@plusscommunities/pluss-core-aws 2.0.25-auth.0 → 2.0.25-beta.1

package/helper/auth/checkTokenBlacklist.js

@@ -2,24 +2,24 @@ const crypto = require("crypto");
 const { getRef } = require("../../db/common/getRef");
 
 module.exports = async (token) => {
-  if (!token) return false;
+	if (!token) return false;
 
-  try {
-    // Create hash of token for TokenId lookup
-    const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
+	try {
+		// Create hash of token for TokenId lookup
+		const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
 
-    // Check if token exists in blacklist
-    const blacklistedToken = await getRef(
-      "invalidTokens",
-      "TokenId",
-      tokenHash
-    );
+		// Check if token exists in blacklist
+		const blacklistedToken = await getRef(
+			"invalidTokens",
+			"TokenId",
+			tokenHash,
+		);
 
-    // Return true if found (blacklisted), false if not found
-    return !!blacklistedToken;
-  } catch (error) {
-    // If error occurs during lookup, assume token is not blacklisted
-    // This ensures authentication doesn't fail due to blacklist issues
-    return false;
-  }
+		// Return true if found (blacklisted), false if not found
+		return !!blacklistedToken;
+	} catch (error) {
+		// If error occurs during lookup, assume token is not blacklisted
+		// This ensures authentication doesn't fail due to blacklist issues
+		return false;
+	}
 };

package/helper/auth/getApiKeyFromReq.js

@@ -1,6 +1,6 @@
 const getRef = require("../../db/common/getRef");
 
 module.exports = async (event) => {
-  if (!event?.headers?.apikey) return null;
-  return await getRef("accesskeys", "Key", event.headers.apikey);
+	if (!event?.headers?.apikey) return null;
+	return await getRef("accesskeys", "Key", event.headers.apikey);
 };

package/helper/auth/getSessionUser.js

@@ -1,90 +1,75 @@
-// const https = require("https");
-// const jose = require("node-jose");
-// const { app_client_id, keys_url } = require("../../../config");
-// const isUserDisabled = require("./isUserDisabled");
-const { log } = require("..");
-const AuthenticationContext = require("./context/AuthenticationContext");
+const https = require("https");
+const jose = require("node-jose");
+const { getConfig } = require("../../config");
+const checkTokenBlacklist = require("./checkTokenBlacklist");
 
 module.exports = async (token) => {
-  const logId = log("getSessionUser", "Start", true);
-  const userId = await AuthenticationContext.getSessionUser(token);
-  log("getSessionUser", "Result", userId, logId);
-  return userId;
-  // return new Promise((resolve, reject) => {
-  //   if (!token) {
-  //     return resolve(null);
-  //   }
-  //   var sections = token.split(".");
-  //   // get the kid from the headers prior to verification
-  //   var header = jose.util.base64url.decode(sections[0]);
-  //   header = JSON.parse(header);
-  //   var kid = header.kid;
-  //   // download the public keys
-  //   https.get(keys_url, async (response) => {
-  //     if (response.statusCode == 200) {
-  //       response.on("data", async (body) => {
-  //         var keys = JSON.parse(body)["keys"];
-  //         // search for the kid in the downloaded public keys
-  //         var key_index = -1;
-  //         for (var i = 0; i < keys.length; i++) {
-  //           if (kid == keys[i].kid) {
-  //             key_index = i;
-  //             break;
-  //           }
-  //         }
-  //         if (key_index == -1) {
-  //           reject();
-  //           return;
-  //         }
-  //         // construct the public key
-  //         jose.JWK.asKey(keys[key_index])
-  //           .then(async (result) => {
-  //             // verify the signature
-  //             jose.JWS.createVerify(result)
-  //               .verify(token)
-  //               .then(async (result2) => {
-  //                 // now we can use the claims
-  //                 var claims = JSON.parse(result2.payload);
-  //                 // additionally we can verify the token expiration
-  //                 var current_ts = Math.floor(new Date() / 1000);
-  //                 if (current_ts > claims.exp) {
-  //                   console.log("Token is expired");
-  //                   reject("Token is expired");
-  //                   return;
-  //                 }
+	return new Promise(async (resolve, reject) => {
+		if (!token) {
+			return resolve(null);
+		}
 
-  //                 /*  --=- Optional audience stuff we dont use.
-  //                                   // and the Audience (use claims.client_id if verifying an access token)
-  //                                   if (claims.aud != app_client_id) {
-  //                                       console.log('Token was not issued for this audience')
-  //                                       return;
-  //                                   }
-  //                                    */
+		// Check if token is blacklisted before expensive verification
+		const isBlacklisted = await checkTokenBlacklist(token);
+		if (isBlacklisted) {
+			reject("Token has been invalidated");
+			return;
+		}
 
-  //                 const isDisabled = await isUserDisabled(claims.username);
-
-  //                 if (isDisabled) {
-  //                   console.log("User is disabled");
-  //                   reject("User is disabled");
-  //                   return;
-  //                 }
-
-  //                 resolve(claims.username);
-  //               })
-  //               .catch(async (error) => {
-  //                 console.log("Signature verification failed", error);
-  //                 reject("Signature verification failed");
-  //               });
-  //           })
-  //           .catch(async (error) => {
-  //             console.log("failed JWK.asKey", error);
-  //             reject(error);
-  //           });
-  //       });
-  //     } else {
-  //       console.log("failed on response", response);
-  //       reject(response);
-  //     }
-  //   });
-  // });
+		var sections = token.split(".");
+		// get the kid from the headers prior to verification
+		var header = jose.util.base64url.decode(sections[0]);
+		header = JSON.parse(header);
+		var kid = header.kid;
+		// download the public keys
+		https.get(getConfig().keys_url, function (response) {
+			if (response.statusCode == 200) {
+				response.on("data", function (body) {
+					var keys = JSON.parse(body)["keys"];
+					// search for the kid in the downloaded public keys
+					var key_index = -1;
+					for (var i = 0; i < keys.length; i++) {
+						if (kid == keys[i].kid) {
+							key_index = i;
+							break;
+						}
+					}
+					if (key_index == -1) {
+						reject();
+						return;
+					}
+					// construct the public key
+					jose.JWK.asKey(keys[key_index])
+						.then(function (result) {
+							// verify the signature
+							jose.JWS.createVerify(result)
+								.verify(token)
+								.then(function (result2) {
+									// now we can use the claims
+									var claims = JSON.parse(result2.payload);
+									// additionally we can verify the token expiration
+									var current_ts = Math.floor(new Date() / 1000);
+									if (current_ts > claims.exp) {
+										console.log("Token is expired");
+										reject("Token is expired");
+										return;
+									}
+									resolve(claims.username);
+								})
+								.catch(function (error) {
+									console.log("Signature verification failed", error);
+									reject("Signature verification failed");
+								});
+						})
+						.catch(function (error) {
+							console.log("failed JWK.asKey", error);
+							reject(error);
+						});
+				});
+			} else {
+				console.log("failed on response", response);
+				reject(response);
+			}
+		});
+	});
 };

package/helper/auth/getSessionUserFromReq.js

@@ -1,6 +1,6 @@
 const getSessionUser = require("./getSessionUser");
 
 module.exports = (event) => {
-  const idToken = event.headers.Authorization.split("Bearer ")[1];
-  return getSessionUser(idToken);
+	const idToken = event.headers.Authorization.split("Bearer ")[1];
+	return getSessionUser(idToken);
 };

package/helper/auth/getSessionUserFromReqAuthKey.js

@@ -2,15 +2,15 @@ const getSessionUser = require("./getSessionUser");
 const getApiKeyFromReq = require("./getApiKeyFromReq");
 
 module.exports = async (event) => {
-  if (!event.headers) {
-    return null;
-  }
-  if (event.headers.apikey) {
-    const key = await getApiKeyFromReq(event);
-    return key?.UserId;
-  }
-  if (!event.headers.authkey) {
-    return null;
-  }
-  return getSessionUser(event.headers.authkey);
+	if (!event.headers) {
+		return null;
+	}
+	if (event.headers.apikey) {
+		const key = await getApiKeyFromReq(event);
+		return key?.UserId;
+	}
+	if (!event.headers.authkey) {
+		return null;
+	}
+	return getSessionUser(event.headers.authkey);
 };

package/helper/auth/validateApiKey.js

@@ -3,41 +3,41 @@ const { log, generateLogId } = require("../");
 const getApiKeyFromReq = require("./getApiKeyFromReq");
 
 module.exports = async (req, actionType, site) => {
-  const logId = generateLogId();
-  try {
-    log("ApiKey", "Input", req.headers.apikey, logId);
-    const key = await getApiKeyFromReq(req);
-    log("ApiKey", "Key", key, logId);
+	const logId = generateLogId();
+	try {
+		log("ApiKey", "Input", req.headers.apikey, logId);
+		const key = await getApiKeyFromReq(req);
+		log("ApiKey", "Key", key, logId);
 
-    if (key.UserId) {
-      const validateMasterAuth = require("./validateMasterAuth");
-      return await validateMasterAuth(undefined, actionType, site, undefined, {
-        userId: key.UserId,
-      });
-    }
+		if (key.UserId) {
+			const validateMasterAuth = require("./validateMasterAuth");
+			return await validateMasterAuth(undefined, actionType, site, undefined, {
+				userId: key.UserId,
+			});
+		}
 
-    const validSite = key.Site === site;
-    const isHQKey = key.Site === "hq";
-    log("ApiKey", "validSite", validSite, logId);
-    log("ApiKey", "isHQKey", isHQKey, logId);
+		const validSite = key.Site === site;
+		const isHQKey = key.Site === "hq";
+		log("ApiKey", "validSite", validSite, logId);
+		log("ApiKey", "isHQKey", isHQKey, logId);
 
-    if (!validSite && !isHQKey) {
-      log("ApiKey", "Result", false, logId);
-      return false;
-    }
+		if (!validSite && !isHQKey) {
+			log("ApiKey", "Result", false, logId);
+			return false;
+		}
 
-    const isAny = actionType === "any";
-    const isMaster = _.includes(key.Permissions, "master");
-    const hasPermission = _.includes(key.Permissions, actionType);
-    const result = isAny || isMaster || hasPermission;
+		const isAny = actionType === "any";
+		const isMaster = _.includes(key.Permissions, "master");
+		const hasPermission = _.includes(key.Permissions, actionType);
+		const result = isAny || isMaster || hasPermission;
 
-    log("ApiKey", "isAny", isAny, logId);
-    log("ApiKey", "isMaster", isMaster, logId);
-    log("ApiKey", "hasPermission", hasPermission, logId);
-    log("ApiKey", "Result", result, logId);
-    return result;
-  } catch (e) {
-    log("ApiKey", "Error", e, logId);
-    return false;
-  }
+		log("ApiKey", "isAny", isAny, logId);
+		log("ApiKey", "isMaster", isMaster, logId);
+		log("ApiKey", "hasPermission", hasPermission, logId);
+		log("ApiKey", "Result", result, logId);
+		return result;
+	} catch (e) {
+		log("ApiKey", "Error", e, logId);
+		return false;
+	}
 };