add RSA support

Author: productioncoder

config/index.js

@@ -1,12 +1,29 @@
+const fs = require("fs");
+
+function loadKey(path) {
+ if (!path) {
+ return null;
+ }
+ try {
+ return fs.readFileSync(path);
+ } catch (err) {
+ console.error(err);
+ // don't use process.exit in prod
+ // rather do a graceful
+ process.exit(1);
+ }
+}
+
 module.exports = {
  partnerServerHost: "localhost",
  partnerServerPort: process.env.PARTNER_SERVER_PORT,
- partnerServerName: process.env.PARTNER_SERVER_NAME,
+ partnerRSAPublicKey: loadKey(process.env.PARTNER_JWT_RSA_PUBLIC_KEY),
 
  hostname: "localhost",
  serverName: process.env.SERVER_NAME,
  port: process.env.PORT,
+ rsaPrivateKey: loadKey(process.env.JWT_RSA_PRIVATE_KEY),
 
  // in prod, use a stronger secret
- tokenSecret: 'mysecret',
+ hmacSecret: process.env.HMAC_SECRET,
 };

controller/producer.js

@@ -6,7 +6,7 @@ async function produce(req, res) {
  const tokenPayload = {
  tokenOrigin: `this token was created by ${config.serverName}`,
  };
- const token = tokenService.buildToken(config.partnerServerName, tokenPayload);
+ const token = tokenService.buildToken(config.serverName, tokenPayload);
 
  const reqConfig = {
  headers: {

package.json

@@ -5,8 +5,10 @@
  "main": "index.js",
  "scripts": {
  "dev-single": "nodemon index.js",
- "serverA": "PORT=3000 PARTNER_SERVER_PORT=8080 SERVER_NAME=serverA PARTNER_SERVER_NAME=serverB nodemon index.js",
- "serverB": "PORT=8080 PARTNER_SERVER_PORT=3000 SERVER_NAME=serverB PARTNER_SERVER_NAME=serverA nodemon index.js",
+ "serverA": "PORT=3000 PARTNER_SERVER_PORT=8080 SERVER_NAME=serverA PARTNER_SERVER_NAME=serverB HMAC_SECRET=myscret nodemon index.js",
+ "serverB": "PORT=8080 PARTNER_SERVER_PORT=3000 SERVER_NAME=serverB PARTNER_SERVER_NAME=serverA HMAC_SECRET=mysecret nodemon index.js",
+ "rsaServerA": "PORT=3000 JWT_RSA_PRIVATE_KEY=./serverA-private.key PARTNER_JWT_RSA_PUBLIC_KEY=./serverB-public.key PARTNER_SERVER_PORT=8080 SERVER_NAME=serverA PARTNER_SERVER_NAME=serverB nodemon index.js",
+ "rsaServerB": "PORT=8080 JWT_RSA_PRIVATE_KEY=./serverB-private.key PARTNER_JWT_RSA_PUBLIC_KEY=./serverA-public.key PARTNER_SERVER_PORT=3000 SERVER_NAME=serverB PARTNER_SERVER_NAME=serverA nodemon index.js",
  "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],

service/token.js

@@ -0,0 +1,23 @@
+const tokenConfig = require('./token-config');
+const jwt = require("jsonwebtoken");
+
+function buildToken(subject, payload = {}) {
+ const {options, secret} = tokenConfig.getSigningConfig(subject);
+ return jwt.sign(payload, secret, options);
+}
+
+function verifyToken(token) {
+ const {options, secret} = tokenConfig.getVerifyConfig();
+ try {
+ return jwt.verify(token, secret, options);
+ } catch (err) {
+ // in prod, don't use console.log because it is synchronous
+ console.log(err);
+ return null;
+ }
+}
+
+module.exports = {
+ buildToken,
+ verifyToken,
+};

service/token/index.js

@@ -0,0 +1,62 @@
+const config = require('../../config');
+
+const defaultSignOptions = {
+ expiresIn: 15 * 60, // expires in 15min
+ issuer: config.serverName,
+ audience: `${config.partnerServerHost}:${config.partnerServerPort}`,
+};
+
+const hmacSignOptions = {
+ algorithm: 'HS256',
+ ...defaultSignOptions
+}
+
+const hmacVerifyOptions = {
+ algorithms: ["HS256"], // only allow HMAC with SHA256
+ // audience: `${config.hostname}:${config.port}`,
+ // issuer: config.partnerServerName,
+};
+
+const rsaVerifyOptions = {
+ // only allow RSA + SHA256
+ algorithms: ["RS256"],
+}
+
+const rsaSignOptions = {
+ algorithm: 'RS256',
+ ...defaultSignOptions
+}
+
+function getSigningConfig(subject) {
+ if (config.rsaPrivateKey) {
+ return {
+ options: {...rsaSignOptions, subject},
+ secret: config.rsaPrivateKey
+ };
+ }
+ return {
+ options: {...hmacSignOptions, subject},
+ secret: config.hmacSecret,
+ }
+}
+
+function getVerifyConfig(subject) {
+ if (config.rsaPrivateKey) {
+ return {
+ options: rsaVerifyOptions,
+ secret: config.partnerRSAPublicKey,
+ };
+ }
+ return {
+ options: hmacVerifyOptions,
+ secret: config.hmacSecret,
+ }
+}
+
+module.exports = {
+ getVerifyConfig,
+ getSigningConfig,
+}
+
+
+