Endpoint for getting auth token #103
Conversation
src/routes/auth.js
Outdated
| verify(requestToken, keys.privateKey, { | ||
| algorithms: ['HS256'], | ||
| }); |
There was a problem hiding this comment.
Change this to keys.publicKey, and algorithms to ['RS256']. This is because the token was originally signed by CASI's private key and should be verified by its public key.
| verify(requestToken, keys.privateKey, { | ||
| algorithms: ['HS256'], | ||
| }); | ||
|
|
There was a problem hiding this comment.
The verification is to be done here, after requestToken and client are verified.
src/utils/utils.js
Outdated
| const createAuthToken = (user) => { | ||
| const payload = { | ||
| user: { | ||
| id: user.id, | ||
| email: user.email, | ||
| firstname: user.firstname, | ||
| lastname: user.lastname, | ||
| username: user.username, | ||
| roles: user.roles, | ||
| privilege: getUserPrivilege(user), | ||
| isverified: user.isverified, | ||
| }, | ||
| }; | ||
| const exp = keys.authExpTime; | ||
| // create a token | ||
| const token = jwt.sign(payload, keys.privateKey, { | ||
| expiresIn: exp, // in seconds | ||
| issuer: keys.iss, | ||
| algorithm: 'RS256', | ||
| }); | ||
|
|
||
| return token; | ||
| }; | ||
|
|
There was a problem hiding this comment.
Please see the createJWTCookie method in utils.js. Link.
Instead of creating a separate method for token creation, split the createJWTCookie method into two methods - First for token creation (similar to this createAuthToken), second for cookie creation (the latter part of createJWTCookie). Use the tokenName argument to choose the expiry time of the token.
src/routes/auth.js
Outdated
| const { q } = req.query; | ||
| const { requestToken } = decode(q); |
There was a problem hiding this comment.
Is q a JWT token? If yes then you need to verify it. If no, then just use const {reqToken} = req.body. I think there is no need for JWT signing at this stage since this parameter will be publicly visible in the URL. The /getAuthToken method would then check if the request token correctly maps to the client that is trying to exchange it. This would ensure that even if the request token is compromised, a malicious entity would not be able to get access to the auth token.
src/routes/auth.js
Outdated
| } | ||
| }); | ||
|
|
||
| router.post('/getToken', async (req, res) => { |
There was a problem hiding this comment.
Can you please change this name to /getAuthToken or something similar? It is kind of confusing >.<
|
|
||
| router.post('/getToken', async (req, res) => { | ||
| try { | ||
| const { token } = req.body; |
There was a problem hiding this comment.
You need to verify this token with client.accessToken
No description provided.