userAuth.js
'use strict'
const express = require('express')
const jwt = require('jsonwebtoken')
const fetch = require('node-fetch')
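// Cache of IAP signing keys, indexed by key id (`kid`). The `kid` comes from the
// header of a token that has not been verified yet, so the cache has no prototype:
// a name such as "constructor" or "__proto__" must never resolve to an inherited
// Object.prototype member and be handed to the verifier as if it were a key.
const keys = Object.create(null);

/**
 * Resolve the public key published for a given key id.
 *
 * The cache is consulted first. On a miss the full key set is downloaded from
 * the IAP public key endpoint, merged into the cache, and looked up again; this
 * also picks up keys added by rotation.
 *
 * NOTE(review): every miss triggers an outbound fetch, so requests carrying
 * random key ids each cost one download. Consider throttling refreshes.
 *
 * @param {string} kid - key id taken from the (unverified) JWT header.
 * @returns {Promise<string>} the key material stored under `kid`.
 * @throws the returned promise rejects when the download fails, the endpoint
 *   answers with a non-2xx status, or no string key exists for `kid`. The
 *   original resolved to `undefined` in the last case, which let a missing key
 *   reach `jwt.verify`.
 */
function getPublicKey(kid) {
  // Own-property lookup that only ever yields a non-empty string.
  const lookup = () => {
    if (!Object.prototype.hasOwnProperty.call(keys, kid)) {
      return undefined;
    }
    const candidate = keys[kid];
    return typeof candidate === 'string' && candidate !== '' ? candidate : undefined;
  };

  return Promise.resolve().then(() => {
    const cached = lookup();
    if (cached !== undefined) {
      return cached;
    }
    return fetch('https://www.gstatic.com/iap/verify/public_key')
      .then((response) => {
        // An error page must not be parsed and merged into the key cache.
        if (!response.ok) {
          throw new Error(`IAP public key download failed (HTTP ${response.status})`);
        }
        return response.json();
      })
      .then((newKeys) => {
        Object.assign(keys, newKeys);
        const fetched = lookup();
        if (fetched === undefined) {
          // Fail closed; the key id is not echoed because callers may relay this message.
          throw new Error('no IAP public key for the requested key id');
        }
        return fetched;
      });
  });
}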
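const router = express.Router();

/**
 * Authentication middleware for requests that arrive through Google Cloud IAP.
 *
 * Flow:
 *  1. Requests from loopback or a 10.x peer that carry no `x-forwarded-for`
 *     header skip verification entirely (trusted-network bypass).
 *  2. Otherwise the `x-goog-iap-jwt-assertion` token is verified against the
 *     key named by its `kid`, and the verified `email` and `sub` claims are
 *     stored on `request.headers.auth`.
 *  3. Any verification failure ends the request with HTTP 403.
 */
router.use((request, response, next) => {
  // Trusted-network bypass. Matches the IPv6 loopback (::1), the IPv4-mapped
  // loopback (::ffff:127.0.0.1) and any IPv4-mapped 10.x.x.x peer.
  // NOTE(review): any host that can reach this port directly from 10.0.0.0/8 is
  // accepted without a token. The missing `x-forwarded-for` header is presumably
  // the signal that no proxy was involved; confirm the network layout enforces this.
  const remoteAddress = request.connection && request.connection.remoteAddress;
  const isInternalPeer =
    typeof remoteAddress === 'string' &&
    /^::(1$|ffff:(10\.|127\.0\.0\.1$))/.test(remoteAddress);
  if (isInternalPeer && request.headers['x-forwarded-for'] === undefined) {
    return next();
  }

  const token = request.headers['x-goog-iap-jwt-assertion'];
  // decode() does NOT check the signature; it is only used to find the key id.
  const decoded = jwt.decode(token, { complete: true });
  const kid = decoded && decoded.header && decoded.header.kid;
  if (typeof kid !== 'string' || kid === '') {
    return response.status(403).send(`FORBIDDEN`);
  }

  return getPublicKey(kid)
    .then((key) => {
      // Never call verify() without key material: some jsonwebtoken releases
      // treat "no key + unsigned token" as algorithm "none" and accept the token.
      if (typeof key !== 'string' || key === '') {
        throw new Error('unknown signing key');
      }
      // Pin the algorithm and issuer that IAP documents for this header so the
      // token header cannot select the verification algorithm.
      // TODO(security): also pass `audience: <EXPECTED_IAP_AUDIENCE>`. The key
      // endpoint is not specific to this deployment, so without an audience
      // check a token issued for another IAP-protected resource would verify here.
      return jwt.verify(token, key, {
        algorithms: ['ES256'],
        issuer: 'https://cloud.google.com/iap',
      });
    })
    .then(
      ({ email, sub }) => {
        // `request.headers.auth` may hold a client-supplied `auth` header (a
        // string). Replace anything that is not an object so verified claims
        // are never mixed with, or blocked by, caller-controlled data.
        const existing = request.headers.auth;
        const auth = existing !== null && typeof existing === 'object' ? existing : {};
        auth.requestedEmail = email;
        auth.verifiedEmail = email;
        auth.verifiedSub = sub;
        request.headers.auth = auth;
        return true;
      },
      (error) => {
        // NOTE(review): the verifier's message is returned to the caller, as
        // before; consider logging it server-side and sending a fixed body.
        response.status(403).send(`FORBIDDEN (BADCOM). ${error.message}`);
        return false;
      }
    )
    .then((verified) => {
      // next() runs outside the verification handlers so that an error thrown
      // by a downstream handler is not reported as an authentication failure.
      if (verified) {
        next();
      }
    })
    .catch(next);
});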
/**
 * Copy the identity recorded on `req.headers.auth` onto `req.userInfo` as
 * `{ email, userId }`.
 *
 * Both fields are `undefined` when `req.headers.auth` is absent or lacks the
 * verified fields, so handlers that require a signed-in user must check for
 * that themselves.
 */
router.use((req, res, next) => {
  const headers = req.headers || {};
  const rawAuth = headers.auth;
  // Only a missing `auth` falls back to an empty object.
  const auth = rawAuth === undefined ? {} : rawAuth;
  const { verifiedEmail, verifiedSub } = auth;

  req.userInfo = { email: verifiedEmail, userId: verifiedSub };
  next();
});

module.exports = router;