hrms-edm/Services/server/src/utils/auth.ts

import * as express from "express";
import { createVerifier } from "fast-jwt";

import HttpError from "../interfaces/http-error";
import HttpStatusCode from "../interfaces/http-status";

if (!process.env.PUBLIC_KEY && !process.env.REALM_URL) {
  throw new Error("Require public key or realm url.");
}

const jwtVerify = createVerifier({
  key: async () => {
    return `-----BEGIN PUBLIC KEY-----\n${process.env.PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
  },
});

export async function expressAuthentication(
  request: express.Request,
  securityName: string,
  scopes?: string[],
) {
  if (process.env.AUTH_BYPASS) return { preferred_username: "bypassed" };

  if (securityName !== "bearerAuth") throw new Error("Unknown authentication method.");

  const token = request.headers["authorization"]?.includes("Bearer ")
    ? request.headers["authorization"].split(" ")[1]
    : null;

  if (!token) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "No token provided.");

  const payload = await jwtVerify(token).catch((_) => null);

  if (!payload) {
    throw new HttpError(HttpStatusCode.UNAUTHORIZED, "Invalid token provided.");
  }

  if (
    scopes &&
    scopes.length > 0 &&
    scopes.some((v) => !payload.resource_access[payload.azp].roles.includes(v))
  ) {
    throw new HttpError(HttpStatusCode.FORBIDDEN, "You are not allowed to perform this action.");
  }

  return payload;
}
Initial commit server prototype 2023-11-17 09:03:31 +07:00			`import * as express from "express";`
			`import { createVerifier } from "fast-jwt";`

			`import HttpError from "../interfaces/http-error";`
			`import HttpStatusCode from "../interfaces/http-status";`

			`if (!process.env.PUBLIC_KEY && !process.env.REALM_URL) {`
			`throw new Error("Require public key or realm url.");`
			`}`

			`const jwtVerify = createVerifier({`
			`key: async () => {`
			return `-----BEGIN PUBLIC KEY-----\n${process.env.PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
			`},`
			`});`

refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`export async function expressAuthentication(`
Initial commit server prototype 2023-11-17 09:03:31 +07:00			`request: express.Request,`
			`securityName: string,`
feat: auth role 2023-11-24 13:49:08 +07:00			`scopes?: string[],`
Initial commit server prototype 2023-11-17 09:03:31 +07:00			`) {`
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`if (process.env.AUTH_BYPASS) return { preferred_username: "bypassed" };`
Initial commit server prototype 2023-11-17 09:03:31 +07:00
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`if (securityName !== "bearerAuth") throw new Error("Unknown authentication method.");`
Initial commit server prototype 2023-11-17 09:03:31 +07:00
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`const token = request.headers["authorization"]?.includes("Bearer ")`
			`? request.headers["authorization"].split(" ")[1]`
			`: null;`
Initial commit server prototype 2023-11-17 09:03:31 +07:00
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`if (!token) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "No token provided.");`
Initial commit server prototype 2023-11-17 09:03:31 +07:00
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`const payload = await jwtVerify(token).catch((_) => null);`
Initial commit server prototype 2023-11-17 09:03:31 +07:00
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`if (!payload) {`
			`throw new HttpError(HttpStatusCode.UNAUTHORIZED, "Invalid token provided.");`
			`}`
feat: auth role 2023-11-24 13:49:08 +07:00
fix: auth role and rename dir 2023-11-29 17:18:08 +07:00			`if (`
			`scopes &&`
			`scopes.length > 0 &&`
			`scopes.some((v) => !payload.resource_access[payload.azp].roles.includes(v))`
			`) {`
refactor: rabbitmq implement 2023-11-27 09:45:30 +07:00			`throw new HttpError(HttpStatusCode.FORBIDDEN, "You are not allowed to perform this action.");`
			`}`

			`return payload;`
Initial commit server prototype 2023-11-17 09:03:31 +07:00			`}`