authorization-middleware.ts
import { RequestHandler } from 'express';
import HttpException from '../exceptions/http/http-base-exception';
import fetch, { Response } from 'node-fetch';
import jwt_decode from 'jwt-decode';
import { Forbidden, UnAuthenticated } from '../exceptions/http/http-exceptions';
import { UserProfile } from '../model/dto/user-profile-dto';
import { Utility } from '../utility/utility';
import { environment } from '../environment/environment';
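/**
 * Asks the permission service whether the caller described by `params` is allowed.
 *
 * Only a literal `true` body grants access. `false`, a non-boolean payload or a
 * non-2xx status are all treated as a denial, so an unexpected response shape can
 * never fail open.
 *
 * @param params - Query already populated with userId, roles and optional projectGroupId.
 * @returns `true` when the service affirms the request.
 * @throws Error when the service answers with a non-2xx status.
 */
async function queryPermission(params: URLSearchParams): Promise<boolean> {
  const url = new URL(environment.permissionUrl as string);
  url.search = params.toString();
  const resp: Response = await fetch(url);
  if (!resp.ok) {
    throw new Error(`Permission service responded ${resp.status}`);
  }
  const decision: unknown = await resp.json();
  return decision === true;
}

/**
 * Builds the Express middleware that authenticates a request and, when `roles` is
 * non-empty, authorizes the caller against the permission service.
 *
 * Decision order:
 *  1. A role-protected route (non-empty `roles`) requires a user token; machine
 *     credentials (secret, API key) are never accepted for it.
 *  2. Without a user token, a verified intranet secret (only if `allowInraCom`) or a
 *     verified API key authenticates the caller.
 *  3. With a user token, the token is validated by the identity service and the profile
 *     is stored on `req.userProfile`; for role-protected routes `req.userId` is set and
 *     the roles are checked remotely.
 *
 * Exactly one of `next()` / `next(err)` is called per request.
 *
 * @param roles - Roles forwarded to the permission service; empty means no role check.
 * @param validateProjectGroup - Scope the role check to the project group named by
 *   `req.params.projectGroupId`, falling back to `req.body.tdei_project_group_id`.
 * @param allowInraCom - Accept a verified intranet secret when no user token is present.
 * @returns A handler that calls `next()` on success and `next(err)` with an HttpException
 *   (UnAuthenticated, Forbidden or a generic 500) on failure.
 */
function authorizationMiddleware(roles: string[], validateProjectGroup?: boolean, allowInraCom?: boolean): RequestHandler {
  return async (req, _res, next) => {
    const authToken = Utility.extractToken(req);

    // NOTE(review): a missing token on a role-protected route yields 403, not 401 —
    // confirm this is intended before changing it; clients may depend on the status.
    if (roles.length > 0 && authToken == null) {
      next(new Forbidden());
      return;
    }

    if (authToken == null) {
      // No user token and no roles required: fall back to machine-to-machine credentials.
      if (allowInraCom) {
        const secretToken = Utility.extractSecret(req);
        if (secretToken != null && await Utility.verifySecret(secretToken)) {
          next();
          return;
        }
      }
      const apiKey = Utility.extractApiKey(req);
      if (apiKey != null && await Utility.verifyApiKey(apiKey)) {
        next();
        return;
      }
      next(new UnAuthenticated());
      return;
    }

    try {
      // Validate with the identity service before trusting any claim in the token.
      req.userProfile = await validateAccessToken(authToken);

      if (roles.length > 0) {
        // jwt_decode only parses; it does not verify the signature. That is acceptable
        // here solely because validateAccessToken above has already rejected invalid tokens.
        const decoded: { sub?: string } = jwt_decode(authToken);
        const userId = decoded.sub;
        if (typeof userId !== 'string') {
          // A validated token without a subject cannot be authorized against roles.
          throw new UnAuthenticated();
        }
        req.userId = userId;

        const params = new URLSearchParams();
        params.append("userId", userId);
        if (validateProjectGroup) {
          // Path parameter wins, body field is the fallback. NOTE(review): when both are
          // absent the literal string "undefined" is sent — confirm the service denies it.
          const projectGroupId = req.params.projectGroupId ? req.params.projectGroupId : req.body.tdei_project_group_id;
          params.append("projectGroupId", projectGroupId);
        }
        params.append("affirmative", "false");
        roles.forEach(role => params.append("roles", role));

        // Return immediately after a denial: calling next() a second time would let
        // Express continue past it.
        if (!(await queryPermission(params))) {
          next(new Forbidden());
          return;
        }
      }
      next();
    } catch (error: unknown) {
      console.error(error);
      // Known HTTP failures keep their status; anything else is masked as a generic 500
      // so internal details never reach the client.
      next(error instanceof HttpException ? error : new HttpException(500, "Error authorizing the request."));
    }
  };
}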
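/**
 * Verifies an access token with the identity service and returns the profile it belongs to.
 *
 * The token is posted to `environment.validateAccessTokenUrl` as a JSON-encoded string under a
 * text/plain content type — that is the wire format the service is currently called with, so
 * keep the encoding and the header in step with each other.
 *
 * @param token - Raw bearer token extracted from the request.
 * @returns The caller's profile built from the service response.
 * @throws UnAuthenticated for any failure: network error, non-200 status or an unparsable body.
 *   The underlying cause is logged but deliberately not exposed to the client.
 */
async function validateAccessToken(token: string): Promise<UserProfile> {
  try {
    const result = await fetch(environment.validateAccessTokenUrl as string, {
      method: 'post',
      body: JSON.stringify(token),
      headers: { 'Content-Type': 'text/plain' }
    });
    // Read the body before the status check so a rejection reason, if any, reaches the log.
    const data = await result.json();
    if (result.status !== 200) {
      throw new Error(`Token validation responded ${result.status}: ${JSON.stringify(data)}`);
    }
    return new UserProfile(data);
  } catch (error: unknown) {
    console.error(error);
    throw new UnAuthenticated();
  }
}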
/** Module entry point: the middleware factory is the default export. */
export { authorizationMiddleware as default };