From 80d04f7441a0fd0786c51b07c04d090d55c7e3cf Mon Sep 17 00:00:00 2001
From: Timo Hocker
Date: Sun, 3 Jan 2021 15:13:03 +0100
Subject: [PATCH] allow signed data storage

---
 CHANGELOG.md | 13 +++++++++++++
 lib/AuthHandler.ts | 24 +++++++++++++++++++-----
 lib/Authority.ts | 21 +++++++++++++++------
 test/spec/Authority.ts | 2 +-
 4 files changed, 48 insertions(+), 12 deletions(-)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..4e4f1a7
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,13 @@
+# Changelog
+
+## 2.0.0
+
+Complete redesign
+
+## 1.1.0
+
+add user_id to res.connection, so request handlers can access the current user
+
+## 1.0.0
+
+initial release
diff --git a/lib/AuthHandler.ts b/lib/AuthHandler.ts
index 114bc01..75726f4 100644
--- a/lib/AuthHandler.ts
+++ b/lib/AuthHandler.ts
@@ -13,6 +13,7 @@ interface AccessSettings {
   access_token_expires_in: number
   include_refresh_token?: boolean
   refresh_token_expires_in?: number
+  data?: Record
 }
 
 interface AccessResult {
@@ -64,11 +65,12 @@ class AuthRequest {
   public allow_access ({
     access_token_expires_in,
     include_refresh_token,
-    refresh_token_expires_in
+    refresh_token_expires_in,
+    data
   }: AccessSettings): AccessResult {
     this.default_header ();
 
-    const at = auth.sign ('access_token', access_token_expires_in);
+    const at = auth.sign ('access_token', access_token_expires_in, { data });
 
     const result: AccessResult = { access_token_id: at.id };
     const res: AccessResponse = {
@@ -87,7 +89,11 @@ class AuthRequest {
     if (include_refresh_token) {
       if (typeof refresh_token_expires_in !== 'number')
         throw new Error ('no expiry time defined for refresh tokens');
-      const rt = auth.sign ('refresh_token', refresh_token_expires_in);
+      const rt = auth.sign (
+        'refresh_token',
+        refresh_token_expires_in,
+        { data }
+      );
       res.refresh_token = rt.signature;
       res.refresh_expires_in = refresh_token_expires_in;
       result.refresh_token_id = rt.id;
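Review bot: `AccessSettings.data` (first AuthHandler hunk) and the `{ data }` handed to `auth.sign` here and again in the refresh-token hunk below are undocumented, and nothing states that the value is embedded in the token itself rather than kept server-side. A comment on the field such as `/** Claims embedded in the access token and, if issued, the refresh token. They are signed, not concealed (assumes sign_object only signs - confirm), are returned as data by Authority.verify(), and ride in every Authorization header, so keep them small. */` would make that explicit. Because the refresh token carries an identical copy, anything placed in this field remains valid for refresh_token_expires_in rather than the shorter access-token lifetime, which callers choosing what to store should know. allow_access's body continues past the hunk.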
@@ -98,10 +104,18 @@ class AuthRequest {
     return result;
   }
 
-  public allow_part (part_token_expires_in: number, module: string): string {
+  public allow_part (
+    part_token_expires_in: number,
+    next_module: string,
+    data?: Record
+  ): string {
     this.default_header ();
 
-    const pt = auth.sign ('part_token', part_token_expires_in, module);
+    const pt = auth.sign (
+      'part_token',
+      part_token_expires_in,
+      { next_module, data }
+    );
 
     const res = {
       token_type: 'bearer',
diff --git a/lib/Authority.ts b/lib/Authority.ts
index 8ec29a8..a75733e 100644
--- a/lib/Authority.ts
+++ b/lib/Authority.ts
@@ -21,6 +21,7 @@ interface VerificationResult {
   valid: boolean;
   type: TokenType;
   next_module?: string;
+  data?: Record;
 }
 
 interface SignatureResult {
@@ -28,6 +29,12 @@ interface SignatureResult {
   id: string;
 }
 
+interface SignatureOptions
+{
+  data?: Record
+  next_module?: string
+}
+
 class Authority {
   public verify (key: string): VerificationResult {
     const result: VerificationResult = {
@@ -58,7 +65,8 @@ class Authority {
     result.valid = true;
     result.authorized = result.type === 'access_token';
 
-    result.next_module = data.obj;
+    result.next_module = data.next_module;
+    result.data = data.obj;
 
     return result;
   }
@@ -66,17 +74,18 @@ class Authority {
   public sign (
     type: TokenType,
     valid_for: number,
-    next_module?: string
+    options?: SignatureOptions
   ): SignatureResult {
     const time = Date.now ();
     const key = keystore.get_key (time / 1000, valid_for);
     const attributes = {
-      id: create_salt (),
-      iat: time,
+      id: create_salt (),
+      iat: time,
       type,
-      valid_for
+      valid_for,
+      next_module: options?.next_module
     };
-    const signature = sign_object (next_module, key, attributes);
+    const signature = sign_object (options?.data, key, attributes);
     return { id: attributes.id, signature };
   }
 }
diff --git a/test/spec/Authority.ts b/test/spec/Authority.ts
index 5bc2a17..c322ca1 100644
--- a/test/spec/Authority.ts
+++ b/test/spec/Authority.ts
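Review bot: `allow_part` now accepts `data`, but a part token is a pre-authentication token: in Authority.verify (third Authority hunk) `authorized` is true only for `access_token`, while `data` is copied into the result for every valid token type, so whatever is placed here reaches the verifying code before the login has completed. The new parameter should say so, e.g. `/** Optional claims embedded in the part token. verify() returns them with authorized === false, so callers must not treat them as proof of a finished login. */`. The rest of allow_part lies outside the hunk.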
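Review bot: `interface SignatureOptions` puts its opening brace on its own line and omits the semicolons that `VerificationResult` in the previous hunk uses, so the new declaration should follow the file's `interface Name {` form with `;`-terminated members. It also needs a comment distinguishing the two members, e.g. `/** data: claims embedded in the token and handed back by verify() - integrity-protected, not hidden from the bearer (assumes sign_object only signs). next_module: next step, meaningful for part tokens only. */`. `Record` appears here and in AuthHandler without type arguments; if that is not a rendering artifact, something like `Record<string, unknown>` is needed for this to compile under strict settings.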
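Review bot: `result.next_module = data.next_module` moves the module name out of `obj`, where the previous sign() stored it, so a part token issued before this change now verifies as valid with `next_module` undefined and the old module string surfacing in `data`. Unless the 2.0.0 bump is understood to invalidate every outstanding token, either reject tokens of type `part_token` whose `next_module` is missing, or keep a transitional fallback such as `result.next_module = data.next_module ?? (typeof data.obj === 'string' ? data.obj : undefined);`. verify's body starts outside the hunk, so that `data` is the decoded, signature-checked payload is inferred from these assignments only.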
@@ -56,7 +56,7 @@ describe ('authority', () => { }); it ('should create a part token', () => { - const token = auth.sign ('part_token', 60, '2fa'); + const token = auth.sign ('part_token', 60, { next_module: '2fa' }); jasmine.clock () .tick (30000); const res = auth.verify (token.signature);
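Review bot: the only change to the suite is the updated call shape; no test covers the new behaviour that `data` given to sign() is returned by verify(), nor that `next_module` comes back for a part token and stays undefined for an access token. A round-trip check such as `const t = auth.sign ('access_token', 60, { data: { scope: 'read' } }); expect (auth.verify (t.signature).data).toEqual ({ scope: 'read' });` (sample values constructed) would pin it. The enclosing describe block starts outside the hunk.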