rxnt-authentication 0.0.2-alpha-2345

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+import { Request } from 'express';
+
+declare class RxntAuthentication {
+    private readonly jwtIssuerBaseUrl;
+    private jwtAuthPublicKeys;
+    constructor(jwtIssuerBaseUrl: string);
+    stripJwtIfExists(req: Request): void;
+    getCookie(req: Request, cookieName: string): string;
+    getJwt(req: Request): string;
+    verifyJwt(req: Request): Promise<void>;
+    getClaimFromJwt(req: Request, claimName: string): any;
+    private getJwtAuthPublicKeys;
+}
+
+export { RxntAuthentication as default };

package/dist/index.js

@@ -0,0 +1,124 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  default: () => RxntAuthentication
+});
+module.exports = __toCommonJS(src_exports);
+var jwt = __toESM(require("jsonwebtoken"));
+var RxntAuthentication = class {
+  constructor(jwtIssuerBaseUrl) {
+    this.jwtIssuerBaseUrl = jwtIssuerBaseUrl;
+    this.getJwtAuthPublicKeys();
+  }
+  jwtAuthPublicKeys = [];
+  stripJwtIfExists(req) {
+    const authHeaders = req.headers.authorization?.split(",") ?? [];
+    for (const auth of authHeaders) {
+      const parts = auth.split(" ").filter((p) => !!p);
+      if (parts[0] === "Bearer") {
+        const jwtlessHeaders = authHeaders.filter((h) => h != auth);
+        if (jwtlessHeaders.length > 0) {
+          req.headers.authorization = jwtlessHeaders.join(",");
+        } else {
+          delete req.headers.authorization;
+        }
+      }
+    }
+    const cookie = req.headers.cookie;
+    const splitCookies = cookie?.split("; ") ?? [];
+    const accessTokenCookieInd = splitCookies.findIndex((c) => c.startsWith("app.at="));
+    if (accessTokenCookieInd >= 0) {
+      const filteredCookies = splitCookies.filter((_, ind) => ind !== accessTokenCookieInd);
+      if (filteredCookies.length > 0) {
+        req.headers.cookie = filteredCookies.join("; ");
+      } else {
+        delete req.headers.cookie;
+      }
+    }
+  }
+  getCookie(req, cookieName) {
+    const cookie = req.headers.cookie;
+    const splitCookies = cookie?.split("; ") ?? [];
+    const targetCookie = splitCookies.find((c) => c.startsWith(`${cookieName}=`));
+    let cookieValue = "";
+    if (targetCookie) {
+      cookieValue = targetCookie.split("=")[1] ?? "";
+      if (cookieValue.endsWith(";")) {
+        cookieValue = cookieValue.substring(0, cookieValue.length - 1);
+      }
+    }
+    return cookieValue;
+  }
+  getJwt(req) {
+    const authHeaders = req.headers.authorization?.split(",") ?? [];
+    let jwtFromAuthHeader = "";
+    for (const auth of authHeaders) {
+      const parts = auth.split(" ").filter((p) => !!p);
+      if (parts[0] === "Bearer") {
+        jwtFromAuthHeader = parts[1] ?? "";
+        break;
+      }
+    }
+    if (jwtFromAuthHeader) {
+      return jwtFromAuthHeader;
+    }
+    return this.getCookie(req, "app.at");
+  }
+  async verifyJwt(req) {
+    const reqJwt = this.getJwt(req);
+    const jwtKid = jwt.decode(reqJwt, { complete: true, json: true }).header.kid;
+    let publicKey = this.jwtAuthPublicKeys.find((k) => k.key.kid === jwtKid);
+    if (!publicKey) {
+      await this.getJwtAuthPublicKeys();
+      publicKey = this.jwtAuthPublicKeys.find((k) => k.key.kid === jwtKid);
+      if (!publicKey) {
+        throw new Error("Public key for the given jwt does not exist on FusionAuth.");
+      }
+    }
+    const verifiedJwt = jwt.verify(reqJwt, publicKey);
+    if (!verifiedJwt) {
+      throw new Error("JWT verification failed, returning unauthorized status.");
+    }
+  }
+  getClaimFromJwt(req, claimName) {
+    const reqJwt = this.getJwt(req);
+    const jwtObj = jwt.decode(reqJwt, { complete: true, json: true });
+    const payload = jwtObj?.payload ?? {};
+    return payload[claimName];
+  }
+  async getJwtAuthPublicKeys() {
+    if (this.jwtIssuerBaseUrl) {
+      const publicKeyRes = await fetch(`${this.jwtIssuerBaseUrl}/.well-known/jwks.json`);
+      this.jwtAuthPublicKeys = (await publicKeyRes.json()).keys.map((k) => ({ format: "jwk", key: k }));
+    }
+  }
+};

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "rxnt-authentication",
+  "version": "0.0.2-alpha-2345",
+  "description": "Authentication helper methods for RXNT Authentication in Node APIs",
+  "main": "dist/index.js",
+  "types": "dist/indext.d.ts",
+  "files": [
+    "src",
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/RXNT/common.git",
+    "directory": "rxnt-authentication"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --dts",
+    "test": "jest",
+    "format": "prettier --write src/**/*",
+    "lint": "eslint src/**/*.{js,ts,json}",
+    "increment-version": "node ../scripts/increment-version.script.js",
+    "publish-package": "node ../scripts/publish.script.js"
+  },
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "@types/express": "^5.0.3",
+    "@types/jest": "^30.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^24.3.1",
+    "jest": "^30.1.3",
+    "typescript": "^5.9.2"
+  },
+  "dependencies": {
+    "express": "^5.1.0",
+    "jsonwebtoken": "^9.0.2"
+  }
+}

package/src/index.spec.ts

@@ -0,0 +1,239 @@
+import { Request } from 'express';
+import RxntAuthentication from './index';
+
+describe('RxntAuthentication Instantiation', () => {
+  it('should be able to instantiate RxntAuthentication with base issuer URL', () => {
+    const auth = new RxntAuthentication('');
+    expect(auth).toBeInstanceOf(RxntAuthentication);
+  });
+});
+
+describe('stripJwtIfExists', () => {
+  it('should be able to strip JWT from request if it exists as single authorization header', () => {
+    // Arrange
+    const req = {
+      headers: {
+        authorization: 'Bearer insertjwthere',
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.authorization).toBeUndefined();
+  });
+
+  it('should be able to strip JWT from request if it exists as part of combination authorization header', () => {
+    // Arrange
+    const mockBasicToken = 'Basic insertbasictokenhere';
+    const mockBearerToken = 'Bearer insertjwthere';
+    const req = {
+      headers: {
+        authorization: `${mockBasicToken}, ${mockBearerToken}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.authorization).toBe(mockBasicToken);
+  });
+
+  it('should be able to strip JWT from request if it exists as single cookie header', () => {
+    // Arrange
+    const req = {
+      headers: {
+        cookie: 'app.at=insertjwthere',
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.cookie).toBeUndefined();
+  });
+
+  it('should be able to strip JWT from request if it exists as part of combination cookie header', () => {
+    // Arrange
+    const mockCookie1 = 'cookieOne=someValue';
+    const mockCookie2 = 'cookieTwo=someValue';
+    const mockAuthenticationTokenCookie = 'app.at=insertjwthere';
+    const req = {
+      headers: {
+        cookie: `${mockCookie1}; ${mockAuthenticationTokenCookie}; ${mockCookie2}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.cookie).toBe(`${mockCookie1}; ${mockCookie2}`);
+  });
+
+  it('should be able to strip JWT from request if it exists as both authorization header and cookie header', () => {
+    // Arrange
+    const mockAuthorizationHeader = 'Bearer insertjwthere';
+    const mockAuthenticationTokenCookie = 'app.at=insertjwthere';
+    const req = {
+      headers: {
+        authorization: mockAuthorizationHeader,
+        cookie: mockAuthenticationTokenCookie,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.authorization).toBeUndefined();
+    expect(req.headers.cookie).toBeUndefined();
+  });
+
+  it('should leave request headers unchanged if no JWT exists', () => {
+    // Arrange
+    const mockCookieHeader = 'cookieOne=someValue; cookieTwo=someValue';
+    const mockAuthorizationHeader = 'Basic insertbasictokenhere';
+    const req = {
+      headers: {
+        cookie: mockCookieHeader,
+        authorization: mockAuthorizationHeader,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    auth.stripJwtIfExists(req);
+    // Assert
+    expect(req.headers.cookie).toBe(mockCookieHeader);
+    expect(req.headers.authorization).toBe(mockAuthorizationHeader);
+  });
+});
+
+describe('getCookie', () => {
+  it('should fetch cookie value from request cookie header when exists', () => {
+    // Arrange
+    const mockCookie1Name = 'cookieOne';
+    const mockCookie1Value = 'value1';
+    const mockCookie2Name = 'cookieTwo';
+    const mockCookie2Value = 'value2';
+    const req = {
+      headers: {
+        cookie: `${mockCookie1Name}=${mockCookie1Value}; ${mockCookie2Name}=${mockCookie2Value}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const cookie1Res = auth.getCookie(req, mockCookie1Name);
+    const cookie2Res = auth.getCookie(req, mockCookie2Name);
+    // Assert
+    expect(cookie1Res).toBe(mockCookie1Value);
+    expect(cookie2Res).toBe(mockCookie2Value);
+  });
+  
+  it('should return empty string when requested cookie does not exist', () => {
+    // Arrange
+    const mockCookie3Name = 'cookieThree';
+    const req = {
+      headers: {
+        cookie: `cookieOne=value1; cookieTwo=value2`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const cookie3Res = auth.getCookie(req, mockCookie3Name);
+    // Assert
+    expect(cookie3Res).toBe('');
+  });
+});
+
+describe('getJwt', () => {
+  it('should fetch JWT from authorization header', () => {
+    // Arrange
+    const mockJwt = 'insertjwthere';
+    const req = {
+      headers: {
+        authorization: `Bearer ${mockJwt}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const jwtRes = auth.getJwt(req);
+    // Assert
+    expect(jwtRes).toBe(mockJwt);
+  });
+
+  it('should fetch JWT from cookie header', () => {
+    // Arrange
+    const mockJwt = 'insertjwthere';
+    const req = {
+      headers: {
+        cookie: `app.at=${mockJwt}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const jwtRes = auth.getJwt(req);
+    // Assert
+    expect(jwtRes).toBe(mockJwt);
+  });
+
+  it('should prioritize authorization header over cookie header', () => {
+    // Arrange
+    const mockJwt1 = 'jwt1';
+    const mockJwt2 = 'jwt2';
+    const req = {
+      headers: {
+        authorization: `Bearer ${mockJwt1}`,
+        cookie: `app.at=${mockJwt2}`,
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const jwtRes = auth.getJwt(req);
+    // Assert
+    expect(jwtRes).toBe(mockJwt1);
+  });
+
+  it('should return empty string when no JWT exists', () => {
+    // Arrange
+    const req = {
+      headers: {},
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const jwtRes = auth.getJwt(req);
+    // Assert
+    expect(jwtRes).toBe('');
+  });
+});
+
+describe('getClaimFromJwt', () => {
+  it('should fetch claim object from JWT', () => {
+    // Arrange
+    const claimObj = {
+      v2LoginId: 123456
+    };
+    const req = {
+      headers: {
+        authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwiZGFzaGJvYXJkIjp7InYyTG9naW5JZCI6MTIzNDU2fX0.8GYXMoAaxAsBWoX7Xql2cXmz8Tw0nUTqFnR0t-mjMpY',
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const claimRes = auth.getClaimFromJwt(req, 'dashboard');
+    // Assert
+    expect(claimRes).toEqual(claimObj);
+  });
+
+  it('should return undefined for nonexistent claim name', () => {
+    // Arrange
+    const req = {
+      headers: {
+        authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwiZGFzaGJvYXJkIjp7InYyTG9naW5JZCI6MTIzNDU2fX0.8GYXMoAaxAsBWoX7Xql2cXmz8Tw0nUTqFnR0t-mjMpY',
+      },
+    } as Request;
+    const auth = new RxntAuthentication('');
+    // Act
+    const claimRes = auth.getClaimFromJwt(req, 'dashboard2');
+    // Assert
+    expect(claimRes).toBeUndefined();
+  });
+});

package/src/index.ts

@@ -0,0 +1,108 @@
+import * as jwt from 'jsonwebtoken';
+import { Request } from 'express';
+import { JsonWebKeyInput } from 'crypto';
+
+export default class RxntAuthentication {
+  private jwtAuthPublicKeys: JsonWebKeyInput[] = [];
+  constructor(private readonly jwtIssuerBaseUrl: string) {
+    this.getJwtAuthPublicKeys();
+  }
+
+  stripJwtIfExists(req: Request): void {
+    // try to strip bearer authorization header first
+    const authHeaders = req.headers.authorization?.split(',') ?? [];
+    for (const auth of authHeaders) {
+      const parts = auth.split(' ').filter((p) => !!p); // split on spaces, filter out empty strings
+      if (parts[0] === 'Bearer') {
+        const jwtlessHeaders = authHeaders.filter(h => h != auth);
+        if (jwtlessHeaders.length > 0) {
+          req.headers.authorization = jwtlessHeaders.join(',');
+        } else {
+          delete req.headers.authorization;
+        }
+      }
+    }
+
+    // strip access token cookie from cookie header if previous was unfound
+    const cookie = req.headers.cookie;
+    const splitCookies = cookie?.split('; ') ?? [];
+    const accessTokenCookieInd = splitCookies.findIndex((c) => c.startsWith('app.at='));
+    if (accessTokenCookieInd >= 0) {
+      const filteredCookies = splitCookies.filter((_, ind) => ind !== accessTokenCookieInd);
+      if (filteredCookies.length > 0) {
+        req.headers.cookie = filteredCookies.join('; ');
+      } else {
+        delete req.headers.cookie;
+      }
+    }
+  }
+
+  getCookie(req: Request, cookieName: string): string {
+    const cookie = req.headers.cookie;
+    const splitCookies = cookie?.split('; ') ?? [];
+    const targetCookie = splitCookies.find((c) => c.startsWith(`${cookieName}=`));
+    let cookieValue = '';
+    if (targetCookie) {
+      cookieValue = targetCookie.split('=')[1] ?? '';
+      // if there's only one cookie or the target cookie is last on the cookie list, the `; ` split won't trim the final semicolon.
+      // this shouldn't ever show up in production, but it's better to be safe than sorry.
+      if (cookieValue.endsWith(';')) {
+        cookieValue = cookieValue.substring(0, cookieValue.length - 1);
+      }
+    }
+    return cookieValue;
+  }
+
+  getJwt(req: Request): string {
+    const authHeaders = req.headers.authorization?.split(',') ?? [];
+    let jwtFromAuthHeader = '';
+    for (const auth of authHeaders) {
+      const parts = auth.split(' ').filter((p) => !!p); // split on spaces, filter out empty strings
+      if (parts[0] === 'Bearer') {
+        jwtFromAuthHeader = parts[1] ?? '';
+        break;
+      }
+    }
+
+    if (jwtFromAuthHeader) {
+      return jwtFromAuthHeader;
+    }
+    return this.getCookie(req, 'app.at');
+  }
+
+  async verifyJwt(req: Request): Promise<void> {
+    const reqJwt = this.getJwt(req);
+    const jwtKid = (jwt.decode(reqJwt, { complete: true, json: true }) as jwt.JwtPayload).header.kid;
+
+    // get the public key from the current stored keys. if it doesn't exist, refresh them and try again. if it still doesn't exist, throw an error
+    let publicKey = this.jwtAuthPublicKeys.find(k => k.key.kid === jwtKid);
+    if (!publicKey) {
+      // cache miss case
+      await this.getJwtAuthPublicKeys();
+      publicKey = this.jwtAuthPublicKeys.find(k => k.key.kid === jwtKid);
+      if (!publicKey) {
+        throw new Error('Public key for the given jwt does not exist on FusionAuth.');
+      }
+    }
+
+    // verify jwt
+    const verifiedJwt = jwt.verify(reqJwt, publicKey);
+    if (!verifiedJwt) {
+      throw new Error('JWT verification failed, returning unauthorized status.');
+    }
+  }
+
+  getClaimFromJwt(req: Request, claimName: string): any {
+    const reqJwt = this.getJwt(req);
+    const jwtObj = jwt.decode(reqJwt, { complete: true, json: true });
+    const payload = (jwtObj?.payload as jwt.JwtPayload) ?? {};
+    return payload[claimName];
+  }
+
+  private async getJwtAuthPublicKeys() {
+    if (this.jwtIssuerBaseUrl) {
+      const publicKeyRes = await fetch(`${this.jwtIssuerBaseUrl}/.well-known/jwks.json`);
+      this.jwtAuthPublicKeys = (await publicKeyRes.json()).keys.map((k: any) => ({ format: 'jwk', key: k }));
+    }
+  }
+}