// GET / handler. The listing is truncated: the function body continues past the
// last line shown, so what is done with req.query.url is not visible here.
// Visible steps: read a JWT from the x-ctfproxy-jwt request header, verify it
// against publicKEY, then require a `url` query parameter.
// NOTE(review): none of the failure responses below set a status code, so they
// go out with the framework default (presumably 200 under Express; confirm).
// Clients and monitoring cannot tell an auth failure from success by status.
app.get("/", async function (req, res) {
  console.log("incoming request");
  let token = req.headers["x-ctfproxy-jwt"];
  // NOTE(review): this writes the raw header value (the bearer JWT) to the
  // process log before it has been checked. Anyone who can read the logs can
  // read the token; logging only its presence or a digest would avoid that.
  console.log(token);
  // Receives whatever jose.JWT.verify returns for a token that verifies.
  var djwt;
  if (token) {
    try {
      // Verification against publicKEY. No options argument is passed, so this
      // call does not pin an algorithm allow-list, issuer or audience.
      // NOTE(review): confirm the library defaults are sufficient for this
      // key type, or pass explicit options.
      djwt = jose.JWT.verify(token, publicKEY);
    } catch (err) {
      // Any exception from verify is treated as "invalid token"; err itself is
      // neither logged nor returned to the client.
      console.log("token invalid");
      return res.json({ success: false, message: "Token is not valid" });
    }
  } else {
    // Header absent or empty: reject before touching the query string.
    console.log("auth token not supplied");
    return res.json({
      success: false,
      message: "Auth token is not supplied",
    });
  }
  // Only the presence of `url` is checked in the visible lines.
  // NOTE(review): if the rest of the handler makes a server-side request to
  // this value, it needs destination validation (scheme and host allow-list);
  // that part is not shown. Confirm against the full source.
  if (!req.query.url) {
    console.log("no url");
    return res.json({ success: false, message: "url invalid" });
  }
/**
 * Validate a JWT: decode it, require header.alg to equal expectedAlg, check the
 * listed claims via verifyPresence, choose a verification key based on the
 * `iss` claim, and return the result of jose.JWT.verify.
 *
 * NOTE(review): the listing looks spliced. The `catch` near the end has no
 * matching `try` in the visible lines and refers to `label`, which is not
 * defined here. Read that tail as belonging to code that is not shown.
 *
 * @param jwt - the token to validate; it is also attached to every RPError thrown here
 * @param expectedAlg - the only header.alg value accepted; compared with !==
 * @param required - claim names handed to verifyPresence (presumably each must
 *   be present in the payload; confirm against verifyPresence)
 * @returns the decoded payload when alg is 'none', otherwise whatever
 *   jose.JWT.verify returns
 * @throws RPError on decode failure or alg mismatch
 */
async validateJWT(jwt, expectedAlg, required = ['iss', 'sub', 'aud', 'exp', 'iat']) {
  // Not used in the visible lines.
  const timestamp = now();
  let header;
  let payload;
  try {
    // Decode only. This is not signature verification, so header and payload
    // are attacker-controlled until jose.JWT.verify runs below.
    ({ header, payload } = jose.JWT.decode(jwt, { complete: true }));
  } catch (err) {
    // NOTE(review): the raw token is passed into the error object; make sure
    // whatever logs RPError instances does not print it in full.
    throw new RPError({
      printf: ['failed to decode JWT (%s: %s)', err.name, err.message],
      jwt,
    });
  }
  // Exact match against the caller's expectation: the token cannot pick its
  // own algorithm.
  if (header.alg !== expectedAlg) {
    throw new RPError({
      printf: ['unexpected JWT alg received, expected %s, got: %s', expectedAlg, header.alg],
      jwt,
    });
  }
  required.forEach(verifyPresence.bind(undefined, payload, jwt));
  const { iss } = payload;
  // Unsigned-token path: returns the decoded payload with no signature check.
  // Because of the alg comparison above, this is reachable only when the
  // caller itself passed expectedAlg === 'none'.
  // NOTE(review): confirm expectedAlg can never be 'none' via untrusted
  // configuration or metadata.
  if (header.alg === 'none') {
    return payload;
  }
  let key;
  // Key source is chosen from `iss`, which at this point comes from the
  // decoded, not-yet-verified payload.
  if (!iss || iss === this.issuer.issuer) {
    key = await this.issuer.key(header);
  } else if (issuerRegistry.has(iss)) {
    key = await issuerRegistry.get(iss).key(header);
  } else {
    // NOTE(review): for an iss that is neither this client's issuer nor in
    // issuerRegistry, discover() is called with the token-supplied value
    // (presumably issuer metadata discovery). If so, the token itself decides
    // where verification keys come from; confirm callers constrain iss.
    const discovered = await this.issuer.constructor.discover(iss);
    key = await discovered.key(header);
  }
  return jose.JWT.verify(jwt, key);
} catch (err) {
  // RPError, OPError and errors named AggregateError propagate unchanged;
  // anything else is wrapped in an RPError that carries the raw jwt.
  if (err instanceof RPError || err instanceof OPError || err.name === 'AggregateError') {
    throw err;
  } else {
    throw new RPError({
      printf: ['failed to validate the %s JWT (%s: %s)', label, err.name, err.message],
      jwt,
    });
  }
}
}