sprinklers3/server/authentication.ts

import * as Express from "express";
import Router from "express-promise-router";
import * as jwt from "jsonwebtoken";

import ApiError from "@common/ApiError";
import { ErrorCode } from "@common/ErrorCode";
import {
  TokenGrantPasswordRequest,
  TokenGrantRefreshRequest,
  TokenGrantRequest,
  TokenGrantResponse
} from "@common/httpApi";
import * as tok from "@common/TokenClaims";
import { User } from "@server/entities";
import { ServerState } from "@server/state";

const JWT_SECRET = process.env.JWT_SECRET!;
if (!JWT_SECRET) {
  throw new Error("Must specify JWT_SECRET environment variable");
}

const ISSUER = "sprinklers3";

const ACCESS_TOKEN_LIFETIME = 30 * 60; // 30 minutes
const REFRESH_TOKEN_LIFETIME = 7 * 24 * 60 * 60; // 7 days

function signToken(
  claims: tok.TokenClaimTypes,
  opts?: jwt.SignOptions
): Promise<string> {
  const options: jwt.SignOptions = {
    issuer: ISSUER,
    ...opts
  };
  return new Promise((resolve, reject) => {
    jwt.sign(claims, JWT_SECRET, options, (err: Error, encoded: string) => {
      if (err) {
        reject(err);
      } else {
        resolve(encoded);
      }
    });
  });
}

export function verifyToken<
  TClaims extends tok.TokenClaimTypes = tok.TokenClaimTypes
>(token: string, type?: TClaims["type"]): Promise<TClaims & tok.BaseClaims> {
  return new Promise((resolve, reject) => {
    jwt.verify(
      token,
      JWT_SECRET,
      {
        issuer: ISSUER
      },
      (err, decoded) => {
        if (err) {
          if (err.name === "TokenExpiredError") {
            reject(
              new ApiError(
                "The specified token is expired",
                ErrorCode.BadToken,
                err
              )
            );
          } else if (err.name === "JsonWebTokenError") {
            reject(new ApiError("Invalid token", ErrorCode.BadToken, err));
          } else {
            reject(err);
          }
        } else {
          const claims: tok.TokenClaims = decoded as any;
          if (type != null && claims.type !== type) {
            reject(
              new ApiError(
                `Expected a "${type}" token, received a "${claims.type}" token`,
                ErrorCode.BadToken
              )
            );
          }
          resolve(claims as TClaims & tok.BaseClaims);
        }
      }
    );
  });
}

export function generateAccessToken(user: User): Promise<string> {
  const accessTokenClaims: tok.AccessToken = {
    aud: user.id,
    name: user.name,
    type: "access"
  };

  return signToken(accessTokenClaims, { expiresIn: ACCESS_TOKEN_LIFETIME });
}

export function generateRefreshToken(user: User): Promise<string> {
  const refreshTokenClaims: tok.RefreshToken = {
    aud: user.id,
    name: user.name,
    type: "refresh"
  };

  return signToken(refreshTokenClaims, { expiresIn: REFRESH_TOKEN_LIFETIME });
}

export function generateDeviceRegistrationToken(): Promise<string> {
  const deviceRegTokenClaims: tok.DeviceRegistrationToken = {
    type: "device_reg"
  };
  return signToken(deviceRegTokenClaims);
}

export function generateDeviceToken(
  id: number,
  deviceId: string
): Promise<string> {
  const deviceTokenClaims: tok.DeviceToken = {
    type: "device",
    aud: deviceId,
    id
  };
  return signToken(deviceTokenClaims);
}

export function generateSuperuserToken(): Promise<string> {
  const superuserClaims: tok.SuperuserToken = {
    type: "superuser"
  };
  return signToken(superuserClaims);
}
Refactored out jwt token stuff 6 years ago			`import * as Express from "express";`
			`import Router from "express-promise-router";`
			`import * as jwt from "jsonwebtoken";`

			`import ApiError from "@common/ApiError";`
			`import { ErrorCode } from "@common/ErrorCode";`
			`import {`
Use prettier on everything 6 years ago			`TokenGrantPasswordRequest,`
			`TokenGrantRefreshRequest,`
			`TokenGrantRequest,`
			`TokenGrantResponse`
Refactored out jwt token stuff 6 years ago			`} from "@common/httpApi";`
			`import * as tok from "@common/TokenClaims";`
			`import { User } from "@server/entities";`
			`import { ServerState } from "@server/state";`

			`const JWT_SECRET = process.env.JWT_SECRET!;`
			`if (!JWT_SECRET) {`
Use prettier on everything 6 years ago			`throw new Error("Must specify JWT_SECRET environment variable");`
Refactored out jwt token stuff 6 years ago			`}`

			`const ISSUER = "sprinklers3";`

Use prettier on everything 6 years ago			`const ACCESS_TOKEN_LIFETIME = 30 * 60; // 30 minutes`
Longer refresh token lifetime 6 years ago			`const REFRESH_TOKEN_LIFETIME = 7 * 24 * 60 * 60; // 7 days`
Refactored out jwt token stuff 6 years ago
Use prettier on everything 6 years ago			`function signToken(`
			`claims: tok.TokenClaimTypes,`
			`opts?: jwt.SignOptions`
			`): Promise<string> {`
			`const options: jwt.SignOptions = {`
			`issuer: ISSUER,`
			`...opts`
			`};`
			`return new Promise((resolve, reject) => {`
			`jwt.sign(claims, JWT_SECRET, options, (err: Error, encoded: string) => {`
			`if (err) {`
			`reject(err);`
			`} else {`
			`resolve(encoded);`
			`}`
Refactored out jwt token stuff 6 years ago			`});`
Use prettier on everything 6 years ago			`});`
Refactored out jwt token stuff 6 years ago			`}`

Use prettier on everything 6 years ago			`export function verifyToken<`
			`TClaims extends tok.TokenClaimTypes = tok.TokenClaimTypes`
			`>(token: string, type?: TClaims["type"]): Promise<TClaims & tok.BaseClaims> {`
			`return new Promise((resolve, reject) => {`
			`jwt.verify(`
			`token,`
			`JWT_SECRET,`
			`{`
			`issuer: ISSUER`
			`},`
			`(err, decoded) => {`
			`if (err) {`
			`if (err.name === "TokenExpiredError") {`
			`reject(`
			`new ApiError(`
			`"The specified token is expired",`
			`ErrorCode.BadToken,`
			`err`
			`)`
			`);`
			`} else if (err.name === "JsonWebTokenError") {`
			`reject(new ApiError("Invalid token", ErrorCode.BadToken, err));`
			`} else {`
			`reject(err);`
			`}`
			`} else {`
			`const claims: tok.TokenClaims = decoded as any;`
			`if (type != null && claims.type !== type) {`
			`reject(`
			`new ApiError(`
			`Expected a "${type}" token, received a "${claims.type}" token`,
			`ErrorCode.BadToken`
			`)`
			`);`
			`}`
			`resolve(claims as TClaims & tok.BaseClaims);`
			`}`
			`}`
			`);`
			`});`
Refactored out jwt token stuff 6 years ago			`}`

			`export function generateAccessToken(user: User): Promise<string> {`
Use prettier on everything 6 years ago			`const accessTokenClaims: tok.AccessToken = {`
			`aud: user.id,`
			`name: user.name,`
			`type: "access"`
			`};`
Refactored out jwt token stuff 6 years ago
Use prettier on everything 6 years ago			`return signToken(accessTokenClaims, { expiresIn: ACCESS_TOKEN_LIFETIME });`
Refactored out jwt token stuff 6 years ago			`}`

			`export function generateRefreshToken(user: User): Promise<string> {`
Use prettier on everything 6 years ago			`const refreshTokenClaims: tok.RefreshToken = {`
			`aud: user.id,`
			`name: user.name,`
			`type: "refresh"`
			`};`
Refactored out jwt token stuff 6 years ago
Use prettier on everything 6 years ago			`return signToken(refreshTokenClaims, { expiresIn: REFRESH_TOKEN_LIFETIME });`
Refactored out jwt token stuff 6 years ago			`}`

			`export function generateDeviceRegistrationToken(): Promise<string> {`
Use prettier on everything 6 years ago			`const deviceRegTokenClaims: tok.DeviceRegistrationToken = {`
			`type: "device_reg"`
			`};`
			`return signToken(deviceRegTokenClaims);`
Refactored out jwt token stuff 6 years ago			`}`

Use prettier on everything 6 years ago			`export function generateDeviceToken(`
			`id: number,`
			`deviceId: string`
			`): Promise<string> {`
			`const deviceTokenClaims: tok.DeviceToken = {`
			`type: "device",`
			`aud: deviceId,`
			`id`
			`};`
			`return signToken(deviceTokenClaims);`
Refactored out jwt token stuff 6 years ago			`}`

			`export function generateSuperuserToken(): Promise<string> {`
Use prettier on everything 6 years ago			`const superuserClaims: tok.SuperuserToken = {`
			`type: "superuser"`
			`};`
			`return signToken(superuserClaims);`
Refactored out jwt token stuff 6 years ago			`}`