const { generateKeyPair, createPublicKey, createPrivateKey } = require('crypto')
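/**
 * Generate a fresh RSA key pair and return it as PEM strings
 * (SPKI for the public key, PKCS#8 for the private key).
 *
 * @param {string|null} [pass=null] - passphrase for the private key. When a
 *   passphrase is given the PKCS#8 blob is encrypted with aes-256-cbc; when
 *   it is null the private key is written unencrypted.
 * @param {object} [opts]
 * @param {number} [opts.modulusLength=4096] - RSA modulus size in bits.
 * @returns {Promise<{pub: string, priv: string}>} PEM-encoded key pair.
 * @throws rejects with whatever error crypto.generateKeyPair reports.
 */
exports.generateRsaKeys = async (pass = null, { modulusLength = 4096 } = {}) => {
  // NOTE(review): the copy of this function under review is missing the
  // line(s) between `cipher` and the callback; a `passphrase: pass` entry is
  // assumed to have been there. Node requires a passphrase whenever `cipher`
  // is set, so the default `pass = null` (which is how loadKeys() calls this)
  // would reject instead of producing a key — hence the explicit branch.
  const privateKeyEncoding = { type: 'pkcs8', format: 'pem' }
  if (pass != null) {
    privateKeyEncoding.cipher = 'aes-256-cbc'
    privateKeyEncoding.passphrase = pass
  }
  return new Promise((resolve, reject) => {
    generateKeyPair(
      'rsa',
      {
        modulusLength,
        publicKeyEncoding: { type: 'spki', format: 'pem' },
        privateKeyEncoding,
      },
      (err, pub, priv) => {
        if (err) {
          reject(err)
          return
        }
        // PEM output is already a string; String() keeps the result stable
        // should the encoding ever be switched to a Buffer-producing format.
        resolve({ pub: String(pub), priv: String(priv) })
      },
    )
  })
}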
// Module-local alias so loadKeys() can call the generator without going
// through `exports` at every call site.
const { generateRsaKeys } = exports
/**
 * Read the currently configured signing key pair.
 *
 * Returns whatever loadKeys() patched into config — KeyObjects after a
 * successful load — so the `priv` member is the live signing key and must
 * never be handed to anything that serialises or publishes it.
 *
 * @returns {{pub: *, priv: *}} the configured public and private keys.
 */
exports.getKeys = () => {
  const { config } = require('bootstrap')
  const pub = config('app.security.public_key')
  const priv = config('app.security.private_key')
  return { pub, priv }
}
/**
 * Build a JWKS document describing the token-signing key, for publication at
 * a JWKS endpoint so verifiers can look the public key up by `kid`.
 *
 * @param {string} [type='pub'] - which member of getKeys() to describe. The
 *   visible code never reads it (see the note below).
 * @returns {Promise<{keys: object[]}>} a JWKS holding one RS256 `sig` key.
 */
exports.getJWKS = async (type = 'pub') => {
  const { config } = require('bootstrap')
  const keys = exports.getKeys()
  // Same prefix + key id as the `kid` written into the JWT protected header by
  // the signing path, so a verifier can match a token header to this entry.
  const kid = config('app.security.key_id')
  // NOTE(review): `jwk` is not defined anywhere in this excerpt — the line that
  // derives it (presumably from `keys[type]`) appears to be missing, and `keys`
  // and `type` are otherwise unused here. Whatever produces it must contain
  // only PUBLIC key material: an entry built from `keys.priv` would publish the
  // signing key to every client that fetches the JWKS, so `type` should not be
  // caller-controlled.
  return {
    keys: [
      {
        kid: `${ exports.jwtOptions.keyid_prefix }${ kid }`,
        use: 'sig',
        ...jwk,
        alg: 'RS256',
      },
    ],
  }
}
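/**
 * Load the signing key pair into config as KeyObjects and return it.
 *
 * Resolution order:
 *   1. keys already present in config (previous call) are returned as-is;
 *   2. with `app.security.use_ephemeral` a fresh pair is generated in-process;
 *   3. otherwise the PEM pair is read from the `*_b64` config entries.
 * The private key passphrase comes from `app.security.private_key_passphrase`,
 * then the RSA_PRIVATE_PASSPHRASE environment variable, then `app.key`.
 *
 * @returns {Promise<{pub: KeyObject, priv: KeyObject}>} the loaded key pair.
 * @throws {TypeError} when neither ephemeral mode nor both base64 keys are
 *   configured; otherwise whatever createPublicKey/createPrivateKey throws
 *   (malformed PEM, wrong passphrase).
 */
exports.loadKeys = async () => {
  const { env, config, patchConfig } = require('bootstrap')
  let pub = config('app.security.public_key')
  let priv = config('app.security.private_key')
  // Already loaded: return both halves. The previous early return carried only
  // `pub`, so any caller after the first one was left without the private key.
  if (pub != null && priv != null) {
    return { pub, priv }
  }
  if (config('app.security.use_ephemeral')) {
    // Per-process key pair: tokens signed with it cannot be verified after a
    // restart or by another instance, so this only suits dev/test setups.
    ;({ pub, priv } = await generateRsaKeys())
  } else {
    const publicB64 = config('app.security.public_key_b64')
    const privateB64 = config('app.security.private_key_b64')
    // Buffer.from(undefined) would throw a bare TypeError; name the missing
    // setting instead so a misconfigured deployment fails with a clear message.
    if (publicB64 == null || privateB64 == null) {
      throw new TypeError(
        'app.security.public_key_b64 and app.security.private_key_b64 must both be set when app.security.use_ephemeral is off',
      )
    }
    pub = Buffer.from(publicB64, 'base64').toString('utf-8')
    priv = Buffer.from(privateB64, 'base64').toString('utf-8')
  }
  pub = createPublicKey({ key: pub })
  // The final fallback reuses `app.key` as the key-encryption passphrase, so
  // the application secret then also protects the signing key. Deployments
  // should set a dedicated passphrase via config or RSA_PRIVATE_PASSPHRASE.
  priv = createPrivateKey({
    key: priv,
    passphrase: config(
      'app.security.private_key_passphrase',
      env('RSA_PRIVATE_PASSPHRASE', config('app.key')),
    ),
  })
  // Cache the parsed KeyObjects so getKeys()/sign/verify never re-parse PEM.
  patchConfig('app.security.public_key', pub)
  patchConfig('app.security.private_key', priv)
  return { pub, priv }
}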
const threadContext = require('core/injection/ThreadContext')
const { config } = require('bootstrap')
return await threadContext.profile('jwt.sign', JSON.stringify(payload), () =>
.setProtectedHeader({ alg: 'RS256', kid: exports.jwtOptions.keyid_prefix + config('app.security.key_id') })
const threadContext = require('core/injection/ThreadContext')
const { getKeys, jwtOptions } = exports
const { pub } = getKeys()
return await threadContext.profile('jwt.verify', undefined, async () => {
const { payload } = await jose.jwtVerify(token, pub, jwtOptions)
/**
 * Pick the application claims object out of a verified JWT payload.
 *
 * The claims live under the namespaced key configured in
 * `exports.jwtOptions.claims`, read at call time so the option can be
 * adjusted after this module is loaded.
 *
 * @param {object} tokenPayload - decoded JWT payload.
 * @returns {*} the value stored under the claims key (undefined if absent).
 */
exports.getClaims = tokenPayload => {
  const { claims: claimsKey } = exports.jwtOptions
  return tokenPayload[claimsKey]
}
exports.jwtOptions = {
issuer: 'urn:jetsam:systems:auth',
claims: 'urn:jetsam:resources:claims',