@rodit/rodit-auth-be 9.11.14 → 9.11.16

package/lib/auth/tokenservice.js

@@ -25,9 +25,8 @@ logger.infoWithContext("TokenService using SessionManager instance", {
   timestamp: new Date().toISOString()
 });
 const stateManager = require('../blockchain/statemanager');
-const {  
-  nearorg_rpc_tokenfromroditid, 
-  nearorg_rpc_tokensfromaccountid, 
+const {
+  nearorg_rpc_tokenfromroditid,
   nearorg_rpc_fetchpublickeybytes,
 } = require("../blockchain/blockchainservice");
 
@@ -62,6 +61,15 @@ function isCanonicalBase64Url(value) {
   }
 }
 
+/** Login peer RODiT token id embedded in JWT sub (`{sp};sub={peerTokenId}`). */
+function extractLoginPeerRoditIdFromSub(sub) {
+  if (!sub || typeof sub !== "string") {
+    return "";
+  }
+  const subParts = sub.split(";sub=");
+  return subParts.length > 1 ? subParts[1] : "";
+}
+
 function parseRoditJwtDurationSeconds(metadata) {
   const parsed = parseInt(metadata?.jwt_duration, 10);
   if (Number.isFinite(parsed) && parsed > 0) {
@@ -1727,20 +1735,30 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
     const startTime = Date.now();
 
     try {
+      const extractedSub = extractLoginPeerRoditIdFromSub(token.sub);
+      if (!extractedSub) {
+        const duration = Date.now() - startTime;
+        logger.warn("Brief token validation failed - missing login peer in sub", {
+          component: "JwtAuth",
+          method: "brief_validate_jwt_token_be",
+          requestId,
+          duration,
+          tokenJti: token.jti,
+          tokenSub: token.sub,
+        });
+        logger.metric("jwt_brief_validation", duration, {
+          result: "failure",
+          token_jti: token.jti || "unknown",
+          id_match: "false",
+        });
+        return { isValid: false, notAfter: null };
+      }
+
       const tokenFetchStart = Date.now();
-      const peer_rodit =
-        await nearorg_rpc_tokensfromaccountid(
-          
-          token.aud
-        );
+      const peer_rodit = await nearorg_rpc_tokenfromroditid(extractedSub);
       const tokenFetchDuration = Date.now() - tokenFetchStart;
 
-      const subParts = token.sub.split(";sub=");
-      const extractedSub = subParts.length > 1 ? subParts[1] : "";
-
-      const isValid =
-        peer_rodit.token_id === extractedSub &&
-        peer_rodit.owner_id === token.aud;
+      const isValid = !!peer_rodit?.token_id && peer_rodit.token_id === extractedSub;
 
       const totalDuration = Date.now() - startTime;
 
@@ -1753,6 +1771,7 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
           tokenFetchDuration,
           tokenJti: token.jti,
           peerRoditId: peer_rodit.token_id,
+          extractedSub,
           notAfter: peer_rodit.metadata.not_after,
         });
 
@@ -1769,26 +1788,23 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
           duration: totalDuration,
           tokenFetchDuration,
           tokenJti: token.jti,
-          peerRoditId: peer_rodit.token_id,
+          peerRoditId: peer_rodit?.token_id || null,
           extractedSub,
           tokenAud: token.aud,
-          peerRoditOwnerId: peer_rodit.owner_id,
-          idMatch: peer_rodit.token_id === extractedSub,
-          ownerMatch: peer_rodit.owner_id === token.aud,
+          idMatch: peer_rodit?.token_id === extractedSub,
         });
 
         // Add metrics for failed brief validations
         logger.metric("jwt_brief_validation", totalDuration, {
           result: "failure",
           token_jti: token.jti || "unknown",
-          id_match: peer_rodit.token_id === extractedSub ? "true" : "false",
-          owner_match: peer_rodit.owner_id === token.aud ? "true" : "false",
+          id_match: peer_rodit?.token_id === extractedSub ? "true" : "false",
         });
       }
 
       return {
         isValid,
-        notAfter: peer_rodit.metadata.not_after,
+        notAfter: peer_rodit?.metadata?.not_after ?? null,
       };
     } catch (error) {
       const duration = Date.now() - startTime;
@@ -1831,14 +1847,32 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
   const startTime = performance.now(); // More precise timing measurement
 
   try {
+    const extractedSub = extractLoginPeerRoditIdFromSub(token.sub);
+    if (!extractedSub) {
+      logger.warn("Thorough token validation failed - missing login peer in sub", {
+        component: "JwtAuth",
+        method: "thorough_validate_jwt_token_be",
+        requestId,
+        duration: performance.now() - startTime,
+        tokenJti: token?.jti,
+        tokenSub: token?.sub,
+      });
+      logger.metric &&
+        logger.metric("jwt_thorough_validation", performance.now() - startTime, {
+          result: "missing_login_peer_sub",
+          token_jti: token.jti || "unknown",
+        });
+      return { isValid: false, notAfter: null };
+    }
+
     // Fetch configuration with better timing measurements
     const configStart = performance.now();
     const config_own_rodit = await stateManager.getConfigOwnRodit();
     const configDuration = performance.now() - configStart;
 
-    // Fetch peer RODiT with clearer logging
+    // Fetch login peer RODiT (client identity from sub), not server passport (rodit_id claim)
     const tokenFetchStart = performance.now();
-    const peer_rodit = await nearorg_rpc_tokenfromroditid(token.rodit_id);
+    const peer_rodit = await nearorg_rpc_tokenfromroditid(extractedSub);
     const tokenFetchDuration = performance.now() - tokenFetchStart;
 
     if (!peer_rodit) {
@@ -1846,7 +1880,7 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
         component: "JwtAuth",
         requestId,
         duration: performance.now() - startTime,
-        tokenRoditId: token?.rodit_id,
+        loginPeerRoditId: extractedSub,
       });
 
       // Add metrics for failed token fetch
@@ -2075,11 +2109,7 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
       };
     }
 
-    // Extract subject and perform final validation
-    const subParts = token.sub.split(";sub=");
-    const extractedSub = subParts.length > 1 ? subParts[1] : "";
-
-    logger.debug("Extracted subject from token", {
+    logger.debug("Login peer identity check", {
       requestId,
       extractedSub,
       tokenSub: token.sub,
@@ -2088,10 +2118,8 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
       tokenAud: token.aud,
     });
 
-    // Additional identity checks
     const idMatch = peer_rodit.token_id === extractedSub;
-    const ownerMatch = peer_rodit.owner_id === token.aud;
-    const isValid = idMatch && ownerMatch;
+    const isValid = idMatch;
 
     const totalDuration = performance.now() - startTime;
 
@@ -2114,10 +2142,6 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
           peer_rodit_id: peer_rodit.token_id,
         });
     } else {
-      const failedIdentityChecks = [];
-      if (!idMatch) failedIdentityChecks.push("token_id_mismatch");
-      if (!ownerMatch) failedIdentityChecks.push("owner_id_mismatch");
-
       logger.warn("Token identity verification failed", {
         component: "JwtAuth",
         method: "thorough_validate_jwt_token_be",
@@ -2129,8 +2153,7 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
         tokenAud: token.aud,
         peerRoditOwnerId: peer_rodit.owner_id,
         idMatch,
-        ownerMatch,
-        failedIdentityChecks,
+        failedIdentityChecks: ["token_id_mismatch"],
       });
 
       // Add metrics for identity mismatch with more details
@@ -2138,19 +2161,22 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
         logger.metric("jwt_thorough_validation", totalDuration, {
           result: "identity_mismatch",
           token_jti: token.jti || "unknown",
-          id_match: idMatch ? "true" : "false",
-          owner_match: ownerMatch ? "true" : "false",
-          failed_checks: failedIdentityChecks.join(","),
+          id_match: "false",
+          failed_checks: "token_id_mismatch",
           peer_rodit_id: peer_rodit.token_id,
         });
     }
 
+    const failedIdentityChecks = !isValid ? ["token_id_mismatch"] : [];
+
     return {
       isValid,
       notAfter: peer_rodit.metadata.not_after,
       error: !isValid ? "Token identity verification failed" : undefined,
       errorCode: !isValid ? "SERVER_TOKEN_IDENTITY_MISMATCH" : undefined,
-      errorMessage: !isValid ? `Server token identity mismatch: ${failedIdentityChecks.join(", ")}` : undefined
+      errorMessage: !isValid
+        ? `Server token identity mismatch: ${failedIdentityChecks.join(", ")}`
+        : undefined
     };
   } catch (error) {
     const duration = performance.now() - startTime;
@@ -2409,10 +2435,17 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
 
 
 // Export the class directly (will be instantiated in rodit.js)
-module.exports = {generate_jwt_token,base64url2jwk_public_key,
+module.exports = {
+  generate_jwt_token,
+  base64url2jwk_public_key,
   checkandrenew_jwt_token,
   thorough_validate_jwt_token_be,
   brief_validate_jwt_token_be,
   generate_jwt_token_fromtoken,
-  verify_jwt_token,validate_jwt_token_be, generate_session_termination_token
+  verify_jwt_token,
+  validate_jwt_token_be,
+  generate_session_termination_token,
+  parseRoditJwtDurationSeconds,
+  resolveSessionExpirationUnix,
+  resolveCredentialExpirationUnix,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rodit/rodit-auth-be",
-  "version": "9.11.14",
+  "version": "9.11.16",
   "description": "RODiT-based authentication system for Express.js applications",
   "main": "index.js",
   "exports": {