From 6c2daebf30bdd4dffc302c4bbcf9337d8c047236 Mon Sep 17 00:00:00 2001
From: rijkvanzanten
Date: Tue, 23 Jun 2020 15:46:07 -0400
Subject: [PATCH] Add extract token + authenticate middleware

---
 src/app.ts | 6 +++--
 src/middleware/authenticate.ts | 31 ++++++++++++++++++++++++++
 src/middleware/extract-token.ts | 39 +++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 src/middleware/authenticate.ts
 create mode 100644 src/middleware/extract-token.ts

diff --git a/src/app.ts b/src/app.ts
index 5f96f940bb..5451744c7a 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -6,7 +6,8 @@ import bodyParser from 'body-parser';
 import { errorHandler, ErrorCode } from './error';
-import passport from './auth/passport';
+import extractToken from './middleware/extract-token';
+import authenticate from './middleware/authenticate';
 import activityRouter from './routes/activity';
 import authRouter from './routes/auth';
@@ -38,7 +39,8 @@ import notFoundHandler from './routes/not-found';
 const app = express()
 .disable('x-powered-by')
 .use(bodyParser.json())
-.use(passport.initialize())
+.use(extractToken)
+.use(authenticate)
 .use('/activity', activityRouter)
 .use('/auth', authRouter)
 .use('/collection_presets', collectionPresetsRouter)
diff --git a/src/middleware/authenticate.ts b/src/middleware/authenticate.ts
new file mode 100644
index 0000000000..2fcc61e1f2
--- /dev/null
+++ b/src/middleware/authenticate.ts
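Review bot: Replacing `passport.initialize()` with `extractToken` and `authenticate` on this chain leaves no step that denies a request: `authenticate`, as added in this same commit, only populates `req.user`/`req.role` and calls `next()` on every non-throwing path, so each router mounted below it (`/activity` onward; the chain continues past the hunk) must now enforce authentication itself, and that enforcement is not visible in this diff. The pair also runs on `/auth`, so a login request that still carries an expired or foreign token in its `Authorization` header goes through JWT verification before it reaches the login handler; either mount `authRouter` ahead of `authenticate` or make sure a bad token on `/auth` cannot block a login. A comment such as `// extractToken + authenticate only identify the caller; routers must reject unauthenticated requests themselves` on the `.use(authenticate)` line would make that contract explicit.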
@@ -0,0 +1,31 @@
+import { RequestHandler } from 'express';
+import jwt from 'jsonwebtoken';
+import isJWT from '../utils/is-jwt';
+import database from '../database';
+
+const authenticate: RequestHandler = async (req, res, next) => {
+ if (!req.token) return next();
+
+ if (isJWT(req.token)) {
+ const payload = jwt.verify(req.token, process.env.SECRET) as { id: string };
+ const user = await database
+ .select('role')
+ .from('directus_users')
+ .where({ id: payload.id })
+ .first();
+ /** @TODO verify user status */
+ req.user = payload.id;
+ req.role = user.role;
+ return next();
+ }
+
+ /**
+ * @TODO
+ * Implement static tokens
+ *
+ * We'll silently ignore wrong tokens. This makes sure we prevent brute-forcing static tokens
+ */
+ return next();
+};
+
+export default authenticate;
diff --git a/src/middleware/extract-token.ts b/src/middleware/extract-token.ts
new file mode 100644
index 0000000000..efa5f55593
--- /dev/null
+++ b/src/middleware/extract-token.ts
@@ -0,0 +1,39 @@
+/**
+ * Extract access token from:
+ *
+ * Authorization: Bearer
+ * access_token query parameter
+ *
+ * and store in req.token
+ */
+
+import { RequestHandler } from 'express';
+
+const extractToken: RequestHandler = (req, res, next) => {
+ let token: string | null = null;
+
+ if (req.query && req.query.access_token) {
+ token = req.query.access_token as string;
+ }
+
+ if (req.headers && req.headers.authorization) {
+ const parts = req.headers.authorization.split(' ');
+
+ if (parts.length === 2 && parts[0] === 'Bearer') {
+ token = parts[1];
+ }
+ }
+
+ /**
+ * @TODO
+ * Look into RFC6750 compliance:
+ * In order to be fully compliant with RFC6750, we have to throw a 400 error when you have the
+ * token in more than 1 place afaik. We also might have to support "access_token" as a post body
+ * key
+ */
+
+ req.token = token;
+ next();
+};
+
+export default extractToken;
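Review bot: In the `isJWT` branch, `jwt.verify` throws on an expired, tampered or wrongly-signed token, and because `authenticate` is an `async` handler that throw becomes a rejected promise Express 4 never sees — the request hangs instead of being answered with a 401, and the failure surfaces only as an unhandled rejection. The same branch reads `user.role` without checking that `.first()` found a row, so a valid token whose user has since been deleted fails the same way, and `process.env.SECRET` is `string | undefined`, so an unset secret is only discovered when the first token arrives. Wrap the verify-and-lookup in try/catch and hand failures to `next(err)`, fail fast on a missing secret, and pin `algorithms` to what the signer uses (jsonwebtoken signs with HS256 by default; the issuing code is not in this diff, so confirm) rather than relying on the library default. The "silently ignore wrong tokens" rationale belongs to the static-token path only; a token that looks like a JWT but does not verify should be rejected, not treated as anonymous.

```typescript
const authenticate: RequestHandler = async (req, res, next) => {
	if (!req.token) return next();

	if (isJWT(req.token)) {
		// A throw in an async handler never reaches Express 4; convert it into next(err).
		try {
			const secret = process.env.SECRET;
			if (!secret) throw new Error('SECRET is not configured');
			// Pin the algorithm the signer uses; confirm against the token-issuing code.
			const payload = jwt.verify(req.token, secret, { algorithms: ['HS256'] }) as { id: string };
			const user = await database
				.select('role')
				.from('directus_users')
				.where({ id: payload.id })
				.first();
			/** @TODO verify user status */
			if (!user) throw new Error('Token refers to a user that no longer exists');
			req.user = payload.id;
			req.role = user.role;
			return next();
		} catch (err) {
			/** @TODO map to the project's 401/403 error type before passing on */
			return next(err);
		}
	}

	// … unchanged: static-token TODO comment and final next() …
};
```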
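Review bot: `token = req.query.access_token as string` asserts a type the query parser does not guarantee: with Express's default `qs`-based parser a request with `?access_token=a&access_token=b` yields an array, which then flows into `req.token`, `isJWT` and `jwt.verify` as a non-string. Guard the type instead of asserting it: `if (req.query && typeof req.query.access_token === 'string') { token = req.query.access_token; }`. Accepting the token from the query string also puts it into server and proxy access logs, browser history and outbound `Referer` headers; RFC 6750 §2.3 allows that method only when the header cannot be used and asks for `Cache-Control: private` on responses to such requests, which is worth recording next to the existing RFC6750 TODO. The `parts[0] === 'Bearer'` comparison is case-sensitive while the HTTP auth-scheme is case-insensitive (RFC 7235 §2.1); `parts[0].toLowerCase() === 'bearer'` accepts clients that send `bearer`.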