@openstax/ts-utils 1.35.5 → 1.36.1

package/dist/esm/misc/jwks.d.ts

@@ -0,0 +1,7 @@
+import { JwksClient } from 'jwks-rsa';
+import type { JWK } from 'node-jose';
+export type JwksFetcher = (uri: string) => Promise<{
+    keys: JWK.RawKey[];
+}>;
+export declare const getJwksClient: (iss: string, fetcher?: JwksFetcher) => JwksClient;
+export declare const getJwksKey: (iss: string, kid?: string, fetcher?: JwksFetcher) => Promise<import("jwks-rsa").SigningKey>;

package/dist/esm/misc/jwks.js

@@ -0,0 +1,10 @@
+import { JwksClient } from 'jwks-rsa';
+import { memoize } from './helpers';
+export const getJwksClient = memoize((iss, fetcher) => {
+    const jwksUri = new URL('/.well-known/jwks.json', iss).toString();
+    return new JwksClient({ jwksUri, fetcher });
+});
+export const getJwksKey = memoize(async (iss, kid, fetcher) => {
+    const client = getJwksClient(iss, fetcher);
+    return client.getSigningKey(kid);
+});

package/dist/esm/services/httpMessageVerifier/index.d.ts

@@ -0,0 +1,24 @@
+import { APIGatewayProxyEventV2 } from 'aws-lambda';
+import { VerifyConfig } from 'http-message-signatures';
+import { JWK } from 'node-jose';
+import { ConfigProviderForConfig } from '../../config';
+type Config = {
+    bypassSignatureVerification: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    fetcher?: (uri: string) => Promise<{
+        keys: JWK.RawKey[];
+    }>;
+}
+export type SignatureAgentVerifier = (signatureAgent: string) => boolean | Promise<boolean>;
+export declare const createHttpMessageVerifier: <C extends string = "verifier">({ configSpace, fetcher }: Initializer<C>) => (configProvider: { [_key in C]: ConfigProviderForConfig<Config>; }) => ({ request }: {
+    request: APIGatewayProxyEventV2;
+}) => {
+    verify: ({ configOverride, signatureAgentVerifier }: {
+        configOverride?: Partial<VerifyConfig>;
+        signatureAgentVerifier: SignatureAgentVerifier;
+    }) => Promise<boolean>;
+};
+export type HttpMessageVerifier = ReturnType<ReturnType<ReturnType<typeof createHttpMessageVerifier>>>;
+export {};

package/dist/esm/services/httpMessageVerifier/index.js

@@ -0,0 +1,90 @@
+// cspell:ignore algs, httpbis, keyid
+import { createHash } from 'crypto';
+import { createVerifier, httpbis } from 'http-message-signatures';
+import { SigningKeyNotFoundError } from 'jwks-rsa';
+import { assertString } from '../../assertions';
+import { resolveConfigValue } from '../../config';
+import { InvalidRequestError } from '../../errors';
+import { once } from '../../misc/helpers';
+import { getJwksClient } from '../../misc/jwks';
+export const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider) => {
+    const config = configProvider[configSpace !== null && configSpace !== void 0 ? configSpace : 'verifier'];
+    const getBypassSignatureVerification = once(async () => (await resolveConfigValue(config.bypassSignatureVerification)) === 'true');
+    return ({ request }) => ({
+        verify: async ({ configOverride, signatureAgentVerifier }) => {
+            var _a;
+            if (await getBypassSignatureVerification()) {
+                return true;
+            }
+            const headers = {};
+            Object.entries(request.headers).forEach(([key, value]) => {
+                if (value !== undefined) {
+                    headers[key.toLowerCase()] = value;
+                }
+            });
+            // https://datatracker.ietf.org/doc/html/draft-meunier-http-message-signatures-directory-04#name-http-method-context-signatu
+            // We accept Signature-Agent as either a simple URL string (as in an earlier RFC draft) or a dictionary of URLs,
+            // but we do not bother matching the Signature-Agent names with the Signature names
+            // as that would be awkward with the packages we use
+            const signatureAgentString = (_a = headers['signature-agent']) !== null && _a !== void 0 ? _a : '';
+            const signatureAgentMatches = [...signatureAgentString.matchAll(/([^=]+)="([^"]+)"/g)];
+            const signatureAgents = signatureAgentMatches.length == 0 ?
+                [signatureAgentString] : [...new Set(signatureAgentMatches.map((match) => match[2]))];
+            const keys = (await Promise.all(signatureAgents.map(async (signatureAgent) => {
+                if (!await signatureAgentVerifier(signatureAgent)) {
+                    throw new InvalidRequestError('Signature-Agent verification failed');
+                }
+                return getJwksClient(signatureAgent, fetcher).getSigningKeys();
+            }))).flat();
+            const { body, requestContext } = request;
+            const verificationRequest = {
+                body,
+                headers,
+                method: requestContext.http.method,
+                // Node's request.url is really just the path and querystring
+                url: requestContext.http.path,
+            };
+            if (!await httpbis.verifyMessage({
+                all: true,
+                keyLookup: async (parameters) => {
+                    var _a;
+                    const { keyid } = parameters;
+                    // This is basically JwksClient.getSigningKey() but using the keys above from the Signature-Agent
+                    const kidDefined = keyid !== undefined && keyid !== null;
+                    if (!kidDefined && keys.length > 1) {
+                        throw new SigningKeyNotFoundError('No keyid specified and JWKS endpoint returned more than 1 key');
+                    }
+                    const key = keys.find(k => !kidDefined || k.kid === keyid);
+                    if (!key)
+                        throw new SigningKeyNotFoundError(`Unable to find a signing key that matches "${keyid}"`);
+                    const alg = (_a = parameters.alg) !== null && _a !== void 0 ? _a : key.alg;
+                    if (!alg) {
+                        throw new InvalidRequestError('Signature algorithm must be specified either as a signature param or in the JWKS key');
+                    }
+                    return {
+                        id: key.kid,
+                        algs: [alg],
+                        verify: createVerifier(key.getPublicKey(), alg)
+                    };
+                },
+                requiredFields: ['@method', '@target-uri', 'content-digest', 'signature-agent'],
+                tolerance: 300,
+                ...configOverride,
+            }, verificationRequest))
+                throw new InvalidRequestError('Signature verification failed');
+            // For example, if a GET request uses configOverride to make content-digest not required
+            if (!headers['content-digest'])
+                return true;
+            const match = headers['content-digest'].match(/^(sha-256|sha-512)=:([^:]+):/);
+            if (!match)
+                throw new InvalidRequestError('Unsupported Content-Digest header format');
+            const contentDigestAlg = match[1];
+            const contentDigestHash = match[2];
+            const calculatedContentDigestHash = createHash(contentDigestAlg).update(assertString(body)).digest('base64');
+            if (calculatedContentDigestHash !== contentDigestHash.replace(/:/g, '')) {
+                throw new InvalidRequestError('Calculated Content-Digest value did not match header');
+            }
+            return true;
+        },
+    });
+};

package/dist/esm/services/launchParams/verifier.js

@@ -1,10 +1,9 @@
 import jwt, { TokenExpiredError } from 'jsonwebtoken';
-import { JwksClient } from 'jwks-rsa';
-import { memoize } from '../..';
 import { resolveConfigValue } from '../../config';
 import { InvalidRequestError, SessionExpiredError } from '../../errors';
 import { ifDefined } from '../../guards';
 import { once } from '../../misc/helpers';
+import { getJwksKey } from '../../misc/jwks';
 /**
  * Creates a class that can verify launch params
  */
@@ -12,26 +11,20 @@ export const createLaunchVerifier = ({ configSpace, fetcher }) => (configProvide
     const config = configProvider[ifDefined(configSpace, 'launch')];
     const getTrustedDomain = once(() => resolveConfigValue(config.trustedDomain));
     const getBypassSignatureVerification = once(async () => (await resolveConfigValue(config.bypassSignatureVerification)) === 'true');
-    const getJwksClient = memoize((jwksUri) => new JwksClient({ fetcher, jwksUri }));
-    const getJwksKey = memoize(async (jwksUri, kid) => {
-        const client = getJwksClient(jwksUri);
-        const key = await client.getSigningKey(kid);
-        return key.getPublicKey();
-    });
     const getKey = async (header, callback) => {
         // The JWT spec allows iss in the header as a copy of the iss claim, but we require it
-        if (!header.iss) {
+        const { iss, kid } = header;
+        if (!iss) {
             return callback(new Error('JWT header missing iss claim'));
         }
-        const { iss, kid } = header;
         try {
-            const jwksUrl = new URL('/.well-known/jwks.json', iss);
-            const launchDomain = jwksUrl.hostname;
+            const domain = new URL(iss).host;
             const trustedDomain = await getTrustedDomain();
-            if (launchDomain !== trustedDomain && !launchDomain.endsWith(`.${trustedDomain}`)) {
-                return callback(new Error(`Untrusted launch domain: "${launchDomain}"`));
+            if (domain !== trustedDomain && !domain.endsWith(`.${trustedDomain}`)) {
+                return callback(new Error(`Untrusted JWKS domain: "${domain}"`));
             }
-            callback(null, await getJwksKey(jwksUrl.toString(), kid));
+            const key = await getJwksKey(iss, kid, fetcher);
+            callback(null, key.getPublicKey());
         }
         catch (error) {
             callback(error);