| 1 | +/** |
| 2 | + * Copyright (c) 2023 Gitpod GmbH. All rights reserved. |
| 3 | + * Licensed under the GNU Affero General Public License (AGPL). |
| 4 | + * See License.AGPL.txt in the project root for license information. |
| 5 | + */ |
| 6 | + |
| 7 | +import * as jsonwebtoken from "jsonwebtoken"; |
| 8 | +import { Config } from "../config"; |
| 9 | +import { inject, injectable } from "inversify"; |
| 10 | + |
| 11 | +const algorithm: jsonwebtoken.Algorithm = "RS512"; |
| 12 | + |
| 13 | +@injectable() |
| 14 | +export class AuthJWT { |
| 15 | + @inject(Config) protected config: Config; |
| 16 | + |
| 17 | + async sign(subject: string, payload: object | Buffer, expiresIn: string = `${24 * 7}h`) { |
| 18 | + const opts: jsonwebtoken.SignOptions = { |
| 19 | + algorithm, |
| 20 | + expiresIn, |
| 21 | + issuer: this.config.hostUrl.toString(), |
| 22 | + subject, |
| 23 | + }; |
| 24 | + |
| 25 | + return new Promise((resolve, reject) => { |
| 26 | + jsonwebtoken.sign(payload, this.config.auth.pki.signing.privateKey, opts, (err, encoded) => { |
| 27 | + if (err || !encoded) { |
| 28 | + return reject(err); |
| 29 | + } |
| 30 | + return resolve(encoded); |
| 31 | + }); |
| 32 | + }); |
| 33 | + } |
| 34 | + |
| 35 | + async verify(encoded: string): Promise<object> { |
| 36 | + const publicKeys = [ |
| 37 | + this.config.auth.pki.signing.publicKey, // signing key is checked first |
| 38 | + ...this.config.auth.pki.validating.map((keypair) => keypair.publicKey), |
| 39 | + ]; |
| 40 | + |
| 41 | + let lastErr; |
| 42 | + for (let publicKey of publicKeys) { |
| 43 | + try { |
| 44 | + const decoded = verify(encoded, publicKey, { |
| 45 | + algorithms: [algorithm], |
| 46 | + }); |
| 47 | + return decoded; |
| 48 | + } catch (err) { |
| 49 | + lastErr = err; |
| 50 | + } |
| 51 | + } |
| 52 | + |
| 53 | + throw lastErr; |
| 54 | + } |
| 55 | +} |
| 56 | + |
| 57 | +async function verify( |
| 58 | + encoded: string, |
| 59 | + publicKey: string, |
| 60 | + opts: jsonwebtoken.VerifyOptions, |
| 61 | +): Promise<jsonwebtoken.JwtPayload> { |
| 62 | + return new Promise((resolve, reject) => { |
| 63 | + jsonwebtoken.verify(encoded, publicKey, opts, (err, decoded) => { |
| 64 | + if (err || !decoded) { |
| 65 | + return reject(err); |
| 66 | + } |
| 67 | + resolve(decoded); |
| 68 | + }); |
| 69 | + }); |
| 70 | +} |
| 71 | + |
| 72 | +export async function newSessionJWT(userID: string): Promise<string> { |
| 73 | + const payload = { |
| 74 | + // subject |
| 75 | + sub: userID, |
| 76 | + // issuer |
| 77 | + iss: "gitpod.io", |
| 78 | + }; |
| 79 | + const temporaryTestKeyForExperimentation = "my-secret"; |
| 80 | + |
| 81 | + return new Promise((resolve, reject) => { |
| 82 | + jsonwebtoken.sign(payload, temporaryTestKeyForExperimentation, { algorithm: "HS256" }, function (err, token) { |
| 83 | + if (err || !token) { |
| 84 | + return reject(err); |
| 85 | + } |
| 86 | + return resolve(token); |
| 87 | + }); |
| 88 | + }); |
| 89 | +} |
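Review bot: `newSessionJWT` signs session tokens with the committed literal `"my-secret"` under HS256, so every token it issues is forgeable by anyone with read access to this file; even as an experiment the key should come from `Config` (the `auth.pki` material `AuthJWT.sign` already uses) or the function should refuse to run outside a test environment, and the literal should not be committed. Separately, `AuthJWT.verify` pins `algorithms` but does not pass `issuer`, although `sign` sets it from `this.config.hostUrl`; adding `issuer: this.config.hostUrl.toString()` to the verify options rejects tokens minted for another deployment that happen to validate under one of the `validating` keys. Minor: `sign` has no declared return type and builds an untyped `new Promise`, so callers get `Promise<unknown>`; `async sign(...): Promise<string>` with `new Promise<string>(...)` fixes that, and `let publicKey` in the loop can be `const`.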