1"use strict";
2// *****************************************************************************
3// Copyright (C) 2020 Ericsson and others.
4//
5// This program and the accompanying materials are made available under the
6// terms of the Eclipse Public License v. 2.0 which is available at
7// http://www.eclipse.org/legal/epl-2.0.
8//
9// This Source Code may also be made available under the following Secondary
10// Licenses when the conditions for such availability set forth in the Eclipse
11// Public License v. 2.0 are satisfied: GNU General Public License, version 2
12// with the GNU Classpath Exception which is available at
13// https://www.gnu.org/software/classpath/license.html.
14//
15// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
16// *****************************************************************************
/**
 * Decorator-application helper: reuses an existing `this.__decorate` when one is
 * present, otherwise falls back to the implementation below.
 *
 * Called with two arguments it decorates a class, with three a property, and with
 * four a member whose descriptor is looked up when `desc` is `null`.
 *
 * @param decorators Decorator functions; applied from last to first.
 * @param target Class constructor or prototype being decorated.
 * @param key Member name (absent for class decorators).
 * @param desc Property descriptor, or `null` to have it read from `target`.
 * @returns The last truthy value produced by a decorator, else the starting value.
 */
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
    const argCount = arguments.length;
    let result;
    if (argCount < 3) {
        result = target;
    }
    else {
        if (desc === null) {
            desc = Object.getOwnPropertyDescriptor(target, key);
        }
        result = desc;
    }
    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") {
        // Prefer a Reflect.decorate implementation when one has been installed.
        result = Reflect.decorate(decorators, target, key, desc);
    }
    else {
        for (let index = decorators.length - 1; index >= 0; index--) {
            const decorator = decorators[index];
            if (!decorator) {
                continue;
            }
            let produced;
            if (argCount < 3) {
                produced = decorator(result);
            }
            else if (argCount > 3) {
                produced = decorator(target, key, result);
            }
            else {
                produced = decorator(target, key);
            }
            // A decorator that returns nothing leaves the running result untouched.
            result = produced || result;
        }
    }
    if (argCount > 3 && result) {
        Object.defineProperty(target, key, result);
    }
    return result;
};
/**
 * Metadata helper: reuses an existing `this.__metadata` when one is present.
 * The fallback forwards to `Reflect.metadata` if that function exists and
 * otherwise returns `undefined`.
 *
 * @param k Metadata key.
 * @param v Metadata value.
 */
var __metadata = (this && this.__metadata) || function (k, v) {
    const reflectMetadataAvailable = typeof Reflect === "object" && typeof Reflect.metadata === "function";
    return reflectMetadataAvailable ? Reflect.metadata(k, v) : undefined;
};
// Flag the CommonJS export object as originating from an ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the export slot up front; the class is assigned to it at the end of the file.
exports.ElectronTokenValidator = undefined;
28const cookie = require("cookie");
29const crypto = require("crypto");
30const inversify_1 = require("inversify");
31const common_1 = require("../../common");
32const electron_token_1 = require("../../electron-common/electron-token");
33/**
34 * On Electron, we want to make sure that only Electron's browser-windows access the backend services.
35 */
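let ElectronTokenValidator = class ElectronTokenValidator {
    // Authorization model as implemented below: the expected token is read once from the
    // backend's environment (`getToken`) and every request must present the same value in
    // a cookie. A request whose token is missing, unparsable or different is denied.

    /**
     * Caches the expected token on the instance. Registered as the inversify
     * post-construct hook further down in this file.
     */
    postConstruct() {
        this.electronSecurityToken = this.getToken();
    }
    /**
     * Authorizes a WebSocket upgrade with exactly the same check as `allowRequest`.
     *
     * @param request Incoming upgrade request.
     * @returns `true` only when the request carries the expected token.
     */
    allowWsUpgrade(request) {
        return this.allowRequest(request);
    }
    /**
     * Expects the token to be passed via cookies by default.
     *
     * The cookie value is controlled by the client, so a value that is not valid JSON
     * is treated as a denied request instead of letting the `SyntaxError` from
     * `JSON.parse` escape into the caller.
     *
     * @param request Incoming request; only `request.headers.cookie` is read.
     * @returns `true` only when the cookie holds a token accepted by `isTokenValid`.
     */
    allowRequest(request) {
        const cookieHeader = request.headers.cookie;
        if (!(0, common_1.isString)(cookieHeader)) {
            return false;
        }
        const token = cookie.parse(cookieHeader)[electron_token_1.ElectronSecurityToken];
        if (!(0, common_1.isString)(token)) {
            return false;
        }
        let parsedToken;
        try {
            parsedToken = JSON.parse(token);
        }
        catch (error) {
            // Fail closed. The payload is deliberately not logged: it is untrusted input
            // and any client able to reach the backend could otherwise flood the log.
            return false;
        }
        return this.isTokenValid(parsedToken);
    }
    /**
     * Validates a token.
     *
     * This method both checks the shape of the parsed token data and its actual value.
     * Any error raised while comparing (for example when the expected token has not been
     * set on the instance) is logged and results in `false`.
     *
     * @param token Parsed object sent by the client as the token.
     * @returns `true` only when `token.value` equals the expected token value.
     */
    isTokenValid(token) {
        if (!(0, common_1.isObject)(token) || !(0, common_1.isString)(token.value)) {
            return false;
        }
        try {
            const received = Buffer.from(token.value, 'utf8');
            const expected = Buffer.from(this.electronSecurityToken.value, 'utf8');
            // `crypto.timingSafeEqual` throws when the byte lengths differ, so the length
            // is compared first; the value comparison itself does not exit early on the
            // first differing byte.
            return received.byteLength === expected.byteLength && crypto.timingSafeEqual(received, expected);
        }
        catch (error) {
            console.error(error);
        }
        return false;
    }
    /**
     * Returns the token to compare to when authorizing requests.
     *
     * The token is read as JSON from the environment variable named by
     * `ElectronSecurityToken`. `JSON.parse` throws when that variable is unset or is not
     * valid JSON, so a misconfigured backend fails in `postConstruct` rather than
     * running without an expected token.
     */
    getToken() {
        return JSON.parse(process.env[electron_token_1.ElectronSecurityToken]);
    }
};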
// Register `postConstruct` as the inversify post-construct hook, together with the
// `design:*` metadata entries for that method.
const postConstructDecorators = [
    (0, inversify_1.postConstruct)(),
    __metadata("design:type", Function),
    __metadata("design:paramtypes", []),
    __metadata("design:returntype", undefined),
];
__decorate(postConstructDecorators, ElectronTokenValidator.prototype, "postConstruct", null);
// Apply inversify's `injectable` decorator to the class, then publish the result.
const classDecorators = [(0, inversify_1.injectable)()];
ElectronTokenValidator = __decorate(classDecorators, ElectronTokenValidator);
exports.ElectronTokenValidator = ElectronTokenValidator;
93//# sourceMappingURL=electron-token-validator.js.map