@thinkingcat/auth-utils 1.0.50 → 2.0.1

package/dist/core/verify.js

@@ -0,0 +1,181 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAndRefreshToken = verifyAndRefreshToken;
+exports.verifyAndRefreshTokenWithNextAuth = verifyAndRefreshTokenWithNextAuth;
+const jose_1 = require("jose");
+const logger_1 = require("../utils/logger");
+const api_1 = require("../sso/api");
+const server_1 = require("../utils/server");
+const jwt_1 = require("./jwt");
+const cookies_1 = require("./cookies");
+/**
+ * 토큰 검증 및 갱신 시도
+ */
+async function verifyAndRefreshToken(req, secret, options) {
+    const { cookiePrefix, serviceId, isProduction, cookieDomain, ssoBaseURL, authServiceKey, forceRefresh = false, } = options;
+    const accessTokenName = `${cookiePrefix}_access_token`;
+    const accessToken = req.cookies.get(accessTokenName)?.value;
+    if (accessToken && !forceRefresh) {
+        try {
+            const secretBytes = new TextEncoder().encode(secret);
+            const { payload } = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+            if (payload && typeof payload === 'object' && payload.email) {
+                return { isValid: true, payload: payload };
+            }
+        }
+        catch {
+            // Token verification failed
+        }
+    }
+    const refreshTokenName = `${cookiePrefix}_refresh_token`;
+    const refreshToken = req.cookies.get(refreshTokenName)?.value;
+    if (refreshToken) {
+        try {
+            if (!ssoBaseURL || !authServiceKey) {
+                return { isValid: false, error: 'SSO_CONFIG_MISSING' };
+            }
+            const refreshResult = await (0, api_1.refreshSSOToken)(refreshToken, {
+                ssoBaseURL,
+                authServiceKey,
+            });
+            if (refreshResult.success && refreshResult.accessToken) {
+                const newRefreshToken = refreshResult.refreshToken || refreshToken;
+                try {
+                    let payload;
+                    const secretBytes = new TextEncoder().encode(secret);
+                    const { payload: tokenPayload } = await (0, jose_1.jwtVerify)(refreshResult.accessToken, secretBytes);
+                    if (tokenPayload && typeof tokenPayload === 'object' && tokenPayload.email) {
+                        payload = tokenPayload;
+                    }
+                    const { NextResponse: NextResponseClass } = await (0, server_1.getNextServer)();
+                    const response = NextResponseClass.next();
+                    const jwt = (0, jwt_1.createNextAuthJWT)(payload, serviceId);
+                    if (newRefreshToken)
+                        jwt.refreshToken = newRefreshToken;
+                    jwt.accessTokenExpires = Date.now() + (15 * 60 * 1000);
+                    try {
+                        const encodedSessionToken = await (0, jwt_1.encodeNextAuthToken)(jwt, secret, 30 * 24 * 60 * 60);
+                        (0, cookies_1.setNextAuthToken)(response, encodedSessionToken, {
+                            isProduction,
+                            cookieDomain,
+                        });
+                    }
+                    catch (error) {
+                        (0, logger_1.debugError)('verifyAndRefreshToken', 'Failed to set NextAuth session cookie', error);
+                    }
+                    if (newRefreshToken) {
+                        (0, cookies_1.setCustomTokens)(response, refreshResult.accessToken, newRefreshToken, {
+                            cookiePrefix,
+                            isProduction,
+                            cookieDomain,
+                        });
+                    }
+                    else {
+                        (0, cookies_1.setCustomTokens)(response, refreshResult.accessToken, {
+                            cookiePrefix,
+                            isProduction,
+                            cookieDomain,
+                        });
+                    }
+                    return { isValid: true, response, payload };
+                }
+                catch (error) {
+                    return { isValid: false, error: 'SESSION_CREATION_FAILED' };
+                }
+            }
+            else {
+                const { NextResponse: NextResponseClass } = await (0, server_1.getNextServer)();
+                const response = NextResponseClass.next();
+                (0, cookies_1.clearAllAuthCookies)(response, options.cookiePrefix, options.isProduction);
+                return { isValid: false, response, error: 'REFRESH_FAILED' };
+            }
+        }
+        catch (error) {
+            const { NextResponse: NextResponseClass } = await (0, server_1.getNextServer)();
+            const response = NextResponseClass.next();
+            (0, cookies_1.clearAllAuthCookies)(response, options.cookiePrefix, options.isProduction);
+            return { isValid: false, response, error: 'REFRESH_ERROR' };
+        }
+    }
+    return { isValid: false, error: 'NO_TOKEN' };
+}
+/**
+ * NextAuth 토큰과 자체 토큰을 모두 확인하는 미들웨어용 함수
+ */
+async function verifyAndRefreshTokenWithNextAuth(req, nextAuthToken, secret, options) {
+    const { cookiePrefix, isProduction } = options;
+    const nextAuthSessionTokenCookieName = isProduction
+        ? '__Secure-next-auth.session-token'
+        : 'next-auth.session-token';
+    const nextAuthCookieValue = req.cookies.get(nextAuthSessionTokenCookieName)?.value;
+    const hasNextAuthSessionTokenCookie = !!nextAuthCookieValue;
+    const hasValidNextAuthToken = nextAuthToken && (0, jwt_1.isValidToken)(nextAuthToken);
+    const accessTokenName = `${cookiePrefix}_access_token`;
+    const accessToken = req.cookies.get(accessTokenName)?.value;
+    let hasValidAccessToken = false;
+    if (accessToken) {
+        try {
+            const secretBytes = new TextEncoder().encode(secret);
+            const { payload } = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+            if (payload && typeof payload === 'object' && payload.email) {
+                hasValidAccessToken = true;
+            }
+        }
+        catch {
+            // Ignored
+        }
+    }
+    const refreshTokenName = `${cookiePrefix}_refresh_token`;
+    const refreshToken = req.cookies.get(refreshTokenName)?.value;
+    if (hasValidNextAuthToken && hasValidAccessToken) {
+        let payload;
+        if (accessToken) {
+            try {
+                const secretBytes = new TextEncoder().encode(secret);
+                const result = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+                payload = result.payload;
+            }
+            catch {
+                // Ignored
+            }
+        }
+        return {
+            isValid: true,
+            token: nextAuthToken,
+            payload
+        };
+    }
+    if (refreshToken && (!hasValidNextAuthToken || !hasValidAccessToken)) {
+        const authCheck = await verifyAndRefreshToken(req, secret, {
+            ...options,
+            forceRefresh: true,
+        });
+        let refreshedToken = null;
+        if (authCheck.isValid && authCheck.payload) {
+            refreshedToken = (0, jwt_1.createNextAuthJWT)(authCheck.payload, options.serviceId);
+        }
+        return {
+            ...authCheck,
+            token: refreshedToken || undefined
+        };
+    }
+    if (hasValidNextAuthToken || hasValidAccessToken) {
+        let payload;
+        if (accessToken && hasValidAccessToken) {
+            try {
+                const secretBytes = new TextEncoder().encode(secret);
+                const result = await (0, jose_1.jwtVerify)(accessToken, secretBytes);
+                payload = result.payload;
+            }
+            catch {
+                // Ignored
+            }
+        }
+        return {
+            isValid: true,
+            token: nextAuthToken || (payload ? (0, jwt_1.createNextAuthJWT)(payload, options.serviceId) : undefined),
+            payload
+        };
+    }
+    return { isValid: false, error: 'NO_TOKEN' };
+}