1 | var timespan = require('./lib/timespan');
|
2 | var PS_SUPPORTED = require('./lib/psSupported');
|
3 | var jws = require('jws');
|
4 | var includes = require('lodash.includes');
|
5 | var isBoolean = require('lodash.isboolean');
|
6 | var isInteger = require('lodash.isinteger');
|
7 | var isNumber = require('lodash.isnumber');
|
8 | var isPlainObject = require('lodash.isplainobject');
|
9 | var isString = require('lodash.isstring');
|
10 | var once = require('lodash.once');
|
11 |
|
12 | var SUPPORTED_ALGS = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none']
|
13 | if (PS_SUPPORTED) {
|
14 | SUPPORTED_ALGS.splice(3, 0, 'PS256', 'PS384', 'PS512');
|
15 | }
|
16 |
|
17 | var sign_options_schema = {
|
18 | expiresIn: { isValid: function(value) { return isInteger(value) || (isString(value) && value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' },
|
19 | notBefore: { isValid: function(value) { return isInteger(value) || (isString(value) && value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' },
|
20 | audience: { isValid: function(value) { return isString(value) || Array.isArray(value); }, message: '"audience" must be a string or array' },
|
21 | algorithm: { isValid: includes.bind(null, SUPPORTED_ALGS), message: '"algorithm" must be a valid string enum value' },
|
22 | header: { isValid: isPlainObject, message: '"header" must be an object' },
|
23 | encoding: { isValid: isString, message: '"encoding" must be a string' },
|
24 | issuer: { isValid: isString, message: '"issuer" must be a string' },
|
25 | subject: { isValid: isString, message: '"subject" must be a string' },
|
26 | jwtid: { isValid: isString, message: '"jwtid" must be a string' },
|
27 | noTimestamp: { isValid: isBoolean, message: '"noTimestamp" must be a boolean' },
|
28 | keyid: { isValid: isString, message: '"keyid" must be a string' },
|
29 | mutatePayload: { isValid: isBoolean, message: '"mutatePayload" must be a boolean' }
|
30 | };
|
31 |
|
32 | var registered_claims_schema = {
|
33 | iat: { isValid: isNumber, message: '"iat" should be a number of seconds' },
|
34 | exp: { isValid: isNumber, message: '"exp" should be a number of seconds' },
|
35 | nbf: { isValid: isNumber, message: '"nbf" should be a number of seconds' }
|
36 | };
|
37 |
|
38 | function validate(schema, allowUnknown, object, parameterName) {
|
39 | if (!isPlainObject(object)) {
|
40 | throw new Error('Expected "' + parameterName + '" to be a plain object.');
|
41 | }
|
42 | Object.keys(object)
|
43 | .forEach(function(key) {
|
44 | var validator = schema[key];
|
45 | if (!validator) {
|
46 | if (!allowUnknown) {
|
47 | throw new Error('"' + key + '" is not allowed in "' + parameterName + '"');
|
48 | }
|
49 | return;
|
50 | }
|
51 | if (!validator.isValid(object[key])) {
|
52 | throw new Error(validator.message);
|
53 | }
|
54 | });
|
55 | }
|
56 |
|
57 | function validateOptions(options) {
|
58 | return validate(sign_options_schema, false, options, 'options');
|
59 | }
|
60 |
|
61 | function validatePayload(payload) {
|
62 | return validate(registered_claims_schema, true, payload, 'payload');
|
63 | }
|
64 |
|
65 | var options_to_payload = {
|
66 | 'audience': 'aud',
|
67 | 'issuer': 'iss',
|
68 | 'subject': 'sub',
|
69 | 'jwtid': 'jti'
|
70 | };
|
71 |
|
72 | var options_for_objects = [
|
73 | 'expiresIn',
|
74 | 'notBefore',
|
75 | 'noTimestamp',
|
76 | 'audience',
|
77 | 'issuer',
|
78 | 'subject',
|
79 | 'jwtid',
|
80 | ];
|
81 |
|
82 | module.exports = function (payload, secretOrPrivateKey, options, callback) {
|
83 | if (typeof options === 'function') {
|
84 | callback = options;
|
85 | options = {};
|
86 | } else {
|
87 | options = options || {};
|
88 | }
|
89 |
|
90 | var isObjectPayload = typeof payload === 'object' &&
|
91 | !Buffer.isBuffer(payload);
|
92 |
|
93 | var header = Object.assign({
|
94 | alg: options.algorithm || 'HS256',
|
95 | typ: isObjectPayload ? 'JWT' : undefined,
|
96 | kid: options.keyid
|
97 | }, options.header);
|
98 |
|
99 | function failure(err) {
|
100 | if (callback) {
|
101 | return callback(err);
|
102 | }
|
103 | throw err;
|
104 | }
|
105 |
|
106 | if (!secretOrPrivateKey && options.algorithm !== 'none') {
|
107 | return failure(new Error('secretOrPrivateKey must have a value'));
|
108 | }
|
109 |
|
110 | if (typeof payload === 'undefined') {
|
111 | return failure(new Error('payload is required'));
|
112 | } else if (isObjectPayload) {
|
113 | try {
|
114 | validatePayload(payload);
|
115 | }
|
116 | catch (error) {
|
117 | return failure(error);
|
118 | }
|
119 | if (!options.mutatePayload) {
|
120 | payload = Object.assign({},payload);
|
121 | }
|
122 | } else {
|
123 | var invalid_options = options_for_objects.filter(function (opt) {
|
124 | return typeof options[opt] !== 'undefined';
|
125 | });
|
126 |
|
127 | if (invalid_options.length > 0) {
|
128 | return failure(new Error('invalid ' + invalid_options.join(',') + ' option for ' + (typeof payload ) + ' payload'));
|
129 | }
|
130 | }
|
131 |
|
132 | if (typeof payload.exp !== 'undefined' && typeof options.expiresIn !== 'undefined') {
|
133 | return failure(new Error('Bad "options.expiresIn" option the payload already has an "exp" property.'));
|
134 | }
|
135 |
|
136 | if (typeof payload.nbf !== 'undefined' && typeof options.notBefore !== 'undefined') {
|
137 | return failure(new Error('Bad "options.notBefore" option the payload already has an "nbf" property.'));
|
138 | }
|
139 |
|
140 | try {
|
141 | validateOptions(options);
|
142 | }
|
143 | catch (error) {
|
144 | return failure(error);
|
145 | }
|
146 |
|
147 | var timestamp = payload.iat || Math.floor(Date.now() / 1000);
|
148 |
|
149 | if (options.noTimestamp) {
|
150 | delete payload.iat;
|
151 | } else if (isObjectPayload) {
|
152 | payload.iat = timestamp;
|
153 | }
|
154 |
|
155 | if (typeof options.notBefore !== 'undefined') {
|
156 | try {
|
157 | payload.nbf = timespan(options.notBefore, timestamp);
|
158 | }
|
159 | catch (err) {
|
160 | return failure(err);
|
161 | }
|
162 | if (typeof payload.nbf === 'undefined') {
|
163 | return failure(new Error('"notBefore" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));
|
164 | }
|
165 | }
|
166 |
|
167 | if (typeof options.expiresIn !== 'undefined' && typeof payload === 'object') {
|
168 | try {
|
169 | payload.exp = timespan(options.expiresIn, timestamp);
|
170 | }
|
171 | catch (err) {
|
172 | return failure(err);
|
173 | }
|
174 | if (typeof payload.exp === 'undefined') {
|
175 | return failure(new Error('"expiresIn" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));
|
176 | }
|
177 | }
|
178 |
|
179 | Object.keys(options_to_payload).forEach(function (key) {
|
180 | var claim = options_to_payload[key];
|
181 | if (typeof options[key] !== 'undefined') {
|
182 | if (typeof payload[claim] !== 'undefined') {
|
183 | return failure(new Error('Bad "options.' + key + '" option. The payload already has an "' + claim + '" property.'));
|
184 | }
|
185 | payload[claim] = options[key];
|
186 | }
|
187 | });
|
188 |
|
189 | var encoding = options.encoding || 'utf8';
|
190 |
|
191 | if (typeof callback === 'function') {
|
192 | callback = callback && once(callback);
|
193 |
|
194 | jws.createSign({
|
195 | header: header,
|
196 | privateKey: secretOrPrivateKey,
|
197 | payload: payload,
|
198 | encoding: encoding
|
199 | }).once('error', callback)
|
200 | .once('done', function (signature) {
|
201 | callback(null, signature);
|
202 | });
|
203 | } else {
|
204 | return jws.sign({header: header, payload: payload, secret: secretOrPrivateKey, encoding: encoding});
|
205 | }
|
206 | };
|