joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Security upgrade jsonwebtoken to 9.0.0 (#8431)

Browse Source
This commit is contained in:
Daniel
2023-02-17 05:52:48 +11:00
committed by GitHub
parent 30576f1091
commit 2c19c2e4d4
8 changed files with 333 additions and 330 deletions
Download Patch File Download Diff File Expand all files Collapse all files

555
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

2
package.json
View File

@@ -37,7 +37,7 @@
"graphql-tag": "2.12.6", "graphql-tag": "2.12.6",
"graphql-relay": "0.10.0", "graphql-relay": "0.10.0",
"intersect": "1.0.1", "intersect": "1.0.1",
"jsonwebtoken": "8.5.1", "jsonwebtoken": "9.0.0",
"jwks-rsa": "2.1.4", "jwks-rsa": "2.1.4",
"ldapjs": "2.3.3", "ldapjs": "2.3.3",
"lodash": "4.17.21", "lodash": "4.17.21",

53
spec/AuthenticationAdapters.spec.js
View File

@@ -596,6 +596,7 @@ describe('instagram auth adapter', () => {
describe('google auth adapter', () => { describe('google auth adapter', () => {
const google = require('../lib/Adapters/Auth/google'); const google = require('../lib/Adapters/Auth/google');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const authUtils = require('../lib/Adapters/Auth/utils');
it('should throw error with missing id_token', async () => { it('should throw error with missing id_token', async () => {
try { try {
@@ -618,7 +619,7 @@ describe('google auth adapter', () => {
// it('should throw error if public key used to encode token is not available', async () => { // it('should throw error if public key used to encode token is not available', async () => {
// const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } }; // const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } };
// try { // try {
// spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); // spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
// await google.validateAuthData({ id: 'the_user_id', id_token: 'the_token' }, {}); // await google.validateAuthData({ id: 'the_user_id', id_token: 'the_token' }, {});
// fail(); // fail();
@@ -637,7 +638,7 @@ describe('google auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
const result = await google.validateAuthData( const result = await google.validateAuthData(
@@ -653,7 +654,7 @@ describe('google auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
try { try {
@@ -677,7 +678,7 @@ describe('google auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
try { try {
@@ -699,7 +700,7 @@ describe('google auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
try { try {
@@ -1402,6 +1403,7 @@ describe('apple signin auth adapter', () => {
const apple = require('../lib/Adapters/Auth/apple'); const apple = require('../lib/Adapters/Auth/apple');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const util = require('util'); const util = require('util');
const authUtils = require('../lib/Adapters/Auth/utils');
it('(using client id as string) should throw error with missing id_token', async () => { it('(using client id as string) should throw error with missing id_token', async () => {
try { try {
@@ -1436,7 +1438,7 @@ describe('apple signin auth adapter', () => {
it('should throw error if public key used to encode token is not available', async () => { it('should throw error if public key used to encode token is not available', async () => {
const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } };
try { try {
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken.header);
await apple.validateAuthData( await apple.validateAuthData(
{ id: 'the_user_id', token: 'the_token' }, { id: 'the_user_id', token: 'the_token' },
@@ -1458,7 +1460,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken.header);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
@@ -1475,7 +1477,7 @@ describe('apple signin auth adapter', () => {
it('should not verify invalid id_token', async () => { it('should not verify invalid id_token', async () => {
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1512,7 +1514,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1534,7 +1536,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1556,7 +1558,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1576,7 +1578,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1604,7 +1606,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1633,7 +1635,7 @@ describe('apple signin auth adapter', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1705,7 +1707,7 @@ describe('apple signin auth adapter', () => {
sub: 'a_different_user_id', sub: 'a_different_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { kid: '123', rsaPublicKey: 'the_rsa_public_key' }; return { kid: '123', rsaPublicKey: 'the_rsa_public_key' };
}; };
@@ -1972,6 +1974,7 @@ describe('facebook limited auth adapter', () => {
const facebook = require('../lib/Adapters/Auth/facebook'); const facebook = require('../lib/Adapters/Auth/facebook');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const util = require('util'); const util = require('util');
const authUtils = require('../lib/Adapters/Auth/utils');
// TODO: figure out a way to run this test alongside facebook classic tests // TODO: figure out a way to run this test alongside facebook classic tests
xit('(using client id as string) should throw error with missing id_token', async () => { xit('(using client id as string) should throw error with missing id_token', async () => {
@@ -2010,7 +2013,7 @@ describe('facebook limited auth adapter', () => {
header: { kid: '789', alg: 'RS256' }, header: { kid: '789', alg: 'RS256' },
}; };
try { try {
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken.header);
await facebook.validateAuthData( await facebook.validateAuthData(
{ id: 'the_user_id', token: 'the_token' }, { id: 'the_user_id', token: 'the_token' },
@@ -2034,7 +2037,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken.header);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
@@ -2056,7 +2059,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2098,7 +2101,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2125,7 +2128,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2152,7 +2155,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2177,7 +2180,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2210,7 +2213,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2244,7 +2247,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',
@@ -2330,7 +2333,7 @@ describe('facebook limited auth adapter', () => {
const fakeDecodedToken = { const fakeDecodedToken = {
header: { kid: '123', alg: 'RS256' }, header: { kid: '123', alg: 'RS256' },
}; };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
const fakeGetSigningKeyAsyncFunction = () => { const fakeGetSigningKeyAsyncFunction = () => {
return { return {
kid: '123', kid: '123',

3
spec/index.spec.js
View File

@@ -553,6 +553,7 @@ describe('server', () => {
it('should not fail when Google signin is introduced without the optional clientId', done => { it('should not fail when Google signin is introduced without the optional clientId', done => {
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const authUtils = require('../lib/Adapters/Auth/utils');
reconfigureServer({ reconfigureServer({
auth: { google: {} }, auth: { google: {} },
@@ -565,7 +566,7 @@ describe('server', () => {
sub: 'the_user_id', sub: 'the_user_id',
}; };
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } }; const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken); spyOn(authUtils, 'getHeaderFromToken').and.callFake(() => fakeDecodedToken);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim); spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
const user = new Parse.User(); const user = new Parse.User();
user user

12
src/Adapters/Auth/apple.js
View File

@@ -5,6 +5,7 @@ const Parse = require('parse/node').Parse;
const jwksClient = require('jwks-rsa'); const jwksClient = require('jwks-rsa');
const util = require('util'); const util = require('util');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const authUtils = require('./utils');
const TOKEN_ISSUER = 'https://appleid.apple.com'; const TOKEN_ISSUER = 'https://appleid.apple.com';
@@ -30,21 +31,12 @@ const getAppleKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {
return key; return key;
}; };
const getHeaderFromToken = token => {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
}
return decodedToken.header;
};
const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => { const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => {
if (!token) { if (!token) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`); throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`);
} }
const { kid: keyId, alg: algorithm } = getHeaderFromToken(token); const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
const ONE_HOUR_IN_MS = 3600000; const ONE_HOUR_IN_MS = 3600000;
let jwtClaims; let jwtClaims;

12
src/Adapters/Auth/facebook.js
View File

@@ -5,6 +5,7 @@ const jwksClient = require('jwks-rsa');
const util = require('util'); const util = require('util');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const httpsRequest = require('./httpsRequest'); const httpsRequest = require('./httpsRequest');
const authUtils = require('./utils');
const TOKEN_ISSUER = 'https://facebook.com'; const TOKEN_ISSUER = 'https://facebook.com';
@@ -73,21 +74,12 @@ const getFacebookKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {
return key; return key;
}; };
const getHeaderFromToken = token => {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'provided token does not decode as JWT');
}
return decodedToken.header;
};
const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => { const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => {
if (!token) { if (!token) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'id token is invalid for this user.'); throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'id token is invalid for this user.');
} }
const { kid: keyId, alg: algorithm } = getHeaderFromToken(token); const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
const ONE_HOUR_IN_MS = 3600000; const ONE_HOUR_IN_MS = 3600000;
let jwtClaims; let jwtClaims;

13
src/Adapters/Auth/google.js
View File

@@ -5,6 +5,7 @@ var Parse = require('parse/node').Parse;
const https = require('https'); const https = require('https');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const authUtils = require('./utils');
const TOKEN_ISSUER = 'accounts.google.com'; const TOKEN_ISSUER = 'accounts.google.com';
const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com'; const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com';
@@ -51,22 +52,12 @@ function getGoogleKeyByKeyId(keyId) {
}); });
} }
function getHeaderFromToken(token) {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
}
return decodedToken.header;
}
async function verifyIdToken({ id_token: token, id }, { clientId }) { async function verifyIdToken({ id_token: token, id }, { clientId }) {
if (!token) { if (!token) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`); throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`);
} }
const { kid: keyId, alg: algorithm } = getHeaderFromToken(token); const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
let jwtClaims; let jwtClaims;
const googleKey = await getGoogleKeyByKeyId(keyId); const googleKey = await getGoogleKeyByKeyId(keyId);

13
src/Adapters/Auth/utils.js Normal file
View File

@@ -0,0 +1,13 @@
const jwt = require('jsonwebtoken');
const Parse = require('parse/node').Parse;
const getHeaderFromToken = token => {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
}
return decodedToken.header;
};
module.exports = {
getHeaderFromToken,
};