@villedemontreal/jwt-validator 5.8.0 → 5.8.1

package/README.md

@@ -155,6 +155,30 @@ let jwt: string = '...';
 let jwtPayload: IJWTPayload = await jwtValidator.verifyToken(jwt);
 ```
 
+### Token transformation middleware
+
+When working locally, you do not have all the infrastructure required to simulate the translation between an access token and a JWT (ex: Kong).
+
+Prior to usage of the `jwtValidationMiddleware`, you can use the `token transformation middleware` which do an API call to exchange your access token for an extended jwt and update the authorization header.
+
+```typescript
+export async function createApp(apiRoutes: IHandlerRoute[]): Promise<express.Express> {
+  // ...
+
+  if (configs.security.jwt.enable) {
+    if (configs.environment.isLocal) {
+      // Required prior to the jwtValidationMiddleware
+      app.use(tokenTransformationMiddleware(config));
+    }
+
+    // ...
+    app.use(jwtValidationMiddleware())
+  }
+
+  // ...
+}
+```
+
 ## Usage For Tests
 
 This library provides a mock tool to generate your own JWT with a signature which it will be correcly validated.

package/dist/src/config/tokenTransformationMiddlewareConfig.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Configuration for the token transformation
+ * middleware (UTTM).
+ */
+export interface ITokenTtransformationMiddlewareConfig {
+    service: ITokenTtransformationMiddlewareServiceConfig;
+    extensions: {
+        jwt: {
+            customDataProvider: ITokenTtransformationMiddlewareCustomDataProviderConfig;
+        };
+    };
+}
+/**
+ * Configuration specific for the token transformation service.
+ */
+export interface ITokenTtransformationMiddlewareServiceConfig {
+    uri: string;
+}
+/**
+ * Configuration specific for the custom data provider.
+ */
+export interface ITokenTtransformationMiddlewareCustomDataProviderConfig {
+    uri: string;
+    method: string;
+    options: any;
+}

package/dist/src/config/tokenTransformationMiddlewareConfig.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=tokenTransformationMiddlewareConfig.js.map

package/dist/src/config/tokenTransformationMiddlewareConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenTransformationMiddlewareConfig.js","sourceRoot":"","sources":["../../../src/config/tokenTransformationMiddlewareConfig.ts"],"names":[],"mappings":""}

package/dist/src/index.d.ts

@@ -2,6 +2,7 @@ export * from './config/constants';
 export * from './config/init';
 export * from './jwtValidator';
 export * from './middleware/jwtMiddleware';
+export * from './middleware/tokenTransformationMiddleware';
 export * from './models/expressRequest';
 export * from './models/gluuUserType';
 export * from './models/jwtPayload';

package/dist/src/index.js

@@ -23,6 +23,7 @@ __exportStar(require("./config/constants"), exports);
 __exportStar(require("./config/init"), exports);
 __exportStar(require("./jwtValidator"), exports);
 __exportStar(require("./middleware/jwtMiddleware"), exports);
+__exportStar(require("./middleware/tokenTransformationMiddleware"), exports);
 __exportStar(require("./models/expressRequest"), exports);
 __exportStar(require("./models/gluuUserType"), exports);
 __exportStar(require("./models/jwtPayload"), exports);

package/dist/src/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,6CAA6C;AAC7C,gDAAgD;AAChD,6CAA6C;AAC7C,qCAAqC;AACrC,6CAA6C;AAC7C,gDAA8B;AAC9B,iDAA+B;AAC/B,6DAA2C;AAC3C,0DAAwC;AACxC,wDAAsC;AACtC,sDAAoC;AACpC,qDAAmC;AACnC,kDAAgC;AAChC,kDAAgC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,6CAA6C;AAC7C,gDAAgD;AAChD,6CAA6C;AAC7C,qCAAqC;AACrC,6CAA6C;AAC7C,gDAA8B;AAC9B,iDAA+B;AAC/B,6DAA2C;AAC3C,6EAA2D;AAC3D,0DAAwC;AACxC,wDAAsC;AACtC,sDAAoC;AACpC,qDAAmC;AACnC,kDAAgC;AAChC,kDAAgC"}

package/dist/src/middleware/tokenTransformationMiddleware.d.ts

@@ -0,0 +1,9 @@
+import * as express from 'express';
+import { ITokenTtransformationMiddlewareConfig } from '../config/tokenTransformationMiddlewareConfig';
+/**
+ * Token transformation Middleware. It will generate extended jwt
+ * in exchange for an access token.
+ *
+ * @param {boolean} config Configuration of the middleware.
+ */
+export declare const tokenTransformationMiddleware: (config?: ITokenTtransformationMiddlewareConfig) => (req: express.Request, res: express.Response, next: express.NextFunction) => void;

package/dist/src/middleware/tokenTransformationMiddleware.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenTransformationMiddleware = void 0;
+const general_utils_1 = require("@villedemontreal/general-utils");
+const http_header_fields_typed_1 = require("http-header-fields-typed");
+const constants_1 = require("../config/constants");
+const customError_1 = require("../models/customError");
+const logger_1 = require("../utils/logger");
+const superagent = require("superagent");
+const _regexAccessToken = /([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})/;
+const logger = (0, logger_1.createLogger)('Token transformation middleware');
+/**
+ * Token transformation Middleware. It will generate extended jwt
+ * in exchange for an access token.
+ *
+ * @param {boolean} config Configuration of the middleware.
+ */
+const tokenTransformationMiddleware = (config) => {
+    return (req, res, next) => {
+        try {
+            // Validate the authorization header
+            const authHeader = req.get(http_header_fields_typed_1.default.AUTHORIZATION);
+            if (general_utils_1.utils.isBlank(authHeader)) {
+                throw (0, customError_1.createInvalidAuthHeaderError)({
+                    code: constants_1.constants.errors.codes.INVALID_VALUE,
+                    target: 'authorization_header',
+                    message: 'authorization header is empty',
+                });
+            }
+            // Extract the access token value from the authorization header
+            const accessTokenRegExpArray = _regexAccessToken.exec(authHeader);
+            if (accessTokenRegExpArray.length <= 1) {
+                throw (0, customError_1.createInvalidAuthHeaderError)({
+                    code: constants_1.constants.errors.codes.INVALID_VALUE,
+                    target: 'access_token',
+                    message: 'could not find a valid access token from the authorization header',
+                });
+            }
+            const accessToken = accessTokenRegExpArray[1];
+            // Call the service endpoint to exchange the access token for a extended jwt
+            superagent
+                .post(config.service.uri)
+                .send({ accessToken, extensions: config.extensions })
+                .then((response) => {
+                const extendedJwt = response.body.jwts?.extended;
+                logger.debug(extendedJwt, 'Extended jwt content.');
+                const basicJwt = response.body.jwts?.basic;
+                logger.debug(basicJwt, 'Basic jwt content.');
+                // Get the extended jwt. If not available, fallback to basic jwt.
+                const jwt = extendedJwt ?? basicJwt;
+                if (jwt) {
+                    // Warning: Headers are all in lowercase. To be sure to replace
+                    // the authorization header instead of duplicate it, must use lower case property name.
+                    req.headers[http_header_fields_typed_1.default.AUTHORIZATION.toLowerCase()] = `Bearer ${jwt}`;
+                    logger.debug(req.headers, 'Request headers');
+                    next();
+                }
+                else {
+                    const err = (0, customError_1.createInvalidJwtError)({
+                        code: constants_1.constants.errors.codes.NULL_VALUE,
+                        target: 'jwt',
+                        message: 'could not get a valid jwt from token translation service',
+                    });
+                    next(err);
+                }
+            })
+                .catch((err) => next(err));
+        }
+        catch (err) {
+            next(err);
+        }
+    };
+};
+exports.tokenTransformationMiddleware = tokenTransformationMiddleware;
+//# sourceMappingURL=tokenTransformationMiddleware.js.map

package/dist/src/middleware/tokenTransformationMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenTransformationMiddleware.js","sourceRoot":"","sources":["../../../src/middleware/tokenTransformationMiddleware.ts"],"names":[],"mappings":";;;AAAA,kEAAuD;AAEvD,uEAA6D;AAC7D,mDAAgD;AAEhD,uDAA4F;AAC5F,4CAA+C;AAC/C,yCAA0C;AAE1C,MAAM,iBAAiB,GAAG,gEAAgE,CAAC;AAE3F,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,iCAAiC,CAAC,CAAC;AAE/D;;;;;GAKG;AACI,MAAM,6BAA6B,GAE+C,CACvF,MAAM,EACN,EAAE;IACF,OAAO,CAAC,GAAoB,EAAE,GAAqB,EAAE,IAA0B,EAAQ,EAAE;QACvF,IAAI;YACF,oCAAoC;YACpC,MAAM,UAAU,GAAW,GAAG,CAAC,GAAG,CAAC,kCAAqB,CAAC,aAAa,CAAC,CAAC;YACxE,IAAI,qBAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;gBAC7B,MAAM,IAAA,0CAA4B,EAAC;oBACjC,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;oBAC1C,MAAM,EAAE,sBAAsB;oBAC9B,OAAO,EAAE,+BAA+B;iBACzC,CAAC,CAAC;aACJ;YAED,+DAA+D;YAC/D,MAAM,sBAAsB,GAAG,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAClE,IAAI,sBAAsB,CAAC,MAAM,IAAI,CAAC,EAAE;gBACtC,MAAM,IAAA,0CAA4B,EAAC;oBACjC,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;oBAC1C,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,mEAAmE;iBAC7E,CAAC,CAAC;aACJ;YACD,MAAM,WAAW,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;YAE9C,4EAA4E;YAC5E,UAAU;iBACP,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACxB,IAAI,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;iBACpD,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE;gBACjB,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC;gBACjD,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,uBAAuB,CAAC,CAAC;gBAEnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;gBAC3C,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;gBAE7C,iEAAiE;gBACjE,MAAM,GAAG,GAAG,WAAW,IAAI,QAAQ,CAAC;gBAEpC,IAAI,GAAG,EAAE;oBACP,+DAA+D;oBAC/D,uFAAuF;oBACvF,GAAG,CAAC,OAAO,CAAC,kCAAqB,CAAC,aAAa,CAAC,WAAW,EAAE,CAAC,GAAG,UAAU,GAAG,EAAE,CAAC;oBACjF,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;oBAC7C,IAAI,EAAE,CAAC;iBACR;qBAAM;oBACL,MAAM,GAAG,GAAG,IAAA,mCAAqB,EAAC;wBAChC,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU;wBACvC,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,0DAA0D;qBACpE,CAAC,CAAC;oBACH,IAAI,CAAC,GAAG,CAAC,CAAC;iBACX;YACH,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;SAC9B;QAAC,OAAO,GAAG,EAAE;YACZ,IAAI,CAAC,GAAG,CAAC,CAAC;SACX;IACH,CAAC,CAAC;AACJ,CAAC,CAAC;AA9DW,QAAA,6BAA6B,iCA8DxC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@villedemontreal/jwt-validator",
-  "version": "5.8.0",
+  "version": "5.8.1",
   "description": "Module to validate JWT (JSON Web Tokens)",
   "main": "dist/src/index.js",
   "typings": "dist/src",

package/src/config/tokenTransformationMiddlewareConfig.ts

@@ -0,0 +1,28 @@
+/**
+ * Configuration for the token transformation
+ * middleware (UTTM).
+ */
+export interface ITokenTtransformationMiddlewareConfig {
+  service: ITokenTtransformationMiddlewareServiceConfig;
+  extensions: {
+    jwt: {
+      customDataProvider: ITokenTtransformationMiddlewareCustomDataProviderConfig;
+    };
+  };
+}
+
+/**
+ * Configuration specific for the token transformation service.
+ */
+export interface ITokenTtransformationMiddlewareServiceConfig {
+  uri: string;
+}
+
+/**
+ * Configuration specific for the custom data provider.
+ */
+export interface ITokenTtransformationMiddlewareCustomDataProviderConfig {
+  uri: string;
+  method: string;
+  options: any;
+}

package/src/index.ts

@@ -7,6 +7,7 @@ export * from './config/constants';
 export * from './config/init';
 export * from './jwtValidator';
 export * from './middleware/jwtMiddleware';
+export * from './middleware/tokenTransformationMiddleware';
 export * from './models/expressRequest';
 export * from './models/gluuUserType';
 export * from './models/jwtPayload';

package/src/middleware/tokenTransformationMiddleware.ts

@@ -0,0 +1,82 @@
+import { utils } from '@villedemontreal/general-utils';
+import * as express from 'express';
+import httpHeaderFieldsTyped from 'http-header-fields-typed';
+import { constants } from '../config/constants';
+import { ITokenTtransformationMiddlewareConfig } from '../config/tokenTransformationMiddlewareConfig';
+import { createInvalidAuthHeaderError, createInvalidJwtError } from '../models/customError';
+import { createLogger } from '../utils/logger';
+import superagent = require('superagent');
+
+const _regexAccessToken = /([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})/;
+
+const logger = createLogger('Token transformation middleware');
+
+/**
+ * Token transformation Middleware. It will generate extended jwt
+ * in exchange for an access token.
+ *
+ * @param {boolean} config Configuration of the middleware.
+ */
+export const tokenTransformationMiddleware: (
+  config?: ITokenTtransformationMiddlewareConfig
+) => (req: express.Request, res: express.Response, next: express.NextFunction) => void = (
+  config
+) => {
+  return (req: express.Request, res: express.Response, next: express.NextFunction): void => {
+    try {
+      // Validate the authorization header
+      const authHeader: string = req.get(httpHeaderFieldsTyped.AUTHORIZATION);
+      if (utils.isBlank(authHeader)) {
+        throw createInvalidAuthHeaderError({
+          code: constants.errors.codes.INVALID_VALUE,
+          target: 'authorization_header',
+          message: 'authorization header is empty',
+        });
+      }
+
+      // Extract the access token value from the authorization header
+      const accessTokenRegExpArray = _regexAccessToken.exec(authHeader);
+      if (accessTokenRegExpArray.length <= 1) {
+        throw createInvalidAuthHeaderError({
+          code: constants.errors.codes.INVALID_VALUE,
+          target: 'access_token',
+          message: 'could not find a valid access token from the authorization header',
+        });
+      }
+      const accessToken = accessTokenRegExpArray[1];
+
+      // Call the service endpoint to exchange the access token for a extended jwt
+      superagent
+        .post(config.service.uri)
+        .send({ accessToken, extensions: config.extensions })
+        .then((response) => {
+          const extendedJwt = response.body.jwts?.extended;
+          logger.debug(extendedJwt, 'Extended jwt content.');
+
+          const basicJwt = response.body.jwts?.basic;
+          logger.debug(basicJwt, 'Basic jwt content.');
+
+          // Get the extended jwt. If not available, fallback to basic jwt.
+          const jwt = extendedJwt ?? basicJwt;
+
+          if (jwt) {
+            // Warning: Headers are all in lowercase. To be sure to replace
+            // the authorization header instead of duplicate it, must use lower case property name.
+            req.headers[httpHeaderFieldsTyped.AUTHORIZATION.toLowerCase()] = `Bearer ${jwt}`;
+            logger.debug(req.headers, 'Request headers');
+            next();
+          } else {
+            const err = createInvalidJwtError({
+              code: constants.errors.codes.NULL_VALUE,
+              target: 'jwt',
+              message: 'could not get a valid jwt from token translation service',
+            });
+            next(err);
+          }
+        })
+        .catch((err) => next(err));
+    } catch (err) {
+      next(err);
+    }
+  };
+};