fix: added proper parsing for incoming token

[ci skip]

Author: aryanjassal

src/auth/CommandLogin.ts

@@ -7,20 +7,25 @@ import type {
 import type { IdentityRequestData } from 'polykey/client/types.js';
 import CommandPolykey from '../CommandPolykey.js';
 import * as binProcessors from '../utils/processors.js';
+import * as binParsers from '../utils/parsers.js';
 import * as binUtils from '../utils/index.js';
 import * as binOptions from '../utils/options.js';
-import * as binErrors from '../errors.js';
+import * as errors from '../errors.js';
 
 class CommandLogin extends CommandPolykey {
   constructor(...args: ConstructorParameters<typeof CommandPolykey>) {
     super(...args);
     this.name('login');
     this.description('Login to a platform with Polykey identity');
-    this.argument('<token>', 'Token provided by platform for logging in');
+    this.argument(
+      '<token>',
+      'Token provided by platform for logging in',
+      binParsers.parseCompactJWT,
+    );
     this.addOption(binOptions.nodeId);
     this.addOption(binOptions.clientHost);
     this.addOption(binOptions.clientPort);
-    this.action(async (token, options) => {
+    this.action(async (encodedToken, options) => {
       const { default: PolykeyClient } = await import(
         'polykey/PolykeyClient.js'
       );
@@ -52,10 +57,9 @@ class CommandLogin extends CommandPolykey {
           },
           logger: this.logger.getChild(PolykeyClient.name),
         });
-        // Compact JWTs are in xxxx.yyyy.zzzz format where x is the protected
-        // header, y is the payload, and z is the binary signature.
-        const [protectedHeader, payload, signature]: [string, string, string] =
-          token.split('.');
+
+        // Create a JSON representation of the encoded header
+        const [protectedHeader, payload, signature] = encodedToken;
         const incomingTokenEncoded = {
           payload: payload as TokenPayloadEncoded,
           signatures: [
@@ -65,6 +69,8 @@ class CommandLogin extends CommandPolykey {
             },
           ],
         };
+
+        // Get it verified and signed by the agent
         const response = await binUtils.retryAuthentication(
           (auth) =>
             pkClient.rpcClient.methods.authSignToken({
@@ -73,30 +79,28 @@ class CommandLogin extends CommandPolykey {
             }),
           meta,
         );
-        // We don't expect multiple signatures so a compact JWT will suffice
-        const compactHeader = `${response.signatures[0].protected}.${response.payload}.${response.signatures[0].signature}`;
-        const incomingPayload = tokensUtils.parseTokenPayload<IdentityRequestData>(payload);
+
+        // Send the returned JWT to the returnURL provided by the initial token
+        const compactHeader = binUtils.jsonToCompactJWT(response);
+        const incomingPayload =
+          tokensUtils.parseTokenPayload<IdentityRequestData>(payload);
         let result: Response;
         try {
-          result = await fetch(incomingPayload.returnUrl, {
+          result = await fetch(incomingPayload.returnURL, {
             method: 'POST',
             body: JSON.stringify({ token: compactHeader }),
           });
         } catch (e) {
-          throw new binErrors.ErrorPolykeyCLILoginFailed(
+          throw new errors.ErrorPolykeyCLILoginFailed(
             'Failed to send token to return url',
-            { cause: e, },
+            { cause: e },
           );
         }
+
         // Handle non-200 response
         if (!result.ok) {
-          throw new binErrors.ErrorPolykeyCLILoginFailed(
-            'Return url returned failure',
-            {
-              data: {
-                code: result.status,
-              },
-            },
+          throw new errors.ErrorPolykeyCLILoginFailed(
+            `Return url returned failure with code ${result.status}`,
           );
         }
       } finally {

src/errors.ts

@@ -196,6 +196,11 @@ class ErrorPolykeyCLITouchSecret<T> extends ErrorPolykeyCLI<T> {
   exitCode = 1;
 }
 
+class ErrorPolykeyCLIInvalidJWT<T> extends ErrorPolykeyCLI<T> {
+  static description: 'JWT is not valid';
+  exitCode = sysexits.USAGE;
+}
+
 class ErrorPolykeyCLILoginFailed<T> extends ErrorPolykeyCLI<T> {
   static description = 'Failed to login using Polykey';
   exitCode = sysexits.SOFTWARE;
@@ -229,5 +234,6 @@ export {
   ErrorPolykeyCLICatSecret,
   ErrorPolykeyCLIEditSecret,
   ErrorPolykeyCLITouchSecret,
+  ErrorPolykeyCLIInvalidJWT,
   ErrorPolykeyCLILoginFailed,
 };

src/utils/parsers.ts

@@ -13,6 +13,7 @@ const vaultNameRegex = /^(?!.*[:])[ -~\t\n]*$/s;
 const secretPathRegex = /^(?!.*[=])[ -~\t\n]*$/s;
 const secretPathValueRegex = /^([a-zA-Z_][\w]+)?$/;
 const environmentVariableRegex = /^([a-zA-Z_]+[a-zA-Z0-9_]*)?$/;
+const base64UrlRegex = /^[A-Za-z0-9\-_]+$/;
 
 /**
  * Converts a validation parser to commander argument parser
@@ -192,6 +193,30 @@ const parsePort: (data: string) => Port = validateParserToArgParser(
 const parseSeedNodes: (data: string) => [SeedNodes, boolean] =
   validateParserToArgParser(nodesUtils.parseSeedNodes);
 
+// Compact JWTs are in xxxx.yyyy.zzzz format where x is the protected
+// header, y is the payload, and z is the binary signature.
+const parseCompactJWT = (token: string): [string, string, string] => {
+  // Clean up whitespaces
+  token = token.trim();
+
+  // Confirm part amount
+  const parts = token.split('.');
+  if (parts.length !== 3) {
+    throw new InvalidArgumentError(
+      'JWT must contain three dot-separated parts',
+    );
+  }
+
+  // Validate base64 encoding
+  for (const part of parts) {
+    if (!part || !base64UrlRegex.test(part)) {
+      throw new InvalidArgumentError('JWT is not correctly encoded');
+    }
+  }
+
+  return [parts[0], parts[1], parts[2]];
+};
+
 export {
   vaultNameRegex,
   secretPathRegex,
@@ -220,4 +245,5 @@ export {
   parseProviderId,
   parseIdentityId,
   parseProviderIdList,
+  parseCompactJWT,
 };

src/utils/utils.ts

@@ -1,5 +1,5 @@
-import type { FileSystem } from 'polykey/types.js';
-import type { POJO } from 'polykey/types.js';
+import type { FileSystem, POJO } from 'polykey/types.js';
+import type { SignedTokenEncoded } from 'polykey/tokens/types.js';
 import type {
   TableRow,
   TableOptions,
@@ -469,7 +469,7 @@ function outputFormatterError(err: any): string {
       if (err.data && !utils.isEmptyObject(err.data)) {
         output += `${indent}data\t${JSON.stringify(err.data)}\n`;
       }
-      if (err.cause) {
+      if (err.cause && !utils.isEmptyObject(err.cause)) {
         output += `${indent}cause: `;
         if (err.cause instanceof ErrorPolykey) {
           err = err.cause;
@@ -637,6 +637,15 @@ async function importFS(fs?: FileSystem): Promise<FileSystem> {
   return fsImported;
 }
 
+function jsonToCompactJWT(token: SignedTokenEncoded): string {
+  if (token.signatures.length !== 1) {
+    throw new errors.ErrorPolykeyCLIInvalidJWT(
+      'Too many signatures, expected 1',
+    );
+  }
+  return `${token.signatures[0].protected}.${token.payload}.${token.signatures[0].signature}`;
+}
+
 export {
   verboseToLogLevel,
   standardErrorReplacer,
@@ -660,6 +669,7 @@ export {
   generateVersionString,
   promise,
   importFS,
+  jsonToCompactJWT,
 };
 
 export type { OutputObject };