/*
* Copyright (C) Sapphirecode - All Rights Reserved
* This file is part of Auth-Server-Helper which is released under MIT.
* See file 'LICENSE' for full license details.
* Created by Timo Hocker <timo@scode.ovh>, December 2020
*/
import { IncomingMessage, ServerResponse } from 'http';
import { run_regex } from '@sapphirecode/utilities';
import authority from './Authority';
import { AuthRequest, AccessSettings } from './AuthHandler';
/** Loosely typed callback; used for the middleware `next` function. */
type AnyFunc = (...args: unknown[]) => unknown;
/**
 * Middleware signature produced by create_gateway: takes the raw Node
 * request/response plus `next`, and resolves to whatever `next` returned
 * (or to nothing after the request was redirected or denied).
 */
type Gateway = (
  req: IncomingMessage,
  res: ServerResponse, next: AnyFunc
) => unknown;
/**
 * Settings used when a new access token is issued from a refresh token
 * (see GatewayClass.try_refresh). The `never` members are values the gateway
 * controls itself: it passes the refresh token's payload as `data` and forces
 * `leave_open: true`. `redirect_to` is presumably excluded because a refreshed
 * request continues into `next` rather than being redirected — confirm
 * against AuthHandler.
 */
interface RefreshSettings extends AccessSettings {
  // forced to true by the gateway: the response must stay open for `next`
  leave_open?: never;
  // not accepted for a refresh-issued token (see note above)
  redirect_to?: never;
  // supplied by the gateway from the verified refresh token
  data?: never;
}
/** Configuration accepted by create_gateway / GatewayClass. */
interface GatewayOptions {
  // target of the 302 for unauthenticated requests; without it they get a 403
  redirect_url?: string;
  // name of the cookie carrying the access token (consulted after the
  // Authorization header)
  cookie_name?: string;
  // name of the cookie carrying the refresh token; must differ from cookie_name
  refresh_cookie_name?: string;
  // settings for tokens issued on refresh; a refresh is only attempted when
  // both this and refresh_cookie_name are set
  refresh_settings?: RefreshSettings;
}
/** Cookie values found by GatewayClass.get_cookie_auth; null when absent. */
interface AuthCookies {
  access_cookie: string | null;
  refresh_cookie: string | null;
}
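/**
 * Authentication gateway for plain Node `http` handlers. A request passes
 * when it carries a valid access token (bearer header or access cookie) or
 * when a valid refresh cookie lets a new access token be issued; otherwise it
 * is redirected to `redirect_url` (302) or, without one, denied (403).
 */
class GatewayClass {
  /** Options given at construction; read by every request-handling method. */
  private _options: GatewayOptions;

  /**
   * Create a gateway.
   *
   * @param options - cookie names, redirect target and refresh settings.
   * @throws Error when `cookie_name` is a string equal to
   *   `refresh_cookie_name`: the two cookies must be distinguishable by name.
   */
  public constructor (options: GatewayOptions = {}) {
    const same_name = typeof options.cookie_name === 'string'
      && options.cookie_name === options.refresh_cookie_name;
    if (same_name)
      throw new Error ('access and refresh cookies cannot have the same name');
    this._options = options;
  }

  /** Reject the request with an empty 403 response. */
  public deny (res: ServerResponse): void {
    res.statusCode = 403;
    res.end ();
  }

  /**
   * Send the client to `redirect_url` with a 302, or deny with 403 when no
   * redirect target is configured.
   */
  public redirect (res: ServerResponse): void {
    const target = this._options.redirect_url;
    if (typeof target !== 'string') {
      this.deny (res);
      return;
    }
    res.statusCode = 302;
    res.setHeader ('Location', target);
    res.end ();
  }

  /**
   * Extract a bearer token from the `Authorization` header.
   *
   * @returns the text after `Bearer `, or null when the header is missing or
   *   uses another scheme. The scheme comparison is case-sensitive and the
   *   pattern is not anchored, so only the first `<word> <rest>` pair found in
   *   the header value is inspected.
   */
  public get_header_auth (req: IncomingMessage): string | null {
    const header_value = req.headers.authorization ?? '';
    const match = (/(?<type>\w+) (?<data>.*)/u).exec (header_value);
    if (match === null || match.groups?.type !== 'Bearer')
      return null;
    // `data` always participates in a successful match; `?? null` only
    // reconciles the optional typing of `groups` with the declared return type.
    return match.groups?.data ?? null;
  }

  /**
   * Read the access and refresh cookies named in the options out of the
   * `Cookie` header.
   *
   * @returns both values; null for a cookie that is absent or has no
   *   configured name. When a name occurs more than once the last one wins.
   */
  public get_cookie_auth (req: IncomingMessage): AuthCookies {
    const found: AuthCookies = { access_cookie: null, refresh_cookie: null };
    // one `name=value` pair per match; pairs with an empty value do not match
    const cookie_regex = /(?:^|;)\s*(?<name>[^;=]+)=(?<value>[^;]+)/gu;
    run_regex (
      cookie_regex,
      req.headers.cookie,
      (match: RegExpMatchArray) => {
        const name = match.groups?.name;
        const value = match.groups?.value;
        if (value === undefined)
          return;
        if (name === this._options.cookie_name)
          found.access_cookie = value;
        else if (name === this._options.refresh_cookie_name)
          found.refresh_cookie = value;
      }
    );
    return found;
  }

  /**
   * Attach a token's id and payload to the request's connection object so
   * later handlers can read `req.connection.auth`.
   *
   * NOTE(review): the value lives on the socket object, which presumably is
   * reused across keep-alive requests, so a later request on the same socket
   * sees the previous value until it is overwritten — confirm that downstream
   * readers tolerate this. `req.connection` is kept on purpose so the
   * property stays where existing readers look for it.
   */
  private attach_auth (
    req: IncomingMessage,
    token_id: unknown,
    token_data: unknown
  ): void {
    const con = req.connection as unknown as Record<string, unknown>;
    con.auth = { token_id, token_data };
  }

  /**
   * Check the request for an access token: the bearer header first, then the
   * access cookie.
   *
   * Side effect: whenever a token was present its id and data are attached
   * to the connection (see attach_auth), even when verification reports it
   * as not authorized — callers must trust the return value, not the mere
   * presence of `con.auth`.
   *
   * @returns the `authorized` flag from authority.verify, or false when no
   *   token was found.
   */
  public authenticate (req: IncomingMessage): boolean {
    const cookies = this.get_cookie_auth (req);
    const token = this.get_header_auth (req) ?? cookies.access_cookie;
    if (token === null)
      return false;
    const ver = authority.verify (token);
    this.attach_auth (req, ver.id, ver.data);
    return ver.authorized;
  }

  /**
   * Try to issue a new access token from the refresh cookie.
   *
   * Requires both `refresh_cookie_name` and `refresh_settings` in the
   * options; otherwise, or when no refresh cookie is present, or when the
   * cookie does not verify as a valid `refresh_token`, returns false without
   * touching the response. On success the tokens are issued through
   * `AuthRequest.allow_access` with `leave_open: true` (the response is not
   * ended here) and the connection receives the new access token's id
   * together with the refresh token's payload.
   *
   * @returns true when a new access token was issued.
   */
  public async try_refresh (
    req: IncomingMessage,
    res: ServerResponse
  ): Promise<boolean> {
    const { cookie_name, refresh_cookie_name, refresh_settings } = this._options;
    if (refresh_cookie_name === undefined || refresh_settings === undefined)
      return false;

    const refresh = this.get_cookie_auth (req).refresh_cookie;
    if (refresh === null)
      return false;

    const ver = authority.verify (refresh);
    // NOTE(review): this path checks `ver.valid` while authenticate() checks
    // `ver.authorized`; the distinction is defined in Authority — confirm it
    // is intended for refresh tokens.
    if (ver.type !== 'refresh_token' || !ver.valid)
      return false;

    const auth_request = new AuthRequest (
      req,
      res,
      '',
      cookie_name,
      refresh_cookie_name
    );
    const refresh_result = await auth_request.allow_access ({
      ...refresh_settings,
      data: ver.data,
      leave_open: true
    });

    // The new access token was issued with `ver.data` (passed to allow_access
    // above), so the same payload is attached here. RefreshSettings.data is
    // typed `never` and therefore can never supply it.
    this.attach_auth (req, refresh_result.access_token_id, ver.data);
    return true;
  }

  /**
   * Middleware entry point: call `next` when the request carries a valid
   * access token or one could be refreshed; otherwise redirect (or deny).
   *
   * @returns whatever `next` returns, or undefined after a redirect/deny.
   */
  public async process_request (
    req: IncomingMessage,
    res: ServerResponse,
    next: AnyFunc
  ): Promise<unknown> {
    if (this.authenticate (req))
      return next ();
    if (await this.try_refresh (req, res))
      return next ();
    return this.redirect (res);
  }
}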
/**
 * Build a middleware function backed by a fresh GatewayClass.
 *
 * @param options - gateway configuration (see GatewayOptions).
 * @returns a `(req, res, next)` function that forwards to the instance's
 *   process_request.
 */
export default function create_gateway (options: GatewayOptions): Gateway {
  const gateway = new GatewayClass (options);
  return (req, res, next) => gateway.process_request (req, res, next);
}
// Named public surface next to the default export: the class itself (for
// callers that need authenticate/try_refresh directly), the middleware types
// and the option shapes.
export {
  GatewayClass,
  AnyFunc,
  Gateway,
  GatewayOptions,
  RefreshSettings
};