How to use the @authx/authx.ForbiddenError function in @authx/authx
To help you get started, we’ve selected a few @authx/authx examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
the-control-group / authx / packages / strategy-email / src / server / graphql / mutation / createEmailCredentials.ts View on Github 
!authority.details.publicKeys.some(key => {
try {
const payload = jwt.verify(proof, key, {
algorithms: ["RS512"]
});
// Make sure we're using the same email
if ((payload as any).email !== input.email) {
throw new ForbiddenError(
"This proof was generated for a different email address."
);
}
// Make sure this is for the same user
if ((payload as any).sub !== a.userId) {
throw new ForbiddenError(
"This proof was generated for a different user."
);
}
return true;
} catch (error) {
if (error instanceof ForbiddenError) {
throw error;
}
return false;
}
})
) {async resolve(source, args, context): Promise[]> {
const {
pool,
authorization: a,
realm,
strategies: { authorityMap }
} = context;
if (!a) {
throw new ForbiddenError(
"You must be authenticated to update an authority."
);
}
return args.authorities.map(async input => {
// Validate `id`.
if (!validateIdFormat(input.id)) {
throw new ValidationError("The provided `id` is an invalid ID.");
}
const tx = await pool.connect();
try {
await tx.query("BEGIN DEFERRABLE");
const before = await Authority.read(tx, input.id, authorityMap, {
forUpdate: trueasync resolve(source, args, context): Promise[]> {
const {
pool,
authorization: a,
realm,
strategies: { authorityMap }
} = context;
if (!a) {
throw new ForbiddenError(
"You must be authenticated to update an authority."
);
}
return args.authorities.map(async input => {
// Validate `id`.
if (!validateIdFormat(input.id)) {
throw new ValidationError("The provided `id` is an invalid ID.");
}
// Validate `emailAuthorityId`.
if (
typeof input.emailAuthorityId === "string" &&
!validateIdFormat(input.emailAuthorityId)
) {
throw new ValidationError({
type: "authorization",
authorizationId: "",
grantId: "",
clientId: "",
userId: user.id
},
{
basic: "*",
scopes: "*",
secrets: "*"
}
)
)
) {
throw new ForbiddenError(
"You do not have permission to create this authorization"
);
}
// Create a new authorization.
const authorization = await Authorization.write(
tx,
{
id: authorizationId,
enabled: true,
userId: credential.userId,
grantId: null,
secret: randomBytes(16).toString("hex"),
scopes: [`${realm}:**:**`]
},
{async resolve(source, args, context): Promise {
const {
pool,
authorization: a,
realm,
strategies: { authorityMap },
sendMail,
base
} = context;
if (a) {
throw new ForbiddenError("You area already authenticated.");
}
const tx = await pool.connect();
try {
await tx.query("BEGIN DEFERRABLE");
// fetch the authority
const authority = await Authority.read(
tx,
args.authorityId,
authorityMap
);
if (!(authority instanceof EmailAuthority)) {
throw new AuthenticationError(
__DEV__!authority.details.publicKeys.some(key => {
try {
const payload = jwt.verify(proof, key, {
algorithms: ["RS512"]
});
// Make sure we're using the same email
if ((payload as any).email !== args.email) {
throw new ForbiddenError(
"This proof was generated for a different email address."
);
}
// Make sure this is for the same user
if ((payload as any).sub) {
throw new ForbiddenError(
"This proof was generated for a specific user."
);
}
return true;
} catch (error) {
if (error instanceof ForbiddenError) {
throw error;
}
return false;
}
})
) {async resolve(source, args, context): Promise {
const {
pool,
authorization: a,
realm,
strategies: { authorityMap },
base
} = context;
if (a) {
throw new ForbiddenError("You area already authenticated.");
}
const tx = await pool.connect();
try {
await tx.query("BEGIN DEFERRABLE");
// Fetch the authority.
const authority = await Authority.read(
tx,
args.authorityId,
authorityMap
);
if (!(authority instanceof OpenIdAuthority)) {
throw new AuthenticationError(
"The authority uses a strategy other than openid."throw new ForbiddenError(
"This proof was generated for a specific user."
);
}
return true;
} catch (error) {
if (error instanceof ForbiddenError) {
throw error;
}
return false;
}
})
) {
throw new ForbiddenError("The proof is invalid.");
}
}
// The user needs to be sent a proof.
else {
const proofId = v4();
// Generate a new proof
const proof = jwt.sign(
{
email: args.email
},
authority.details.privateKey,
{
algorithm: "RS512",
expiresIn: authority.details.proofValidityDuration,const tx = await pool.connect();
try {
await tx.query("BEGIN DEFERRABLE");
const before = await Credential.read(tx, input.id, credentialMap, {
forUpdate: true
});
if (!(before instanceof PasswordCredential)) {
throw new NotFoundError(
"The authority uses a strategy other than password."
);
}
if (!(await before.isAccessibleBy(realm, a, tx, "write.basic"))) {
throw new ForbiddenError(
"You do not have permission to update this credential."
);
}
if (
typeof input.password === "string" &&
!(await before.isAccessibleBy(realm, a, tx, "write.*"))
) {
throw new ForbiddenError(
"You do not have permission to update this credential's details."
);
}
const credential = await PasswordCredential.write(
tx,
{if (!(before instanceof OpenIdAuthority)) {
throw new NotFoundError("No openid authority exists with this ID.");
}
if (!(await before.isAccessibleBy(realm, a, tx, "write.basic"))) {
throw new ForbiddenError(
"You do not have permission to update this authority."
);
}
if (
(typeof input.clientId === "string" ||
typeof input.clientSecret === "string") &&
!(await before.isAccessibleBy(realm, a, tx, "write.*"))
) {
throw new ForbiddenError(
"You do not have permission to update this authority's details."
);
}
const authority = await OpenIdAuthority.write(
tx,
{
...before,
enabled:
typeof input.enabled === "boolean"
? input.enabled
: before.enabled,
name: typeof input.name === "string" ? input.name : before.name,
description:
typeof input.description === "string"
? input.description
: before.description,@authx/authx
This is AuthX. It's named AuthX because it's an "exchange" of sorts, consolidating identities from several upstream authorities into a single identity for downstream clients. AuthX uses the OAuth2 framework in both directions, and adds a robust access con
Package Health Score
73 / 100Popular @authx/authx functions
- @authx/authx.AuthenticationError
- @authx/authx.Authority.read
- @authx/authx.Authorization
- @authx/authx.Authorization.write
- @authx/authx.Client.write
- @authx/authx.Credential.read
- @authx/authx.ForbiddenError
- @authx/authx.Grant.write
- @authx/authx.NotFoundError
- @authx/authx.Role
- @authx/authx.Role.read
- @authx/authx.Role.write
- @authx/authx.StrategyCollection
- @authx/authx.User.read
- @authx/authx.User.write
- @authx/authx.validateIdFormat
- @authx/authx.ValidationError
- @authx/authx/dist/util/explanations.match
- @authx/authx/dist/util/scopes.createV2AuthXScope
- @authx/authx