Update the function and add types

Author: bcbogdan

lib/ts/recipe/session/nextjs/getSessionOrRedirect.tsx

@@ -1,109 +1,86 @@
-import jwksClient from "jwks-rsa";
-import JsonWebToken from "jsonwebtoken";
-import type { JwtHeader, JwtPayload, SigningKeyCallback } from "jsonwebtoken";
-
+import jose from "jose";
 import { cookies, headers } from "next/headers";
 import { redirect } from "next/navigation";
 
+import SuperTokens from "../../../superTokens";
+
+import type { AccessTokenPayload, LoadedSessionContext } from "../types";
+
 // const ACCESS_TOKEN_NAME = "st-access-token";
 const ACCESS_TOKEN_NAME = "sAccessToken";
 const FRONT_TOKEN_NAME = "sFrontToken";
 
-const REFRESH_TOKEN_PATH = "/api/refresh";
-const AUTH_PATH = "/auth";
-
 // TODO:
-// - Update the api paths based on the SDK config
 // - Add error handling
 // - Figure out the correct token name. Is it sAccessToken or st-access-token?
-export async function getSessionOrRedirect() {
+export async function getSessionOrRedirect(): Promise<LoadedSessionContext> {
     const headersList = await headers();
     const cookieStore = await cookies();
-
     const frontToken = cookieStore.get(FRONT_TOKEN_NAME)?.value;
-
+    const authPagePage = getWebsiteBasePath();
     if (!frontToken) {
-        redirect(AUTH_PATH);
+        redirect(authPagePage);
     }
 
-    // const lastAccessTokenUpdate = cookieStore.get(LAST_ACCESS_TOKEN_UPDATE)?.value;
-    // if (!lastAccessTokenUpdate) {
-    //     redirect(REFRESH_TOKEN_PATH);
-    // }
-    // const parsedLastAccessTokenUpdate = parseInt(lastAccessTokenUpdate);
-
+    const refreshTokenPath = `${getApiBasePath()}/refresh`;
     const parsedFrontToken = parseFrontToken(frontToken);
     if (parsedFrontToken.up?.exp && parsedFrontToken.up.exp < Date.now()) {
-        redirect(REFRESH_TOKEN_PATH);
+        redirect(refreshTokenPath);
     }
 
     const accessToken = cookieStore.get(ACCESS_TOKEN_NAME)?.value || headersList.get(ACCESS_TOKEN_NAME);
     if (!accessToken) {
         // TODO: Should redirect to auth page?
-        redirect(REFRESH_TOKEN_PATH);
+        redirect(refreshTokenPath);
     }
 
-    const parsedAccessToken = await verifyToken(accessToken);
-    if (!areTokenPayloadsEqual(parsedFrontToken, parsedAccessToken)) {
-        redirect(REFRESH_TOKEN_PATH);
+    const parsedAccessToken = await parseAccessToken(accessToken);
+    if (!comparePayloads(parsedFrontToken, parsedAccessToken)) {
+        redirect(refreshTokenPath);
     }
 
-    // TODO: Return the actual session object
-    return {};
+    return {
+        userId: parsedAccessToken.up.sub,
+        accessTokenPayload: parsedAccessToken,
+        doesSessionExist: true,
+        loading: false,
+        invalidClaims: [],
+        accessDeniedValidatorError: undefined,
+    };
 }
 
-function parseFrontToken(frontToken: string): TokenPayload {
-    return JSON.parse(decodeURIComponent(escape(atob(frontToken))));
-}
+const getApiBasePath = () => {
+    return SuperTokens.getInstanceOrThrow().appInfo.apiBasePath.getAsStringDangerous();
+};
 
-type TokenPayload = {
-    uid: string;
-    ate: number;
-    up: {
-        iat: number;
-        exp: number;
-        sub: string;
-        tId: string;
-        rsub: string;
-        sessionHandle: string;
-        refrehTokenHash1: string;
-        parentRefereshTokenHash1: string | null;
-        antiCsrfToken: string | null;
-        iss: string;
-        "st-role": {
-            v: string;
-            t: number[];
-        };
-        "st-perm": {
-            v: string[];
-            t: number;
-        };
-    };
+const getWebsiteBasePath = () => {
+    return SuperTokens.getInstanceOrThrow().appInfo.websiteBasePath.getAsStringDangerous();
 };
 
-const client = jwksClient({
-    jwksUri: `<api-domain>/<api-base-path>/jwt/jwks.json`,
-});
+function parseFrontToken(frontToken: string): AccessTokenPayload {
+    return JSON.parse(decodeURIComponent(escape(atob(frontToken))));
+}
 
-async function verifyToken(token: string): Promise<JwtPayload> {
-    const getPublicKey = (header: JwtHeader, callback: SigningKeyCallback) => {
-        client.getSigningKey(header.kid, (err, key) => {
-            if (err) {
-                callback(err);
-            } else {
-                const signingKey = key?.getPublicKey();
-                callback(null, signingKey);
-            }
-        });
-    };
+async function parseAccessToken(token: string): Promise<AccessTokenPayload> {
+    const JWKS = jose.createRemoteJWKSet(new URL(`${getApiBasePath()}/authjwt/jwks.json`));
+    const { payload } = await jose.jwtVerify(token, JWKS);
+    return payload;
+}
 
-    return new Promise((resolve, reject) => {
-        JsonWebToken.verify(token, getPublicKey, {}, (err, decoded) => {
-            if (err) {
-                reject(err);
-            } else {
-                resolve(decoded as JwtPayload);
-            }
-        });
-    });
+function comparePayloads(payload1: AccessTokenPayload, payload2: AccessTokenPayload): boolean {
+    return (
+        payload1.uid === payload2.uid &&
+        payload1.ate === payload2.ate &&
+        payload1.up.sub === payload2.up.sub &&
+        payload1.up.tId === payload2.up.tId &&
+        payload1.up.sessionHandle === payload2.up.sessionHandle &&
+        payload1.up.refrehTokenHash1 === payload2.up.refrehTokenHash1 &&
+        payload1.up.parentRefereshTokenHash1 === payload2.up.parentRefereshTokenHash1 &&
+        payload1.up.antiCsrfToken === payload2.up.antiCsrfToken &&
+        payload1.up.iss === payload2.up.iss &&
+        payload1.up["st-role"].v === payload2.up["st-role"].v &&
+        payload1.up["st-role"].t.toString() === payload2.up["st-role"].t.toString() &&
+        payload1.up["st-perm"].v.toString() === payload2.up["st-perm"].v.toString() &&
+        payload1.up["st-perm"].t === payload2.up["st-perm"].t
+    );
 }

lib/ts/recipe/session/types.ts

@@ -75,3 +75,28 @@ export type AccessDeniedThemeProps = {
 export type ComponentOverrideMap = {
     SessionAccessDenied_Override?: ComponentOverride<typeof AccessDeniedScreenTheme>;
 };
+
+export type AccessTokenPayload = {
+    uid: string;
+    ate: number;
+    up: {
+        iat: number;
+        exp: number;
+        sub: string;
+        tId: string;
+        rsub: string;
+        sessionHandle: string;
+        refrehTokenHash1: string;
+        parentRefereshTokenHash1: string | null;
+        antiCsrfToken: string | null;
+        iss: string;
+        "st-role": {
+            v: string;
+            t: number[];
+        };
+        "st-perm": {
+            v: string[];
+            t: number;
+        };
+    };
+};