npm - @openstax/ts-utils - Versions diffs - 1.1.32 → 1.1.34 - Mend

@openstax/ts-utils 1.1.32 → 1.1.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/cjs/services/authProvider/decryption.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { ConfigProviderForConfig } from '../../config';
-import { CookieAuthProvider } from '.';
+import type { ConfigProviderForConfig } from '../../config';
+import { CookieAuthProvider, User } from '.';
 declare type Config = {
     cookieName: string;
     encryptionPrivateKey: string;
@@ -8,6 +8,9 @@ declare type Config = {
 interface Initializer<C> {
     configSpace?: C;
 }
+export declare type Jwt = {
+    sub?: User;
+};
 export declare const decryptionAuthProvider: <C extends string = "decryption">(initializer: Initializer<C>) => (configProvider: { [key in C]: {
     cookieName: import("../../config").ConfigValueProvider<string>;
     encryptionPrivateKey: import("../../config").ConfigValueProvider<string>;

package/dist/cjs/services/authProvider/decryption.js CHANGED Viewed

@@ -1,29 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.decryptionAuthProvider = void 0;
-const jose_1 = require("jose");
 const resolveConfigValue_1 = require("../../config/resolveConfigValue");
 const guards_1 = require("../../guards");
 const helpers_1 = require("../../misc/helpers");
+const decryptAndVerify_1 = require("./utils/decryptAndVerify");
 const _1 = require(".");
 const decryptionAuthProvider = (initializer) => (configProvider) => {
     const config = configProvider[(0, guards_1.ifDefined)(initializer.configSpace, 'decryption')];
     const cookieName = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.cookieName));
     const encryptionPrivateKey = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.encryptionPrivateKey));
     const signaturePublicKey = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.signaturePublicKey));
-    const decryptAndVerify = async (jwt) => {
-        try {
-            // Decrypt SSO cookie
-            const { plaintext } = await (0, jose_1.compactDecrypt)(jwt, Buffer.from(await encryptionPrivateKey()), // Note: Buffer.from() is node-js only
-            { contentEncryptionAlgorithms: ['A256GCM'], keyManagementAlgorithms: ['dir'] });
-            // Verify SSO cookie signature
-            const { payload } = await (0, jose_1.compactVerify)(plaintext, await (0, jose_1.importSPKI)(await signaturePublicKey(), 'RS256'), { algorithms: ['RS256'] });
-            return payload;
-        }
-        catch {
-            return undefined;
-        }
-    };
     return ({ request, profile }) => {
         let user;
         const getAuthorizedFetchConfig = profile.track('getAuthorizedFetchConfig', () => async () => {
@@ -38,18 +25,7 @@ const decryptionAuthProvider = (initializer) => (configProvider) => {
             if (!token) {
                 return undefined;
             }
-            const payload = await decryptAndVerify(token);
-            if (!payload) {
-                return undefined;
-            }
-            // Note: Uint8Array.toString() returns text in node-js only
-            //       The browser version is new TextDecoder().decode(payload)
-            const jwt = JSON.parse(payload.toString());
-            // Allow clock skew up to 5 minutes
-            if (!jwt.sub || !jwt.sub.uuid || (jwt.exp && jwt.exp < Math.floor(Date.now() / 1000) - 300)) {
-                return undefined;
-            }
-            return jwt.sub;
+            return (0, decryptAndVerify_1.decryptAndVerify)(token, await encryptionPrivateKey(), await signaturePublicKey());
         });
         return {
             getAuthorizedFetchConfig,

package/dist/cjs/services/authProvider/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { FetchConfig } from '../../fetch';
-import { Track } from '../../profile';
-import { HttpHeaders } from '../../routing';
+import type { FetchConfig } from '../../fetch';
+import type { Track } from '../../profile';
+import type { HttpHeaders } from '../../routing';
 export interface User {
     id: number;
     name: string;

package/dist/cjs/services/authProvider/index.js CHANGED Viewed

@@ -5,8 +5,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAuthTokenOrCookie = exports.stubAuthProvider = void 0;
 const cookie_1 = __importDefault(require("cookie"));
-const __1 = require("../..");
-const routing_1 = require("../../routing");
+const helpers_1 = require("../../misc/helpers");
+const helpers_2 = require("../../routing/helpers");
 const stubAuthProvider = (user) => ({
     getUser: () => Promise.resolve(user),
     getAuthorizedFetchConfig: () => Promise.resolve(user ? { headers: { Authorization: user.uuid } } : {})
@@ -14,10 +14,10 @@ const stubAuthProvider = (user) => ({
 exports.stubAuthProvider = stubAuthProvider;
 const getAuthTokenOrCookie = (request, cookieName) => {
     var _a;
-    const authHeader = (0, routing_1.getHeader)(request.headers, 'authorization');
+    const authHeader = (0, helpers_2.getHeader)(request.headers, 'authorization');
     const cookieValue = cookie_1.default.parse(((_a = request.cookies) === null || _a === void 0 ? void 0 : _a.join('; ')) || '')[cookieName];
     return authHeader && authHeader.length >= 8 && authHeader.startsWith('Bearer ')
-        ? (0, __1.tuple)(authHeader.slice(7), { Authorization: authHeader })
-        : (0, __1.tuple)(cookieValue, { cookie: cookie_1.default.serialize(cookieName, cookieValue) });
+        ? (0, helpers_1.tuple)(authHeader.slice(7), { Authorization: authHeader })
+        : (0, helpers_1.tuple)(cookieValue, { cookie: cookie_1.default.serialize(cookieName, cookieValue) });
 };
 exports.getAuthTokenOrCookie = getAuthTokenOrCookie;

package/dist/cjs/services/authProvider/utils/decryptAndVerify.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { User } from '..';
2	+ export declare const decryptAndVerify: (token: string, encryptionPrivateKey: string, signaturePublicKey: string) => User \| undefined;

package/dist/cjs/services/authProvider/utils/decryptAndVerify.js ADDED Viewed

@@ -0,0 +1,66 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decryptAndVerify = void 0;
+const crypto = __importStar(require("crypto"));
+const util_1 = require("util");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const guards_1 = require("../../../guards");
+const decrypt = (input, key) => {
+    const splitInput = input.split('.');
+    const aad = new util_1.TextEncoder().encode(splitInput[0]);
+    const iv = Buffer.from(splitInput[2], 'base64');
+    const ciphertext = Buffer.from(splitInput[3], 'base64');
+    const tag = Buffer.from(splitInput[4], 'base64');
+    const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), iv, { authTagLength: 16 });
+    decipher.setAAD(aad, { plaintextLength: ciphertext.length });
+    decipher.setAuthTag(tag);
+    const result = Buffer.concat([
+        decipher.update(ciphertext),
+        decipher.final(),
+    ]);
+    return result.toString('utf-8');
+};
+const decryptAndVerify = (token, encryptionPrivateKey, signaturePublicKey) => {
+    try {
+        // Decrypt SSO cookie
+        const plaintext = decrypt(token, encryptionPrivateKey);
+        const payload = jsonwebtoken_1.default.verify(plaintext, signaturePublicKey, {
+            clockTolerance: 300 // 5 minutes
+        });
+        if (!(0, guards_1.isPlainObject)(payload) || !(0, guards_1.isPlainObject)(payload.sub) || !payload.sub.uuid) {
+            return undefined;
+        }
+        // TS is confused because the library types the `sub` as a string
+        return payload.sub;
+    }
+    catch {
+        return undefined;
+    }
+};
+exports.decryptAndVerify = decryptAndVerify;