link-stack/apps/metamigo-api/app/plugins/cloudflare-jwt.ts

import * as Boom from "@hapi/boom";
import * as Hoek from "@hapi/hoek";
import * as Hapi from "@hapi/hapi";
import { promisify } from "util";
import jwt from "jsonwebtoken";
import jwksClient, { hapiJwt2KeyAsync } from "jwks-rsa";
import type { IAppConfig } from "../../config";

const CF_JWT_HEADER_NAME = "cf-access-jwt-assertion";
const CF_JWT_ALGOS = ["RS256"];

const verifyToken = (settings: any) => {
  const { audience, issuer } = settings;
  const client = jwksClient({
    jwksUri: `${issuer}/cdn-cgi/access/certs`,
  });

  return async (token: any) => {
    const getKey = (header: any, callback: any) => {
      client.getSigningKey(header.kid, (err, key) => {
        if (err)
          throw Boom.serverUnavailable(
            "failed to fetch cloudflare access jwks"
          );
        callback(undefined, key?.getPublicKey());
      });
    };

    const opts = {
      algorithms: CF_JWT_ALGOS,
      audience,
      issuer,
    };
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
    return (promisify(jwt.verify) as any)(token, getKey, opts);
  };
};

const handleCfJwt = (verify: any) => async (
  request: Hapi.Request,
  h: Hapi.ResponseToolkit
) => {
  const token = request.headers[CF_JWT_HEADER_NAME];
  if (token) {
    try {
      await verify(token);
    } catch (error) {
      console.error(error);
      return Boom.unauthorized("invalid cloudflare access token");
    }
  }

  return h.continue;
};

const defaultOpts = {
  issuer: undefined,
  audience: undefined,
  strategyName: "clouflareaccess",
  validate: undefined,
};

const cfJwtRegister = async (server: Hapi.Server, options: any): Promise<void> => {
  server.dependency(["hapi-auth-jwt2"]);
  const settings = Hoek.applyToDefaults(defaultOpts, options);
  const verify = verifyToken(settings);

  const { validate, strategyName, audience, issuer } = settings;
  server.ext("onPreAuth", handleCfJwt(verify));

  server.auth.strategy(strategyName!, "jwt", {
    key: hapiJwt2KeyAsync({
      jwksUri: `${issuer}/cdn-cgi/access/certs`,
    }),
    cookieKey: false,
    urlKey: false,
    headerKey: CF_JWT_HEADER_NAME,
    validate,
    verifyOptions: {
      audience,
      issuer,
      algorithms: ["RS256"],
    },
  });
};

export const registerCloudflareAccessJwt = async (
  server: Hapi.Server,
  config: IAppConfig
): Promise<void> => {
  const { audience, domain } = config.cfaccess;
  // only enable this plugin if cloudflare access config is configured
  if (audience && domain) {
    server.log(["auth"], "cloudflare access authorization enabled");
    await server.register({
      plugin: {
        name: "cloudflare-jwt",
        version: "0.0.1",
        register: cfJwtRegister,
      },
      options: {
        issuer: `https://${domain}`,
        audience,
        validate: (decoded: any, _request: any) => {
          const { email, name } = decoded;
          return {
            isValid: true,
            credentials: { user: { email, name } },
          };
        },
      },
    });
  }
};
Add all repos 2023-02-13 12:41:30 +00:00			`import * as Boom from "@hapi/boom";`
			`import * as Hoek from "@hapi/hoek";`
			`import * as Hapi from "@hapi/hapi";`
			`import { promisify } from "util";`
			`import jwt from "jsonwebtoken";`
			`import jwksClient, { hapiJwt2KeyAsync } from "jwks-rsa";`
			`import type { IAppConfig } from "../../config";`

			`const CF_JWT_HEADER_NAME = "cf-access-jwt-assertion";`
			`const CF_JWT_ALGOS = ["RS256"];`

			`const verifyToken = (settings: any) => {`
			`const { audience, issuer } = settings;`
			`const client = jwksClient({`
			jwksUri: `${issuer}/cdn-cgi/access/certs`,
			`});`

			`return async (token: any) => {`
			`const getKey = (header: any, callback: any) => {`
			`client.getSigningKey(header.kid, (err, key) => {`
			`if (err)`
			`throw Boom.serverUnavailable(`
			`"failed to fetch cloudflare access jwks"`
			`);`
			`callback(undefined, key?.getPublicKey());`
			`});`
			`};`

			`const opts = {`
			`algorithms: CF_JWT_ALGOS,`
			`audience,`
			`issuer,`
			`};`
			`// eslint-disable-next-line @typescript-eslint/no-explicit-any`
			`return (promisify(jwt.verify) as any)(token, getKey, opts);`
			`};`
			`};`

			`const handleCfJwt = (verify: any) => async (`
			`request: Hapi.Request,`
			`h: Hapi.ResponseToolkit`
			`) => {`
			`const token = request.headers[CF_JWT_HEADER_NAME];`
			`if (token) {`
			`try {`
			`await verify(token);`
			`} catch (error) {`
			`console.error(error);`
			`return Boom.unauthorized("invalid cloudflare access token");`
			`}`
			`}`

			`return h.continue;`
			`};`

			`const defaultOpts = {`
			`issuer: undefined,`
			`audience: undefined,`
			`strategyName: "clouflareaccess",`
			`validate: undefined,`
			`};`

			`const cfJwtRegister = async (server: Hapi.Server, options: any): Promise<void> => {`
			`server.dependency(["hapi-auth-jwt2"]);`
			`const settings = Hoek.applyToDefaults(defaultOpts, options);`
			`const verify = verifyToken(settings);`

			`const { validate, strategyName, audience, issuer } = settings;`
			`server.ext("onPreAuth", handleCfJwt(verify));`

			`server.auth.strategy(strategyName!, "jwt", {`
			`key: hapiJwt2KeyAsync({`
			jwksUri: `${issuer}/cdn-cgi/access/certs`,
			`}),`
			`cookieKey: false,`
			`urlKey: false,`
			`headerKey: CF_JWT_HEADER_NAME,`
			`validate,`
			`verifyOptions: {`
			`audience,`
			`issuer,`
			`algorithms: ["RS256"],`
			`},`
			`});`
			`};`

			`export const registerCloudflareAccessJwt = async (`
			`server: Hapi.Server,`
			`config: IAppConfig`
			`): Promise<void> => {`
			`const { audience, domain } = config.cfaccess;`
			`// only enable this plugin if cloudflare access config is configured`
			`if (audience && domain) {`
			`server.log(["auth"], "cloudflare access authorization enabled");`
			`await server.register({`
			`plugin: {`
			`name: "cloudflare-jwt",`
			`version: "0.0.1",`
			`register: cfJwtRegister,`
			`},`
			`options: {`
			issuer: `https://${domain}`,
			`audience,`
			`validate: (decoded: any, _request: any) => {`
			`const { email, name } = decoded;`
			`return {`
			`isValid: true,`
			`credentials: { user: { email, name } },`
			`};`
			`},`
			`},`
			`});`
			`}`
			`};`