Merge pull request #1772 from navikt/validate_expiry

401 for expired tokens i tokenx middleware
navikt · Jan 17, 2024 · 9154265 · 9154265
2 parents 01eddbc + 0d4318a
commit 9154265
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 45 deletions.
diff --git a/server/package-lock.json b/server/package-lock.json
diff --git a/server/package.json b/server/package.json
@@ -12,6 +12,7 @@
         "express-http-proxy": "1.6.3",
         "http-proxy-middleware": "3.0.0-beta.1",
         "http-terminator": "3.2.0",
+        "jose": "5.2.0",
         "jsdom": "^16.4.0",
         "mustache": "^4.2.0",
         "openid-client": "5.5.0",

diff --git a/server/tokenx.js b/server/tokenx.js
@@ -1,12 +1,9 @@
-import {Issuer, errors} from 'openid-client';
+import { Issuer, errors } from 'openid-client';
+import { decodeJwt } from 'jose';
 
-const {
-    TOKEN_X_WELL_KNOWN_URL,
-    TOKEN_X_CLIENT_ID,
-    TOKEN_X_PRIVATE_JWK
-} = process.env;
+const { TOKEN_X_WELL_KNOWN_URL, TOKEN_X_CLIENT_ID, TOKEN_X_PRIVATE_JWK } = process.env;
 
-const exchangeToken = async (tokenxClient, {subject_token, audience}) => {
+const exchangeToken = async (tokenxClient, { subject_token, audience }) => {
     return await tokenxClient.grant(
         {
             grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
@@ -32,45 +29,49 @@ const createTokenXClient = async () => {
             client_id: TOKEN_X_CLIENT_ID,
             token_endpoint_auth_method: 'private_key_jwt',
         },
-        {keys: [JSON.parse(TOKEN_X_PRIVATE_JWK)]}
+        { keys: [JSON.parse(TOKEN_X_PRIVATE_JWK)] }
     );
 };
 
 /**
  * onProxyReq does not support async, so using middleware for tokenx instead
  * ref: https://github.com/chimurai/http-proxy-middleware/issues/318
  */
-export const tokenXMiddleware = (
-    {
-        audience,
-        tokenXClientPromise = audience ? createTokenXClient() : null,
-        log
-    }
-) => async (req, res, next) => {
-    try {
-        if (!audience) {
-            next();
-            return;
-        }
+export const tokenXMiddleware =
+    ({ audience, tokenXClientPromise = audience ? createTokenXClient() : null, log }) =>
+    async (req, res, next) => {
+        try {
+            if (!audience) {
+                next();
+                return;
+            }
+
+            const subject_token = (req.headers.authorization || '').replace('Bearer', '').trim();
+            if (subject_token === '') {
+                log.info('no authorization header found, skipping tokenx.');
+                next();
+                return;
+            }
+
+            const { exp } = decodeJwt(subject_token);
+            if (!exp || exp * 1000 <= Date.now()) {
+                log.info('unauthorized request. subject_token is expired.');
+                res.status(401).send();
+                return;
+            }
 
-        const subject_token = (req.headers.authorization || '').replace('Bearer', '').trim();
-        if (subject_token === '') {
-            log.info("no authorization header found, skipping tokenx.")
+            const { access_token } = await exchangeToken(await tokenXClientPromise, {
+                subject_token,
+                audience,
+            });
+            req.headers.authorization = `Bearer ${access_token}`;
             next();
-            return;
+        } catch (err) {
+            if (err instanceof errors.OPError) {
+                log.info(`token exchange feilet ${err.message}`, err);
+                res.status(401).send();
+            } else {
+                next(err);
+            }
         }
-        const {access_token} = await exchangeToken(await tokenXClientPromise, {
-            subject_token,
-            audience
-        });
-        req.headers.authorization = `Bearer ${access_token}`;
-        next();
-    } catch (err) {
-        if (err instanceof errors.OPError) {
-            log.info(`token exchange feilet ${err.message}`, err);
-            res.status(401).send();
-        } else {
-            next(err);
-        }
-    }
-};
+    };