Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
async (assert) => {
assert.plan(1)
auth0Mock.start()
const client = jwksClient({
jwksUri: 'https://hardfork.eu.auth0.com/.well-known/jwks.json',
strictSsl: true, // Default value
})
const kid = auth0Mock.kid()
client.getSigningKey(kid, (err) => {
auth0Mock.stop()
if (err) {
return assert.fail()
}
assert.pass()
})
}
)
(assert) => {
assert.plan(1)
auth0Mock.start()
const client = jwksClient({
jwksUri: 'https://hardfork.eu.auth0.com/.well-known/jwks.json',
strictSsl: true, // Default value
})
const kid = auth0Mock.kid()
client.getSigningKey(kid, (err, key) => {
if (err) {
auth0Mock.stop()
return assert.fail()
}
const signingKey = String(key.publicKey || key.rsaPublicKey)
try {
verify(auth0Mock.token({}), signingKey)
} catch (err) {
auth0Mock.stop()
return assert.fail()
token = getToken(event)
} catch (err) {
console.log('could not get token', event, err)
return cb('could not get token')
}
const decoded = decode(token, { complete: true })
if (!decoded) {
return cb('could not decode token')
}
const kid = decoded.header.kid
const TOKEN_ISSUER = `https://cognito-idp.${region}.amazonaws.com/${poolId}`
const JWKS_URI = `${TOKEN_ISSUER}/.well-known/jwks.json`
const client = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 10, // Default value
jwksUri: JWKS_URI
})
client.getSigningKey(kid, function(err, key) {
if (err) {
cb(err)
} else {
const signingKey = key.publicKey || key.rsaPublicKey
verify(token, signingKey, { issuer: TOKEN_ISSUER }, function(
err,
tokenPayload
) {
if (err) {
module.exports.auth = (event, context, callback) => {
console.log(event);
// jwt.decode may throw error in case of validating wrong/expired access_token
try {
let token, client, decoded, kid;
token = getToken(event);
client = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 10,
jwksUri: process.env.JWKS_URI
});
decoded = jwt.decode(token, {complete: true});
kid = decoded.header.kid;
client.getSigningKey(kid, (err, key) => {
if (err) {
console.log("getSigningKey error:", err);
callback(null, {policyDocument: getPolicyDocument('Deny', event.methodArn)});
} else {
let signingKey = key.publicKey || key.rsaPublicKey;
let options = {
import jwt from 'jsonwebtoken'
import jwksClient from 'jwks-rsa'
import config from '../../src/_config'
/* initialize the JWKS client */
const auth0Domain = process.env.AUTH0_DOMAIN || config.auth0.domain
const authClient = jwksClient({
cache: true,
jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
audience: 'universe-theater',
issuer: 'https://adobot.auth0.com/',
})
/* Check authorization JWT */
export default function checkAuth(event) {
const alg = 'RS256' // algorithm is RSA http://bit.ly/2xAYygk
return new Promise((resolve, reject) => {
console.log('event.headers', event.headers)
if (!event.headers.authorization) {
const reason = 'Missing event.headers.authorization. You must be signed in to call this function'
return reject(new Error(reason))
}
console.log('event.headers', event.headers)
let tenantIntegration = this.cache.get(tenantID);
if (!tenantIntegration) {
const strategy = this.createStrategy(req, oidc);
// Create the entry.
tenantIntegration = {
strategy,
};
// We don't reset the entry in the cache here because if we just created
// it, we'll be creating the jwksClient anyways, so we'll update it there.
}
if (!tenantIntegration.jwksClient) {
// Create the new JWKS client.
const jwksClient = jwks({
jwksUri: oidc.jwksURI,
});
// Set the jwksClient on the entry.
tenantIntegration.jwksClient = jwksClient;
// Update the cached entry.
this.cache.set(tenantID, tenantIntegration);
}
return tenantIntegration.jwksClient;
}
COMPOSER_AUTH_CLIENT_ID,
COMPOSER_AUTH_REDIRECT_URI,
COMPOSER_AUTH_JWKS_URL,
COMPOSER_AUTH_RESOURCE,
MicrosoftAppId,
} = process.env;
// validate required config settings
const botId = validateConfig('COMPOSER_BOT_ID', COMPOSER_BOT_ID);
const clientId = validateConfig('COMPOSER_AUTH_CLIENT_ID', COMPOSER_AUTH_CLIENT_ID);
const redirectUri = validateConfig('COMPOSER_AUTH_REDIRECT_URI', COMPOSER_AUTH_REDIRECT_URI);
const jwksUri = validateConfig('COMPOSER_AUTH_JWKS_URL', COMPOSER_AUTH_JWKS_URL);
const resource = validateConfig('COMPOSER_AUTH_RESOURCE', COMPOSER_AUTH_RESOURCE);
const msAppId = validateConfig('MicrosoftAppId', MicrosoftAppId);
const jwksClient = JWKSClient({ jwksUri });
const getKey: GetPublicKeyOrSecret = (header, callback) => {
const { kid } = header;
if (!kid || kid.length === 0) {
callback('kid missing');
return;
}
jwksClient.getSigningKey(kid, (err, key) => {
if (err) {
callback(err);
return;
}
if (!key) {
const auth = tokenString => {
if (!tokenString) {
return Promise.resolve(null);
}
const token = getToken(tokenString);
const client = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 10, // Default value
jwksUri: JWKS_URI
});
return new Promise((yay, nay) => {
const decoded = jwt.decode(token, { complete: true });
if (!decoded) {
return nay(new Error('Malformed jwt'));
}
const { kid } = decoded.header;
client.getSigningKey(kid, (err, key) => {
if (err) {
nay(err);
public async verify(
tokenString: string,
token: OIDCIDToken,
tenant: Tenant,
now: Date
) {
// Ensure that the integration is enabled.
const integration = getEnabledIntegration(tenant.auth.integrations.oidc);
// Grab the JWKS client to verify the SSO ID token.
let client = this.cache.get(tenant.id);
if (!client) {
logger.trace({ tenantID: tenant.id }, "jwks client not cached");
client = jwks({
jwksUri: integration.jwksURI,
});
this.cache.set(tenant.id, client);
} else {
logger.trace({ tenantID: tenant.id }, "jwks client cached");
}
return findOrCreateOIDCUserWithToken(
this.mongo,
tenant,
client,
integration,
tokenString,
now
);
import jwksClient from 'jwks-rsa'
import jwt from 'jsonwebtoken'
import { AuthenticationError } from '../../errors'
import { findUser, createUser, deleteUser } from '../../models/user'
import got from 'got'
const jwks = jwksClient({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 1,
jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
})
function verifyAndDecodeIdToken(idToken) {
const invalidTokenMessage = 'Invalid id token.'
return new Promise((resolve, reject) => {
const { header, payload } = jwt.decode(idToken, { complete: true }) || {}
if (!header || !header.kid || !payload) {
return reject(new AuthenticationError(invalidTokenMessage))
}