// @flow import {AUTH_ASAP, AUTH_BASIC, AUTH_BEARER, AUTH_HAWK, AUTH_OAUTH_1, AUTH_OAUTH_2} from '../common/constants'; import getOAuth2Token from './o-auth-2/get-token'; import getOAuth1Token from './o-auth-1/get-token'; import * as Hawk from 'hawk'; import jwtAuthentication from 'jwt-authentication'; import type {RequestAuthentication} from '../models/request'; import {getBasicAuthHeader} from './basic-auth/get-header'; import {getBearerAuthHeader} from './bearer-auth/get-header'; type Header = { name: string, value: string }; export async function getAuthHeader ( requestId: string, url: string, method: string, authentication: RequestAuthentication ): Promise
{ if (authentication.disabled) { return null; } if (authentication.type === AUTH_BASIC) { const {username, password} = authentication; return getBasicAuthHeader(username, password); } if (authentication.type === AUTH_BEARER) { const {token, prefix} = authentication; return getBearerAuthHeader(token, prefix); } if (authentication.type === AUTH_OAUTH_2) { // HACK: GraphQL requests use a child request to fetch the schema with an // ID of "{{request_id}}.graphql". Here we are removing the .graphql suffix and // pretending we are fetching a token for the original request. This makes sure // the same tokens are used for schema fetching. See issue #835 on GitHub. const tokenId = requestId.match(/\.graphql$/) ? requestId.replace(/\.graphql$/, '') : requestId; const oAuth2Token = await getOAuth2Token(tokenId, authentication); if (oAuth2Token) { const token = oAuth2Token.accessToken; return _buildBearerHeader(token, authentication.tokenPrefix); } else { return null; } } if (authentication.type === AUTH_OAUTH_1) { const oAuth1Token = await getOAuth1Token(url, method, authentication); if (oAuth1Token) { return { name: 'Authorization', value: oAuth1Token.Authorization }; } else { return null; } } if (authentication.type === AUTH_HAWK) { const {id, key, algorithm} = authentication; const header = Hawk.client.header(url, method, {credentials: {id, key, algorithm}}); return { name: 'Authorization', value: header.field }; } if (authentication.type === AUTH_ASAP) { const {issuer, subject, audience, keyId, additionalClaims, privateKey} = authentication; const generator = jwtAuthentication.client.create(); let claims = {iss: issuer, sub: subject, aud: audience}; let parsedAdditionalClaims; try { parsedAdditionalClaims = JSON.parse(additionalClaims || '{}'); } catch (err) { throw new Error(`Unable to parse additional-claims: ${err}`); } if (parsedAdditionalClaims) { if (typeof parsedAdditionalClaims !== 'object') { throw new Error(`additional-claims must be an object received: '${typeof parsedAdditionalClaims}' instead`); } claims = Object.assign(parsedAdditionalClaims, claims); } const options = { privateKey, kid: keyId }; return new Promise((resolve, reject) => { generator.generateAuthorizationHeader(claims, options, (error, headerValue) => { if (error) { reject(error); } else { resolve({ name: 'Authorization', value: headerValue }); } }); }); } return null; } function _buildBearerHeader (accessToken, prefix) { if (!accessToken) { return null; } const name = 'Authorization'; const value = `${prefix || 'Bearer'} ${accessToken}`; return {name, value}; }