@gauravve
Last active January 3, 2018 08:22
POST Authoriser
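/**
 * AWS Lambda custom authorizer for POST /contacts.
 *
 * Validates the `Authorization: Bearer <jwt>` header against the issuer's
 * JWKS (`${iss}.well-known/jwks.json`), then requires the `write:contacts`
 * scope before returning an Allow policy built by generatePolicy().
 *
 * Relies on module-level names not defined in this block: request, jwkToPem,
 * jwt (assumed to be jsonwebtoken — the verify/decode call shapes match),
 * generatePolicy, AUTH0_CLIENT_ID and iss.
 *
 * @param {object} event - API Gateway authorizer event; reads
 *   event.authorizationToken and event.methodArn.
 * @param {object} context - Lambda context (only logged).
 * @param {Function} callback - Lambda callback: callback('Unauthorized') denies,
 *   callback(null, policy) allows. Every failure path returns right after calling
 *   it so the callback fires exactly once (the original fell through in several
 *   branches and could invoke it twice or crash on an undefined body).
 */
const contacts_post = (event, context, callback) => {
  // Log the ARN rather than the whole event: the event carries the raw bearer token.
  console.log('event.methodArn', event.methodArn);
  // Write scope, as this is a POST.
  const requested_scope = ['write:contacts'];

  if (!event.authorizationToken) {
    return callback('Unauthorized');
  }
  console.log('context', context);

  // Expect exactly "Bearer <token>"; the token is taken from the split rather than
  // by a fixed-length substring so an odd scheme length cannot shift it.
  const tokenParts = event.authorizationToken.split(' ');
  const scheme = tokenParts[0];
  const token = tokenParts[1];
  if (!(scheme.toLowerCase() === 'bearer' && token)) {
    return callback('Unauthorized');
  }

  // These options are passed to verify(): pinning algorithms and audience closes the
  // algorithm-confusion gap of an unconstrained verify (the original built them but
  // never used them).
  // NOTE(review): audience = AUTH0_CLIENT_ID fits an ID token; an access token's aud
  // is the API identifier — confirm against the tokens actually sent.
  const options = {
    audience: AUTH0_CLIENT_ID,
    issuer: `${iss}`,
    algorithms: ['RS256'],
  };

  console.log('Auth function invoked');

  // The token header's `kid` selects which JWKS key to verify against.
  const decodedHeader = jwt.decode(token, { complete: true });
  const kid = decodedHeader && decodedHeader.header ? decodedHeader.header.kid : undefined;

  // Fetch the issuer's public keys from the JWKS endpoint.
  request({ url: `${iss}.well-known/jwks.json`, json: true }, (error, response, body) => {
    // `response` is undefined when `error` is set, so guard it before reading statusCode.
    if (error || !response || response.statusCode !== 200) {
      console.log('Request error:', error);
      return callback('Unauthorized');
    }
    if (!body || !Array.isArray(body.keys) || body.keys.length === 0) {
      console.log('JWKS response has no keys');
      return callback('Unauthorized');
    }
    // With a kid the key must match it; without one fall back to the first key
    // (the original behaviour).
    const k = kid === undefined ? body.keys[0] : body.keys.find((key) => key.kid === kid);
    if (!k) {
      console.log('No JWKS key matches token kid');
      return callback('Unauthorized');
    }
    // jwkToPem throws on a malformed JWK; treat that as a deny, not a crash.
    let pem;
    try {
      pem = jwkToPem({ kty: k.kty, n: k.n, e: k.e });
    } catch (e) {
      console.log('Invalid JWK:', e.message);
      return callback('Unauthorized');
    }

    // Verify signature, issuer, audience and algorithm with the public key.
    jwt.verify(token, pem, options, (err, decoded) => {
      if (err) {
        console.log('Unauthorized user:', err.message);
        return callback('Unauthorized');
      }
      // Log only the claims needed for an audit trail, not the whole payload.
      console.log('Subject:', decoded.sub);
      console.log('Scopes:', decoded.scope);
      // scope is expected as a space-separated string; a missing or empty scope
      // is denied instead of throwing on `.length`.
      if (typeof decoded.scope !== 'string' || decoded.scope.trim() === '') {
        console.log('scopes not defined');
        return callback('Unauthorized');
      }
      const granted_scope = decoded.scope.split(' ');
      console.log(granted_scope);
      // The token must carry at least one of the requested scopes.
      const hasScope = requested_scope.some((s) => granted_scope.includes(s));
      if (!hasScope) {
        console.log('scopes not correct');
        return callback('Unauthorized');
      }
      console.log('Scopes correct, Generating policy');
      // Generate a policy for the custom authoriser. generatePolicy is defined elsewhere.
      return callback(null, generatePolicy(decoded.sub, 'Allow', event.methodArn));
    });
  });
};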