@plusscommunities/pluss-core-aws 2.0.7 → 2.0.8-auth.0

package/db/strings/getString.js

@@ -0,0 +1,25 @@
+const _ = require("lodash");
+const getRef = require("../common/getRef");
+
+module.exports = async (id, defaultSite) => {
+  return new Promise((resolve) => {
+    getRef("strings", "RowId", id)
+      .then((ev) => {
+        return resolve(ev.Value);
+      })
+      .catch(() => {
+        if (defaultSite) {
+          const defaultId = `${defaultSite}_${id.split("_")[1]}`;
+          getRef("strings", "RowId", defaultId)
+            .then((ev) => {
+              return resolve(ev.Value);
+            })
+            .catch(() => {
+              return resolve(null);
+            });
+        } else {
+          return resolve(null);
+        }
+      });
+  });
+};

package/helper/auth/context/AuthenticationContext.js

@@ -0,0 +1,50 @@
+const Auth0Strategy = require("./auth0/Strategy");
+const CognitoStrategy = require("./cognito/Strategy");
+const BoltonClarkeStrategy = require("./boltonclarke/Strategy");
+const { getConfig } = require("../../../config");
+
+class AuthenticationContext {
+  static strategy = null;
+
+  static initialiseStrategy() {
+    switch (getConfig().authConfig.provider) {
+      case "auth0":
+        AuthenticationContext.strategy = new Auth0Strategy();
+        break;
+      case "boltonclarke":
+        AuthenticationContext.strategy = new BoltonClarkeStrategy();
+        break;
+      case "cognito":
+        AuthenticationContext.strategy = new CognitoStrategy();
+        break;
+      default:
+        throw new Error("Invalid authentication provider specified");
+    }
+  }
+
+  static getSessionUser = async (token) => {
+    if (!AuthenticationContext.strategy) {
+      AuthenticationContext.initialiseStrategy();
+    }
+    return AuthenticationContext.strategy.getSessionUser(token);
+  };
+
+  static populateUser = async (token) => {
+    if (!AuthenticationContext.strategy) {
+      AuthenticationContext.initialiseStrategy();
+    }
+    return AuthenticationContext.strategy.populateUser(token);
+  };
+
+  static updateIdentityAttributes = async (input, userId) => {
+    if (!AuthenticationContext.strategy) {
+      AuthenticationContext.initialiseStrategy();
+    }
+    return AuthenticationContext.strategy.updateIdentityAttributes(
+      input,
+      userId
+    );
+  };
+}
+
+module.exports = AuthenticationContext;

package/helper/auth/context/AuthenticationStrategy.js

@@ -0,0 +1,20 @@
+// Authentication Strategy Interface
+class AuthenticationStrategy {
+  constructor() {}
+
+  getSessionUser(token) {
+    throw new Error("Method 'getSessionUser()' must be implemented.");
+  }
+
+  // optional function to populate user data based on a token
+  populateUser(token) {
+    return;
+  }
+
+  // optional function to save attributes to identity provider
+  updateIdentityAttributes = async (input, userId) => {
+    return;
+  };
+}
+
+module.exports = AuthenticationStrategy;

package/helper/auth/context/auth0/Strategy.js

@@ -0,0 +1,12 @@
+// auth0Strategy.js
+const AuthenticationStrategy = require("../AuthenticationStrategy");
+const getSessionUser = require("./functions/getSessionUser");
+
+class Auth0Strategy extends AuthenticationStrategy {
+  constructor() {
+    super();
+    this.getSessionUser = getSessionUser;
+  }
+}
+
+module.exports = Auth0Strategy;

package/helper/auth/context/auth0/functions/decodeAccessToken.js

@@ -0,0 +1,45 @@
+const jwt = require("jsonwebtoken");
+const jwksClient = require("jwks-rsa");
+
+const { getConfig } = require("../../../../../config");
+
+// Function to retrieve the signing key from Auth0 JWKS
+const getKey = (header, callback) => {
+  // Initialize JWKS client
+  const client = jwksClient({
+    jwksUri: `https://${getConfig().auth0Config.domain}/.well-known/jwks.json`,
+  });
+
+  client.getSigningKey(header.kid, (err, key) => {
+    if (err) {
+      callback(err, null);
+    } else {
+      const signingKey = key.publicKey || key.rsaPublicKey;
+      callback(null, signingKey);
+    }
+  });
+};
+
+// Function to validate the token and extract user information
+const decodeAccessToken = async (token) => {
+  return new Promise((resolve, reject) => {
+    jwt.verify(
+      token,
+      getKey,
+      {
+        audience: getConfig().auth0Config.audience,
+        issuer: `https://${getConfig().auth0Config.domain}/`,
+        algorithms: ["RS256"],
+      },
+      (err, decoded) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(decoded); // 'sub' contains the user ID
+        }
+      }
+    );
+  });
+};
+
+module.exports = decodeAccessToken;

package/helper/auth/context/auth0/functions/getSessionUser.js

@@ -0,0 +1,21 @@
+const decodeAccessToken = require("./decodeAccessToken");
+const { getConfig } = require("../../../../../config");
+
+// Function to validate the token and extract user information
+const getSessionUser = async (token) => {
+  return new Promise((resolve, reject) => {
+    decodeAccessToken(token)
+      .then((claims) => {
+        return resolve(
+          claims[getConfig().auth0Config.residentIdClaim] ||
+            claims[getConfig().auth0Config.staffIdClaim] ||
+            claims[getConfig().auth0Config.userIdClaim]
+        );
+      })
+      .catch((err) => {
+        reject(err);
+      });
+  });
+};
+
+module.exports = getSessionUser;

package/helper/auth/context/boltonclarke/Strategy.js

@@ -0,0 +1,10 @@
+// auth0Strategy.js
+const Auth0Strategy = require("../auth0/Strategy");
+
+class BoltonClarkeStrategy extends Auth0Strategy {
+  constructor() {
+    super();
+  }
+}
+
+module.exports = BoltonClarkeStrategy;

package/helper/auth/context/cognito/Strategy.js

@@ -0,0 +1,12 @@
+// cognitoStrategy.js
+const AuthenticationStrategy = require("../AuthenticationStrategy");
+const getSessionUser = require("./functions/getSessionUser");
+
+class CognitoStrategy extends AuthenticationStrategy {
+  constructor() {
+    super();
+    this.getSessionUser = getSessionUser;
+  }
+}
+
+module.exports = CognitoStrategy;

package/helper/auth/context/cognito/functions/getSessionUser.js

@@ -0,0 +1,76 @@
+const https = require("https");
+const jose = require("node-jose");
+
+const { getConfig } = require("../../../../../config");
+
+module.exports = async (token) => {
+  return new Promise((resolve, reject) => {
+    if (!token) {
+      return resolve(null);
+    }
+    var sections = token.split(".");
+    // get the kid from the headers prior to verification
+    var header = jose.util.base64url.decode(sections[0]);
+    header = JSON.parse(header);
+    var kid = header.kid;
+    // download the public keys
+    https.get(getConfig().keys_url, async (response) => {
+      if (response.statusCode == 200) {
+        response.on("data", async (body) => {
+          var keys = JSON.parse(body)["keys"];
+          // search for the kid in the downloaded public keys
+          var key_index = -1;
+          for (var i = 0; i < keys.length; i++) {
+            if (kid == keys[i].kid) {
+              key_index = i;
+              break;
+            }
+          }
+          if (key_index == -1) {
+            reject();
+            return;
+          }
+          // construct the public key
+          jose.JWK.asKey(keys[key_index])
+            .then(async (result) => {
+              // verify the signature
+              jose.JWS.createVerify(result)
+                .verify(token)
+                .then(async (result2) => {
+                  // now we can use the claims
+                  var claims = JSON.parse(result2.payload);
+                  // additionally we can verify the token expiration
+                  var current_ts = Math.floor(new Date() / 1000);
+                  if (current_ts > claims.exp) {
+                    console.log("Token is expired");
+                    reject("Token is expired");
+                    return;
+                  }
+
+                  // const isDisabled = await isUserDisabled(claims.username);
+
+                  // if (isDisabled) {
+                  //   console.log("User is disabled");
+                  //   reject("User is disabled");
+                  //   return;
+                  // }
+
+                  resolve(claims.username);
+                })
+                .catch(async (error) => {
+                  console.log("Signature verification failed", error);
+                  reject("Signature verification failed");
+                });
+            })
+            .catch(async (error) => {
+              console.log("failed JWK.asKey", error);
+              reject(error);
+            });
+        });
+      } else {
+        console.log("failed on response", response);
+        reject(response);
+      }
+    });
+  });
+};

package/helper/auth/getSessionUser.js

@@ -1,63 +1,90 @@
-const https = require("https");
-const jose = require("node-jose");
-const { getConfig } = require("../../config");
+// const https = require("https");
+// const jose = require("node-jose");
+// const { app_client_id, keys_url } = require("../../../config");
+// const isUserDisabled = require("./isUserDisabled");
+const { log } = require("..");
+const AuthenticationContext = require("./context/AuthenticationContext");
 
 module.exports = async (token) => {
-  return new Promise((resolve, reject) => {
-    var sections = token.split(".");
-    // get the kid from the headers prior to verification
-    var header = jose.util.base64url.decode(sections[0]);
-    header = JSON.parse(header);
-    var kid = header.kid;
-    // download the public keys
-    https.get(getConfig().keys_url, function (response) {
-      if (response.statusCode == 200) {
-        response.on("data", function (body) {
-          var keys = JSON.parse(body)["keys"];
-          // search for the kid in the downloaded public keys
-          var key_index = -1;
-          for (var i = 0; i < keys.length; i++) {
-            if (kid == keys[i].kid) {
-              key_index = i;
-              break;
-            }
-          }
-          if (key_index == -1) {
-            reject();
-            return;
-          }
-          // construct the public key
-          jose.JWK.asKey(keys[key_index])
-            .then(function (result) {
-              // verify the signature
-              jose.JWS.createVerify(result)
-                .verify(token)
-                .then(function (result2) {
-                  // now we can use the claims
-                  var claims = JSON.parse(result2.payload);
-                  // additionally we can verify the token expiration
-                  var current_ts = Math.floor(new Date() / 1000);
-                  if (current_ts > claims.exp) {
-                    console.log("Token is expired");
-                    reject("Token is expired");
-                    return;
-                  }
-                  resolve(claims.username);
-                })
-                .catch(function (error) {
-                  console.log("Signature verification failed", error);
-                  reject("Signature verification failed");
-                });
-            })
-            .catch(function (error) {
-              console.log("failed JWK.asKey", error);
-              reject(error);
-            });
-        });
-      } else {
-        console.log("failed on response", response);
-        reject(response);
-      }
-    });
-  });
+  const logId = log("getSessionUser", "Start", true);
+  const userId = await AuthenticationContext.getSessionUser(token);
+  log("getSessionUser", "Result", userId, logId);
+  return userId;
+  // return new Promise((resolve, reject) => {
+  //   if (!token) {
+  //     return resolve(null);
+  //   }
+  //   var sections = token.split(".");
+  //   // get the kid from the headers prior to verification
+  //   var header = jose.util.base64url.decode(sections[0]);
+  //   header = JSON.parse(header);
+  //   var kid = header.kid;
+  //   // download the public keys
+  //   https.get(keys_url, async (response) => {
+  //     if (response.statusCode == 200) {
+  //       response.on("data", async (body) => {
+  //         var keys = JSON.parse(body)["keys"];
+  //         // search for the kid in the downloaded public keys
+  //         var key_index = -1;
+  //         for (var i = 0; i < keys.length; i++) {
+  //           if (kid == keys[i].kid) {
+  //             key_index = i;
+  //             break;
+  //           }
+  //         }
+  //         if (key_index == -1) {
+  //           reject();
+  //           return;
+  //         }
+  //         // construct the public key
+  //         jose.JWK.asKey(keys[key_index])
+  //           .then(async (result) => {
+  //             // verify the signature
+  //             jose.JWS.createVerify(result)
+  //               .verify(token)
+  //               .then(async (result2) => {
+  //                 // now we can use the claims
+  //                 var claims = JSON.parse(result2.payload);
+  //                 // additionally we can verify the token expiration
+  //                 var current_ts = Math.floor(new Date() / 1000);
+  //                 if (current_ts > claims.exp) {
+  //                   console.log("Token is expired");
+  //                   reject("Token is expired");
+  //                   return;
+  //                 }
+
+  //                 /*  --=- Optional audience stuff we dont use.
+  //                                   // and the Audience (use claims.client_id if verifying an access token)
+  //                                   if (claims.aud != app_client_id) {
+  //                                       console.log('Token was not issued for this audience')
+  //                                       return;
+  //                                   }
+  //                                    */
+
+  //                 const isDisabled = await isUserDisabled(claims.username);
+
+  //                 if (isDisabled) {
+  //                   console.log("User is disabled");
+  //                   reject("User is disabled");
+  //                   return;
+  //                 }
+
+  //                 resolve(claims.username);
+  //               })
+  //               .catch(async (error) => {
+  //                 console.log("Signature verification failed", error);
+  //                 reject("Signature verification failed");
+  //               });
+  //           })
+  //           .catch(async (error) => {
+  //             console.log("failed JWK.asKey", error);
+  //             reject(error);
+  //           });
+  //       });
+  //     } else {
+  //       console.log("failed on response", response);
+  //       reject(response);
+  //     }
+  //   });
+  // });
 };

package/package.json

@@ -1,12 +1,15 @@
 {
   "name": "@plusscommunities/pluss-core-aws",
-  "version": "2.0.7",
+  "version": "2.0.8-auth.0",
   "description": "Core extension package for Pluss Communities platform",
   "scripts": {
     "betapatch": "npm version prepatch --preid=beta",
     "patch": "npm version patch",
     "betaupload": "npm i && npm i && npm publish --access public --tag beta",
     "betaupload:p": "npm run betapatch && npm run betaupload",
+    "authpatch": "npm version prepatch --preid=auth",
+    "authupload": "npm i && npm i && npm publish --access public --tag auth",
+    "authupload:p": "npm run authpatch && npm run authupload",
     "upload": "npm i && npm i && npm publish --access public",
     "upload:p": "npm run patch && npm run upload"
   },
@@ -20,6 +23,8 @@
     "expo-server-sdk": "^3.0.1",
     "html-entities": "^2.3.2",
     "https": "^1.0.0",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.1.0",
     "lodash": "^4.17.10",
     "moment": "^2.30.1",
     "node-fetch": "^2.2.0",