POST Authoriser
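/**
 * API Gateway custom (TOKEN) authorizer for the contacts POST route.
 *
 * Expects `event.authorizationToken` to be `Bearer <jwt>`; fetches the
 * issuer's JWKS, verifies the token signature (RS256 only, issuer and
 * audience pinned), then requires the `write:contacts` scope before
 * returning an Allow policy.
 *
 * @param {object} event - API Gateway authorizer event (`authorizationToken`, `methodArn`).
 * @param {object} context - Lambda context (not used).
 * @param {Function} callback - Node-style callback: `callback('Unauthorized')`
 *   rejects, `callback(null, policy)` allows. Every path invokes it exactly once.
 */
const contacts_post = (event, context, callback) => {
  // Do not log the raw event: `authorizationToken` is a bearer credential.
  console.log('Auth function invoked for', event && event.methodArn);
  // Write scope as it's a POST
  const requested_scope = ['write:contacts'];

  if (!event || !event.authorizationToken) {
    console.log('No authorizationToken found in the header.');
    return callback('Unauthorized');
  }

  const tokenParts = event.authorizationToken.split(' ');
  const tokenValue = tokenParts[1];
  if (!(tokenParts[0].toLowerCase() === 'bearer' && tokenValue)) {
    // Not a bearer token, or nothing after the scheme.
    return callback('Unauthorized');
  }

  // These options must reach jwt.verify: pinning `algorithms` is what stops a
  // token signed with HS256 (using the public key as HMAC secret) from being
  // accepted, and `audience`/`issuer` reject tokens minted for other APIs.
  // NOTE(review): audience is AUTH0_CLIENT_ID as in the original; for Auth0
  // access tokens this is usually the API identifier — confirm against config.
  const options = {
    audience: AUTH0_CLIENT_ID,
    issuer: `${iss}`,
    algorithms: ['RS256'],
  };

  // `iss` is assumed to end with '/' so the well-known path concatenates correctly.
  request({ url: `${iss}.well-known/jwks.json`, json: true }, (error, response, body) => {
    if (error || response.statusCode !== 200) {
      console.log('Request error:', error);
      // `return` here: falling through would read `body` and call back twice.
      return callback('Unauthorized');
    }
    if (!body || !Array.isArray(body.keys) || body.keys.length === 0) {
      console.log('JWKS response contained no keys');
      return callback('Unauthorized');
    }

    // Select the JWK whose `kid` matches the token header. A key set can hold
    // several keys (rotation), so always taking keys[0] breaks after rotation.
    // Whichever key is chosen, jwt.verify still enforces the signature.
    const decodedHeader = jwt.decode(tokenValue, { complete: true });
    const kid = decodedHeader && decodedHeader.header && decodedHeader.header.kid;
    const k = kid ? body.keys.find((key) => key.kid === kid) : body.keys[0];
    if (!k) {
      console.log('No JWK in the key set matches the token kid');
      return callback('Unauthorized');
    }
    // Build a PEM from the RSA JWK members.
    const pem = jwkToPem({ kty: k.kty, n: k.n, e: k.e });

    // Verify signature, issuer, audience and algorithm in one call.
    jwt.verify(tokenValue, pem, options, (err, decoded) => {
      if (err) {
        console.log('Unauthorized user:', err.message);
        return callback('Unauthorized');
      }
      // `scope` is expected as a space-separated string; a missing or
      // non-string claim is a rejection, not a crash.
      if (typeof decoded.scope !== 'string' || decoded.scope.length === 0) {
        console.log('scopes not defined');
        return callback('Unauthorized');
      }
      const granted_scope = decoded.scope.split(' ');
      const hasScope = requested_scope.some((s) => granted_scope.indexOf(s) !== -1);
      if (!hasScope) {
        console.log('scopes not correct');
        return callback('Unauthorized');
      }
      console.log('Scopes correct, generating policy for', decoded.sub);
      // Generate a policy for the custom authoriser. Code not present here.
      return callback(null, generatePolicy(decoded.sub, 'Allow', event.methodArn));
    });
  });
};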