Token decoding without a route

[AstaDK]

I'm attempting to decode a token in order to obtain user information. However, after reading the documentation, I discovered that we can obtain user information using route authentication as

import Route from '@ioc:Adonis/Core/Route'
Route.get('dashboard', async ({ auth }) => {
  await auth.use('api').authenticate()
  console.log(auth.use('api').user!)
})

So, how can I decode a token at any point throughout the code?

[aikrom]

It is not entirely clear to me which case you want to implement. Do you want to get information about the authorized user somewhere outside the route or controller?

[aikrom]

You should send token in request headers.

Example with axios:

axios.get('/some/thing', {
    headers: {
       'Authorization': `Bearer ${token}` 
    }
})

[matvp91]

@aikrom there's cases where you're not relying on http, thus the HttpContextContract is not available (none of the controller logic is). Authentication with ws / socket.io for example. OP's question to decode a token beyond what's provided as part of the controller logic seems reasonable to me.

[Kuzzy]

I've did it by hands for socket.io, and I'm using Redis storage for tokens:

// start/socket.ts
Ws.io
  .of('/myChannel')
  .on('connection', async socket => {
    const { auth, headers, query } = socket.handshake

    const token = auth.token.replace('Bearer ', '')
    const parts = token.split('.')
    const tokenId = base64.urlDecode(parts[0], undefined, true)
    const tokenStr = await Redis.get(`api:${tokenId}`)

    if (!tokenStr)
      throw new Exceptions.ForbiddenException(constants.errorMessages.forbiddenException)

    const tokenObj = JSON.parse(tokenStr)

    const userId = tokenObj.user_id

    // Now you can grab user from DB and do what you need
    let user = await User.findById(userId)

   ....

   // Additionally you can use Hash provider to verify token hash, something like that:
  const isValid = await Hash.verify(tokenObj.token, token)
})


// Client
import { Manager } from 'socket.io-client'

const manager = new Manager(wsUrl, {
        timeout: 25000,
        reconnectionDelay: 10000,
      })

const socket = manager.socket('/myChannel', {
        auth: {
          token, // Grab it from LS or from other place where it stored in client
        },
      })

Here is a source: https://github.com/adonisjs/auth/blob/a48cee194596d0096de38fba86f5b39f5a759861/src/Guards/Oat/index.ts#L196

And yes, it would be nice to share HttpContext somehow for such places to avoid extra coding and code duplication from sources.

[Rai-Satyam]

The above solution was very useful however I faced some issue with this:

While verifying the token in this following line

const isValid = await Hash.verify(tokenObj.token, token)

I got this error

TypeError: The hash must be a valid phc string

So I created my own function to compare the hash. Hope this will help someone stuck like me. :)

import crypto from 'crypto'

function compareToken(plainToken: string, hash: string) {
  const tokenHash = crypto.createHash('sha256').update(plainToken).digest('hex')

  return tokenHash === hash
}

const isValid = compareToken(token, tokenObj.token)

[aikrom]

#4146