sprinklers3/server/express/authentication.ts

import log from "@common/logger";
import * as Express from "express";
import Router from "express-promise-router";
import * as jwt from "jsonwebtoken";
import { User } from "../models/User";
import { ServerState } from "../state";
import { ApiError } from "./errors";

const ACCESS_TOKEN_LIFETIME = (30 * 60); // 30 minutes
const REFRESH_TOKEN_LIFETIME = (24 * 60 * 60); // 24 hours

/**
 * @param {number} lifetime in seconds
 */
function getExpTime(lifetime: number) {
    return Math.floor(Date.now() / 1000) + lifetime;
}

interface TokenClaims {
    iss: string;
    type: "access" | "refresh";
    aud: string;
    name: string;
    exp: number;
}

function signToken(claims: TokenClaims, secret: string): Promise<string> {
    return new Promise((resolve, reject) => {
        jwt.sign(claims, secret, (err: Error, encoded: string) => {
            if (err) {
                reject(err);
            } else {
                resolve(encoded);
            }
        });
    });
}

function verifyToken(token: string, secret: string): Promise<TokenClaims> {
    return new Promise((resolve, reject) => {
        jwt.verify(token, secret, (err, decoded) => {
            if (err) {
                if (err.name === "TokenExpiredError") {
                    reject(new ApiError(401, "The specified token is expired", err));
                } else if (err.name === "JsonWebTokenError") {
                    reject(new ApiError(400, "Invalid token", err));
                } else {
                    reject(err);
                }
            } else {
                resolve(decoded as any);
            }
        });
    });
}

function generateAccessToken(user: User, secret: string): Promise<string> {
    const access_token_claims: TokenClaims = {
        iss: "sprinklers3",
        aud: user.id || "",
        name: user.name,
        type: "access",
        exp: getExpTime(ACCESS_TOKEN_LIFETIME),
    };

    return signToken(access_token_claims, secret);
}

function generateRefreshToken(user: User, secret: string): Promise<string> {
    const refresh_token_claims: TokenClaims = {
        iss: "sprinklers3",
        aud: user.id || "",
        name: user.name,
        type: "refresh",
        exp: getExpTime(REFRESH_TOKEN_LIFETIME),
    };

    return signToken(refresh_token_claims, secret);
}

export function authentication(state: ServerState) {
    const JWT_SECRET = process.env.JWT_SECRET!;
    if (!JWT_SECRET) {
        throw new Error("Must specify JWT_SECRET environment variable");
    }

    const router = Router();

    async function passwordGrant(req: Express.Request, res: Express.Response) {
        const { body } = req;
        const { username, password } = body;
        if (!body || !username || !password) {
            throw new ApiError(400, "Must specify username and password");
        }
        const user = await User.loadByUsername(state.database, username);
        if (!user) {
            throw new ApiError(401, "User does not exist");
        }
        const passwordMatches = user.comparePassword(password);
        if (passwordMatches) {
            const [access_token, refresh_token] = await Promise.all(
                [await generateAccessToken(user, JWT_SECRET),
                    await generateRefreshToken(user, JWT_SECRET)]);
            res.json({
                access_token, refresh_token,
            });
        } else {
            res.status(400)
                .json({
                    message: "incorrect login",
                });
        }
    }

    async function refreshGrant(req: Express.Request, res: Express.Response) {
        const { body } = req;
        const { refresh_token } = body;
        if (!body || !refresh_token) {
            throw new ApiError(400, "Must specify a refresh_token");
        }
        const claims = await verifyToken(refresh_token, JWT_SECRET);
        if (claims.type !== "refresh") {
            throw new ApiError(400, "Not a refresh token");
        }
        const user = await User.load(state.database, claims.aud);
        if (!user) {
            throw new ApiError(400, "User does not exist");
        }
        const [access_token, new_refresh_token] = await Promise.all(
            [await generateAccessToken(user, JWT_SECRET),
                await generateRefreshToken(user, JWT_SECRET)]);
        res.json({
            access_token, refresh_token: new_refresh_token,
        });
    }

    router.post("/token/grant", async (req, res) => {
        const { body } = req;
        const { grant_type } = body;
        if (grant_type === "password") {
            await passwordGrant(req, res);
        } else if (grant_type === "refresh") {
            await refreshGrant(req, res);
        } else {
            throw new ApiError(400, "Invalid grant_type");
        }
    });

    router.post("/token/verify", async (req, res) => {
        const bearer = req.headers.authorization;
        if (!bearer) {
            throw new ApiError(401, "No bearer token specified");
        }
        const matches = /^Bearer (.*)$/.exec(bearer);
        if (!matches || !matches[1]) {
            throw new ApiError(400, "Invalid bearer token specified");
        }
        const token = matches[1];

        log.info({ token });

        const decoded = await verifyToken(token, JWT_SECRET);
        res.json({
            ok: true,
            decoded,
        });
    });

    return router;
}
Some great token routes and stuff 7 years ago			`import log from "@common/logger";`
			`import * as Express from "express";`
			`import Router from "express-promise-router";`
			`import * as jwt from "jsonwebtoken";`
			`import { User } from "../models/User";`
			`import { ServerState } from "../state";`
			`import { ApiError } from "./errors";`

			`const ACCESS_TOKEN_LIFETIME = (30 * 60); // 30 minutes`
			`const REFRESH_TOKEN_LIFETIME = (24 * 60 * 60); // 24 hours`

			`/**`
			`* @param {number} lifetime in seconds`
			`*/`
			`function getExpTime(lifetime: number) {`
			`return Math.floor(Date.now() / 1000) + lifetime;`
			`}`

			`interface TokenClaims {`
			`iss: string;`
			`type: "access" \| "refresh";`
			`aud: string;`
			`name: string;`
			`exp: number;`
			`}`

			`function signToken(claims: TokenClaims, secret: string): Promise<string> {`
			`return new Promise((resolve, reject) => {`
			`jwt.sign(claims, secret, (err: Error, encoded: string) => {`
			`if (err) {`
			`reject(err);`
			`} else {`
			`resolve(encoded);`
			`}`
			`});`
			`});`
			`}`

			`function verifyToken(token: string, secret: string): Promise<TokenClaims> {`
			`return new Promise((resolve, reject) => {`
			`jwt.verify(token, secret, (err, decoded) => {`
			`if (err) {`
			`if (err.name === "TokenExpiredError") {`
			`reject(new ApiError(401, "The specified token is expired", err));`
			`} else if (err.name === "JsonWebTokenError") {`
			`reject(new ApiError(400, "Invalid token", err));`
			`} else {`
			`reject(err);`
			`}`
			`} else {`
			`resolve(decoded as any);`
			`}`
			`});`
			`});`
			`}`

			`function generateAccessToken(user: User, secret: string): Promise<string> {`
			`const access_token_claims: TokenClaims = {`
			`iss: "sprinklers3",`
			`aud: user.id \|\| "",`
			`name: user.name,`
			`type: "access",`
			`exp: getExpTime(ACCESS_TOKEN_LIFETIME),`
			`};`

			`return signToken(access_token_claims, secret);`
			`}`

			`function generateRefreshToken(user: User, secret: string): Promise<string> {`
			`const refresh_token_claims: TokenClaims = {`
			`iss: "sprinklers3",`
			`aud: user.id \|\| "",`
			`name: user.name,`
			`type: "refresh",`
			`exp: getExpTime(REFRESH_TOKEN_LIFETIME),`
			`};`

			`return signToken(refresh_token_claims, secret);`
			`}`

			`export function authentication(state: ServerState) {`
			`const JWT_SECRET = process.env.JWT_SECRET!;`
			`if (!JWT_SECRET) {`
			`throw new Error("Must specify JWT_SECRET environment variable");`
			`}`

			`const router = Router();`

			`async function passwordGrant(req: Express.Request, res: Express.Response) {`
			`const { body } = req;`
			`const { username, password } = body;`
			`if (!body \|\| !username \|\| !password) {`
			`throw new ApiError(400, "Must specify username and password");`
			`}`
			`const user = await User.loadByUsername(state.database, username);`
			`if (!user) {`
			`throw new ApiError(401, "User does not exist");`
			`}`
			`const passwordMatches = user.comparePassword(password);`
			`if (passwordMatches) {`
			`const [access_token, refresh_token] = await Promise.all(`
			`[await generateAccessToken(user, JWT_SECRET),`
			`await generateRefreshToken(user, JWT_SECRET)]);`
			`res.json({`
			`access_token, refresh_token,`
			`});`
			`} else {`
			`res.status(400)`
			`.json({`
			`message: "incorrect login",`
			`});`
			`}`
			`}`

			`async function refreshGrant(req: Express.Request, res: Express.Response) {`
			`const { body } = req;`
			`const { refresh_token } = body;`
			`if (!body \|\| !refresh_token) {`
			`throw new ApiError(400, "Must specify a refresh_token");`
			`}`
			`const claims = await verifyToken(refresh_token, JWT_SECRET);`
			`if (claims.type !== "refresh") {`
			`throw new ApiError(400, "Not a refresh token");`
			`}`
			`const user = await User.load(state.database, claims.aud);`
			`if (!user) {`
			`throw new ApiError(400, "User does not exist");`
			`}`
			`const [access_token, new_refresh_token] = await Promise.all(`
			`[await generateAccessToken(user, JWT_SECRET),`
			`await generateRefreshToken(user, JWT_SECRET)]);`
			`res.json({`
			`access_token, refresh_token: new_refresh_token,`
			`});`
			`}`

			`router.post("/token/grant", async (req, res) => {`
			`const { body } = req;`
			`const { grant_type } = body;`
			`if (grant_type === "password") {`
			`await passwordGrant(req, res);`
			`} else if (grant_type === "refresh") {`
			`await refreshGrant(req, res);`
			`} else {`
			`throw new ApiError(400, "Invalid grant_type");`
			`}`
			`});`

			`router.post("/token/verify", async (req, res) => {`
			`const bearer = req.headers.authorization;`
			`if (!bearer) {`
			`throw new ApiError(401, "No bearer token specified");`
			`}`
			`const matches = /^Bearer (.*)$/.exec(bearer);`
			`if (!matches \|\| !matches[1]) {`
			`throw new ApiError(400, "Invalid bearer token specified");`
			`}`
			`const token = matches[1];`

			`log.info({ token });`

			`const decoded = await verifyToken(token, JWT_SECRET);`
			`res.json({`
			`ok: true,`
			`decoded,`
			`});`
			`});`

			`return router;`
			`}`