@nitra/cf-security 3.0.0 → 3.1.0

package/README.md

@@ -17,3 +17,17 @@ exports.function = async (req, res) => {
     return
   }
 ```
+
+```HTTP
+ALLOWED_ROLES: role1,role2
+```
+
+```JavaScript
+import runSecurity from '@nitra/cf-security'
+
+exports.function = async (req, res) => {
+  if (!runSecurity(req)) {
+    res.send(`Nitra security not passed`)
+    return
+  }
+```

package/package.json

@@ -1,11 +1,14 @@
 {
   "name": "@nitra/cf-security",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "check header in cloud functions",
-  "main": "src/index.js",
   "type": "module",
+  "exports": {
+    ".": "./src/index.js",
+    "./jwt": "./src/jwt.js"
+  },
   "scripts": {
-    "fix": "npx standard --fix && npx prettier --write .",
+    "fix": "npx eslint --fix . && npx prettier --write . ",
     "test": "env $(cat ./test/.env) npx coverage-node test/index.js"
   },
   "repository": {
@@ -18,13 +21,27 @@
     "url": "https://github.com/nitra/cf-security/issues"
   },
   "homepage": "https://github.com/nitra/cf-security#readme",
-  "prettier": "prettier-config-standard",
+  "prettier": "@nitra/prettier-config",
+  "eslintConfig": {
+    "extends": [
+      "@nitra/eslint-config/node"
+    ],
+    "root": true
+  },
   "devDependencies": {
-    "prettier-config-standard": "^1.0.1",
+    "@nitra/eslint-config": "^1.0.9",
+    "@nitra/prettier-config": "^1.0.1",
     "test-director": "^7.0.0"
   },
   "dependencies": {
+    "@nitra/bunyan": "^1.1.1",
     "@nitra/check-env": "^2.0.1",
-    "@nitra/consola": "^1.3.1"
+    "@nitra/jwt": "^3.1.2"
+  },
+  "files": [
+    "src"
+  ],
+  "engines": {
+    "node": ">=16.0.0"
   }
 }

package/src/index.js

@@ -1,4 +1,4 @@
-import consola from '@nitra/consola'
+import getLogger from '@nitra/bunyan/trace'
 import checkEnv from '@nitra/check-env'
 checkEnv(['X_NITRA_CF_KEY'])
 
@@ -9,23 +9,25 @@ checkEnv(['X_NITRA_CF_KEY'])
  * @return {boolean} if check passed
  */
 export const cfSecurity = req => {
+  const log = getLogger(req)
+
   if (typeof req.headers === 'undefined') {
-    consola.debug('Request without headers')
+    log.info('Request without headers')
     return false
   }
 
   if (typeof req.headers['x-nitra-cf-key'] === 'undefined') {
-    consola.debug('Nitra key not exist in request')
+    log.info('Nitra key not exist in request')
     return false
   }
 
   if (req.headers['x-nitra-cf-key'] === 0) {
-    consola.debug('Empty Nitra key in headers request')
+    log.info('Empty Nitra key in headers request')
     return false
   }
 
   if (req.headers['x-nitra-cf-key'] !== process.env.X_NITRA_CF_KEY) {
-    consola.debug('Not equal Nitra key')
+    log.info('Not equal Nitra key')
     return false
   }
 

package/src/jwt.js

@@ -0,0 +1,47 @@
+import getLogger from '@nitra/bunyan/trace'
+import checkEnv from '@nitra/check-env'
+import verify from '@nitra/jwt/verify'
+
+checkEnv(['ALLOWED_ROLES'])
+
+/**
+ * Check request for Nitra security rules WI
+ *
+ * @param {object} req - Fastify  Request for check
+ * @return {string} token if check passed
+ */
+export default async req => {
+  const log = getLogger(req)
+
+  // Перевіряємо токен тільки
+  if (!req.headers?.authorization) {
+    log.info('[verification] no authorization data')
+    return false
+  }
+
+  const authHeaders = req.headers.authorization.split(' ')
+  const token = await verify(authHeaders[1])
+
+  if (!token) {
+    log.info('[verification] invalid token')
+    return false
+  }
+
+  const roleArray = token.body['https://hasura.io/jwt/claims']['x-hasura-allowed-roles']
+
+  const allowedRoles = process.env.ALLOWED_ROLES.split(',')
+
+  const intersectRoles = intersection(roleArray, allowedRoles)
+
+  if (intersectRoles.length === 0) {
+    log.info('[verification] invalid all roles')
+    return false
+  }
+
+  return token.body
+}
+
+function intersection(a, b) {
+  const setA = new Set(a)
+  return b.filter(value => setA.has(value))
+}