| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 |
- 'use strict'
- const JWT = require('jsonwebtoken')
- const crypto = require('crypto')
-
- const hashToken = async token => {
- const salt = process.env.APP_SESSION_SALT
- try {
- return crypto.createHmac('sha256', salt).update(token).digest('hex')
- } catch (err) {
- throw new Error(err.message)
- }
- }
-
- module.exports = options => {
- return {
- key: options.jwtKey,
- verifyOptions: {
- algorithms: ['HS256'],
- },
- // TODO: Always check rawAccessToken, if it fails, we check the session, if
- // session is valid, then we reissue it if session is NOT valid, DELETE
- // the session (and kick user back to login)
- // TODO: set up cron job to occassionaly clean up activeSessions
- validate: async (decoded, request, h) => {
- const accessTokenFromHeaders = request.headers.authorization
- const hashedAccessTokenFromHeaders = await hashToken(
- accessTokenFromHeaders,
- )
- const accessToken =
- request.server.app.activeSessions[hashedAccessTokenFromHeaders]
- .accessToken
- const sessionToken =
- request.server.app.activeSessions[hashedAccessTokenFromHeaders]
- .sessionToken
- console.log('sessionToken from jwt strategy :=>', sessionToken)
- try {
- const validatedJwt = JWT.verify(
- accessToken,
- process.env.APP_SECRET,
- )
- return { isValid: true, credentials: validatedJwt.email }
- } catch (err) {
- console.error('ERROR :=>', err)
- return { isValid: false, error: err.message }
- }
- },
- }
- }