alerte-secours/as-services
3
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: debug
All checks were successful
/ build (map[dockerfile:./services/watchers/Dockerfile name:watchers]) (push) Successful in 3m13s
Details
/ build (map[dockerfile:./services/tasks/Dockerfile name:tasks]) (push) Successful in 3m21s
Details
/ build (map[dockerfile:./services/hasura/Dockerfile name:hasura]) (push) Successful in 3m12s
Details
/ build (map[dockerfile:./services/app/Dockerfile name:app]) (push) Successful in 3m2s
Details
/ deploy (push) Successful in 21s
Details
/ build (map[dockerfile:./services/api/Dockerfile name:api]) (push) Successful in 2m32s
Details
/ build (map[dockerfile:./services/web/Dockerfile name:web]) (push) Successful in 3m0s
Details
/ build (map[dockerfile:./services/files/Dockerfile name:files]) (push) Successful in 3m23s
Details

Browse source
This commit is contained in:
devthejo 2025-07-02 12:58:37 +02:00
parent 6d308bf95d
commit a13b07ec9d
1 changed files with 40 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
libs/common/oapi/services/auth.js
View file

@ -29,19 +29,26 @@ module.exports = function () {
return async function auth(jwt, scopes) {
const hasMetaExpUser = scopes.includes("meta.exp-user")
let jwtVerified = false
const logger = ctx.require("logger")
logger.debug({ scopes, hasMetaExpUser }, "Starting authentication")
try {
if (!jwt) {
logger.warn("No JWT provided for authentication")
return false
}
logger.debug("JWT provided, attempting verification")
jwtVerified = await jwtVerify(jwt, JWKSet)
if (!jwtVerified) {
logger.warn("JWT verification failed")
return false
}
} catch (err) {
const logger = ctx.require("logger")
logger.debug("JWT verification successful")
} catch (err) {
// Allow expired JWT only if meta.exp-user scope is present
if (hasMetaExpUser && err.code === "ERR_JWT_EXPIRED") {
logger.debug(
@ -50,30 +57,59 @@ module.exports = function () {
)
// Continue processing with expired JWT
} else {
logger.error({ error: err }, "jwVerify failed")
logger.error({ error: err }, "JWT verification failed")
return false
}
}
logger.debug("Extracting claims from JWT")
const claims = getHasuraClaimsFromJWT(jwt, claimsNamespace)
const session = sessionVarsFromClaims(claims)
logger.debug(
{ userId: session.userId, deviceId: session.deviceId },
"Session variables extracted from claims"
)
// Add exp claim to session if meta.exp-user scope is present
if (hasMetaExpUser) {
logger.debug("Adding exp claim for meta.exp-user scope")
try {
const payload = jwtDecode(jwt)
if (payload && payload.exp) {
session.exp = payload.exp
logger.debug({ exp: session.exp }, "Exp claim added to session")
} else {
logger.debug("No exp claim found in JWT payload")
}
} catch (err) {
const logger = ctx.require("logger")
logger.error({ error: err }, "Failed to decode JWT for exp claim")
}
}
logger.debug(
{ allowedRoles: session.allowedRoles, requestedScopes: scopes },
"Checking scope authorization"
)
if (!isScopeAllowed(session, scopes)) {
logger.warn(
{ allowedRoles: session.allowedRoles, requestedScopes: scopes },
"Scope authorization failed"
)
return false
}
logger.info("Authentication successful")
logger.debug(
{
userId: session.userId,
deviceId: session.deviceId,
allowedRoles: session.allowedRoles,
},
"Setting session context"
)
reqCtx.set("session", session)
return true
}