-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathtoken.js
More file actions
205 lines (168 loc) · 5.13 KB
/
token.js
File metadata and controls
205 lines (168 loc) · 5.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
/**
* Token-based authentication
*
* Supports multiple modes:
* 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
* 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
* 3. Nostr NIP-98 tokens: Schnorr signatures, returns did:nostr identity
*/
import crypto from 'crypto';
import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
// Secret for signing tokens (in production, use env var)
const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
/**
* Create a simple token for a WebID
* @param {string} webId - The WebID to create token for
* @param {number} expiresIn - Expiration time in seconds (default 1 hour)
* @returns {string} Token string
*/
export function createToken(webId, expiresIn = 3600) {
const payload = {
webId,
iat: Math.floor(Date.now() / 1000),
exp: Math.floor(Date.now() / 1000) + expiresIn
};
const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
const signature = crypto
.createHmac('sha256', SECRET)
.update(data)
.digest('base64url');
return `${data}.${signature}`;
}
/**
* Verify and decode a token (simple 2-part or JWT 3-part)
* @param {string} token - The token to verify
* @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
*/
export function verifyToken(token) {
if (!token || typeof token !== 'string') {
return null;
}
const parts = token.split('.');
// Handle JWT tokens (3 parts) from credentials endpoint
if (parts.length === 3) {
return verifyJwtToken(token);
}
if (parts.length !== 2) {
return null;
}
const [data, signature] = parts;
// Verify signature
const expectedSig = crypto
.createHmac('sha256', SECRET)
.update(data)
.digest('base64url');
if (signature !== expectedSig) {
return null;
}
// Decode payload
try {
const payload = JSON.parse(Buffer.from(data, 'base64url').toString());
// Check expiration
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
return null;
}
return payload;
} catch {
return null;
}
}
/**
* Verify a JWT token from credentials endpoint
* JWT tokens are self-contained and signed with the IdP's private key
* @param {string} token - JWT token
* @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
*/
function verifyJwtToken(token) {
try {
const parts = token.split('.');
if (parts.length !== 3) {
return null;
}
// Decode the payload (middle part)
const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
// Check expiration
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
return null;
}
// JWT from credentials endpoint uses 'webid' claim (lowercase)
if (payload.webid) {
return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
}
// Also check uppercase WebId for compatibility
if (payload.webId) {
return payload;
}
return null;
} catch {
return null;
}
}
/**
* Extract token from Authorization header
* @param {string} authHeader - Authorization header value
* @returns {string | null} Token or null
*/
export function extractToken(authHeader) {
if (!authHeader || typeof authHeader !== 'string') {
return null;
}
// Support "Bearer <token>" format
if (authHeader.startsWith('Bearer ')) {
return authHeader.slice(7);
}
// Also support raw token
return authHeader;
}
/**
* Extract WebID from request (sync version for simple tokens only)
* @param {object} request - Fastify request object
* @returns {string | null} WebID or null if not authenticated
*/
export function getWebIdFromRequest(request) {
const authHeader = request.headers.authorization;
// Skip DPoP tokens - use async version for those
if (authHeader && authHeader.startsWith('DPoP ')) {
return null;
}
// Skip Nostr tokens - use async version for those
if (authHeader && authHeader.startsWith('Nostr ')) {
return null;
}
const token = extractToken(authHeader);
if (!token) {
return null;
}
const payload = verifyToken(token);
return payload?.webId || null;
}
/**
* Extract WebID from request (async version supporting Solid-OIDC)
* @param {object} request - Fastify request object
* @returns {Promise<{webId: string|null, error: string|null}>}
*/
export async function getWebIdFromRequestAsync(request) {
const authHeader = request.headers.authorization;
if (!authHeader) {
return { webId: null, error: null };
}
// Try Solid-OIDC first (DPoP tokens)
if (hasSolidOidcAuth(request)) {
return verifySolidOidc(request);
}
// Try Nostr NIP-98 (Schnorr signatures)
if (hasNostrAuth(request)) {
return verifyNostrAuth(request);
}
// Fall back to simple Bearer tokens
const token = extractToken(authHeader);
if (!token) {
return { webId: null, error: null };
}
const payload = verifyToken(token);
if (payload?.webId) {
return { webId: payload.webId, error: null };
}
return { webId: null, error: 'Invalid token' };
}