archetecture security fix
This commit is contained in:
Vendored
+51
@@ -0,0 +1,51 @@
|
||||
"use strict";
|
||||
var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.signActorToken = signActorToken;
|
||||
exports.verifyActorToken = verifyActorToken;
|
||||
exports.verifyAnyActorToken = verifyAnyActorToken;
|
||||
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
|
||||
const ISSUER = 'rentaldrivego-api';
|
||||
const ALG = ['HS256'];
|
||||
function getJwtSecret() {
|
||||
const secret = process.env.JWT_SECRET;
|
||||
if (!secret)
|
||||
throw new Error('JWT_SECRET is required');
|
||||
return secret;
|
||||
}
|
||||
function signActorToken(actorId, actorType, options = {}) {
|
||||
const { sessionVersion, last2faAt, ...signOptions } = options;
|
||||
return jsonwebtoken_1.default.sign({
|
||||
sub: actorId,
|
||||
type: actorType,
|
||||
...(sessionVersion === undefined ? {} : { sessionVersion }),
|
||||
...(last2faAt === undefined ? {} : { last2faAt }),
|
||||
}, getJwtSecret(), {
|
||||
algorithm: 'HS256',
|
||||
issuer: ISSUER,
|
||||
audience: actorType,
|
||||
expiresIn: signOptions.expiresIn ?? '8h',
|
||||
});
|
||||
}
|
||||
function verifyActorToken(token, expectedType) {
|
||||
const payload = jsonwebtoken_1.default.verify(token, getJwtSecret(), {
|
||||
algorithms: ALG,
|
||||
issuer: ISSUER,
|
||||
audience: expectedType,
|
||||
});
|
||||
if (typeof payload.sub !== 'string' || payload.type !== expectedType) {
|
||||
throw new Error('Invalid actor token');
|
||||
}
|
||||
return payload;
|
||||
}
|
||||
function verifyAnyActorToken(token) {
|
||||
const decoded = jsonwebtoken_1.default.decode(token);
|
||||
const actorType = decoded?.type;
|
||||
if (actorType !== 'admin' && actorType !== 'employee' && actorType !== 'renter') {
|
||||
throw new Error('Invalid actor token');
|
||||
}
|
||||
return verifyActorToken(token, actorType);
|
||||
}
|
||||
//# sourceMappingURL=tokens.js.map
|
||||
Reference in New Issue
Block a user