Add ability to set subject

mvantellingen · mvantellingen · commit 07c2edc063aa · 2023-12-27T13:13:39.000+01:00
diff --git a/src/gateway.test.ts b/src/gateway.test.ts
@@ -51,6 +51,7 @@ describe("GatewayAuthPlugin", () => {
 					context.federatedToken.setAccessToken("foo", {
 						token: "bar",
 						exp: Date.now() + 1000,
+						sub: "my-user-id",
 					});
 					context.federatedToken.setRefreshToken("foo", "bar");
 				}
@@ -65,6 +66,7 @@ describe("GatewayAuthPlugin", () => {
 				context.federatedToken?.setAccessToken("foo", {
 					token: "bar",
 					exp: Date.now() + 1000,
+					sub: "my-user-id",
 				});
 				return JSON.stringify(context.federatedToken);
 			},
diff --git a/src/jwt.test.ts b/src/jwt.test.ts
@@ -30,6 +30,7 @@ describe("PublicFederatedToken", async () => {
 			exampleName: {
 				token: "exampleToken",
 				exp: expireAt,
+				sub: "exampleSubject",
 			},
 		};
 		token.values = {
@@ -48,17 +49,45 @@ describe("PublicFederatedToken", async () => {
 		expect(newToken.values).toStrictEqual(token.values);
 	});
 
-	test("loadAccessJWT", async () => {
+	test("createAccessJWT with TokenSigner create hook", async () => {
+		const signer = new TokenSigner({
+			...signOptions,
+			getSubject: async (token) => token.tokens.exampleName?.sub,
+		});
+
 		const token = new PublicFederatedToken();
-		const exampleJWT = await signer.signJWT(
-			{
-				exp: Date.now() + 1000,
-				jwe: await signer.encryptObject(token.tokens),
-				value1: "exampleValue1",
-				value2: "exampleValue2",
+		const expireAt = Date.now() + 60;
+		token.tokens = {
+			exampleName: {
+				token: "exampleToken",
+				exp: expireAt,
+				sub: "exampleSubject",
 			},
-			Date.now() + 1000
-		);
+		};
+		token.values = {
+			value1: "exampleValue1",
+			value2: "exampleValue2",
+		};
+
+		const { accessToken, fingerprint } = await token.createAccessJWT(signer);
+
+		expect(fingerprint).lengthOf(32);
+
+		const newToken = new PublicFederatedToken();
+		await newToken.loadAccessJWT(signer, accessToken, fingerprint);
+		expect(newToken.tokens).toStrictEqual(token.tokens);
+		expect(newToken.refreshTokens).toStrictEqual(token.refreshTokens);
+		expect(newToken.values).toStrictEqual(token.values);
+	});
+
+	test("loadAccessJWT", async () => {
+		const token = new PublicFederatedToken();
+		const exampleJWT = await signer.signJWT({
+			exp: Date.now() + 1000,
+			jwe: await signer.encryptObject(token.tokens),
+			value1: "exampleValue1",
+			value2: "exampleValue2",
+		});
 
 		await token.loadAccessJWT(signer, exampleJWT);
 
@@ -75,16 +104,13 @@ describe("PublicFederatedToken", async () => {
 	test("loadAccessJWT with Fingerprint", async () => {
 		const token = new PublicFederatedToken();
 		const fingerprint = generateFingerprint();
-		const exampleJWT = await signer.signJWT(
-			{
-				exp: Date.now() + 1000,
-				jwe: await signer.encryptObject(token.tokens),
-				value1: "exampleValue1",
-				value2: "exampleValue2",
-				_fingerprint: hashFingerprint(fingerprint),
-			},
-			Date.now() + 1000
-		);
+		const exampleJWT = await signer.signJWT({
+			exp: Date.now() + 1000,
+			jwe: await signer.encryptObject(token.tokens),
+			value1: "exampleValue1",
+			value2: "exampleValue2",
+			_fingerprint: hashFingerprint(fingerprint),
+		});
 
 		expect(fingerprint).lengthOf(32);
 		await token.loadAccessJWT(signer, exampleJWT, fingerprint);
diff --git a/src/sign.test.ts b/src/sign.test.ts
@@ -40,12 +40,13 @@ describe("Strings", async () => {
 	});
 
 	test("JWT Sign and verify", async () => {
+		const exp = Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 90;
 		const payload = {
 			foo: "bar",
+			exp: exp,
 		};
 
-		const exp = Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 90;
-		const token = await signer.signJWT(payload, exp);
+		const token = await signer.signJWT(payload);
 		expect(token).toBeDefined();
 
 		const result = await signer.verifyJWT(token);
diff --git a/src/sign.ts b/src/sign.ts
@@ -1,11 +1,14 @@
 import * as jose from "jose";
+import { PublicFederatedToken } from "jwt";
 import { KeyObject } from "node:crypto";
 
+
 type TokenSignerOptions = {
 	encryptKeys: KeyManagerInterface;
 	signKeys: KeyManagerInterface;
 	audience: string;
 	issuer: string;
+	getSubject?: (token: PublicFederatedToken) => Promise<string>;
 };
 
 export class ConfigurationError extends Error {}
@@ -52,10 +55,14 @@ export class TokenSigner {
 		return JSON.parse(data);
 	}
 
-	async signJWT(payload: any, exp: number) {
+	async getSubject(token: PublicFederatedToken): Promise<string | undefined> {
+		return this.config.getSubject ? this.config.getSubject(token) : undefined
+	}
+
+	async signJWT(payload: jose.JWTPayload) {
 		const { id, key } = await this._signKeys.getActiveKey();
-		return await new jose.SignJWT(payload)
-			.setExpirationTime(exp)
+
+		return new jose.SignJWT(payload)
 			.setIssuedAt()
 			.setProtectedHeader({ alg: "HS256", kid: id })
 			.setAudience(this.config.audience)
diff --git a/src/token.test.ts b/src/token.test.ts
@@ -7,6 +7,7 @@ describe("FederatedToken", () => {
 		const token: AccessToken = {
 			token: "exampleToken",
 			exp: 1234567890,
+			sub: "exampleSubject",
 		};
 		federatedToken.setAccessToken("exampleName", token);
 		assert.equal(federatedToken.tokens.exampleName, token);
@@ -42,6 +43,7 @@ describe("FederatedToken", () => {
 		federatedToken.setAccessToken("exampleName", {
 			token: "exampleToken",
 			exp: 1234567890,
+			sub: "exampleSubject",
 		});
 		assert.isTrue(federatedToken.isAccessTokenModified());
 	});
@@ -53,6 +55,7 @@ describe("FederatedToken", () => {
 					exampleName: {
 						token: "exampleToken",
 						exp: 1234567890,
+						sub: "exampleSubject",
 					},
 				},
 				values: {
@@ -70,6 +73,7 @@ describe("FederatedToken", () => {
 			{
 				token: "exampleToken",
 				exp: 1234567890,
+				sub: "exampleSubject",
 			},
 			"Token object should be loaded correctly"
 		);
@@ -96,6 +100,7 @@ describe("FederatedToken", () => {
 					exampleName: {
 						token: "exampleToken",
 						exp: 1234567890,
+						sub: "exampleSubject",
 					},
 				},
 				values: {
@@ -113,6 +118,7 @@ describe("FederatedToken", () => {
 			{
 				token: "exampleToken",
 				exp: 1234567890,
+				sub: "exampleSubject",
 			},
 			"Token object should be loaded correctly"
 		);
@@ -137,6 +143,7 @@ describe("FederatedToken", () => {
 		federatedToken.setAccessToken("exampleName", {
 			token: "exampleToken",
 			exp: 1234567890,
+			sub: "exampleSubject",
 		});
 		federatedToken.values = {
 			value1: "exampleValue1",
@@ -149,6 +156,7 @@ describe("FederatedToken", () => {
 					exampleName: {
 						token: "exampleToken",
 						exp: 1234567890,
+						sub: "exampleSubject",
 					},
 				},
 				values: {
diff --git a/src/token.ts b/src/token.ts
@@ -13,6 +13,9 @@ export interface AccessToken {
 	// Expire at, unixtime
 	token: string;
 	exp: number;
+
+	// Subject, it is most often used for the user-id.
+	sub: string;
 }
 
 export class FederatedToken {

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,9 @@ export interface AccessToken {`
`13`	`13`	`// Expire at, unixtime`
`14`	`14`	`token: string;`
`15`	`15`	`exp: number;`
	`16`	`+`
	`17`	`+ // Subject, it is most often used for the user-id.`
	`18`	`+ sub: string;`
`16`	`19`	`}`
`17`	`20`
`18`	`21`	`export class FederatedToken {`