Make the serialization of tokens more robust

mvantellingen · mvantellingen · commit 1d2b7b312ce9 · 2023-12-27T13:12:41.000+01:00
diff --git a/.changeset/orange-mangos-hammer.md b/.changeset/orange-mangos-hammer.md
@@ -0,0 +1,5 @@
+---
+"@labdigital/federated-token": minor
+---
+
+Make the serialization of tokens more robust
diff --git a/src/datasource.ts b/src/datasource.ts
@@ -21,7 +21,7 @@ export class FederatedGraphQLDataSource<
 
 		// TODO: We now blindly sent the access tokens and refresh tokens to all
 		// federated services. This is something we might want to whitelist.
-		const token = context.federatedToken.dumpAccessToken();
+		const token = context.federatedToken.serializeAccessToken();
 		if (token) {
 			headers.set("x-access-token", token);
 		}
@@ -49,7 +49,7 @@ export class FederatedGraphQLDataSource<
 			if (!context.federatedToken) {
 				context.federatedToken = new PublicFederatedToken();
 			}
-			context.federatedToken.loadAccessToken(token, true);
+			context.federatedToken.deserializeAccessToken(token, true);
 		}
 
 		const refreshToken = headers.get("x-refresh-token");
diff --git a/src/plugin.ts b/src/plugin.ts
@@ -18,7 +18,7 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>
 
 		const at = request.http?.headers.get("X-Access-Token");
 		if (at) {
-			contextValue.federatedToken.loadAccessToken(at);
+			contextValue.federatedToken.deserializeAccessToken(at);
 		}
 
 		const rt = request.http?.headers.get("X-Refresh-Token");
@@ -40,7 +40,7 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>
 		const t = contextValue.federatedToken;
 
 		if (t.isAccessTokenModified() || t.isValueModified()) {
-			const val = t.dumpAccessToken();
+			const val = t.serializeAccessToken();
 			if (val) {
 				response.http.headers.set("X-Access-Token", val);
 			}
diff --git a/src/token.test.ts b/src/token.test.ts
@@ -46,7 +46,7 @@ describe("FederatedToken", () => {
 		assert.isTrue(federatedToken.isAccessTokenModified());
 	});
 
-	test("loadAccessToken", () => {
+	test("deserializeAccessToken", () => {
 		const at = Buffer.from(
 			JSON.stringify({
 				tokens: {
@@ -55,13 +55,15 @@ describe("FederatedToken", () => {
 						exp: 1234567890,
 					},
 				},
-				value1: "exampleValue1",
-				value2: "exampleValue2",
+				values: {
+					value1: "exampleValue1",
+					value2: "exampleValue2",
+				},
 			})
 		).toString("base64");
 
 		const federatedToken = new FederatedToken();
-		federatedToken.loadAccessToken(at);
+		federatedToken.deserializeAccessToken(at);
 
 		assert.deepStrictEqual(
 			federatedToken.tokens.exampleName,
@@ -87,7 +89,7 @@ describe("FederatedToken", () => {
 		);
 	});
 
-	test("loadAccessToken with trackModified = true", () => {
+	test("deserializeAccessToken with trackModified = true", () => {
 		const at = Buffer.from(
 			JSON.stringify({
 				tokens: {
@@ -96,13 +98,15 @@ describe("FederatedToken", () => {
 						exp: 1234567890,
 					},
 				},
-				value1: "exampleValue1",
-				value2: "exampleValue2",
+				values: {
+					value1: "exampleValue1",
+					value2: "exampleValue2",
+				}
 			})
 		).toString("base64");
 
 		const federatedToken = new FederatedToken();
-		federatedToken.loadAccessToken(at, true);
+		federatedToken.deserializeAccessToken(at, true);
 
 		assert.deepStrictEqual(
 			federatedToken.tokens.exampleName,
@@ -128,7 +132,7 @@ describe("FederatedToken", () => {
 		);
 	});
 
-	test("dumpAccessToken", () => {
+	test("serializeAccessToken", () => {
 		const federatedToken = new FederatedToken();
 		federatedToken.setAccessToken("exampleName", {
 			token: "exampleToken",
@@ -139,20 +143,22 @@ describe("FederatedToken", () => {
 			value2: "exampleValue2",
 		};
 
-		const expectedDump = Buffer.from(
+		const serialized = Buffer.from(
 			JSON.stringify({
 				tokens: {
 					exampleName: {
 						token: "exampleToken",
 						exp: 1234567890,
 					},
 				},
-				value1: "exampleValue1",
-				value2: "exampleValue2",
+				values: {
+					value1: "exampleValue1",
+					value2: "exampleValue2",
+				}
 			})
 		).toString("base64");
 
-		assert.equal(federatedToken.dumpAccessToken(), expectedDump);
+		assert.equal(federatedToken.serializeAccessToken(), serialized);
 	});
 
 	test("loadRefreshToken", () => {
diff --git a/src/token.ts b/src/token.ts
@@ -4,6 +4,11 @@ export type FederatedTokenContext = {
 	federatedToken?: FederatedToken;
 };
 
+type FederatedTokenValue = {
+	tokens: Record<string, AccessToken>;
+	values: Record<string, any>;
+};
+
 export interface AccessToken {
 	// Expire at, unixtime
 	token: string;
@@ -55,42 +60,50 @@ export class FederatedToken {
 		return this._valueModified;
 	}
 
-	loadAccessToken(at: string, trackModified = false) {
-		const token = JSON.parse(Buffer.from(at, "base64").toString("ascii"));
+	// Return the expire time of the first token that expires
+	getExpireTime() {
+		const values = Object.values(this.tokens);
+		const sorted = values.sort((a, b) => a.exp - b.exp);
+		return sorted[0].exp;
+	}
 
-		// TODO: Validate json
+	// serializeAccessToken serializes the tokens into a base64 encoded string
+	// in order to be sent to downstream services and from the downstream
+	// services back to the gatewa
+	// in order to be sent to downstream services and from the downstream
+	serializeAccessToken(): string | undefined {
+		const data: FederatedTokenValue = {
+			tokens: this.tokens,
+			values: this.values,
+		};
 
-		if (token.refreshTokens) {
-			throw new Error("Refresh tokens are not allowed in the Access Token");
+		if (!data) {
+			return;
 		}
+		return Buffer.from(JSON.stringify(data)).toString("base64");
+	}
+
+	// deserializeAccessToken deserializes the tokens from a base64 encoded string
+	// as received from downstream services
+	deserializeAccessToken(at: string, trackModified = false) {
+		const token: FederatedTokenValue = JSON.parse(
+			Buffer.from(at, "base64").toString("ascii")
+		);
 
-		// Merge tokens into this object
+		// Merge tokens into this object. Checking for modified tokens
 		for (const k in token.tokens) {
 			if (trackModified && !isEqual(this.tokens[k], token.tokens[k])) {
 				this._accessTokenModified = true;
 			}
-
-			this.tokens[k] = token.tokens[k];
-		}
-
-		this.tokens = token.tokens;
-		for (const k in token) {
-			if (k !== "tokens") {
-				this.values[k] = token[k];
-			}
 		}
-	}
-
-	dumpAccessToken(): string | undefined {
-		const data = {
-			tokens: this.tokens,
+		this.tokens = {
+			...this.tokens,
+			...token.tokens,
+		};
+		this.values = {
 			...this.values,
+			...token.values,
 		};
-
-		if (!data) {
-			return;
-		}
-		return Buffer.from(JSON.stringify(data)).toString("base64");
 	}
 
 	loadRefreshToken(value: string, trackModified = false) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@labdigital/federated-token": minor
 +---
++
 +Make the serialization of tokens more robust
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ export class FederatedGraphQLDataSource<`
`21`	`21`
`22`	`22`	`// TODO: We now blindly sent the access tokens and refresh tokens to all`
`23`	`23`	`// federated services. This is something we might want to whitelist.`
`24`		`- const token = context.federatedToken.dumpAccessToken();`
	`24`	`+ const token = context.federatedToken.serializeAccessToken();`
`25`	`25`	`if (token) {`
`26`	`26`	`headers.set("x-access-token", token);`
`27`	`27`	`}`
`@@ -49,7 +49,7 @@ export class FederatedGraphQLDataSource<`
`49`	`49`	`if (!context.federatedToken) {`
`50`	`50`	`context.federatedToken = new PublicFederatedToken();`
`51`	`51`	`}`
`52`		`- context.federatedToken.loadAccessToken(token, true);`
	`52`	`+ context.federatedToken.deserializeAccessToken(token, true);`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`const refreshToken = headers.get("x-refresh-token");`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>`
`18`	`18`
`19`	`19`	`const at = request.http?.headers.get("X-Access-Token");`
`20`	`20`	`if (at) {`
`21`		`- contextValue.federatedToken.loadAccessToken(at);`
	`21`	`+ contextValue.federatedToken.deserializeAccessToken(at);`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`const rt = request.http?.headers.get("X-Refresh-Token");`
`@@ -40,7 +40,7 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>`
`40`	`40`	`const t = contextValue.federatedToken;`
`41`	`41`
`42`	`42`	`if (t.isAccessTokenModified() \|\| t.isValueModified()) {`
`43`		`- const val = t.dumpAccessToken();`
	`43`	`+ const val = t.serializeAccessToken();`
`44`	`44`	`if (val) {`
`45`	`45`	`response.http.headers.set("X-Access-Token", val);`
`46`	`46`	`}`