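'use strict'
const JWT = require('jsonwebtoken')
const crypto = require('crypto')

/**
 * HMAC-SHA256 a raw token with the server-side salt and return the hex digest.
 *
 * Active sessions are keyed by this digest, so the raw token is never used
 * directly as a lookup key.
 *
 * @param {string} token - raw token as received from the client
 * @returns {Promise<string>} hex-encoded HMAC digest
 * @throws {Error} when APP_SESSION_SALT is unset or `token` is not a string
 *   (a misconfiguration must surface instead of silently hashing `undefined`),
 *   or when the underlying crypto call fails
 */
const hashToken = async token => {
  const salt = process.env.APP_SESSION_SALT
  if (typeof salt !== 'string' || salt.length === 0) {
    throw new Error('APP_SESSION_SALT is not configured')
  }
  if (typeof token !== 'string') {
    throw new Error('token to hash must be a string')
  }
  try {
    return crypto.createHmac('sha256', salt).update(token).digest('hex')
  } catch (err) {
    // Keep the original error reachable via `cause` instead of flattening it
    throw new Error(err.message, { cause: err })
  }
}

/**
 * Build the hapi JWT auth strategy options.
 *
 * @param {{ jwtKey: string }} options - `jwtKey` is the key the strategy uses
 *   to verify the bearer token before `validate` is called
 * @returns {object} strategy options with `key`, `verifyOptions` and `validate`
 */
module.exports = options => {
  return {
    key: options.jwtKey,
    verifyOptions: {
      algorithms: ['HS256'],
    },
    // TODO: Always check rawAccessToken, if it fails, we check the session, if
    // session is valid, then we reissue it if session is NOT valid, DELETE
    // the session (and kick user back to login)
    // TODO: set up cron job to occassionaly clean up activeSessions
    /**
     * Look up the active session for the presented bearer token and re-verify
     * the stored access token.
     *
     * @param {object} decoded - payload already decoded by the strategy (unused here)
     * @param {object} request - hapi request; reads `headers.authorization` and
     *   `server.app.activeSessions`
     * @param {object} h - hapi response toolkit (unused here)
     * @returns {Promise<{isValid: boolean, credentials?: string, error?: string}>}
     */
    validate: async (decoded, request, h) => {
      const accessTokenFromHeaders = request.headers.authorization
      if (typeof accessTokenFromHeaders !== 'string') {
        // Nothing to look up: reject cleanly rather than let hashToken throw
        return { isValid: false, error: 'missing authorization header' }
      }
      const hashedAccessTokenFromHeaders = await hashToken(
        accessTokenFromHeaders,
      )
      // assumes server.app.activeSessions is initialised at startup — TODO confirm
      const sessions = request.server.app.activeSessions || {}
      const session = sessions[hashedAccessTokenFromHeaders]
      if (!session) {
        // Unknown or expired session: previously this fell through to a
        // property read on `undefined`, turning a plain auth failure into a 500
        return { isValid: false, error: 'no active session for token' }
      }
      const { accessToken } = session
      // Record only that a session matched; token values must not reach the logs
      console.log('jwt strategy: active session found')
      try {
        // NOTE(review): APP_SECRET vs options.jwtKey — confirm these are the same key
        // Pin the algorithm so the stored token is only accepted under the
        // same HMAC variant the strategy's verifyOptions allow
        const validatedJwt = JWT.verify(accessToken, process.env.APP_SECRET, {
          algorithms: ['HS256'],
        })
        return { isValid: true, credentials: validatedJwt.email }
      } catch (err) {
        console.error('ERROR :=>', err)
        return { isValid: false, error: err.message }
      }
    },
  }
}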