insomnia/packages/insomnia-app/app/network/authentication.js

// @flow
import {
  AUTH_ASAP,
  AUTH_BASIC,
  AUTH_BEARER,
  AUTH_HAWK,
  AUTH_OAUTH_1,
  AUTH_OAUTH_2,
} from '../common/constants';
import getOAuth2Token from './o-auth-2/get-token';
import getOAuth1Token from './o-auth-1/get-token';
import * as Hawk from 'hawk';
import jwtAuthentication from 'jwt-authentication';
import type { RenderedRequest } from '../common/render';
import { getBasicAuthHeader } from './basic-auth/get-header';
import { getBearerAuthHeader } from './bearer-auth/get-header';

type Header = {
  name: string,
  value: string,
};

export async function getAuthHeader(
  renderedRequest: RenderedRequest,
  url: string,
): Promise<Header | null> {
  const { method, authentication } = renderedRequest;
  const requestId = renderedRequest._id;

  if (authentication.disabled) {
    return null;
  }

  if (authentication.type === AUTH_BASIC) {
    const { username, password } = authentication;
    return getBasicAuthHeader(username, password);
  }

  if (authentication.type === AUTH_BEARER) {
    const { token, prefix } = authentication;
    return getBearerAuthHeader(token, prefix);
  }

  if (authentication.type === AUTH_OAUTH_2) {
    // HACK: GraphQL requests use a child request to fetch the schema with an
    // ID of "{{request_id}}.graphql". Here we are removing the .graphql suffix and
    // pretending we are fetching a token for the original request. This makes sure
    // the same tokens are used for schema fetching. See issue #835 on GitHub.
    const tokenId = requestId.match(/\.graphql$/) ? requestId.replace(/\.graphql$/, '') : requestId;

    const oAuth2Token = await getOAuth2Token(tokenId, authentication);
    if (oAuth2Token) {
      const token = oAuth2Token.accessToken;
      return _buildBearerHeader(token, authentication.tokenPrefix);
    } else {
      return null;
    }
  }

  if (authentication.type === AUTH_OAUTH_1) {
    const oAuth1Token = await getOAuth1Token(url, method, authentication);
    if (oAuth1Token) {
      return {
        name: 'Authorization',
        value: oAuth1Token.Authorization,
      };
    } else {
      return null;
    }
  }

  if (authentication.type === AUTH_HAWK) {
    const { id, key, algorithm, ext, validatePayload } = authentication;
    let headerOptions = {
      credentials: { id, key, algorithm },
      ext: ext,
    };

    if (validatePayload) {
      const payloadValidationFields = {
        payload: renderedRequest.body.text,
        contentType: renderedRequest.body.mimeType,
      };
      headerOptions = Object.assign({}, payloadValidationFields, headerOptions);
    }

    const header = Hawk.client.header(url, method, headerOptions);
    return {
      name: 'Authorization',
      value: header.field,
    };
  }

  if (authentication.type === AUTH_ASAP) {
    const { issuer, subject, audience, keyId, additionalClaims, privateKey } = authentication;

    const generator = jwtAuthentication.client.create();
    let claims = { iss: issuer, sub: subject, aud: audience };

    let parsedAdditionalClaims;

    try {
      parsedAdditionalClaims = JSON.parse(additionalClaims || '{}');
    } catch (err) {
      throw new Error(`Unable to parse additional-claims: ${err}`);
    }

    if (parsedAdditionalClaims) {
      if (typeof parsedAdditionalClaims !== 'object') {
        throw new Error(
          `additional-claims must be an object received: '${typeof parsedAdditionalClaims}' instead`,
        );
      }

      claims = Object.assign(parsedAdditionalClaims, claims);
    }

    const options = {
      privateKey,
      kid: keyId,
    };

    return new Promise((resolve, reject) => {
      generator.generateAuthorizationHeader(claims, options, (error, headerValue) => {
        if (error) {
          reject(error);
        } else {
          resolve({
            name: 'Authorization',
            value: headerValue,
          });
        }
      });
    });
  }

  return null;
}

function _buildBearerHeader(accessToken, prefix) {
  if (!accessToken) {
    return null;
  }

  const name = 'Authorization';
  const value = `${prefix || 'Bearer'} ${accessToken}`;

  return { name, value };
}
Added Token to OAuth 1.0 (Rel #197) 2017-11-06 20:44:55 +00:00			`// @flow`
Add Prettier 2018-06-25 17:42:50 +00:00			`import {`
			`AUTH_ASAP,`
			`AUTH_BASIC,`
			`AUTH_BEARER,`
			`AUTH_HAWK,`
			`AUTH_OAUTH_1,`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`AUTH_OAUTH_2,`
Add Prettier 2018-06-25 17:42:50 +00:00			`} from '../common/constants';`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`import getOAuth2Token from './o-auth-2/get-token';`
oAuth 1.0a Support (#571) 2017-11-06 19:26:31 +00:00			`import getOAuth1Token from './o-auth-1/get-token';`
Implement Hawk Authentication (#446) * Implement Hawk Authentication * fix the missing label of inputs * Fix PR reviews 2017-08-21 17:43:12 +00:00			`import * as Hawk from 'hawk';`
Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`import jwtAuthentication from 'jwt-authentication';`
Add ability to optionally use Hawk payload validation. (#1339) * Add ability to optionally use Hawk payload validation. * Simplify signature of 'getAuthHeader' 2019-03-11 21:52:48 +00:00			`import type { RenderedRequest } from '../common/render';`
Add Prettier 2018-06-25 17:42:50 +00:00			`import { getBasicAuthHeader } from './basic-auth/get-header';`
			`import { getBearerAuthHeader } from './bearer-auth/get-header';`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00
Added Token to OAuth 1.0 (Rel #197) 2017-11-06 20:44:55 +00:00			`type Header = {`
			`name: string,`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`value: string,`
Added Token to OAuth 1.0 (Rel #197) 2017-11-06 20:44:55 +00:00			`};`

Add Prettier 2018-06-25 17:42:50 +00:00			`export async function getAuthHeader(`
Add ability to optionally use Hawk payload validation. (#1339) * Add ability to optionally use Hawk payload validation. * Simplify signature of 'getAuthHeader' 2019-03-11 21:52:48 +00:00			`renderedRequest: RenderedRequest,`
Added Token to OAuth 1.0 (Rel #197) 2017-11-06 20:44:55 +00:00			`url: string,`
			`): Promise<Header \| null> {`
Add ability to optionally use Hawk payload validation. (#1339) * Add ability to optionally use Hawk payload validation. * Simplify signature of 'getAuthHeader' 2019-03-11 21:52:48 +00:00			`const { method, authentication } = renderedRequest;`
			`const requestId = renderedRequest._id;`

First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`if (authentication.disabled) {`
			`return null;`
			`}`

			`if (authentication.type === AUTH_BASIC) {`
Add Prettier 2018-06-25 17:42:50 +00:00			`const { username, password } = authentication;`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`return getBasicAuthHeader(username, password);`
			`}`

Add Bearer Authorization Support (#274) * add bearer authentication support * remove unexpected trailing comma 2017-06-01 13:18:42 +00:00			`if (authentication.type === AUTH_BEARER) {`
Add Prettier 2018-06-25 17:42:50 +00:00			`const { token, prefix } = authentication;`
Ability to change Bearer prefix (Closes #817) 2018-03-30 12:52:02 +00:00			`return getBearerAuthHeader(token, prefix);`
Add Bearer Authorization Support (#274) * add bearer authentication support * remove unexpected trailing comma 2017-06-01 13:18:42 +00:00			`}`

First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`if (authentication.type === AUTH_OAUTH_2) {`
Introspection queries use same OAuth2 tokens (Closes #835) 2018-03-29 02:32:09 +00:00			`// HACK: GraphQL requests use a child request to fetch the schema with an`
			`// ID of "{{request_id}}.graphql". Here we are removing the .graphql suffix and`
			`// pretending we are fetching a token for the original request. This makes sure`
			`// the same tokens are used for schema fetching. See issue #835 on GitHub.`
prettier entire project 2018-10-17 16:42:33 +00:00			`const tokenId = requestId.match(/\.graphql$/) ? requestId.replace(/\.graphql$/, '') : requestId;`
Introspection queries use same OAuth2 tokens (Closes #835) 2018-03-29 02:32:09 +00:00
			`const oAuth2Token = await getOAuth2Token(tokenId, authentication);`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`if (oAuth2Token) {`
More 5.0 Fixes and Stuff (#134) * Fix OAuth token, new request content-type, and more * better error messaging around invalid Curl opts * Make XFERINFOFUNCTION an optional option * Fix content-type change prompt and double quotes in prettify * Don't send Expect header on file upload * Remove dead code * Base64 tag * Fix HTML entities in URL clicks * Fix curl paste 2017-04-07 18:10:15 +00:00			`const token = oAuth2Token.accessToken;`
Add token prefex oauth option and foldable advanced options (#420) 2017-08-10 19:34:33 +00:00			`return _buildBearerHeader(token, authentication.tokenPrefix);`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`} else {`
			`return null;`
			`}`
			`}`

oAuth 1.0a Support (#571) 2017-11-06 19:26:31 +00:00			`if (authentication.type === AUTH_OAUTH_1) {`
			`const oAuth1Token = await getOAuth1Token(url, method, authentication);`
			`if (oAuth1Token) {`
			`return {`
			`name: 'Authorization',`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`value: oAuth1Token.Authorization,`
oAuth 1.0a Support (#571) 2017-11-06 19:26:31 +00:00			`};`
			`} else {`
			`return null;`
			`}`
			`}`

Implement Hawk Authentication (#446) * Implement Hawk Authentication * fix the missing label of inputs * Fix PR reviews 2017-08-21 17:43:12 +00:00			`if (authentication.type === AUTH_HAWK) {`
Add ability to optionally use Hawk payload validation. (#1339) * Add ability to optionally use Hawk payload validation. * Simplify signature of 'getAuthHeader' 2019-03-11 21:52:48 +00:00			`const { id, key, algorithm, ext, validatePayload } = authentication;`
			`let headerOptions = {`
Add Hawk Ext feature (#1266) 2018-11-18 02:04:03 +00:00			`credentials: { id, key, algorithm },`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`ext: ext,`
Add ability to optionally use Hawk payload validation. (#1339) * Add ability to optionally use Hawk payload validation. * Simplify signature of 'getAuthHeader' 2019-03-11 21:52:48 +00:00			`};`

			`if (validatePayload) {`
			`const payloadValidationFields = {`
			`payload: renderedRequest.body.text,`
			`contentType: renderedRequest.body.mimeType,`
			`};`
			`headerOptions = Object.assign({}, payloadValidationFields, headerOptions);`
			`}`

			`const header = Hawk.client.header(url, method, headerOptions);`
Implement Hawk Authentication (#446) * Implement Hawk Authentication * fix the missing label of inputs * Fix PR reviews 2017-08-21 17:43:12 +00:00			`return {`
			`name: 'Authorization',`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`value: header.field,`
Implement Hawk Authentication (#446) * Implement Hawk Authentication * fix the missing label of inputs * Fix PR reviews 2017-08-21 17:43:12 +00:00			`};`
			`}`

Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`if (authentication.type === AUTH_ASAP) {`
prettier entire project 2018-10-17 16:42:33 +00:00			`const { issuer, subject, audience, keyId, additionalClaims, privateKey } = authentication;`
Fix ASAP build errors 2017-11-07 18:19:16 +00:00
Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`const generator = jwtAuthentication.client.create();`
Add Prettier 2018-06-25 17:42:50 +00:00			`let claims = { iss: issuer, sub: subject, aud: audience };`
Add support for additional claims in ASAP Auth (#822) 2018-03-28 23:27:21 +00:00
			`let parsedAdditionalClaims;`

			`try {`
Atlassian ASAP auth: default additionalClaims to empty object if not provided. Closes #952. (#953) 2018-06-06 20:29:07 +00:00			`parsedAdditionalClaims = JSON.parse(additionalClaims \|\| '{}');`
Add support for additional claims in ASAP Auth (#822) 2018-03-28 23:27:21 +00:00			`} catch (err) {`
			throw new Error(`Unable to parse additional-claims: ${err}`);
			`}`

			`if (parsedAdditionalClaims) {`
			`if (typeof parsedAdditionalClaims !== 'object') {`
Add Prettier 2018-06-25 17:42:50 +00:00			`throw new Error(`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`additional-claims must be an object received: '${typeof parsedAdditionalClaims}' instead`,
Add Prettier 2018-06-25 17:42:50 +00:00			`);`
Add support for additional claims in ASAP Auth (#822) 2018-03-28 23:27:21 +00:00			`}`

			`claims = Object.assign(parsedAdditionalClaims, claims);`
			`}`

Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`const options = {`
			`privateKey,`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`kid: keyId,`
Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`};`

			`return new Promise((resolve, reject) => {`
prettier entire project 2018-10-17 16:42:33 +00:00			`generator.generateAuthorizationHeader(claims, options, (error, headerValue) => {`
			`if (error) {`
			`reject(error);`
			`} else {`
			`resolve({`
			`name: 'Authorization',`
Add trailing commas to ESLint + Prettier 2018-12-12 17:36:11 +00:00			`value: headerValue,`
prettier entire project 2018-10-17 16:42:33 +00:00			`});`
Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`}`
prettier entire project 2018-10-17 16:42:33 +00:00			`});`
Atlassian ASAP authentication support (https://s2sauth.bitbucket.io/) (#565) (#566) 2017-11-07 18:14:08 +00:00			`});`
			`}`

First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`return null;`
			`}`

Add Prettier 2018-06-25 17:42:50 +00:00			`function _buildBearerHeader(accessToken, prefix) {`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`if (!accessToken) {`
			`return null;`
			`}`

			`const name = 'Authorization';`
Add token prefex oauth option and foldable advanced options (#420) 2017-08-10 19:34:33 +00:00			const value = `${prefix \|\| 'Bearer'} ${accessToken}`;
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00
Add Prettier 2018-06-25 17:42:50 +00:00			`return { name, value };`
First-Party OAuth 2.0 Support (#120) * Proof of concept authorize call * Authorize and Refresh endpoints done * OAuth2 editor started * Some small fixes * Set OAuth headers on request * Started on some OAuth tests * Updated network logic with new OAuth API * OAuth forms and refactor flows * Fix grant type handling * Moved auth handling out of render pipeline * Fixed legacy auth header * Fix vertical center * Prompt user on auth type change * Refresh tokens working (I think) and better UI * Catch same type auth change * POC refresh token and small refactor * Better token handling * LOading state to token refresh * Show o-auth-2 errors * Some minor updates 2017-03-23 22:10:42 +00:00			`}`