fix: added verification check if data token is not changed
demeyerthom committed Jan 16, 2025
1 parent de2a9c7 commit c76ecca
Showing 3 changed files with 41 additions and 10 deletions.
29 changes: 28 additions & 1 deletion packages/apollo/src/gateway.ts
Expand Up @@ -55,7 +55,7 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>

if (accessToken) {
try {
await token.loadAccessJWT(this.signer, accessToken, dataToken);
await token.loadAccessJWT(this.signer, accessToken);
} catch (e: unknown) {
this.tokenSource.deleteAccessToken(contextValue.req, contextValue.res);

Expand Down Expand Up @@ -88,6 +88,33 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>
this.tokenSource.deleteRefreshToken(contextValue.req, contextValue.res);
}
}

if (dataToken) {
try {
await token.loadDataJWT(this.signer, dataToken);
} catch (e: unknown) {
this.tokenSource.deleteDataToken(contextValue.req, contextValue.res);
if (e instanceof TokenExpiredError) {
throw new GraphQLError("Your token has expired.", {
extensions: {
code: "UNAUTHENTICATED",
http: {
statusCode: 401,
},
},
});
} else {
throw new GraphQLError("Your token is invalid.", {
extensions: {
code: "INVALID_TOKEN",
http: {
statusCode: 400,
},
},
});
}
}
}
return this;
}

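Review bot: The final `else` in the new data-token catch maps every error that is not a `TokenExpiredError` — including whatever `signer.verifyJWT` throws on an infrastructure failure such as an unavailable verification key, not only a bad signature — to a 400 "Your token is invalid" and also deletes the client's data token via `deleteDataToken`. Since `loadDataJWT` now throws a dedicated `TokenInvalidError`, narrow the branch to `} else if (e instanceof TokenInvalidError) {` and finish with `} else { throw e; }` so unexpected failures surface as server errors instead of quietly discarding the user's token. Separately, the verified data token's `values` are applied with no visible check that the data JWT belongs to the same session as the access token loaded above; if the signer does not bind the two (for example through a shared subject or session-id claim), a valid data token from a different session could be combined with this access token — worth confirming against the signer. The enclosing request handler begins before this hunk.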
6 changes: 3 additions & 3 deletions packages/core/src/jwt.test.ts
Expand Up @@ -41,7 +41,7 @@ describe("PublicFederatedToken", async () => {
const dataToken = await token.createDataJWT(signer);

const newToken = new PublicFederatedToken();
await newToken.loadAccessJWT(signer, accessToken, dataToken);
await newToken.loadAccessJWT(signer, accessToken);
expect(newToken.tokens).toStrictEqual(token.tokens);
expect(newToken.refreshTokens).toStrictEqual(token.refreshTokens);
expect(newToken.values).toStrictEqual(token.values);

Check failure on line 47 in packages/core/src/jwt.test.ts


GitHub Actions / Build, and test on Node 18.x and ubuntu-latest

packages/core/src/jwt.test.ts > PublicFederatedToken > createAccessJWT

AssertionError: expected {} to strictly equal { value1: 'exampleValue1', …(1) } - Expected + Received - Object { - "value1": "exampleValue1", - "value2": "exampleValue2", - } + Object {} ❯ packages/core/src/jwt.test.ts:47:27

Check failure on line 47 in packages/core/src/jwt.test.ts


GitHub Actions / Build, and test on Node 22.x and ubuntu-latest

packages/core/src/jwt.test.ts > PublicFederatedToken > createAccessJWT

AssertionError: expected {} to strictly equal { value1: 'exampleValue1', …(1) } - Expected + Received - Object { - "value1": "exampleValue1", - "value2": "exampleValue2", - } + Object {} ❯ packages/core/src/jwt.test.ts:47:27
Expand Down Expand Up @@ -71,7 +71,7 @@ describe("PublicFederatedToken", async () => {
const dataToken = await token.createDataJWT(signer);

const newToken = new PublicFederatedToken();
await newToken.loadAccessJWT(signer, accessToken, dataToken);
await newToken.loadAccessJWT(signer, accessToken);
expect(newToken.tokens).toStrictEqual(token.tokens);
expect(newToken.refreshTokens).toStrictEqual(token.refreshTokens);
expect(newToken.values).toStrictEqual(token.values);

Check failure on line 77 in packages/core/src/jwt.test.ts


GitHub Actions / Build, and test on Node 18.x and ubuntu-latest

packages/core/src/jwt.test.ts > PublicFederatedToken > createAccessJWT with TokenSigner create hook

AssertionError: expected {} to strictly equal { value1: 'exampleValue1', …(1) } - Expected + Received - Object { - "value1": "exampleValue1", - "value2": "exampleValue2", - } + Object {} ❯ packages/core/src/jwt.test.ts:77:27

Check failure on line 77 in packages/core/src/jwt.test.ts


GitHub Actions / Build, and test on Node 22.x and ubuntu-latest

packages/core/src/jwt.test.ts > PublicFederatedToken > createAccessJWT with TokenSigner create hook

AssertionError: expected {} to strictly equal { value1: 'exampleValue1', …(1) } - Expected + Received - Object { - "value1": "exampleValue1", - "value2": "exampleValue2", - } + Object {} ❯ packages/core/src/jwt.test.ts:77:27
Expand Down Expand Up @@ -101,7 +101,7 @@ describe("PublicFederatedToken", async () => {
);

const token = new PublicFederatedToken();
await token.loadAccessJWT(signer, tokenJWT, dataJWT);
await token.loadAccessJWT(signer, tokenJWT);
expect(token.tokens).toStrictEqual({
exampleName: {
token: "exampleToken",
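Review bot: The tests still assert `newToken.values` equals `token.values` (test-file lines 47 and 77 per the CI annotations) but now only call `loadAccessJWT`, which no longer populates `values`; the attached failures (`expected {} to strictly equal { value1: ... }`) on Node 18 and 22 confirm the commit breaks the suite. Add `await newToken.loadDataJWT(signer, dataToken);` after each `loadAccessJWT` call, and `await token.loadDataJWT(signer, dataJWT);` in the third test, where `dataJWT` is now created but never used. The commit's stated purpose — detecting a modified data token — also has no test; a case that alters one character of `dataToken` and asserts that `loadDataJWT` rejects (with `TokenInvalidError`, or whatever `verifyJWT` throws on a bad signature) would pin the new check.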
16 changes: 10 additions & 6 deletions packages/core/src/jwt.ts
Expand Up @@ -43,7 +43,16 @@ export class PublicFederatedToken extends FederatedToken {
return await signer.encryptJWT(data, exp);
}

async loadAccessJWT(signer: TokenSigner, value: string, data?: string) {
async loadDataJWT(signer: TokenSigner, value: string) {
const result = await signer.verifyJWT(value);
if (!result) {
throw new TokenInvalidError("Invalid JWT");
}

this.values = result.payload.values as Record<string, any>;
}

async loadAccessJWT(signer: TokenSigner, value: string) {
const result = await signer.decryptJWT(value);
if (!result) {
throw new Error("Invalid JWT");
Expand All @@ -67,11 +76,6 @@ export class PublicFederatedToken extends FederatedToken {
} else {
this.setIsAnonymous();
}

if (data) {
const result = await signer.verifyJWT(data);
this.values = result.payload.values as Record<string, any>;
}
}

// createRefreshJWT encrypts the refresh token and return a JWT. The token is
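Review bot: `loadDataJWT` has no header comment, unlike `createRefreshJWT` further down in this file; suggest `// loadDataJWT verifies the data JWT with the signer and loads its values into this token. Throws TokenInvalidError when the signer returns no result.`. The new method throws `TokenInvalidError("Invalid JWT")` while `loadAccessJWT`, a few lines below in the same hunk, still throws a bare `Error("Invalid JWT")` for the same condition, so callers that branch on `instanceof TokenInvalidError` treat the two paths differently; change that line to `throw new TokenInvalidError("Invalid JWT");`. `result.payload.values as Record<string, any>` is also an unchecked cast carried over from the removed code: a verified token whose payload has no `values` leaves `this.values` undefined rather than failing, so consider `if (typeof result.payload.values !== "object" || result.payload.values === null) throw new TokenInvalidError("Invalid JWT payload");` before the assignment.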

0 comments on commit c76ecca
