propro-utils 1.3.8

package/src/server/middleware/verifyToken.js

@@ -0,0 +1,119 @@
+const axios = require("axios");
+const jwt = require("jsonwebtoken");
+const tokenCache = new Map();
+
+/**
+ * Verifies a JSON Web Token (JWT) using the provided secret.
+ * @param {string} token - The JWT to be verified.
+ * @param {string} secret - The secret used to sign the JWT.
+ * @returns {object|null} - The decoded payload of the JWT if it is valid, or null if it is not valid.
+ */
+function verifyJWT(token, secret) {
+  try {
+    return jwt.verify(token, secret);
+  } catch (err) {
+    return null;
+  }
+}
+
+/**
+ * Exchanges an authorization code for an access token.
+ * @param {string} authUrl - The URL of the authorization server.
+ * @param {string} code - The authorization code.
+ * @param {string} clientId - The client ID.
+ * @param {string} clientSecret - The client secret.
+ * @param {string} redirectUri - The redirect URI.
+ * @returns {Promise<Object>} - The response data containing the access token.
+ */
+async function exchangeToken(
+  authUrl,
+  code,
+  clientId,
+  clientSecret,
+  redirectUri
+) {
+  const response = await axios.post(
+    authUrl + "/api/v1/auth/authorize",
+    {
+      grantType: "authorization_code",
+      code: code,
+      redirectUri: redirectUri,
+      clientId: clientId,
+      clientSecret: clientSecret,
+    },
+    {
+      headers: { "Content-Type": "application/json" },
+    }
+  );
+
+  return response.data;
+}
+
+/**
+ * Middleware function to verify user account and permissions
+ * @param {Array} requiredPermissions - Array of required permissions for the user
+ * @returns {Function} - Express middleware function
+ */
+const VerifyAccount = (requiredPermissions) => {
+  return async (req, res, next) => {
+    const accessToken = req.headers.authorization?.split(" ")[1];
+    if (!accessToken) {
+      return res.status(401).json({ error: "Access token is required" });
+    }
+
+    // Check if token is in cache
+    if (tokenCache.has(accessToken)) {
+      req.user = tokenCache.get(accessToken);
+      return next();
+    }
+
+    try {
+      const decoded = jwt.verify(accessToken, process.env.JWT_SECRET);
+      if (!isValid(decoded, requiredPermissions)) {
+        return res.status(403).json({ error: "Invalid permissions" });
+      }
+      tokenCache.set(accessToken, decoded);
+      req.user = decoded;
+      return next();
+    } catch (error) {
+      try {
+        const userResponse = await axios.get(
+          `${process.env.AUTH_URL}/api/user`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+            },
+          }
+        );
+
+        if (!isValid(userResponse.data, requiredPermissions)) {
+          return res.status(403).json({ error: "Invalid permissions" });
+        }
+
+        tokenCache.set(accessToken, userResponse.data);
+        req.user = userResponse.data;
+        return next();
+      } catch (networkError) {
+        return res.status(500).json({ error: "Error validating token" });
+      }
+    }
+  };
+};
+
+/**
+ * Checks if the decoded token has all the required permissions.
+ * @param {object} decodedToken - The decoded token object.
+ * @param {string[]} requiredPermissions - An array of required permissions.
+ * @returns {boolean} - Returns true if the decoded token has all the required permissions, false otherwise.
+ */
+function isValid(decodedToken, requiredPermissions) {
+  return requiredPermissions.every((permission) =>
+    decodedToken.permissions.includes(permission)
+  );
+}
+
+module.exports = {
+  VerifyAccount,
+  exchangeToken,
+  verifyJWT,
+};

package/src/server/middleware/verifyToken.test.js

@@ -0,0 +1,171 @@
+describe("isValid", () => {
+  it("should return true when all required permissions are present", () => {
+    const decodedToken = { permissions: ["user", "manageUsers"] };
+    const requiredPermissions = ["user", "manageUsers"];
+
+    const result = isValid(decodedToken, requiredPermissions);
+
+    expect(result).toBe(true);
+  });
+
+  it("should return false when some required permissions are missing", () => {
+    const decodedToken = { permissions: ["user"] };
+    const requiredPermissions = ["user", "manageUsers"];
+
+    const result = isValid(decodedToken, requiredPermissions);
+
+    expect(result).toBe(false);
+  });
+
+  it("should return false when all required permissions are missing", () => {
+    const decodedToken = { permissions: [] };
+    const requiredPermissions = ["user", "manageUsers"];
+
+    const result = isValid(decodedToken, requiredPermissions);
+
+    expect(result).toBe(false);
+  });
+
+  it("should return true when no permissions are required", () => {
+    const decodedToken = { permissions: ["user", "manageUsers"] };
+    const requiredPermissions = [];
+
+    const result = isValid(decodedToken, requiredPermissions);
+
+    expect(result).toBe(true);
+  });
+});
+
+describe("VerifyAccount", () => {
+  // Verify that a valid access token is present in the request header and proceed with the verification process.
+  it("should return a 401 error response when access token is not present in the request header", async () => {
+    const req = { headers: {} };
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    const next = jest.fn();
+
+    await VerifyAccount([])(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "Access token is required",
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  // Verify that the account has all the required permissions and attach account info to the request object.
+  it("should return a 403 error response when the account does not have all the required permissions", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const account = { id: "123", permissions: ["user"] };
+    const req = { headers: { authorization: "Bearer token" }, account };
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    const next = jest.fn();
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "Insufficient permissions",
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  // Verify that the function calls the next middleware function after successful verification.
+  it("should call the next middleware function after successful verification", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const account = { id: "123", permissions: ["user", "manageUsers"] };
+    const req = { headers: { authorization: "Bearer token" }, account };
+    const res = { status: jest.fn(), json: jest.fn() };
+    const next = jest.fn();
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(res.status).not.toHaveBeenCalled();
+    expect(res.json).not.toHaveBeenCalled();
+    expect(next).toHaveBeenCalled();
+  });
+
+  // Verify that the function returns a 500 error response when an unexpected error occurs during verification.
+  it("should return a 500 error response when an unexpected error occurs during verification", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const req = { headers: { authorization: "Bearer token" } };
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    const next = jest.fn();
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: "Internal Server Error" });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  // Verify that the function handles errors returned by the external API and returns a 401 error response when the access token is invalid or expired.
+  it("should return a 401 error response when the access token is invalid or expired", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const req = { headers: { authorization: "Bearer token" } };
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    const next = jest.fn();
+
+    axios.get.mockRejectedValueOnce({ response: { status: 401 } });
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "Invalid or expired access token",
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  // Verify that the function handles errors returned by the external API and returns a 500 error response when an unexpected error occurs during API call.
+  it("should return a 500 error response when an unexpected error occurs during API call", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const req = { headers: { authorization: "Bearer token" } };
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn() };
+    const next = jest.fn();
+
+    axios.get.mockRejectedValueOnce(new Error("API error"));
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: "Internal Server Error" });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  // Verify that the function retrieves the user from cache when the token is already cached.
+  it("should retrieve the user from cache when the token is already cached", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const account = { id: "123", permissions: ["user", "manageUsers"] };
+    const accessToken = "token";
+    const decoded = { ...account, accessToken };
+    const req = { headers: { authorization: `Bearer ${accessToken}` } };
+    const res = { status: jest.fn(), json: jest.fn() };
+    const next = jest.fn();
+
+    tokenCache.set(accessToken, decoded);
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(req.user).toEqual(decoded);
+    expect(next).toHaveBeenCalled();
+  });
+
+  // Verify that the function retrieves the user from the external API when the token is not cached.
+  it("should retrieve the user from the external API when the token is not cached", async () => {
+    const requiredPermissions = ["user", "manageUsers"];
+    const account = { id: "123", permissions: ["user", "manageUsers"] };
+    const accessToken = "token";
+    const decoded = { ...account, accessToken };
+    const req = { headers: { authorization: `Bearer ${accessToken}` } };
+    const res = { status: jest.fn(), json: jest.fn() };
+    const next = jest.fn();
+
+    axios.get.mockResolvedValueOnce({ data: decoded });
+
+    await VerifyAccount(requiredPermissions)(req, res, next);
+
+    expect(req.user).toEqual(decoded);
+    expect(tokenCache.get(accessToken)).toEqual(decoded);
+    expect(next).toHaveBeenCalled();
+  });
+});

package/src/server/server.test.js

@@ -0,0 +1,37 @@
+const request = require("supertest");
+const express = require("express");
+const app = express();
+const axios = require("axios");
+jest.mock("axios");
+
+require("./index.js")(app);
+
+describe("GET /auth", () => {
+  it("should redirect to the auth client", async () => {
+    const res = await request(app).get("/auth");
+    expect(res.statusCode).toEqual(302);
+    expect(res.headers.location).toContain(process.env.CLIENT_URL);
+  });
+});
+
+describe("GET /callback", () => {
+  it("should exchange code for tokens", async () => {
+    const mockCode = "mockCode";
+    const mockTokenResponse = {
+      data: {
+        access_token: "mockAccessToken",
+        refresh_token: "mockRefreshToken",
+      },
+    };
+    axios.post.mockResolvedValue(mockTokenResponse);
+
+    const res = await request(app).get(`/callback?code=${mockCode}`);
+    expect(res.statusCode).toEqual(302);
+    expect(res.headers.location).toContain(mockTokenResponse.data.access_token);
+  });
+
+  it("should respond with 400 if no code is provided", async () => {
+    const res = await request(app).get("/callback");
+    expect(res.statusCode).toEqual(400);
+  });
+});