impress-2020/src/server/auth.js

import util from "util";

const jwtVerify = util.promisify(require("jsonwebtoken").verify);
import jwksClient from "jwks-rsa";

const jwks = jwksClient({
  jwksUri: "https://openneo.us.auth0.com/.well-known/jwks.json",
});

async function getJwtKey(header, callback) {
  jwks.getSigningKey(header.kid, (err, key) => {
    if (err) {
      return callback(null, signingKey);
    }
    const signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}

async function getUserIdFromToken(token) {
  // In development, you can start the server with
  // `IMPRESS_LOG_IN_AS=12345 vc dev` to simulate logging in as user 12345.
  //
  // This flag shouldn't be present in prod anyway, but the dev check is an
  // extra safety precaution!
  if (
    process.env["NODE_ENV"] === "development" &&
    process.env["IMPRESS_LOG_IN_AS"]
  ) {
    return process.env["IMPRESS_LOG_IN_AS"];
  }

  if (!token) {
    return null;
  }

  let payload;
  try {
    payload = await jwtVerify(token, getJwtKey, {
      audience: "https://impress-2020.openneo.net/api",
      issuer: "https://openneo.us.auth0.com/",
      algorithms: ["RS256"],
    });
  } catch (e) {
    console.error(`Invalid auth token: ${token}`, e);
    return null;
  }

  const subMatch = payload.sub.match(/auth0\|impress-([0-9]+)/);
  if (!subMatch) {
    console.log("Unexpected auth token sub format", payload.sub);
    return null;
  }
  const userId = subMatch[1];
  return userId;
}

module.exports = { getUserIdFromToken };
Use ES module syntax in backend instead of require Ok cool, so apparently another win we get from using `ts-node` is that I can finally easily use some non-native-Node features like ES module import syntax, for consistency with what I'm doing in the main app source! That was getting on my nerves tbh. Ooh I bet I can finally use `?.` too, I've had to rewrite that a bunch… 2021-02-02 22:26:55 -08:00			`import util from "util";`
extract server auth into auth.js This is just a nice cleanup, but it also supports a test mock I want to do next, to mock logins for the test db without having to round-trip to auth0. 2020-10-22 19:53:10 -07:00
			`const jwtVerify = util.promisify(require("jsonwebtoken").verify);`
Use ES module syntax in backend instead of require Ok cool, so apparently another win we get from using `ts-node` is that I can finally easily use some non-native-Node features like ES module import syntax, for consistency with what I'm doing in the main app source! That was getting on my nerves tbh. Ooh I bet I can finally use `?.` too, I've had to rewrite that a bunch… 2021-02-02 22:26:55 -08:00			`import jwksClient from "jwks-rsa";`
extract server auth into auth.js This is just a nice cleanup, but it also supports a test mock I want to do next, to mock logins for the test db without having to round-trip to auth0. 2020-10-22 19:53:10 -07:00
			`const jwks = jwksClient({`
			`jwksUri: "https://openneo.us.auth0.com/.well-known/jwks.json",`
			`});`

			`async function getJwtKey(header, callback) {`
			`jwks.getSigningKey(header.kid, (err, key) => {`
			`if (err) {`
			`return callback(null, signingKey);`
			`}`
			`const signingKey = key.publicKey \|\| key.rsaPublicKey;`
			`callback(null, signingKey);`
			`});`
			`}`

			`async function getUserIdFromToken(token) {`
simulate login with IMPRESS_LOG_IN_AS flag 2021-01-05 23:22:03 -08:00			`// In development, you can start the server with`
			// `IMPRESS_LOG_IN_AS=12345 vc dev` to simulate logging in as user 12345.
			`//`
			`// This flag shouldn't be present in prod anyway, but the dev check is an`
			`// extra safety precaution!`
			`if (`
			`process.env["NODE_ENV"] === "development" &&`
			`process.env["IMPRESS_LOG_IN_AS"]`
			`) {`
			`return process.env["IMPRESS_LOG_IN_AS"];`
			`}`

extract server auth into auth.js This is just a nice cleanup, but it also supports a test mock I want to do next, to mock logins for the test db without having to round-trip to auth0. 2020-10-22 19:53:10 -07:00			`if (!token) {`
			`return null;`
			`}`

			`let payload;`
			`try {`
			`payload = await jwtVerify(token, getJwtKey, {`
			`audience: "https://impress-2020.openneo.net/api",`
			`issuer: "https://openneo.us.auth0.com/",`
			`algorithms: ["RS256"],`
			`});`
			`} catch (e) {`
fix bugs in auth mocking for tests 2020-10-27 22:16:34 -07:00			console.error(`Invalid auth token: ${token}`, e);
extract server auth into auth.js This is just a nice cleanup, but it also supports a test mock I want to do next, to mock logins for the test db without having to round-trip to auth0. 2020-10-22 19:53:10 -07:00			`return null;`
			`}`

			`const subMatch = payload.sub.match(/auth0\\|impress-([0-9]+)/);`
			`if (!subMatch) {`
			`console.log("Unexpected auth token sub format", payload.sub);`
			`return null;`
			`}`
			`const userId = subMatch[1];`
			`return userId;`
			`}`

			`module.exports = { getUserIdFromToken };`