first commit

2024-07-10 17:53:27 +07:00 · 2024-07-10 17:53:27 +07:00 · e082feae8b
commit e082feae8b
26 changed files with 7238 additions and 0 deletions
--- a/src/middlewares/auth-provider/keycloak.ts
+++ b/src/middlewares/auth-provider/keycloak.ts
@ -0,0 +1,74 @@
+import Express from "express";
+import { createDecoder, createVerifier } from "fast-jwt";
+
+import HttpError from "../../interfaces/http-error";
+import HttpStatus from "../../interfaces/http-status";
+
+if (!process.env.KC_PUBLIC_KEY && !process.env.KC_REALM_URL) {
+  throw new Error("Require keycloak KC_PUBLIC_KEY or KC_REALM_URL.");
+}
+if (process.env.KC_PUBLIC_KEY && process.env.KC_REALM_URL && !process.env.KC_PREFERRED_MODE) {
+  throw new Error(
+    "AUTH_PREFERRED must be specified if KC_PUBLIC_KEY and KC_REALM_URL is provided.",
+  );
+}
+
+const jwtVerify = createVerifier({
+  key: async () => {
+    return `-----BEGIN PUBLIC KEY-----\n${process.env.KC_PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
+  },
+});
+
+const jwtDecode = createDecoder();
+
+export async function keycloakAuth(request: Express.Request) {
+  if (process.env.NODE_ENV !== "production" && process.env.AUTH_BYPASS) {
+    return { preferred_username: "bypassed" };
+  }
+
+  const token = request.headers["authorization"]?.includes("Bearer ")
+    ? request.headers["authorization"].split(" ")[1]
+    : request.headers["authorization"];
+
+  if (!token) {
+    throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบข้อมูลสำหรับยืนยันตัวตน");
+  }
+
+  let payload: Record<string, any> = {};
+
+  switch (process.env.KC_PREFERRED_MODE) {
+    case "online":
+      payload = await verifyOnline(token);
+      break;
+    case "offline":
+      payload = await verifyOffline(token);
+      break;
+    default:
+      if (process.env.KC_REALM_URL) payload = await verifyOnline(token);
+      if (process.env.KC_PUBLIC_KEY) payload = await verifyOffline(token);
+      break;
+  }
+
+  return payload;
+}
+
+async function verifyOffline(token: string) {
+  const payload = await jwtVerify(token).catch((_) => null);
+  if (!payload) {
+    throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+  }
+  return payload;
+}
+
+async function verifyOnline(token: string) {
+  const res = await fetch(`${process.env.KC_REALM_URL}/protocol/openid-connect/userinfo`, {
+    headers: { authorization: `Bearer ${token}` },
+  }).catch((e) => console.error(e));
+
+  if (!res) throw new Error("ไม่สามารถเข้าถึงระบบยืนยันตัวตน");
+  if (!res.ok) {
+    throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+  }
+
+  return await jwtDecode(token);
+}
--- a/src/middlewares/auth.ts
+++ b/src/middlewares/auth.ts
@ -0,0 +1,17 @@
+import Express from "express";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+import { keycloakAuth } from "./auth-provider/keycloak";
+
+export async function expressAuthentication(
+  request: Express.Request,
+  securityName: string,
+  _scopes?: string[],
+) {
+  switch (securityName) {
+    case "keycloak":
+      return keycloakAuth(request);
+    default:
+      throw new HttpError(HttpStatus.NOT_IMPLEMENTED, "ไม่ทราบวิธียืนยันตัวตน");
+  }
+}
--- a/src/middlewares/error.ts
+++ b/src/middlewares/error.ts
@ -0,0 +1,30 @@
+import { NextFunction, Request, Response } from "express";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+import { ValidateError } from "tsoa";
+
+function error(error: Error, _req: Request, res: Response, _next: NextFunction) {
+  if (error instanceof HttpError) {
+    return res.status(error.status).json({
+      status: error.status,
+      message: error.message,
+    });
+  }
+
+  if (error instanceof ValidateError) {
+    return res.status(error.status).json({
+      status: HttpStatus.UNPROCESSABLE_ENTITY,
+      message: "Validation error(s).",
+      detail: error.fields,
+    });
+  }
+
+  console.error("Exception Caught:" + error);
+
+  return res.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
+    status: HttpStatus.INTERNAL_SERVER_ERROR,
+    message: error.message,
+  });
+}
+
+export default error;
--- a/src/middlewares/role.ts
+++ b/src/middlewares/role.ts
@ -0,0 +1,19 @@
+import { Response, NextFunction } from "express";
+import { RequestWithUser } from "../interfaces/user";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+
+export function role(
+  role: string | string[],
+  errorMessage: string = "คุณไม่มีสิทธิในการเข้าถึงทรัพยากรดังกล่าว",
+) {
+  return (req: RequestWithUser, _res: Response, next: NextFunction) => {
+    if (!Array.isArray(role) && !req.user.role.includes(role) && !req.user.role.includes("*")) {
+      throw new HttpError(HttpStatus.FORBIDDEN, errorMessage);
+    }
+    if (role !== "*" && !req.user.role.some((v) => role.includes(v))) {
+      throw new HttpError(HttpStatus.FORBIDDEN, errorMessage);
+    }
+    return next();
+  };
+}