auth-server-helper/lib/Gateway.ts

/*
 * Copyright (C) Sapphirecode - All Rights Reserved
 * This file is part of Auth-Server-Helper which is released under MIT.
 * See file 'LICENSE' for full license details.
 * Created by Timo Hocker <timo@scode.ovh>, December 2020
 */

import { IncomingMessage, ServerResponse } from 'http';
import authority from './Authority';
import { AuthRequest, AccessSettings } from './AuthHandler';
import { debug } from './debug';
import { extract_cookie, CookieSettings } from './cookie';
import blacklist from './Blacklist';

const logger = debug ('gateway');

type AnyFunc = (...args: unknown[]) => unknown;
type Gateway = (
  req: IncomingMessage,
  res: ServerResponse,
  next: AnyFunc
) => unknown;

interface RefreshSettings extends AccessSettings {
  leave_open?: never;
  redirect_to?: never;
  data?: never;
}

interface GatewayOptions {
  redirect_url?: string;
  cookie?: CookieSettings;
  refresh_cookie?: CookieSettings;
  refresh_settings?: RefreshSettings;
  require_permissions?: string[];
}

interface ConnectionInfo {
  token_id: string
  token_data: unknown
  permissions: string[]
}

class GatewayClass {
  private _options: GatewayOptions;

  public constructor (options: GatewayOptions = {}) {
    const log = logger.extend ('constructor');
    log ('creating new gateway');
    if (
      typeof options?.cookie !== 'undefined'
      && typeof options?.refresh_cookie !== 'undefined'
      && options.cookie.name === options.refresh_cookie.name
    )
      throw new Error ('access and refresh cookies cannot have the same name');

    this._options = options;
  }

  public deny (res: ServerResponse): void {
    logger.extend ('deny') ('denied http request');
    res.statusCode = 403;
    res.end ();
  }

  public redirect (res: ServerResponse): void {
    const log = logger.extend ('redirect');
    log ('redirecting http request to %s', this._options.redirect_url);
    if (typeof this._options.redirect_url !== 'string') {
      log ('no redirect url defined');
      this.deny (res);
      return;
    }
    res.statusCode = 302;
    res.setHeader ('Location', this._options.redirect_url);
    res.end ();
  }

  public get_header_auth (req: IncomingMessage): string | null {
    const log = logger.extend ('get_header_auth');
    log ('extracting authorization header');
    const auth_header = req.headers.authorization;
    const auth = (/(?<type>\w+) (?<data>.*)/u).exec (auth_header || '');
    if (auth === null)
      return null;
    if (auth.groups?.type !== 'Bearer')
      return null;
    log ('found bearer token');
    return auth.groups?.data;
  }

  public async try_access (req: IncomingMessage): Promise<boolean> {
    const log = logger.extend ('try_access');
    log ('authenticating incoming request');
    let auth = this.get_header_auth (req);
    if (auth === null)
      auth = extract_cookie (this._options.cookie?.name, req.headers.cookie);
    if (auth === null) {
      log ('found no auth token');
      return false;
    }

    const ver = await authority.verify (auth);

    log ('setting connection info');
    const con = req.connection as unknown as Record<string, unknown>;
    con.auth = {
      token_id:    ver.id,
      token_data:  ver.data,
      permissions: ver.permissions
    };

    log ('token valid: %s', ver.authorized);
    return ver.authorized;
  }

  public async try_refresh (
    req: IncomingMessage,
    res: ServerResponse
  ): Promise<boolean> {
    const log = logger.extend ('try_refresh');
    if (
      typeof this._options.refresh_cookie === 'undefined'
      || typeof this._options.refresh_settings === 'undefined'
    )
      return false;

    log ('trying to apply refresh token');

    const refresh = extract_cookie (
      this._options.refresh_cookie.name,
      req.headers.cookie
    );
    if (refresh === null) {
      log ('could not find refresh token');
      return false;
    }

    const ver = await authority.verify (refresh);
    if (ver.type === 'refresh_token' && ver.valid) {
      log ('refresh token valid, generating new tokens');
      const auth_request = new AuthRequest (
        req,
        res,
        '',
        this._options.cookie,
        this._options.refresh_cookie
      );
      const refresh_result = await auth_request.allow_access ({
        ...this._options.refresh_settings,
        data:       ver.data,
        leave_open: true
      });

      log ('setting connection info');
      const con = req.connection as unknown as Record<string, unknown>;
      con.auth = {
        token_id:    refresh_result.access_token_id,
        token_data:  ver.data,
        permissions: ver.permissions
      };

      log ('tokens refreshed');
      return true;
    }

    log ('refresh token invalid');
    return false;
  }

  public async authenticate (
    req: IncomingMessage,
    res: ServerResponse
  ): Promise<boolean> {
    const log = logger.extend ('authenticate');
    log ('trying to authenticate http request');
    if (await this.try_access (req)) {
      log ('authenticated via access_token');
      return true;
    }
    if (await this.try_refresh (req, res)) {
      log ('authenticated via refresh_token');
      return true;
    }

    log ('could not verify session');
    return false;
  }

  public check_permissions (
    req: IncomingMessage,
    permissions = this._options.require_permissions || []
  ): boolean {
    for (const perm of permissions) {
      if (!this.has_permission (req, perm))
        return false;
    }
    return true;
  }

  public has_permission (req: IncomingMessage, permission: string) {
    const info = this.get_info (req);
    return info.permissions.includes (permission);
  }

  public async process_request (
    req: IncomingMessage,
    res: ServerResponse,
    next: AnyFunc
  ): Promise<unknown> {
    const log = logger.extend ('process_request');
    log ('processing incoming http request');
    if (await this.authenticate (req, res)) {
      log ('authentification successful');
      log ('checking permissions');

      if (!this.check_permissions (req))
        return this.redirect (res);

      log ('authorization successful. calling next handler');
      return next ();
    }

    log ('failed to authenticate, redirecting client');
    return this.redirect (res);
  }

  public async logout (req: IncomingMessage): Promise<void> {
    const log = logger.extend ('logout');
    log ('invalidating all submitted tokens');
    const auth_strings = [
      this.get_header_auth (req),
      extract_cookie (this._options.cookie?.name, req.headers.cookie),
      extract_cookie (this._options.refresh_cookie?.name, req.headers.cookie)
    ];
    const tokens = (
      await Promise.all (
        auth_strings
          .filter ((v) => v !== null)
          .map ((v) => authority.verify (v as string))
      )
    ).filter ((v) => v.valid);

    log ('found %d tokens: %O', tokens.length, tokens);

    for (const token of tokens) {
      // eslint-disable-next-line no-await-in-loop
      await blacklist.add_signature (token.id);
    }

    log ('complete');
  }

  public get_info (req: IncomingMessage): ConnectionInfo {
    const conn = req.connection as unknown as Record<string, unknown>;
    const auth = conn.auth as Record<string, unknown>;
    return {
      token_id:    auth.token_id as string,
      token_data:  auth.token_data,
      permissions: (auth.permissions as string[]) || []
    };
  }
}

export default function create_gateway (options: GatewayOptions): Gateway {
  const g = new GatewayClass (options);
  return g.process_request.bind (g);
}

export { AnyFunc, Gateway, GatewayOptions, GatewayClass, RefreshSettings };
improve signature structure, more tests 2020-12-13 13:37:11 +01:00			`/*`
			`* Copyright (C) Sapphirecode - All Rights Reserved`
			`* This file is part of Auth-Server-Helper which is released under MIT.`
			`* See file 'LICENSE' for full license details.`
			`* Created by Timo Hocker <timo@scode.ovh>, December 2020`
			`*/`

testing gateway 2020-12-28 16:53:08 +01:00			`import { IncomingMessage, ServerResponse } from 'http';`
separate authority 2020-12-19 15:40:49 +01:00			`import authority from './Authority';`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`import { AuthRequest, AccessSettings } from './AuthHandler';`
add debug logging 2022-01-05 12:32:04 +01:00			`import { debug } from './debug';`
cookie settings 2022-01-10 10:06:54 +01:00			`import { extract_cookie, CookieSettings } from './cookie';`
logout function 2022-05-02 13:30:09 +02:00			`import blacklist from './Blacklist';`
add debug logging 2022-01-05 12:32:04 +01:00
			`const logger = debug ('gateway');`
blacklist, gateway 2020-12-12 15:53:47 +01:00
testing gateway 2020-12-28 16:53:08 +01:00			`type AnyFunc = (...args: unknown[]) => unknown;`
			`type Gateway = (`
			`req: IncomingMessage,`
redis sync 2022-08-08 15:52:56 +02:00			`res: ServerResponse,`
			`next: AnyFunc`
testing gateway 2020-12-28 16:53:08 +01:00			`) => unknown;`
starting gateway 2020-12-06 15:51:59 +01:00
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`interface RefreshSettings extends AccessSettings {`
			`leave_open?: never;`
			`redirect_to?: never;`
fix refresh cookie settings 2022-01-05 08:11:18 +01:00			`data?: never;`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`}`

starting gateway 2020-12-06 15:51:59 +01:00			`interface GatewayOptions {`
allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`redirect_url?: string;`
cookie settings 2022-01-10 10:06:54 +01:00			`cookie?: CookieSettings;`
			`refresh_cookie?: CookieSettings;`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`refresh_settings?: RefreshSettings;`
permissions, connection data reader 2022-09-12 12:29:43 +02:00			`require_permissions?: string[];`
			`}`

			`interface ConnectionInfo {`
			`token_id: string`
			`token_data: unknown`
			`permissions: string[]`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`}`

starting gateway 2020-12-06 15:51:59 +01:00			`class GatewayClass {`
key store 2020-12-06 21:06:40 +01:00			`private _options: GatewayOptions;`
starting gateway 2020-12-06 15:51:59 +01:00
allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`public constructor (options: GatewayOptions = {}) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('constructor');`
			`log ('creating new gateway');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`if (`
cookie settings 2022-01-10 10:06:54 +01:00			`typeof options?.cookie !== 'undefined'`
			`&& typeof options?.refresh_cookie !== 'undefined'`
			`&& options.cookie.name === options.refresh_cookie.name`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`)`
			`throw new Error ('access and refresh cookies cannot have the same name');`

key store 2020-12-06 21:06:40 +01:00			`this._options = options;`
starting gateway 2020-12-06 15:51:59 +01:00			`}`

allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`public deny (res: ServerResponse): void {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`logger.extend ('deny') ('denied http request');`
allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`res.statusCode = 403;`
fix 2022-01-03 14:46:12 +01:00			`res.end ();`
allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`}`

			`public redirect (res: ServerResponse): void {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('redirect');`
			`log ('redirecting http request to %s', this._options.redirect_url);`
fix 2022-01-03 14:46:12 +01:00			`if (typeof this._options.redirect_url !== 'string') {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('no redirect url defined');`
fix 2022-01-03 14:46:12 +01:00			`this.deny (res);`
			`return;`
			`}`
starting gateway 2020-12-06 15:51:59 +01:00			`res.statusCode = 302;`
key store 2020-12-06 21:06:40 +01:00			`res.setHeader ('Location', this._options.redirect_url);`
starting gateway 2020-12-06 15:51:59 +01:00			`res.end ();`
			`}`

allow gateway without redirection, manual request handling 2022-01-03 14:44:27 +01:00			`public get_header_auth (req: IncomingMessage): string \| null {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('get_header_auth');`
			`log ('extracting authorization header');`
testing gateway 2020-12-28 16:53:08 +01:00			`const auth_header = req.headers.authorization;`
			`const auth = (/(?<type>\w+) (?<data>.*)/u).exec (auth_header \|\| '');`
cookie auth 2020-12-13 12:26:40 +01:00			`if (auth === null)`
			`return null;`
testing gateway 2020-12-28 16:53:08 +01:00			`if (auth.groups?.type !== 'Bearer')`
cookie auth 2020-12-13 12:26:40 +01:00			`return null;`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('found bearer token');`
testing gateway 2020-12-28 16:53:08 +01:00			`return auth.groups?.data;`
cookie auth 2020-12-13 12:26:40 +01:00			`}`

redis sync 2022-08-08 15:52:56 +02:00			`public async try_access (req: IncomingMessage): Promise<boolean> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('try_access');`
			`log ('authenticating incoming request');`
cookie auth 2020-12-13 12:26:40 +01:00			`let auth = this.get_header_auth (req);`
			`if (auth === null)`
cookie settings 2022-01-10 10:06:54 +01:00			`auth = extract_cookie (this._options.cookie?.name, req.headers.cookie);`
add debug logging 2022-01-05 12:32:04 +01:00			`if (auth === null) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('found no auth token');`
blacklist, gateway 2020-12-12 15:53:47 +01:00			`return false;`
add debug logging 2022-01-05 12:32:04 +01:00			`}`
blacklist, gateway 2020-12-12 15:53:47 +01:00
redis sync 2022-08-08 15:52:56 +02:00			`const ver = await authority.verify (auth);`
allow attaching of custom data 2021-01-03 15:32:29 +01:00
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('setting connection info');`
fix 2021-01-05 15:59:06 +01:00			`const con = req.connection as unknown as Record<string, unknown>;`
permissions, connection data reader 2022-09-12 12:29:43 +02:00			`con.auth = {`
			`token_id: ver.id,`
			`token_data: ver.data,`
			`permissions: ver.permissions`
			`};`
allow attaching of custom data 2021-01-03 15:32:29 +01:00
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('token valid: %s', ver.authorized);`
allow attaching of custom data 2021-01-03 15:32:29 +01:00			`return ver.authorized;`
starting gateway 2020-12-06 15:51:59 +01:00			`}`

automatic refresh tokens 2022-01-04 21:32:04 +01:00			`public async try_refresh (`
			`req: IncomingMessage,`
			`res: ServerResponse`
			`): Promise<boolean> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('try_refresh');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`if (`
cookie settings 2022-01-10 10:06:54 +01:00			`typeof this._options.refresh_cookie === 'undefined'`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`\|\| typeof this._options.refresh_settings === 'undefined'`
			`)`
			`return false;`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('trying to apply refresh token');`
add debug logging 2022-01-05 12:32:04 +01:00
improved cookie security 2022-01-08 22:10:02 +01:00			`const refresh = extract_cookie (`
cookie settings 2022-01-10 10:06:54 +01:00			`this._options.refresh_cookie.name,`
improved cookie security 2022-01-08 22:10:02 +01:00			`req.headers.cookie`
			`);`
add debug logging 2022-01-05 12:32:04 +01:00			`if (refresh === null) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('could not find refresh token');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`return false;`
add debug logging 2022-01-05 12:32:04 +01:00			`}`
automatic refresh tokens 2022-01-04 21:32:04 +01:00
redis sync 2022-08-08 15:52:56 +02:00			`const ver = await authority.verify (refresh);`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`if (ver.type === 'refresh_token' && ver.valid) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('refresh token valid, generating new tokens');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`const auth_request = new AuthRequest (`
			`req,`
			`res,`
redis sync 2022-08-08 15:52:56 +02:00			`'',`
			`this._options.cookie,`
cookie settings 2022-01-10 10:06:54 +01:00			`this._options.refresh_cookie`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`);`
			`const refresh_result = await auth_request.allow_access ({`
			`...this._options.refresh_settings,`
redis sync 2022-08-08 15:52:56 +02:00			`data: ver.data,`
			`leave_open: true`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`});`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('setting connection info');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`const con = req.connection as unknown as Record<string, unknown>;`
			`con.auth = {`
permissions, connection data reader 2022-09-12 12:29:43 +02:00			`token_id: refresh_result.access_token_id,`
			`token_data: ver.data,`
			`permissions: ver.permissions`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`};`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('tokens refreshed');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`return true;`
			`}`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('refresh token invalid');`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`return false;`
			`}`

fix 2022-01-05 12:58:00 +01:00			`public async authenticate (`
			`req: IncomingMessage,`
			`res: ServerResponse`
fixed wrong return type 2022-01-05 13:01:32 +01:00			`): Promise<boolean> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('authenticate');`
			`log ('trying to authenticate http request');`
redis sync 2022-08-08 15:52:56 +02:00			`if (await this.try_access (req)) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('authenticated via access_token');`
fix 2022-01-05 12:58:00 +01:00			`return true;`
			`}`
			`if (await this.try_refresh (req, res)) {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('authenticated via refresh_token');`
fix 2022-01-05 12:58:00 +01:00			`return true;`
			`}`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('could not verify session');`
fix 2022-01-05 12:58:00 +01:00			`return false;`
			`}`

permissions, connection data reader 2022-09-12 12:29:43 +02:00			`public check_permissions (`
			`req: IncomingMessage,`
			`permissions = this._options.require_permissions \|\| []`
			`): boolean {`
			`for (const perm of permissions) {`
			`if (!this.has_permission (req, perm))`
			`return false;`
			`}`
			`return true;`
			`}`

			`public has_permission (req: IncomingMessage, permission: string) {`
			`const info = this.get_info (req);`
			`return info.permissions.includes (permission);`
			`}`

automatic refresh tokens 2022-01-04 21:32:04 +01:00			`public async process_request (`
testing gateway 2020-12-28 16:53:08 +01:00			`req: IncomingMessage,`
			`res: ServerResponse,`
key store 2020-12-06 21:06:40 +01:00			`next: AnyFunc`
automatic refresh tokens 2022-01-04 21:32:04 +01:00			`): Promise<unknown> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('process_request');`
			`log ('processing incoming http request');`
fix 2022-01-05 12:58:00 +01:00			`if (await this.authenticate (req, res)) {`
permissions, connection data reader 2022-09-12 12:29:43 +02:00			`log ('authentification successful');`
			`log ('checking permissions');`

			`if (!this.check_permissions (req))`
			`return this.redirect (res);`

			`log ('authorization successful. calling next handler');`
key store 2020-12-06 21:06:40 +01:00			`return next ();`
add debug logging 2022-01-05 12:32:04 +01:00			`}`

improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('failed to authenticate, redirecting client');`
key store 2020-12-06 21:06:40 +01:00			`return this.redirect (res);`
starting gateway 2020-12-06 15:51:59 +01:00			`}`
logout function 2022-05-02 13:30:09 +02:00
redis sync 2022-08-08 15:52:56 +02:00			`public async logout (req: IncomingMessage): Promise<void> {`
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`const log = logger.extend ('logout');`
			`log ('invalidating all submitted tokens');`
logout function 2022-05-02 13:30:09 +02:00			`const auth_strings = [`
			`this.get_header_auth (req),`
			`extract_cookie (this._options.cookie?.name, req.headers.cookie),`
			`extract_cookie (this._options.refresh_cookie?.name, req.headers.cookie)`
			`];`
redis sync 2022-08-08 15:52:56 +02:00			`const tokens = (`
			`await Promise.all (`
			`auth_strings`
			`.filter ((v) => v !== null)`
			`.map ((v) => authority.verify (v as string))`
			`)`
			`).filter ((v) => v.valid);`
logout function 2022-05-02 13:30:09 +02:00
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('found %d tokens: %O', tokens.length, tokens);`
logout function 2022-05-02 13:30:09 +02:00
blacklist sync 2022-08-27 16:39:07 +02:00			`for (const token of tokens) {`
			`// eslint-disable-next-line no-await-in-loop`
			`await blacklist.add_signature (token.id);`
			`}`
logout function 2022-05-02 13:30:09 +02:00
improve debug, redis storage structure 2022-08-15 17:33:25 +02:00			`log ('complete');`
logout function 2022-05-02 13:30:09 +02:00			`}`
permissions, connection data reader 2022-09-12 12:29:43 +02:00
			`public get_info (req: IncomingMessage): ConnectionInfo {`
			`const conn = req.connection as unknown as Record<string, unknown>;`
			`const auth = conn.auth as Record<string, unknown>;`
			`return {`
			`token_id: auth.token_id as string,`
			`token_data: auth.token_data,`
			`permissions: (auth.permissions as string[]) \|\| []`
			`};`
			`}`
starting gateway 2020-12-06 15:51:59 +01:00			`}`

			`export default function create_gateway (options: GatewayOptions): Gateway {`
			`const g = new GatewayClass (options);`
testing gateway 2020-12-28 16:53:08 +01:00			`return g.process_request.bind (g);`
starting gateway 2020-12-06 15:51:59 +01:00			`}`
testing gateway 2020-12-28 16:53:08 +01:00
redis sync 2022-08-08 15:52:56 +02:00			`export { AnyFunc, Gateway, GatewayOptions, GatewayClass, RefreshSettings };`