Define dynamicStrategy

Implement a passport.js plugin for Dynamic. It is heavily based
on the passport-jwt strategy for the MVP

Author: fredericboivin

src/index.ts

@@ -1,5 +1 @@
-export class Hello {
-  public sayHello() {
-    return 'hello, world!';
-  }
-}
+export * from './lib/dynamicStrategy';

src/lib/dynamicStrategy.ts

@@ -0,0 +1,99 @@
+import { IncomingHttpHeaders } from 'http2';
+import { Jwt, JwtPayload, Secret } from 'jsonwebtoken';
+import type { StrategyCreated, StrategyCreatedStatic } from 'passport';
+// eslint-disable-next-line no-duplicate-imports
+import { Strategy } from 'passport';
+import { verifyToken } from './verifyToken';
+
+interface StrategyOptions {
+  publicKey: string;
+}
+
+interface Request {
+  headers: IncomingHttpHeaders;
+}
+
+export class DynamicStrategy extends Strategy {
+  authHeaderRegex = /(\S+)\s+(\S+)/;
+
+  _secretOrKeyProvider: (request: Request, rawJwtToken: any, done: any) => void;
+  verify: (payload: Jwt | JwtPayload | string | undefined, done: any) => void;
+
+  constructor(
+    options: StrategyOptions,
+    verify: (payload: Jwt | JwtPayload | string | undefined, done: any) => void,
+  ) {
+    super();
+
+    const publicKey = options.publicKey;
+
+    if (!publicKey) {
+      throw new Error(
+        'You must provide your Dynamic public key for verification.',
+      );
+    }
+
+    this.name = 'dynamicStrategy';
+
+    this.verify = verify;
+
+    // Passport expects this to be a callback. Our publicKey is static so
+    // we wrap it in a simple function that returns it
+    this._secretOrKeyProvider = (_request, _rawJwtToken, done) => {
+      done(null, publicKey);
+    };
+  }
+
+  authenticate(
+    this: StrategyCreated<this, this & StrategyCreatedStatic>,
+    req: Request,
+    _options?: any,
+  ) {
+    const token = this.jwtFromRequest(req);
+
+    if (!token) {
+      return this.fail('Missing JWT token');
+    }
+
+    this._secretOrKeyProvider(
+      req,
+      token,
+      (_secretOrKeyError: any, secretOrKey: Secret) => {
+        return verifyToken(token, secretOrKey, (err, payload) => {
+          if (err) {
+            return this.fail('Invalid token');
+          } else {
+            const verified = (error: any, user: object, info: object) => {
+              if (error) {
+                return this.error(error);
+              } else if (!user) {
+                return this.fail('User not found');
+              } else {
+                return this.success(user, info);
+              }
+            };
+
+            try {
+              this.verify(payload, verified);
+            } catch (ex) {
+              return this.error(ex);
+            }
+          }
+        });
+      },
+    );
+  }
+
+  jwtFromRequest(request: Request) {
+    let jwtToken = null;
+
+    const authHeader = request.headers.authorization;
+
+    if (authHeader) {
+      const bearerSchemeMatches = authHeader.match(this.authHeaderRegex);
+      jwtToken = bearerSchemeMatches ? bearerSchemeMatches[2] : null;
+    }
+
+    return jwtToken;
+  }
+}

src/lib/verifyToken.ts

@@ -0,0 +1,21 @@
+import {
+  VerifyCallback,
+  JwtPayload,
+  Secret,
+  verify as jwtVerify,
+  VerifyOptions,
+} from 'jsonwebtoken';
+// eslint-disable-next-line no-duplicate-imports
+import type { Jwt } from 'jsonwebtoken';
+
+export const verifyToken = (
+  token: string,
+  key: Secret,
+  callback: VerifyCallback<string | Jwt | JwtPayload>,
+) => {
+  const verifyOptions: VerifyOptions = {
+    algorithms: ['RS256'],
+    complete: false,
+  };
+  return jwtVerify(token, key, verifyOptions, callback);
+};

src/test/TestServer.ts

@@ -0,0 +1,88 @@
+import { createServer, Server as HttpServer } from 'http';
+
+import express from 'express';
+import passport from 'passport';
+import supertest from 'supertest';
+
+afterAll(async () => {
+  await testServer.close();
+});
+
+beforeAll(async () => {
+  await testServer.init();
+});
+
+beforeEach(() => {
+  jest.clearAllMocks();
+});
+
+const isAuthorized = () => (req: any, res: any, next: any) => {
+  try {
+    return passport.authenticate('dynamicStrategy', {
+      session: false,
+      failWithError: true,
+    })(req, res, next);
+  } catch (err) {
+    return next(err);
+  }
+};
+
+class Server {
+  private readonly expressApp: express.Application = express();
+
+  public constructor() {
+    this.expressApp.get(
+      '/user',
+      isAuthorized(),
+      function (req, res) {
+        res.status(200).json(req.user);
+      },
+      function (err: any, _req: any, res: any, next: any) {
+        const status = err.status || 500;
+        const errorMessage = err.message;
+
+        res.status(status);
+
+        res.json({
+          error: errorMessage,
+          status,
+        });
+
+        next();
+      },
+    );
+  }
+
+  public get app(): express.Application {
+    return this.expressApp;
+  }
+}
+
+export default Server;
+
+class TestServer {
+  private testApp!: express.Application;
+
+  private testServer!: HttpServer;
+
+  private Klass: typeof Server;
+
+  public constructor(cls = Server) {
+    this.Klass = cls;
+  }
+
+  public get app(): supertest.SuperTest<supertest.Test> {
+    return supertest(this.testServer);
+  }
+
+  public async init(): Promise<void> {
+    this.testApp = new this.Klass().app;
+    this.testServer = createServer(this.testApp);
+  }
+
+  public async close(): Promise<void> {
+    await this.testServer.close();
+  }
+}
+
+export const testServer: TestServer = new TestServer();

test/dynamicStrategy.spec.ts

@@ -0,0 +1,166 @@
+import { sign as jwtSign } from 'jsonwebtoken';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import keypair from 'keypair';
+import passport from 'passport';
+import { DynamicStrategy } from '../src/lib/dynamicStrategy';
+import { testServer } from '../src/test/TestServer';
+
+const keys = keypair();
+
+const user = {
+  chain: 'ETH',
+  environmentId: 'fb6dd9d1-09f5-43c3-8a8c-eab6e44c37f9',
+  lists: [],
+  userId: '382c1002-e9c1-4fc1-b17c-a887b693b940',
+  wallet: 'metamask',
+  walletPublicKey: '0x9249Ecdc1c83e5479289e0bDD9AB96738C51C9Da',
+};
+
+const defaultOptions = { publicKey: keys.public };
+const passportVerify = async (decodedToken: any, done: any) => {
+  try {
+    return done(null, decodedToken.payload);
+  } catch (err) {
+    return done(err, false);
+  }
+};
+
+const usePassport = (
+  options: any = defaultOptions,
+  verifyCallback = passportVerify,
+) => {
+  passport.use(new DynamicStrategy(options, verifyCallback));
+};
+
+describe('DynamicStrategy', () => {
+  afterEach(() => {
+    passport.unuse('dynamicStrategy');
+  });
+
+  const generateJWT = (alg = 'RS256') => {
+    const header = { alg: alg };
+    const payload = user;
+    const signedToken = jwtSign(
+      {
+        header: header,
+        payload: payload,
+        encoding: 'utf8',
+      },
+      keys.private,
+      { algorithm: 'RS256' },
+    );
+
+    return signedToken;
+  };
+
+  it('throws an error if the strategy does not have a `publicKey`', async () => {
+    expect(() => {
+      usePassport({});
+    }).toThrowError(
+      'You must provide your Dynamic public key for verification.',
+    );
+  });
+
+  it('returns 401 if no header is provided', async () => {
+    usePassport();
+
+    const response = await (await testServer).app.get('/user');
+
+    expect(response.status).toEqual(401);
+    expect(response.headers['www-authenticate']).toEqual('Missing JWT token');
+  });
+
+  it('returns 401 if the Authorization header has no value', async () => {
+    usePassport();
+
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', '');
+
+    expect(response.status).toEqual(401);
+    expect(response.headers['www-authenticate']).toEqual('Missing JWT token');
+  });
+
+  it('returns 401 if the Authorization header does not match the Bearer format', async () => {
+    usePassport();
+
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', 'Bearer');
+
+    expect(response.status).toEqual(401);
+    expect(response.headers['www-authenticate']).toEqual('Missing JWT token');
+  });
+
+  it('returns 401 if the JWT is invalid', async () => {
+    usePassport();
+
+    const signedToken = 'Token';
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', `Bearer ${signedToken}`);
+
+    expect(response.status).toEqual(401);
+    expect(response.headers['www-authenticate']).toEqual('Invalid token');
+  });
+
+  it('returns 500 if the verify callback throws an error', async () => {
+    const errorVerify = (_payload: any, _done: any) => {
+      throw new Error('Bad API');
+    };
+
+    usePassport(defaultOptions, errorVerify);
+
+    const signedToken = generateJWT();
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', `Bearer ${signedToken}`);
+
+    expect(response.status).toEqual(500);
+    expect(response.body.error).toEqual('Bad API');
+  });
+
+  it('returns 500 if the the verify callback returns an error', async () => {
+    const errorVerify = async (_payload: any, done: any) => {
+      return done(new Error('Unexpected error'), false);
+    };
+
+    usePassport(defaultOptions, errorVerify);
+
+    const signedToken = generateJWT();
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', `Bearer ${signedToken}`);
+
+    expect(response.status).toEqual(500);
+    expect(response.body.error).toEqual('Unexpected error');
+  });
+
+  it('returns 401 if the verify callback does not return a user', async () => {
+    const verifyNoUser = async (_payload: any, done: any) => {
+      return done(null, false);
+    };
+
+    usePassport(defaultOptions, verifyNoUser);
+
+    const signedToken = generateJWT();
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', `Bearer ${signedToken}`);
+
+    expect(response.status).toEqual(401);
+    expect(response.headers['www-authenticate']).toEqual('User not found');
+  });
+
+  it('returns 200 if the user can be authenticated', async () => {
+    usePassport();
+
+    const signedToken = generateJWT();
+    const response = await (await testServer).app
+      .get('/user')
+      .set('Authorization', `Bearer ${signedToken}`);
+
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(user);
+  });
+});