You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

338 lines
8.6 KiB

/*!
* lib/auth/authorizations-manager.js
* Copyright © 2019 – Katana Cryptographic Ltd. All Rights Reserved.
*/
'use strict'
const validator = require('validator')
const jwt = require('jsonwebtoken')
const network = require('../bitcoin/network')
const keys = require('../../keys/')[network.key]
const errors = require('../errors')
const Logger = require('../logger')
/**
* A singleton managing authorizations the API
*/
class AuthorizationsManager {
/**
* Constructor
*/
constructor() {
try {
// Constants
this.JWT_ALGO = 'HS256'
this.ISS = 'Samourai Wallet backend'
this.TOKEN_TYPE_ACCESS = 'access-token'
this.TOKEN_TYPE_REFRESH = 'refresh-token'
this.TOKEN_PROFILE_API = 'api'
this.TOKEN_PROFILE_ADMIN = 'admin'
this.authActive = (keys.auth.activeStrategy != null)
this._secret = keys.auth.jwt.secret
this.isMandatory = keys.auth.mandatory
this.accessTokenExpires = keys.auth.jwt.accessToken.expires
this.refreshTokenExpires = keys.auth.jwt.refreshToken.expires
} catch(e) {
this._secret = null
Logger.error(e, errors.auth.INVALID_CONF)
}
}
/**
* Middleware generating authorization token
* @param {Object} req - http request object
* @param {Object} res - http response object
* @param {function} next - callback
*/
generateAuthorizations(req, res, next) {
if (!(req.user && req.user.authenticated))
return next(errors.auth.TECH_ISSUE)
// Generates an access token
const accessToken = this._generateAccessToken(req.user)
// Generates a refresh token
const refreshToken = this._generateRefreshToken(req.user)
// Stores the tokens in the request
req.authorizations = {
access_token: accessToken,
refresh_token: refreshToken
}
next()
}
/**
* Middleware refreshing authorizations
* @param {Object} req - http request object
* @param {Object} res - http response object
* @param {function} next - callback
*/
refreshAuthorizations(req, res, next) {
// Check if authentication is activated
if (!this.authActive)
return next()
// Authentication is activated
// A refresh token is required
const refreshToken = this._extractRefreshToken(req)
if (!refreshToken)
return next(errors.auth.MISSING_JWT)
try {
const decodedRefrehToken = this._verifyRefreshToken(refreshToken)
if (req.user == null)
req.user = {}
req.user['profile'] = decodedRefrehToken['prf']
} catch(e) {
Logger.error(e, `${errors.auth.INVALID_JWT}: ${refreshToken}`)
return next(errors.auth.INVALID_JWT)
}
// Generates a new access token
const accessToken = this._generateAccessToken(req.user)
// Stores the access token in the request
req.authorizations = {
access_token: accessToken
}
next()
}
/**
* Middleware revoking authorizations
* @param {Object} req - http request object
* @param {Object} res - http response object
* @param {function} next - callback
*/
revokeAuthorizations(req, res, next) {
// Nothing to do (for now)
}
/**
* Middleware checking if user is authenticated
* @param {Object} req - http request object
* @param {Object} res - http response object
* @param {function} next - callback
* @returns {boolean} returns true if user is authenticated, false otherwise
*/
checkAuthentication(req, res, next) {
// Check if authentication is activated
if (!this.authActive)
return next()
// Authentication is activated
// A JSON web token is required
const token = this._extractAccessToken(req)
if (this.isMandatory || token) {
try {
const decodedToken = this.isAuthenticated(token)
req.authorizations = {decoded_access_token: decodedToken}
next()
} catch (e) {
return next(e)
}
} else {
next()
}
}
/**
* Middleware checking if user is authenticated and has admin profile
* @param {Object} req - http request object
* @param {Object} res - http response object
* @param {function} next - callback
* @returns {boolean} returns true if user is authenticated and has admin profile, false otherwise
*/
checkHasAdminProfile(req, res, next) {
// Check if authentication is activated
if (!this.authActive)
return next()
// Authentication is activated
// A JSON web token is required
const token = this._extractAccessToken(req)
try {
const decodedToken = this.isAuthenticated(token)
if (decodedToken['prf'] == this.TOKEN_PROFILE_ADMIN) {
req.authorizations = {decoded_access_token: decodedToken}
next()
} else {
return next(errors.auth.INVALID_PRF)
}
} catch (e) {
return next(e)
}
}
/**
* Check if user is authenticated
* (i.e. we have received a valid json web token)
* @param {string} token - json web token
* @returns {boolean} returns the decoded token if valid
* throws an exception otherwise
*/
isAuthenticated(token) {
if (!token) {
Logger.error(null, `${errors.auth.MISSING_JWT}`)
throw errors.auth.MISSING_JWT
}
try {
return this._verifyAccessToken(token)
} catch(e) {
//Logger.error(e, `${errors.auth.INVALID_JWT}: ${token}`)
throw errors.auth.INVALID_JWT
}
}
/**
* Generate an access token
* @param {Object} user - user's information
* @returns {Object} returns a json web token
*/
_generateAccessToken(user) {
// Builds claims
const claims = {
'iss': this.ISS,
'type': this.TOKEN_TYPE_ACCESS,
'prf': user['profile']
}
// Builds and signs the access token
return jwt.sign(
claims,
this._secret,
{
expiresIn: this.accessTokenExpires,
algorithm: this.JWT_ALGO
}
)
}
/**
* Extract the access token from the http request
* @param {Object} req - http request object
* @returns {Object} returns the json web token
*/
_extractAccessToken(req) {
const token = this._extractBearerAuthorizationHeader(req)
if (token)
return token
if (req.body && req.body.at && validator.isJWT(req.body.at))
return req.body.at
if (req.query && req.query.at && validator.isJWT(req.query.at))
return req.query.at
return null
}
/**
* Verify an access token
* @param {Object} token - json web token
* @returns {Object} payload of the json web token
*/
_verifyAccessToken(token) {
const payload = jwt.verify(
token,
this._secret,
{algorithms: [this.JWT_ALGO]}
)
if (payload['type'] != this.TOKEN_TYPE_ACCESS)
throw errors.auth.INVALID_JWT
return payload
}
/**
* Generate an refresh token
* @param {Object} user - user's information
* @returns {Object} returns a json web token
*/
_generateRefreshToken(user) {
// Builds claims
const claims = {
'iss': this.ISS,
'type': this.TOKEN_TYPE_REFRESH,
'prf': user['profile']
}
// Builds and signs the access token
return jwt.sign(
claims,
this._secret,
{
expiresIn: this.refreshTokenExpires,
algorithm: this.JWT_ALGO
}
)
}
/**
* Extract the refresh token from the http request
* @param {Object} req - http request object
* @returns {Object} returns the json web token
*/
_extractRefreshToken(req) {
const token = this._extractBearerAuthorizationHeader(req)
if (token)
return token
if (req.body && req.body.rt && validator.isJWT(req.body.rt))
return req.body.rt
if (req.query && req.query.rt && validator.isJWT(req.query.rt))
return req.query.rt
return null
}
/**
* Verify a refresh token
* @param {Object} token - json web token
* @returns {Object} payload of the json web token
*/
_verifyRefreshToken(token) {
const payload = jwt.verify(
token,
this._secret,
{algorithms: [this.JWT_ALGO]}
)
if (payload['type'] != this.TOKEN_TYPE_REFRESH)
throw errors.auth.INVALID_JWT
return payload
}
/**
* Extract a bearer JWT auth token
* from the Authorization HTTP header
* Returns null if it doesn't exist or is an onvalid JWT
* @param {Object} req - http request object
* @returns {Object} returns the json web token
*/
_extractBearerAuthorizationHeader(req) {
if (req.get('Authorization')) {
const authHeader = req.get('Authorization')
if (authHeader.startsWith('Bearer ')) {
const token = authHeader.substring(7)
if (validator.isJWT(token))
return token
}
}
return null
}
}
module.exports = new AuthorizationsManager()