From dc67bee735d23730f75d9529e02f505392b1c30c Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Fri, 29 Jun 2018 11:02:13 +0000
Subject: [PATCH] passthru authn and await authz, better logging

---
 lib/extensions/index.js | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/lib/extensions/index.js b/lib/extensions/index.js
index 47d7085..5ee664d 100644
--- a/lib/extensions/index.js
+++ b/lib/extensions/index.js
@@ -226,8 +226,6 @@ module.exports.pairPin = function (opts) {
 // From a WS connection
 module.exports.authenticate = function (opts) {
 var jwt = require('jsonwebtoken');
- var jwtoken = opts.auth;
- var authReq = opts.auth;
 var state = opts.state;
 var auth;
 var decoded;
@@ -267,41 +265,44 @@ module.exports.authenticate = function (opts) {
 return auth.promise;
 }
- if ('object' === typeof authReq && /^.+@.+\..+$/.test(authReq.subject)) {
- console.log("[ext token] Looks Like Auth Object");
+ // Promise Authz on Auth Creds
+ // TODO: remove
+ if ('object' === typeof opts.auth && /^.+@.+\..+$/.test(opts.auth.subject)) {
+ console.log("[wss.ext.authenticate] [1] Request Pair for Credentials");
 return module.exports.pairRequest(opts).then(function (authnData) {
- console.log("[ext token] Promises Like Auth Object");
+ console.log("[wss.ext.authenticate] [2] Promise Authz on Pair Complete");
 var auth = Auths.get(authnData.id);
 return getPromise(auth);
+ //getPromise(auth);
+ //return state.defaults.authenticate(authnData.jwt);
 });
 }
- console.log("[ext token] Trying Token Parse");
 try {
- decoded = jwt.decode(jwtoken, { complete: true });
+ decoded = jwt.decode(opts.auth, { complete: true });
 auth = Auths.get(decoded.payload.id);
 } catch(e) {
- console.log("[ext token] Token Did Not Parse");
+ console.log("[wss.ext.authenticate] [Error] could not parse token");
 decoded = null;
 }
- console.log("[ext token] decoded auth token:");
+ console.log("[wss.ext.authenticate] incoming token decoded:");
 console.log(decoded);
 if (!auth) {
- console.log("[ext token] did not find auth object");
+ console.log("[wss.ext.authenticate] missing auth object (incoming token stale?)");
 }
 // TODO technically this could leak the token through a timing attack
 // but it would require already knowing the semi-secret id and having
 // completed the pair code
- if (auth && (auth.authn === jwtoken || auth.authz === jwtoken)) {
+ if (auth && (auth.authn === opts.auth || auth.authz === opts.auth)) {
 if (!auth.authz) {
- console.log("[ext token] Promise Authz");
- return getPromise(auth);
+ console.log("[wss.ext.authenticate] Create authz promise and passthru");
+ getPromise(auth);
+ return state.defaults.authenticate(opts.auth);
 }
- console.log("[ext token] Use Available Authz");
 // If they used authn but now authz is available, use authz
 // (i.e. connects, but no domains or ports)
 opts.auth = auth.authz;
@@ -310,7 +311,7 @@ module.exports.authenticate = function (opts) {
 auth._claimed = true;
 }
- console.log("[ext token] Continue With Auth Token");
+ console.log("[wss.ext.authenticate] Using authz");
 return state.defaults.authenticate(opts.auth);
 };
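Review bot: In the `!auth.authz` branch the promise that `getPromise(auth)` appears to create (it is returned as a promise elsewhere in this hunk and inside the pairRequest `.then`) is now dropped rather than returned, so a rejection of the pending authz flow has no handler and the caller is answered with the authn token before authorization has completed. If the passthru is the intent, keep a handler on the dropped promise, `getPromise(auth).catch(function (err) { console.log("[wss.ext.authenticate] [Error] authz promise rejected", err); });`, and add a comment next to it stating that the connection admitted here carries authn only, so any grant that depends on authz (the context comment mentions domains and ports) must be re-checked against `auth.authz` later. The `// TODO: remove` line and the two commented-out lines added inside the pairRequest `.then` are dead text on the new side; either delete them or make the TODO say which branch is to be removed. The enclosing function continues past this hunk.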