Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
if (!ticket.grant) {
return reissue();
}
// User ticket
const { grant, ext } = await options.loadGrantFunc(ticket.grant);
if (!grant ||
(grant.app !== ticket.app && grant.app !== ticket.dlg) ||
grant.user !== ticket.user ||
!grant.exp ||
grant.exp <= Hawk.utils.now()) {
throw Hawk.utils.unauthorized('Invalid grant');
}
return reissue(grant, ext);
};
}, async (clientId) => {
let ext = undefined;
// Parse authorization header for ext
let attrs = hawk.utils.parseAuthorizationHeader(
req.authorization
);
// Extra ext
if (!(attrs instanceof Error)) {
ext = attrs.ext;
}
// Get credentials with ext
return loadCredentials(clientId, ext);
}, {
// Not sure if JSON stringify is not deterministic by specification.
authorize: function (request) {
var params = this,
result;
if (!params || !params.authId || !params.authKey) {
return request; // Nothing to do if no parameters are present.
}
params.nonce = params.nonce || _.randomString(6);
params.timestamp = _.parseInt(params.timestamp) ||
// Hawk has this function in their Node distribution, but not in the browsers :/
(_.isFunction(Hawk.utils.nowSecs) ? Hawk.utils.nowSecs() : Hawk.utils.now());
request.removeHeader('Authorization', { ignoreCase: true });
result = this.sign({
credentials: {
id: params.authId,
key: params.authKey,
algorithm: params.algorithm
},
nonce: params.nonce,
timestamp: params.timestamp,
ext: params.extraData,
app: params.app,
dlg: params.delegation,
user: params.user,
url: request.url.toString(true), // force toString to add a protocol to the URL.
method: request.method
exports.reissue = async function (req, payload, options) {
payload = payload || {};
await internals.validate('reissue', payload);
const { ticket } = await Server._authenticate(req, options.encryptionPassword, false, options);
// Load ticket
const app = await options.loadAppFunc(ticket.app);
if (!app) {
throw Hawk.utils.unauthorized('Invalid application');
}
if (payload.issueTo &&
!app.delegate) {
throw Boom.forbidden('Application has no delegation rights');
}
const reissue = (grant, ext) => {
const ticketOptions = Object.assign({}, options.ticket); // Shallow cloned
if (ext) {
ticketOptions.ext = ext;
}
const credentialsFunc = async function (id) {
// Parse ticket id
const ticket = await Ticket.parse(id, encryptionPassword, options.ticket);
// Check expiration
if (checkExpiration &&
ticket.exp <= Hawk.utils.now()) {
const error = Hawk.utils.unauthorized('Expired ticket');
error.output.payload.expired = true;
throw error;
}
return ticket;
};
const error = Hawk.utils.unauthorized('Expired ticket');
error.output.payload.expired = true;
throw error;
}
return ticket;
};
// Hawk authentication
const { credentials, artifacts } = await Hawk.server.authenticate(req, credentialsFunc, options.hawk);
// Check application
if (credentials.app !== artifacts.app) {
throw Hawk.utils.unauthorized('Mismatching application id');
}
if ((credentials.dlg || artifacts.dlg) &&
credentials.dlg !== artifacts.dlg) {
throw Hawk.utils.unauthorized('Mismatching delegated application id');
}
// Return result
return { ticket: credentials, artifacts };
};
if (grant && (!grant.id || !grant.user || !grant.exp)) {
throw Boom.internal('Invalid grant object');
}
if (grant || parentTicket.grant) {
if (!grant ||
!parentTicket.grant ||
parentTicket.grant !== grant.id) {
throw Boom.internal('Parent ticket grant does not match options.grant');
}
}
// Construct ticket
let exp = (Hawk.utils.now() + (options.ttl || internals.defaults.ticketTTL));
if (grant) {
exp = Math.min(exp, grant.exp);
}
const ticket = {
exp,
app: options.issueTo || parentTicket.app,
scope: options.scope || parentTicket.scope
};
if (!options.ext &&
parentTicket.ext) {
options = Object.assign({}, options); // Shallow cloned
options.ext = parentTicket.ext;
}
'and \'authorization\' header',
};
}
// If no authentication is provided, we just return valid with zero scopes
if ((!req.query || !req.query.bewit) &&
(!req.headers || !req.headers.authorization)) {
return {
status: 'no-auth',
scheme: 'none',
scopes: [],
};
}
// Parse host header
const host = hawk.utils.parseHost(req);
// Find port, overwrite if forwarded by reverse proxy
let port = host.port;
if (req.headers['x-forwarded-port'] !== undefined) {
port = parseInt(req.headers['x-forwarded-port'], 10);
} else if (req.headers['x-forwarded-proto'] !== undefined) {
port = req.headers['x-forwarded-proto'] === 'https' ? 443 : port;
}
// Send input to signatureValidator (auth server or local validator)
let result = await Promise.resolve(signatureValidator({
method: req.method.toLowerCase(),
resource: req.originalUrl,
host: host.name,
port: parseInt(port, 10),
authorization: req.headers.authorization,
sourceIp: req.ip,