lfk/backend
2
0
Fork 0
Code Issues 1 Pull Requests Actions Projects Releases 40 Activity

Now with smooth access token refreshing

Browse Source 
ref #6
This commit is contained in:
Nicolai Ort 2020-12-18 19:07:31 +01:00
parent 65a8449ea3
commit 6403e386ab
4 changed files with 47 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
package.json
View File

@ -28,6 +28,7 @@
"class-validator": "^0.12.2", "class-validator": "^0.12.2",
"class-validator-jsonschema": "^2.0.3", "class-validator-jsonschema": "^2.0.3",
"consola": "^2.15.0", "consola": "^2.15.0",
"cookie": "^0.4.1",
"cookie-parser": "^1.4.5", "cookie-parser": "^1.4.5",
"cors": "^2.8.5", "cors": "^2.8.5",
"csvtojson": "^2.0.10", "csvtojson": "^2.0.10",

61
src/authchecker.ts
View File

@ -1,10 +1,13 @@
import cookie from "cookie";
import * as jwt from "jsonwebtoken"; import * as jwt from "jsonwebtoken";
import { Action } from "routing-controllers"; import { Action } from "routing-controllers";
import { getConnectionManager } from 'typeorm'; import { getConnectionManager } from 'typeorm';
import { config } from './config'; import { config } from './config';
import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError'; import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
import { JwtCreator, JwtUser } from './JwtCreator';
import { User } from './models/entities/User'; import { User } from './models/entities/User';
const authchecker = async (action: Action, permissions: string[] | string) => { const authchecker = async (action: Action, permissions: string[] | string) => {
let required_permissions = undefined; let required_permissions = undefined;
if (typeof permissions === "string") { if (typeof permissions === "string") {
@ -13,34 +16,52 @@ const authchecker = async (action: Action, permissions: string[] | string) => {
required_permissions = permissions required_permissions = permissions
} }
const provided_token = action.request.headers["authorization"].replace("Bearer ", ""); let provided_token = "" + action.request.headers["authorization"];
try {
provided_token = provided_token.replace("Bearer ", "");
}
catch { }
let jwtPayload = undefined let jwtPayload = undefined
try { try {
jwtPayload = <any>jwt.verify(provided_token, config.jwt_secret); jwtPayload = <any>jwt.verify(provided_token, config.jwt_secret);
jwtPayload = jwtPayload["userdetails"];
} catch (error) { } catch (error) {
throw new IllegalJWTError() jwtPayload = await refresh(action);
} }
const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["userdetails"]["id"], refreshTokenCount: jwtPayload["userdetails"]["refreshTokenCount"] }, { relations: ['permissions'] }) const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions'] })
if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() } if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
if (!jwtPayload.permissions) { throw new NoPermissionError(); } if (!jwtPayload["permissions"]) { throw new NoPermissionError(); }
action.response.local = {} action.response.local = {}
action.response.local.jwtPayload = jwtPayload.permissions action.response.local.jwtPayload = jwtPayload;
required_permissions.forEach(r => { for (let required_permission of required_permissions) {
const permission_key = r.split(":")[0] if (!(jwtPayload["permissions"].includes(required_permission))) { return false; }
const actual_accesslevel_for_permission = jwtPayload.permissions[permission_key]
const permission_access_level = r.split(":")[1]
if (actual_accesslevel_for_permission.includes(permission_access_level)) {
return true;
} else {
throw new NoPermissionError()
}
});
try {
jwt.verify(provided_token, config.jwt_secret);
return true
} catch (error) {
return false
} }
return true;
}
const refresh = async (action: Action) => {
let refresh_token = undefined;
try {
cookie.parse(action.request.headers["cookie"])["lfk_backend__refresh_token"];
}
catch {
throw new IllegalJWTError();
}
let jwtPayload = undefined;
try {
jwtPayload = <any>jwt.verify(refresh_token, config.jwt_secret);
} catch (error) {
throw new IllegalJWTError();
}
const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions'] })
if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
let newAccess = JwtCreator.createAccess(user);
action.response.header("authorization", "Bearer " + newAccess);
return await new JwtUser(user);
} }
export default authchecker export default authchecker

6
src/jwtcreator.ts
View File

@ -7,8 +7,8 @@ export class JwtCreator {
public static createRefresh(user: User, expiry_timestamp?: number) { public static createRefresh(user: User, expiry_timestamp?: number) {
if (!expiry_timestamp) { expiry_timestamp = Math.floor(Date.now() / 1000) + 10 * 36000; } if (!expiry_timestamp) { expiry_timestamp = Math.floor(Date.now() / 1000) + 10 * 36000; }
return jsonwebtoken.sign({ return jsonwebtoken.sign({
refreshtokencount: user.refreshTokenCount, refreshTokenCount: user.refreshTokenCount,
userid: user.id, id: user.id,
exp: expiry_timestamp exp: expiry_timestamp
}, config.jwt_secret) }, config.jwt_secret)
} }
@ -22,7 +22,7 @@ export class JwtCreator {
} }
} }
class JwtUser { export class JwtUser {
@IsInt() @IsInt()
id: number; id: number;

2
src/models/actions/RefreshAuth.ts
View File

@ -23,7 +23,7 @@ export class RefreshAuth {
} catch (error) { } catch (error) {
throw new IllegalJWTError() throw new IllegalJWTError()
} }
const found_user = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["userid"] }, { relations: ['groups', 'permissions'] }); const found_user = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["id"] }, { relations: ['groups', 'permissions'] });
if (!found_user) { if (!found_user) {
throw new UserNotFoundError() throw new UserNotFoundError()
} }