67 lines
2.0 KiB
JavaScript
67 lines
2.0 KiB
JavaScript
/*! @azure/msal-common v14.4.0 2023-11-07 */
|
|
'use strict';
|
|
import { createClientAuthError } from '../error/ClientAuthError.mjs';
|
|
import { tokenParsingError, nullOrEmptyToken, maxAgeTranspired } from '../error/ClientAuthErrorCodes.mjs';
|
|
|
|
/*
|
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
* Licensed under the MIT License.
|
|
*/
|
|
/**
|
|
* Extract token by decoding the rawToken
|
|
*
|
|
* @param encodedToken
|
|
*/
|
|
function extractTokenClaims(encodedToken, base64Decode) {
|
|
const jswPayload = getJWSPayload(encodedToken);
|
|
// token will be decoded to get the username
|
|
try {
|
|
// base64Decode() should throw an error if there is an issue
|
|
const base64Decoded = base64Decode(jswPayload);
|
|
return JSON.parse(base64Decoded);
|
|
}
|
|
catch (err) {
|
|
throw createClientAuthError(tokenParsingError);
|
|
}
|
|
}
|
|
/**
|
|
* decode a JWT
|
|
*
|
|
* @param authToken
|
|
*/
|
|
function getJWSPayload(authToken) {
|
|
if (!authToken) {
|
|
throw createClientAuthError(nullOrEmptyToken);
|
|
}
|
|
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
|
|
const matches = tokenPartsRegex.exec(authToken);
|
|
if (!matches || matches.length < 4) {
|
|
throw createClientAuthError(tokenParsingError);
|
|
}
|
|
/**
|
|
* const crackedToken = {
|
|
* header: matches[1],
|
|
* JWSPayload: matches[2],
|
|
* JWSSig: matches[3],
|
|
* };
|
|
*/
|
|
return matches[2];
|
|
}
|
|
/**
|
|
* Determine if the token's max_age has transpired
|
|
*/
|
|
function checkMaxAge(authTime, maxAge) {
|
|
/*
|
|
* per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
* To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
|
|
* provide a value of 0 for the max_age parameter and the AS will force a fresh login.
|
|
*/
|
|
const fiveMinuteSkew = 300000; // five minutes in milliseconds
|
|
if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
|
|
throw createClientAuthError(maxAgeTranspired);
|
|
}
|
|
}
|
|
|
|
export { checkMaxAge, extractTokenClaims, getJWSPayload };
|
|
//# sourceMappingURL=AuthToken.mjs.map
|