-
Notifications
You must be signed in to change notification settings - Fork 202
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Proposed refactoring of API Plugin from Scratch with OAuth to separat…
…e middleware from app
- Loading branch information
Showing
3 changed files
with
32 additions
and
13 deletions.
There are no files selected for viewing
33 changes: 23 additions & 10 deletions
33
templates/ts/api-plugin-from-scratch-oauth/src/functions/middleware/authMiddleware.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,43 +1,56 @@ | ||
| import { HttpRequest } from "@azure/functions"; | ||
| import { TokenValidator } from "./tokenValidator"; | ||
| import { TokenValidator, EntraJwtPayload } from "./tokenValidator"; | ||
| import config from "./config"; | ||
| import { getEntraJwksUri, CloudType } from "./utils"; | ||
|
|
||
| // Export symbols app devs will need to use | ||
| export { CloudType } from "./utils"; | ||
| export { EntraJwtPayload } from "./tokenValidator"; | ||
|
|
||
| /** | ||
| * Middleware function to handle authorization using JWT. | ||
| * | ||
| * @param {HttpRequest} req - The HTTP request. | ||
| * @returns {Promise<boolean>} - A promise that resolves to a boolean value. | ||
| * @returns {Promise<EntraJwtPayload | false>} - A promise that resolves to an array of JWT claims or false if authentication failed | ||
| */ | ||
| export async function authMiddleware(req?: HttpRequest): Promise<boolean> { | ||
| export async function authMiddleware(req: HttpRequest, | ||
| scope: string | [string], | ||
| allowedTenants: [string] = [config.aadAppTenantId], | ||
| cloud: CloudType = CloudType.Public, | ||
| issuer: string = `https://login.microsoftonline.com/${config.aadAppTenantId}/v2.0` | ||
| ): Promise<EntraJwtPayload | false> { | ||
|
|
||
| // Get the token from the request headers | ||
| const token = req.headers.get("authorization")?.split(" ")[1]; | ||
| if (!token) { | ||
| return false; | ||
| } | ||
|
|
||
| try { | ||
| // Get the JWKS URL for the Microsoft Entra common tenant | ||
| const entraJwksUri = await getEntraJwksUri(config.aadAppTenantId, CloudType.Public); | ||
| // Get the JWKS URL for the specified Microsoft Entra cloud | ||
| const entraJwksUri = await getEntraJwksUri(config.aadAppTenantId, cloud); | ||
|
|
||
| // Create a new token validator with the JWKS URL | ||
| const validator = new TokenValidator({ | ||
| jwksUri: entraJwksUri, | ||
| }); | ||
|
|
||
| const options = { | ||
| allowedTenants: [config.aadAppTenantId], | ||
| allowedTenants: allowedTenants, | ||
| audience: config.aadAppClientId, | ||
| issuer: `https://login.microsoftonline.com/${config.aadAppTenantId}/v2.0`, | ||
| scp: ["repairs_read"], | ||
| issuer: issuer, | ||
| scp: typeof scope === 'string' ? [scope] : scope | ||
| }; | ||
| // Validate the token | ||
| await validator.validateToken(token, options); | ||
| const claims = await validator.validateToken(token, options); | ||
|
|
||
| return claims; | ||
|
|
||
| return true; | ||
| } catch (err) { | ||
|
|
||
| // Handle JWT verification errors | ||
| console.error("Token is invalid:", err); | ||
| return false; | ||
|
|
||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters