npm - @infoxchange/make-it-so - Versions diffs - 2.10.0 → 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.1 - Mend

@infoxchange/make-it-so 2.10.0 → 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/lib/auth/oidc.d.ts +26 -0
package/dist/lib/auth/oidc.d.ts.map +1 -0
package/dist/lib/auth/oidc.js +48 -0
package/package.json +1 -1
package/src/lib/auth/oidc.ts +73 -0

package/dist/lib/auth/oidc.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { JWTPayload } from "jose";
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+    token: string;
+    issuerUrl: string;
+    audience: string;
+    safeVerify?: SafeVerify;
+};
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export declare function verifyAccessToken<SafeVerify extends boolean = false>({ token, issuerUrl, audience, safeVerify, }: VerifyAccessTokenParams<SafeVerify>): Promise<SafeVerify extends true ? {
+    error: Error | unknown;
+    payload: null;
+} | {
+    error: null;
+    payload: JWTPayload;
+} : JWTPayload>;
+export {};
+//# sourceMappingURL=oidc.d.ts.map

package/dist/lib/auth/oidc.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,UAAU,EAAa,MAAM,MAAM,CAAC;AAEjE,KAAK,uBAAuB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,EAAE,EAC1E,KAAK,EACL,SAAS,EACT,QAAQ,EACR,UAAU,GACX,EAAE,uBAAuB,CAAC,UAAU,CAAC,GAAG,OAAO,CAC9C,UAAU,SAAS,IAAI,GAEf;IAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GACxC,UAAU,CACf,CAyCA"}

package/dist/lib/auth/oidc.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken({ token, issuerUrl, audience, safeVerify, }) {
+    try {
+        const issuer = await Issuer.discover(issuerUrl);
+        const jwksUri = issuer.metadata.jwks_uri;
+        if (!jwksUri) {
+            throw new Error("JWKS URI not found in issuer metadata");
+        }
+        const JWKS = createRemoteJWKSet(new URL(jwksUri));
+        // Verify the signature and basic claims
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer.metadata.issuer,
+        });
+        const tokenAud = payload.aud ?? payload.client_id;
+        let audienceMatches = false;
+        for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+            if (aud === audience) {
+                audienceMatches = true;
+                break;
+            }
+        }
+        if (!audienceMatches) {
+            console.info("Token data:", payload);
+            throw new Error(`Token audience does not match expected audience ${audience}`);
+        }
+        if (safeVerify) {
+            return { payload, error: null };
+        }
+        return payload;
+    }
+    catch (err) {
+        if (safeVerify) {
+            return { error: err, payload: null };
+        }
+        throw err;
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0",
+  "version": "2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.1",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/lib/auth/oidc.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, JWTPayload, jwtVerify } from "jose";
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+  token: string;
+  issuerUrl: string;
+  audience: string;
+  safeVerify?: SafeVerify;
+};
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken<SafeVerify extends boolean = false>({
+  token,
+  issuerUrl,
+  audience,
+  safeVerify,
+}: VerifyAccessTokenParams<SafeVerify>): Promise<
+  SafeVerify extends true
+    ?
+        | { error: Error | unknown; payload: null }
+        | { error: null; payload: JWTPayload }
+    : JWTPayload
+> {
+  try {
+    const issuer = await Issuer.discover(issuerUrl);
+    const jwksUri = issuer.metadata.jwks_uri;
+    if (!jwksUri) {
+      throw new Error("JWKS URI not found in issuer metadata");
+    }
+    const JWKS = createRemoteJWKSet(new URL(jwksUri));
+    // Verify the signature and basic claims
+    const { payload } = await jwtVerify(token, JWKS, {
+      issuer: issuer.metadata.issuer,
+    });
+    const tokenAud = payload.aud ?? payload.client_id;
+    let audienceMatches = false;
+    for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+      if (aud === audience) {
+        audienceMatches = true;
+        break;
+      }
+    }
+    if (!audienceMatches) {
+      console.info("Token data:", payload);
+      throw new Error(
+        `Token audience does not match expected audience ${audience}`,
+      );
+    }
+    if (safeVerify) {
+      return { payload, error: null };
+    }
+    return payload as SafeVerify extends true
+      ? { error: null; payload: JWTPayload }
+      : JWTPayload;
+  } catch (err) {
+    if (safeVerify) {
+      return { error: err, payload: null };
+    }
+    throw err;
+  }
+}