// Middleware that verifies the Cognito ID token read from the `token` cookie before the request reaches the route handler
var https = require('https');
var jose = require('node-jose');
var cognito = require("./config/configuration_keys");
// ================================================
// MIDDLEWARE CONFIGURATION
// ================================================
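// Cognito user pool settings, read from ./config/configuration_keys.
// NOTE(review): the config object mixes casing (`userPoolId` vs `ClientId`);
// those are the key names the config file exposes, so they are read as-is.
const region = cognito.region;
const userpool_id = cognito.userPoolId;
const app_client_id = cognito.ClientId;

// Fail fast at load time. With any of these missing the verifier would not
// crash but silently reject every token (malformed JWKS URL, or an audience
// that can never match), which is far harder to diagnose at runtime than a
// clear error when the module is required.
[['region', region], ['userPoolId', userpool_id], ['ClientId', app_client_id]].forEach(function (entry) {
  if (typeof entry[1] !== 'string' || entry[1].length === 0) {
    throw new Error('verify_user: missing Cognito setting "' + entry[0] + '" in config/configuration_keys');
  }
});

// JWKS endpoint of the user pool; the token header's `kid` is looked up here.
const keys_url = 'https://cognito-idp.' + region + '.amazonaws.com/' + userpool_id + '/.well-known/jwks.json';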
// ================================================
// MIDDLEWARE - Cognito Token Verifier
// ================================================
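// Path of the JWKS document relative to the user pool's issuer URL.
const JWKS_PATH = '/.well-known/jwks.json';

// Sends the uniform authentication-failure body; every rejection path goes
// through here so the response contract stays exactly as before.
// NOTE(review): the HTTP status stays 200 for compatibility with clients that
// branch on `status: "AUTH_FAILURE"`; a 401 would be the more correct status.
function sendAuthFailure(res, error) {
  res.send({
    message: "failure",
    status: "AUTH_FAILURE",
    error: error,
  });
}

// Extracts `kid` from the (still unverified) JWT header so the matching public
// key can be selected. Throws on anything that is not a three-part compact JWS
// with a JSON header carrying a string `kid`; the caller maps that to
// "Invalid Token Input". Nothing else from the header is trusted here.
function readKid(token) {
  if (typeof token !== 'string') {
    throw new TypeError('token cookie is missing or not a string');
  }
  const sections = token.split('.');
  if (sections.length !== 3) {
    throw new Error('token is not a compact JWS');
  }
  const header = JSON.parse(jose.util.base64url.decode(sections[0]));
  if (header === null || typeof header !== 'object' || typeof header.kid !== 'string') {
    throw new Error('token header has no kid');
  }
  return header.kid;
}

// Downloads the user pool's JWKS and calls `callback(err, keys)` exactly once.
// The body is accumulated across 'data' events and parsed on 'end': parsing the
// first chunk alone (as before) breaks on multi-chunk responses, and a
// JSON.parse throw inside that callback runs outside any try/catch and would
// crash the process. Non-200 responses and socket errors are reported instead
// of leaving the request hanging with no reply (an unhandled 'error' event on
// the request also takes Node down).
// NOTE(review): the key set is fetched on every request; Cognito rotates keys
// rarely, so a per-kid cache would be a cheap improvement — not added here.
function fetchJwks(callback) {
  let settled = false;
  function done(err, keys) {
    if (settled) return;
    settled = true;
    callback(err, keys);
  }

  const request = https.get(keys_url, function (response) {
    if (response.statusCode !== 200) {
      response.resume(); // drain so the socket is released
      done(new Error('jwks.json request returned HTTP ' + response.statusCode));
      return;
    }
    let body = '';
    response.setEncoding('utf8');
    response.on('data', function (chunk) {
      body += chunk;
    });
    response.on('error', done);
    response.on('end', function () {
      let keys;
      try {
        keys = JSON.parse(body).keys;
      } catch (e) {
        done(e);
        return;
      }
      if (!Array.isArray(keys)) {
        done(new Error('jwks.json has no "keys" array'));
        return;
      }
      done(null, keys);
    });
  });
  request.on('error', done);
}

// Validates the signature-verified payload for this user pool / app client.
// Returns null when the token is acceptable, otherwise the client-facing error
// string. Checks follow Cognito's guidance for ID tokens: exp, iss and aud.
// NOTE(review): Cognito also documents a `token_use === 'id'` check; an access
// token already fails the `aud` check (it carries `client_id` instead of `aud`),
// so it is not enforced here — confirm whether to add it.
function checkClaims(claims, expectedIssuer, expectedAudience) {
  if (claims === null || typeof claims !== 'object') {
    return "Invalid Token Input";
  }
  // The previous check compared against "now minus 7 days", which accepted any
  // token for a full week after its expiry. Compare against the real clock; if
  // clock-skew tolerance is ever needed it should be a small explicit leeway.
  // A token without a numeric `exp` is rejected rather than treated as eternal.
  const nowSeconds = Math.floor(Date.now() / 1000);
  if (typeof claims.exp !== 'number' || nowSeconds > claims.exp) {
    return "User session expired";
  }
  // The keys were fetched from keys_url, so the token must name that same user
  // pool as its issuer.
  if (claims.iss !== expectedIssuer) {
    return "Token not issued by this user pool";
  }
  if (claims.aud !== expectedAudience) {
    return "Token not issued for this audience";
  }
  return null;
}

// Express middleware: verifies the Cognito ID token in the `token` cookie.
// On success sets req.user_cognito_id to the token's `sub` and calls next();
// on any failure replies with the AUTH_FAILURE body and does not call next().
// The token header and claims are deliberately not logged any more: an ID
// token's payload carries user profile claims that do not belong in logs.
// The commented-out CORS header code that used to live here was removed; CORS
// belongs in its own middleware, not in the token verifier.
function VerifyToken(req, res, next) {
  let token;
  let kid;
  try {
    token = req.cookies.token;
    kid = readKid(token);
  } catch (e) {
    console.log("Invalid token Input");
    sendAuthFailure(res, "Invalid Token Input");
    return;
  }

  fetchJwks(function (err, keys) {
    if (err) {
      console.log('Could not load jwks.json:', err.message);
      sendAuthFailure(res, "Internal Service Error");
      return;
    }
    const jwk = keys.find(function (candidate) {
      return candidate !== null && typeof candidate === 'object' && candidate.kid === kid;
    });
    if (jwk === undefined) {
      console.log('Public key not found in jwks.json');
      sendAuthFailure(res, "Internal Service Error");
      // The previous version fell through here and tried to import keys[-1].
      return;
    }

    const expectedIssuer = keys_url.slice(0, -JWKS_PATH.length);
    jose.JWK.asKey(jwk)
      .then(function (key) {
        return jose.JWS.createVerify(key).verify(token);
      })
      .then(function (verified) {
        // Only after the signature check is the payload trustworthy.
        let claims = null;
        try {
          claims = JSON.parse(verified.payload);
        } catch (e) {
          claims = null;
        }
        const problem = checkClaims(claims, expectedIssuer, app_client_id);
        if (problem !== null) {
          console.log('Token rejected:', problem);
          sendAuthFailure(res, problem);
          return false;
        }
        req["user_cognito_id"] = claims.sub;
        return true;
      }, function (e) {
        // Covers both a failed key import and a bad signature; previously an
        // asKey() rejection was unhandled, so no response was ever sent.
        console.log('Signature verification failed:', e && e.message);
        sendAuthFailure(res, "Signature Verification failed!");
        return false;
      })
      .then(function (authenticated) {
        if (authenticated) {
          next();
        }
      })
      // A synchronous throw from the downstream handler goes to Express's error
      // handler rather than being misreported as a signature failure.
      .catch(next);
  });
}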
// Exported as a plain Express middleware (req, res, next); on success it sets
// req.user_cognito_id from the token's `sub` claim before calling next().
module.exports = VerifyToken;