auth-server-helper/lib/Authority.ts

/*
 * Copyright (C) Sapphirecode - All Rights Reserved
 * This file is part of Auth-Server-Helper which is released under MIT.
 * See file 'LICENSE' for full license details.
 * Created by Timo Hocker <timo@scode.ovh>, December 2020
 */

import {
  create_salt,
  sign_object,
  verify_signature_get_info
} from '@sapphirecode/crypto-helper';
import keystore from './KeyStore';
import blacklist from './Blacklist';
import { debug } from './debug';

const logger = debug ('authority');

// eslint-disable-next-line no-shadow
type TokenType = 'access_token' | 'none' | 'part_token' | 'refresh_token'

interface VerificationResult {
  authorized: boolean;
  valid: boolean;
  type: TokenType;
  id: string;
  next_module?: string;
  data?: unknown;
  error?: string;
}

interface SignatureResult {
  signature: string;
  id: string;
}

interface SignatureOptions
{
  data?: unknown
  next_module?: string
}

class Authority {
  public async verify (key: string): Promise<VerificationResult> {
    const log = logger.extend ('verify');
    log ('verifying token');
    const result: VerificationResult = {
      authorized: false,
      valid:      false,
      type:       'none',
      id:         ''
    };
    const data = await verify_signature_get_info (
      key,
      async (info) => {
        try {
          return await keystore.get_key (info.iat / 1000, info.iss);
        }
        catch {
          return '';
        }
      },
      (info) => info.valid_for * 1000
    );

    if (data === null) {
      log ('token invalid');
      result.error = 'invalid signature';
      return result;
    }

    result.id = data.id;
    result.type = data.type;

    log ('parsing token %s %s', result.type, result.id);

    if (!(await blacklist.is_valid (data.id))) {
      log ('token is blacklisted');
      result.error = 'blacklisted';
      return result;
    }

    result.valid = true;
    result.authorized = result.type === 'access_token';
    result.next_module = data.next_module;
    result.data = data.obj;

    log (
      'valid %s; targeting module %s',
      result.type,
      result.next_module
    );

    return result;
  }

  public async sign (
    type: TokenType,
    valid_for: number,
    options?: SignatureOptions
  ): Promise<SignatureResult> {
    const log = logger.extend ('sign');
    log ('signing new %s', type);
    const time = Date.now ();
    const key = await keystore.get_sign_key (time / 1000, valid_for);
    const attributes = {
      id:          create_salt (),
      iat:         time,
      iss:         keystore.instance_id,
      type,
      valid_for,
      next_module: options?.next_module
    };
    const signature = sign_object (options?.data, key, attributes);
    log ('created token %s', attributes.id);
    return { id: attributes.id, signature };
  }
}

const auth = (new Authority);

export {
  TokenType,
  VerificationResult,
  SignatureResult,
  SignatureOptions,
  Authority
};

export default auth;
fix copy notices 2020-12-28 15:04:52 +01:00			`/*`
			`* Copyright (C) Sapphirecode - All Rights Reserved`
			`* This file is part of Auth-Server-Helper which is released under MIT.`
			`* See file 'LICENSE' for full license details.`
			`* Created by Timo Hocker <timo@scode.ovh>, December 2020`
			`*/`

separate authority 2020-12-19 15:40:49 +01:00			`import {`
			`create_salt,`
			`sign_object,`
			`verify_signature_get_info`
			`} from '@sapphirecode/crypto-helper';`
			`import keystore from './KeyStore';`
			`import blacklist from './Blacklist';`
add debug logging 2022-01-05 12:32:04 +01:00			`import { debug } from './debug';`

			`const logger = debug ('authority');`
separate authority 2020-12-19 15:40:49 +01:00
			`// eslint-disable-next-line no-shadow`
formatting 2021-05-10 12:41:00 +02:00			`type TokenType = 'access_token' \| 'none' \| 'part_token' \| 'refresh_token'`
separate authority 2020-12-19 15:40:49 +01:00
			`interface VerificationResult {`
			`authorized: boolean;`
more tests, stryker 2020-12-28 14:53:14 +01:00			`valid: boolean;`
separate authority 2020-12-19 15:40:49 +01:00			`type: TokenType;`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`id: string;`
more tests, stryker 2020-12-28 14:53:14 +01:00			`next_module?: string;`
fix 2021-01-05 15:59:06 +01:00			`data?: unknown;`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`error?: string;`
separate authority 2020-12-19 15:40:49 +01:00			`}`

			`interface SignatureResult {`
			`signature: string;`
			`id: string;`
			`}`

allow signed data storage 2021-01-03 15:13:03 +01:00			`interface SignatureOptions`
			`{`
fix 2021-01-05 15:59:06 +01:00			`data?: unknown`
allow signed data storage 2021-01-03 15:13:03 +01:00			`next_module?: string`
			`}`

separate authority 2020-12-19 15:40:49 +01:00			`class Authority {`
redis sync 2022-08-08 15:52:56 +02:00			`public async verify (key: string): Promise<VerificationResult> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('verify');`
			`log ('verifying token');`
tests for authority 2020-12-19 16:19:09 +01:00			`const result: VerificationResult = {`
more tests, stryker 2020-12-28 14:53:14 +01:00			`authorized: false,`
			`valid: false,`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`type: 'none',`
			`id: ''`
tests for authority 2020-12-19 16:19:09 +01:00			`};`
redis sync 2022-08-08 15:52:56 +02:00			`const data = await verify_signature_get_info (`
separate authority 2020-12-19 15:40:49 +01:00			`key,`
fix 2022-08-10 11:11:39 +02:00			`async (info) => {`
testing gateway 2020-12-28 16:53:08 +01:00			`try {`
catch key error 2022-08-10 11:08:14 +02:00			`return await keystore.get_key (info.iat / 1000, info.iss);`
testing gateway 2020-12-28 16:53:08 +01:00			`}`
			`catch {`
			`return '';`
			`}`
			`},`
separate authority 2020-12-19 15:40:49 +01:00			`(info) => info.valid_for * 1000`
			`);`

allow attaching of custom data 2021-01-03 15:32:29 +01:00			`if (data === null) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('token invalid');`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`result.error = 'invalid signature';`
separate authority 2020-12-19 15:40:49 +01:00			`return result;`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`}`
separate authority 2020-12-19 15:40:49 +01:00
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`result.id = data.id;`
separate authority 2020-12-19 15:40:49 +01:00			`result.type = data.type;`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('parsing token %s %s', result.type, result.id);`
add debug logging 2022-01-05 12:32:04 +01:00
blacklist sync 2022-08-27 16:39:07 +02:00			`if (!(await blacklist.is_valid (data.id))) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('token is blacklisted');`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`result.error = 'blacklisted';`
separate authority 2020-12-19 15:40:49 +01:00			`return result;`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`}`
separate authority 2020-12-19 15:40:49 +01:00
more tests, stryker 2020-12-28 14:53:14 +01:00			`result.valid = true;`
separate authority 2020-12-19 15:40:49 +01:00			`result.authorized = result.type === 'access_token';`
allow signed data storage 2021-01-03 15:13:03 +01:00			`result.next_module = data.next_module;`
			`result.data = data.obj;`
separate authority 2020-12-19 15:40:49 +01:00
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log (`
add debug logging 2022-01-05 12:32:04 +01:00			`'valid %s; targeting module %s',`
			`result.type,`
			`result.next_module`
			`);`

separate authority 2020-12-19 15:40:49 +01:00			`return result;`
			`}`

asymmetric keys 2021-01-06 16:06:03 +01:00			`public async sign (`
separate authority 2020-12-19 15:40:49 +01:00			`type: TokenType,`
			`valid_for: number,`
allow signed data storage 2021-01-03 15:13:03 +01:00			`options?: SignatureOptions`
asymmetric keys 2021-01-06 16:06:03 +01:00			`): Promise<SignatureResult> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('sign');`
			`log ('signing new %s', type);`
separate authority 2020-12-19 15:40:49 +01:00			`const time = Date.now ();`
asymmetric keys 2021-01-06 16:06:03 +01:00			`const key = await keystore.get_sign_key (time / 1000, valid_for);`
separate authority 2020-12-19 15:40:49 +01:00			`const attributes = {`
allow signed data storage 2021-01-03 15:13:03 +01:00			`id: create_salt (),`
			`iat: time,`
export/import keys 2021-01-08 13:30:53 +01:00			`iss: keystore.instance_id,`
separate authority 2020-12-19 15:40:49 +01:00			`type,`
allow signed data storage 2021-01-03 15:13:03 +01:00			`valid_for,`
			`next_module: options?.next_module`
separate authority 2020-12-19 15:40:49 +01:00			`};`
allow signed data storage 2021-01-03 15:13:03 +01:00			`const signature = sign_object (options?.data, key, attributes);`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('created token %s', attributes.id);`
separate authority 2020-12-19 15:40:49 +01:00			`return { id: attributes.id, signature };`
			`}`
			`}`

			`const auth = (new Authority);`

fix 2021-01-05 22:10:41 +01:00			`export {`
			`TokenType,`
			`VerificationResult,`
			`SignatureResult,`
			`SignatureOptions,`
			`Authority`
			`};`

separate authority 2020-12-19 15:40:49 +01:00			`export default auth;`