-
Notifications
You must be signed in to change notification settings - Fork 0
/
app.js
107 lines (92 loc) · 2.43 KB
/
app.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
require('dotenv').config();
const express = require('express');
const { auth } = require('express-openid-connect');
const app = express();
const audience = process.env.ALLOWED_AUDIENCES;
const scopes = `openid profile email ${process.env.SCOPE} offline_access`;
app.set('views', __dirname);
app.set('view engine', 'ejs');
const requiresAuth = (req, res, next) => {
if (req.oidc?.isAuthenticated()) {
next();
} else {
next(new ATError('invalid_session', 'The user is not logged in'));
}
};
app.use(
auth({
authRequired: false,
authorizationParams: {
response_type: 'code',
audience,
scope: scopes,
},
})
);
app.get('/', (req, res, next) => {
res.render('frontend.ejs', {
loggedIn: req.oidc.isAuthenticated(),
});
next();
});
/**
* OAuth TMI BFF bit...
*/
class ATError extends Error {
status = 400;
statusCode = 400;
constructor(error, description) {
super(description || error);
this.error = error;
this.error_description = description;
}
}
app.get('/.well-known/bff-sessioninfo', requiresAuth, (req, res, next) => {
const user = req.oidc.user;
res.json(user);
next();
});
app.get('/.well-known/bff-token', requiresAuth, async (req, res, next) => {
try {
const { resource, scope: expected } = req.query;
let {
access_token,
expires_in,
isExpired,
refresh,
// FIXME: express-openid-connect does not expose the 'scope'
scope = scopes,
} = req.oidc.accessToken;
if (!access_token) {
throw new ATError('backend_not_ready', 'Missing Access Token');
}
if (resource !== undefined && resource !== audience) {
throw new ATError('backend_not_ready', 'Resource mismatch');
}
if (scope !== undefined && expected !== undefined) {
const actual = new Set(scope.split());
if (!expected.every(Set.prototype.has.bind(actual))) {
throw new ATError('backend_not_ready', 'Scope mismatch');
}
}
if (isExpired()) {
if (!req.oidc.refreshToken) {
throw new ATError('backend_not_ready', 'Access Token expired');
}
({ access_token, expires_in } = await refresh());
}
res.json({ access_token, expires_in, scope });
next();
} catch (e) {
next(e);
}
});
/**
* End OAuth TMI BFF bit
*/
app.use((err, req, res, next) => {
res
.status(err.status || 500)
.json({ error: err.error, error_description: err.error_description });
});
module.exports = app;