for (let i = 0, len = key.length; i < len; i++) {
|
|
40
49
|
|
|
@@ -47,7 +56,7 @@ export function base64ToPEM (key: string): string {
|
|
|
47
56
|
}
|
|
48
57
|
|
|
49
58
|
ret.push(tmp.join(''));
|
|
50
|
-
ret.push(
|
|
59
|
+
ret.push(Buffer.from(PEM_FOOTER).toString('ascii'));
|
|
51
60
|
|
|
52
61
|
return ret.join(ASCII_NEW_LINE);
|
|
53
62
|
}
|
|
@@ -61,7 +70,7 @@ export function httpGet(path: string): Promise<string> {
|
|
|
61
70
|
res.on('error', err => reject(err));
|
|
62
71
|
|
|
63
72
|
res.on('end', () => {
|
|
64
|
-
const body = data.join('');
|
|
73
|
+
const body = data.join('');
|
|
65
74
|
|
|
66
75
|
if(res.statusCode == 200) {
|
|
67
76
|
resolve(body);
|
|
@@ -69,7 +78,7 @@ export function httpGet(path: string): Promise<string> {
|
|
|
69
78
|
// Response might be XML
|
|
70
79
|
const match = body.match(/<message>(.*)<\/message>/i);
|
|
71
80
|
const error = new Error(match ? match[1] : 'Invalid public key response');
|
|
72
|
-
|
|
81
|
+
|
|
73
82
|
reject(error);
|
|
74
83
|
}
|
|
75
84
|
});
|
|
@@ -117,4 +126,4 @@ export function parseUser(data: string): User {
|
|
|
117
126
|
expires: numberField("expires"),
|
|
118
127
|
multifactor: booleanField("multifactor")
|
|
119
128
|
};
|
|
120
|
-
}
|
|
129
|
+
}
|
package/test/fixtures.ts
CHANGED
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
import { base64ToPEM } from '../src/utils';
|
|
2
2
|
|
|
3
|
-
// The private key is not required by the node module as it can only verify cookies, not generate them
|
|
4
|
-
// I've included it here however so we can use it to generate new cookie data for future tests
|
|
5
3
|
export const encodedPrivateKey = "MIIJKAIBAAKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQKCAgAFEDXDb10Rtl5vT6oXLjzswYcD6Ct8v23eLYcKqJlNeXuysQODxnJAxBTuubPvXOSxC6DVbaa7zQxqldjPy92eVfDiOii5naR648AMG2Rl4ybm9+Zfvnwgu9WIjLxFK6zl6A0dMi82W47HP6s5d8gbWREjtO1HXOCGe6rIUyLpC3mm5JX/aaeG9NHRsNeY5vXWgsrOdgaUSeaPSsiXvi/XdPP94aBdvDjqq0kKssQofA5PTMlOd0Nv+lN9Sew7po0NJ4q/U7aFzF5BaFidty8JA3DdQQRPgVrWVF57StvHkYMZSnwgWA6noZaWL/N2RkbeQw0KsDKxdo3KFYkVb8OuTN68b3J5sKIo48LaDbfWbuThcdUFdpKXUd6lvJ2vCnbN6e1fzJdjpCNg9mb2g8KnSW9xqXek8cx0b+LNh+p/YDUI/BZDfsXjeqODiGEruYWfaYiL4STOOXIq5SoyP6XEDbX41UHcb/P3pJExBB7R6fpUFREUd0tUAQAQ93YUitWIs8U1tVAB9/qaUO6BFgOghrbswUiX4twVdmqhrBVOcYUImu7LUdcpMLIdR/gyy47w8xEhiv/oudWVx7rkJS4+l949KtUmyd5x+MNT7nAF99eSIv3iNpL6eS7OWiak5gfoVATy0shNd48H62mGtYjfoGzndGE26tNCHXoAkTrbQQKCAQEA47QXH0Y5xbnq8rlqukwVt+EDMJUtZBqfxGDnkDmtfGefxiyE1VLb+Q0Z1es3lxjcmb1Qupl9tjrWeejK2QymSOzPaluOTpIFOZbFqzNha68nONoiWjqwkCg7VvTo0mRKLwSEnCrCOB8HiLKQAhirdPwtW/8PLd+B8HZSB3UKFylbT+ghHIz5b4P81GksRGbsb6g3+ipz53mvtJpe77J7Y84wPQppj6Ry0WjsQr4iv2hF5PWNMhHVDj8eO80DJvWRCFVTWqTE3WYxZJ/5jdeOdVTwtrYghP72X0zAnVpQCVzcn8tLghKsfePhCw3zNtFE3dk4XHQD4uhPU88GtxJ3vwKCAQEA0fHVZmW8EwxYUEzhFl+2J4evszh8R2Sga+LHv4hy2qGydiciVnv4Y/IoScc0IQ+YHoj9fNad+/UoR8ctSBgrPDzeiY/7ldSp/j5Tbqb4h3Ioaqf9uNg7qHpnciz1o8AI8fFelXZ5hA8GuXo8VGy60xMCyapjkLzTXshdRPjUzcLX1PrUy+me4ZR/KdIkqOOmzgvBVII3gb0iN70gTqn2HSIUC3yMiXA+X6OkHoDL7tn8tkF/aD+uenxOvOadsoJPtaFPaMD0X5vJ8LIjsBThAncVApx93XJIdkJm2ffXq2JhQJfZ6ZXypa6ooepzmB58kxA+TZiJpQLLQJ17xC/sYQKCAQBwuzJPW3cyuw7kyINcZFrERHRN0y07yCqdENTUBJotYygo9tV0v6cEMEZAMEm/VqGww5d6Ko+gbpTMmkIDH04cAJHXuChGIejQUCLg1Xk/1OF4NhaX0UKkvCZUsL+rmddYW8ZDgq/RFRunw6+kOg54xni2eRpMvcEZCZsm8fzi5qi8cNIjzm+XlCLSDpfJ7aLUzNWZ1va2/PnOUjb6OMT57pTXQ5ZrdSEbJ/UAPh354WfpKOCUj1uJyBnxxVfwK9d35rZzw+trKTL+/GySmst+r2TVMGn9LjVPjTI3NQU2/XCE9CMX7KLVWMKLtIZa91Q++VH8A7wA1L6hYXeTn2MFAoIBAEb5xvdTNX4LEmAzXXU+7kn26UNhuUI5lrJifL0X2BxpxfeDy2wJhTPkzhIDMnBq4TaRgYEO3WIsw21gvMI+yX8X5PQEpT1GJCI71+D0udiwk1Fbcb9n+uM+XnKPGIw/g8annx5Qa0xl+BQEaxjvmUl6h9q9q+Nmst68RivnI6pcULNECWTWmkwQ89yjmpkuPVozRyzWyQUnd8X4Pk/ZzcaTmss3VBuywqN6oyVczZT2RSUoh3Yq8UWfeM8L+Aw9Wc1Bt6LmeLdJ579jugTxShCXSZcUaMjQtgak9DiEPXlHTTGVJKp/cwToQ0JaDLJEvEDLoQSCqSYMB8LUet8chIECggEBANxvUJxCLbx4CZrUJC5O2w01GMDFdTfYOUcK75pFAbXkpBPXDLsuz2dK1y8ANk3ibWWrlV6YKDUwl+gWDHmJOcvKqKKAeUnrhIMmJGaO6C++5DxPE/n7g5M86GA0bu/+B+32wL/65B8HoJrkHnSMJp9GcCsVZA3+2xcJfo+xAiXeiRobRIxCQMYCDDM7Hr7X5jGa7l9bQr4GuWRKRYTroE9LCDnH/LLUN+0ny3UXrSjtTUVL4mVAJT0Ws2H1zUzVDbu7ZQgA0u3GjtdFvAnS/E+ln8DS3Q1DeD6Zsf0hrrJbtwU4zZIU445SZ+IUaTjueB9v/skukoIQi/0Mj+gpZ1c=";
|
|
4
|
+
export const privateKey = base64ToPEM(encodedPrivateKey, "RSA PRIVATE");
|
|
6
5
|
|
|
7
6
|
export const encodedPublicKey = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQ==";
|
|
8
|
-
export const publicKey = base64ToPEM(encodedPublicKey);
|
|
7
|
+
export const publicKey = base64ToPEM(encodedPublicKey, "PUBLIC");
|
|
9
8
|
|
|
10
9
|
// The comments above each fixture are the Scala case classe representation used to generate the encoded cookie
|
|
11
10
|
|
|
@@ -42,4 +41,4 @@ export const sampleCookieWithoutMultifactor =
|
|
|
42
41
|
)
|
|
43
42
|
*/
|
|
44
43
|
export const sampleNonGuardianCookie =
|
|
45
|
-
"Zmlyc3ROYW1lPVRlc3QmbGFzdE5hbWU9VXNlciZlbWFpbD10ZXN0LnVzZXJAYmJjLmNvLnVrJnN5c3RlbT10ZXN0JmF1dGhlZEluPXRlc3QmZXhwaXJlcz0xMjM0Jm11bHRpZmFjdG9yPWZhbHNl.mX4eQF7RXNJXnI9szVwGaMN5XL8ruTiZyDQ8/fEjO+TcC+q/y1rPCjRWAjhmBD+VjVES3IcCdlC4bVQ+T9BM9eLtZYnDGFDAalKP1BnoGYg3nGku0vJi7n+lS/UC16zmJyy19SgkI7GqjoTgaeN7PRgE4kZPWHtXJQa8GyC9Bc5SInvhgW04yIe6Pm9IIVGGNqWo3/qmiTDHxWPHBSxf8gNO3d1VTmp4homkIxKoqaJNloCPSjYvgk1kf8ZJQFPL00HNA+gYNRjQDpDbMAINMS3/BQLdEkRKaTIqmIEmp3+LVoN+8p11K7fd8deOQXsMqnhGCFwxAr3Mk1hUXQsvOl2uHSFg2eRhHbTbILvurNp3hmtF3kld6EmrFbKiag73YsLV6/x03CrhktvUmQlhP9/DdOt+qWEkDCcZP5z4oazJjiiVl21F2TZ1EOD3Yjw9OSVR7tGxe6gPzi/bQQa/Yl3Gd5FtR53QMbnKMBB3NIWxFl7JeVHtvZo+4SSjVRTPxtBnnwnYW+jQulhMCYuGRIKUJ4v4fbCsUXhBguYGYz6v1vKcllobkyMa8AVX38bLH/+CFY1u8mCdjD81Ojwg5iWPoJu/7z/AZ+cKNRquHuEa3z5R6OZBE4IxDqGFc5U8ZdvBYxtrPR19NzwmDZ0uebtZ047P7xQKHAaS+NTitDo=";
|
|
44
|
+
"Zmlyc3ROYW1lPVRlc3QmbGFzdE5hbWU9VXNlciZlbWFpbD10ZXN0LnVzZXJAYmJjLmNvLnVrJnN5c3RlbT10ZXN0JmF1dGhlZEluPXRlc3QmZXhwaXJlcz0xMjM0Jm11bHRpZmFjdG9yPWZhbHNl.mX4eQF7RXNJXnI9szVwGaMN5XL8ruTiZyDQ8/fEjO+TcC+q/y1rPCjRWAjhmBD+VjVES3IcCdlC4bVQ+T9BM9eLtZYnDGFDAalKP1BnoGYg3nGku0vJi7n+lS/UC16zmJyy19SgkI7GqjoTgaeN7PRgE4kZPWHtXJQa8GyC9Bc5SInvhgW04yIe6Pm9IIVGGNqWo3/qmiTDHxWPHBSxf8gNO3d1VTmp4homkIxKoqaJNloCPSjYvgk1kf8ZJQFPL00HNA+gYNRjQDpDbMAINMS3/BQLdEkRKaTIqmIEmp3+LVoN+8p11K7fd8deOQXsMqnhGCFwxAr3Mk1hUXQsvOl2uHSFg2eRhHbTbILvurNp3hmtF3kld6EmrFbKiag73YsLV6/x03CrhktvUmQlhP9/DdOt+qWEkDCcZP5z4oazJjiiVl21F2TZ1EOD3Yjw9OSVR7tGxe6gPzi/bQQa/Yl3Gd5FtR53QMbnKMBB3NIWxFl7JeVHtvZo+4SSjVRTPxtBnnwnYW+jQulhMCYuGRIKUJ4v4fbCsUXhBguYGYz6v1vKcllobkyMa8AVX38bLH/+CFY1u8mCdjD81Ojwg5iWPoJu/7z/AZ+cKNRquHuEa3z5R6OZBE4IxDqGFc5U8ZdvBYxtrPR19NzwmDZ0uebtZ047P7xQKHAaS+NTitDo=";
|
package/test/panda.test.ts
CHANGED
|
@@ -1,29 +1,153 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { verifyUser } from '../src/panda';
|
|
1
|
+
import {guardianValidation, AuthenticationStatus, User} from '../src/api';
|
|
2
|
+
import { verifyUser, createCookie, PanDomainAuthentication } from '../src/panda';
|
|
3
|
+
import { fetchPublicKey } from '../src/fetch-public-key';
|
|
3
4
|
|
|
4
|
-
import {
|
|
5
|
+
import {
|
|
6
|
+
sampleCookie,
|
|
7
|
+
sampleCookieWithoutMultifactor,
|
|
8
|
+
sampleNonGuardianCookie,
|
|
9
|
+
publicKey,
|
|
10
|
+
privateKey
|
|
11
|
+
} from './fixtures';
|
|
12
|
+
import {decodeBase64} from "../src/utils";
|
|
5
13
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
});
|
|
14
|
+
jest.mock('../src/fetch-public-key');
|
|
15
|
+
jest.useFakeTimers('modern');
|
|
9
16
|
|
|
10
|
-
|
|
11
|
-
const [data, signature] = sampleCookie.split(".");
|
|
12
|
-
const testCookie = data + ".1234";
|
|
17
|
+
describe('verifyUser', function () {
|
|
13
18
|
|
|
14
|
-
|
|
15
|
-
|
|
19
|
+
test("return invalid cookie if missing", () => {
|
|
20
|
+
expect(verifyUser(undefined, "", new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
|
|
21
|
+
});
|
|
22
|
+
|
|
23
|
+
test("return invalid cookie for a malformed signature", () => {
|
|
24
|
+
const [data, signature] = sampleCookie.split(".");
|
|
25
|
+
const testCookie = data + ".1234";
|
|
26
|
+
|
|
27
|
+
expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
|
|
28
|
+
});
|
|
29
|
+
|
|
30
|
+
test("return expired", () => {
|
|
31
|
+
const someTimeInTheFuture = new Date(5678);
|
|
32
|
+
expect(someTimeInTheFuture.getTime()).toBe(5678);
|
|
33
|
+
expect(verifyUser(sampleCookie, publicKey, someTimeInTheFuture, guardianValidation).status).toBe(AuthenticationStatus.EXPIRED);
|
|
34
|
+
});
|
|
16
35
|
|
|
17
|
-
test("return
|
|
18
|
-
|
|
19
|
-
|
|
36
|
+
test("return not authenticated if user fails validation function", () => {
|
|
37
|
+
expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
|
|
38
|
+
expect(verifyUser(sampleNonGuardianCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
|
|
39
|
+
});
|
|
40
|
+
|
|
41
|
+
test("return authenticated", () => {
|
|
42
|
+
expect(verifyUser(sampleCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
|
|
43
|
+
});
|
|
20
44
|
});
|
|
21
45
|
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
46
|
+
describe('createCookie', function () {
|
|
47
|
+
it('should return the same cookie based on the user details being provided', function () {
|
|
48
|
+
const user: User = {
|
|
49
|
+
firstName: "Test",
|
|
50
|
+
lastName: "User",
|
|
51
|
+
email: "test.user@guardian.co.uk",
|
|
52
|
+
authenticatingSystem: "test",
|
|
53
|
+
authenticatedIn: ["test"],
|
|
54
|
+
expires: 1234,
|
|
55
|
+
multifactor: true
|
|
56
|
+
};
|
|
57
|
+
|
|
58
|
+
const cookie = createCookie(user, privateKey);
|
|
59
|
+
|
|
60
|
+
expect(decodeBase64(cookie)).toEqual(decodeBase64(sampleCookie));
|
|
61
|
+
expect(cookie).toEqual(sampleCookie)
|
|
62
|
+
});
|
|
25
63
|
});
|
|
26
64
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
});
|
|
65
|
+
describe('panda class', function () {
|
|
66
|
+
beforeEach(() => {
|
|
67
|
+
(fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
|
|
68
|
+
});
|
|
69
|
+
|
|
70
|
+
describe('stop', () => {
|
|
71
|
+
|
|
72
|
+
it('stops auto refresh', () => {
|
|
73
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
|
|
74
|
+
expect(panda.keyUpdateTimer).not.toBeUndefined();
|
|
75
|
+
panda.stop();
|
|
76
|
+
expect(panda.keyUpdateTimer).toBeUndefined();
|
|
77
|
+
});
|
|
78
|
+
|
|
79
|
+
});
|
|
80
|
+
|
|
81
|
+
describe('getPublicKey', () => {
|
|
82
|
+
|
|
83
|
+
it('getsPublicKey immediately when last fetch is within the cache time', async () => {
|
|
84
|
+
|
|
85
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
|
|
86
|
+
const fetchesBeforeGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
|
|
87
|
+
|
|
88
|
+
await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
|
|
89
|
+
const fetchesAfterGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
|
|
90
|
+
|
|
91
|
+
expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
|
|
92
|
+
|
|
93
|
+
});
|
|
94
|
+
|
|
95
|
+
it('getsPublicKey after refetching when last fetch is outside the cache time', async () => {
|
|
96
|
+
// cache time is 1 min
|
|
97
|
+
const fiveMinsAgo = new Date();
|
|
98
|
+
fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
|
|
99
|
+
|
|
100
|
+
(fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
|
|
101
|
+
|
|
102
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
|
|
103
|
+
|
|
104
|
+
const fetchesBefore = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
|
|
105
|
+
|
|
106
|
+
await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
|
|
107
|
+
|
|
108
|
+
(fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
|
|
109
|
+
|
|
110
|
+
const fetchesAfter = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
|
|
111
|
+
|
|
112
|
+
await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
|
|
113
|
+
|
|
114
|
+
expect(fetchesAfter).toEqual(fetchesBefore + 1);
|
|
115
|
+
});
|
|
116
|
+
|
|
117
|
+
});
|
|
118
|
+
|
|
119
|
+
describe('verify', () => {
|
|
120
|
+
|
|
121
|
+
beforeEach(() => {
|
|
122
|
+
(fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: publicKey, lastUpdated: new Date() });
|
|
123
|
+
});
|
|
124
|
+
|
|
125
|
+
it('should return authenticated if valid', async () => {
|
|
126
|
+
jest.setSystemTime(100);
|
|
127
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
|
|
128
|
+
const { status } = await panda.verify(`cookiename=${sampleCookie}`);
|
|
129
|
+
|
|
130
|
+
expect(status).toBe(AuthenticationStatus.AUTHORISED);
|
|
131
|
+
});
|
|
132
|
+
|
|
133
|
+
it('should return expired if expired', async () => {
|
|
134
|
+
jest.setSystemTime(10_000);
|
|
135
|
+
|
|
136
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
|
|
137
|
+
const { status } = await panda.verify(`cookiename=${sampleCookie}`);
|
|
138
|
+
|
|
139
|
+
expect(status).toBe(AuthenticationStatus.EXPIRED);
|
|
140
|
+
});
|
|
141
|
+
|
|
142
|
+
it('should return not authenticated if validation fails', async () => {
|
|
143
|
+
jest.setSystemTime(100);
|
|
144
|
+
|
|
145
|
+
const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
|
|
146
|
+
const { status } = await panda.verify(`cookiename=${sampleNonGuardianCookie}`);
|
|
147
|
+
|
|
148
|
+
expect(status).toBe(AuthenticationStatus.NOT_AUTHORISED);
|
|
149
|
+
});
|
|
150
|
+
|
|
151
|
+
});
|
|
152
|
+
|
|
153
|
+
});
|