fosrl.pangolin/server/auth/verifyResourceAccessToken.ts

import db from "@server/db";
import {
    Resource,
    ResourceAccessToken,
    resourceAccessToken,
    resources
} from "@server/db/schemas";
import { and, eq } from "drizzle-orm";
import { isWithinExpirationDate } from "oslo";
import { verifyPassword } from "./password";
import { encodeHexLowerCase } from "@oslojs/encoding";
import { sha256 } from "@oslojs/crypto/sha2";

export async function verifyResourceAccessToken({
    accessToken,
    accessTokenId,
    resourceId
}: {
    accessToken: string;
    accessTokenId?: string;
    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
}): Promise<{
    valid: boolean;
    error?: string;
    tokenItem?: ResourceAccessToken;
    resource?: Resource;
}> {
    const accessTokenHash = encodeHexLowerCase(
        sha256(new TextEncoder().encode(accessToken))
    );

    let tokenItem: ResourceAccessToken | undefined;
    let resource: Resource | undefined;

    if (!accessTokenId) {
        const [res] = await db
            .select()
            .from(resourceAccessToken)
            .where(and(eq(resourceAccessToken.tokenHash, accessTokenHash)))
            .innerJoin(
                resources,
                eq(resourceAccessToken.resourceId, resources.resourceId)
            );

        tokenItem = res?.resourceAccessToken;
        resource = res?.resources;
    } else {
        const [res] = await db
            .select()
            .from(resourceAccessToken)
            .where(and(eq(resourceAccessToken.accessTokenId, accessTokenId)))
            .innerJoin(
                resources,
                eq(resourceAccessToken.resourceId, resources.resourceId)
            );

        if (res && res.resourceAccessToken) {
            if (res.resourceAccessToken.tokenHash?.startsWith("$argon")) {
                const validCode = await verifyPassword(
                    accessToken,
                    res.resourceAccessToken.tokenHash
                );

                if (!validCode) {
                    return {
                        valid: false,
                        error: "Invalid access token"
                    };
                }
            } else {
                const tokenHash = encodeHexLowerCase(
                    sha256(new TextEncoder().encode(accessToken))
                );

                if (res.resourceAccessToken.tokenHash !== tokenHash) {
                    return {
                        valid: false,
                        error: "Invalid access token"
                    };
                }
            }
        }

        tokenItem = res?.resourceAccessToken;
        resource = res?.resources;
    }

    if (!tokenItem || !resource) {
        return {
            valid: false,
            error: "Access token does not exist for resource"
        };
    }

    if (
        tokenItem.expiresAt &&
        !isWithinExpirationDate(new Date(tokenItem.expiresAt))
    ) {
        return {
            valid: false,
            error: "Access token has expired"
        };
    }

    if (resourceId && resource.resourceId !== resourceId) {
        return {
            valid: false,
            error: "Resource ID does not match"
        };
    }

    return {
        valid: true,
        tokenItem,
        resource
    };
}
allow access token in resource url 2025-01-11 19:47:07 -05:00			`import db from "@server/db";`
			`import {`
			`Resource,`
			`ResourceAccessToken,`
			`resourceAccessToken,`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`resources`
move schema.ts to module 2025-03-23 17:11:48 -04:00			`} from "@server/db/schemas";`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`import { and, eq } from "drizzle-orm";`
			`import { isWithinExpirationDate } from "oslo";`
			`import { verifyPassword } from "./password";`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`import { encodeHexLowerCase } from "@oslojs/encoding";`
			`import { sha256 } from "@oslojs/crypto/sha2";`

add pass access token in headers 2025-04-05 22:28:47 -04:00			`export async function verifyResourceAccessToken({`
			`accessToken,`
check resource id on verify access token 2025-04-06 13:08:55 -04:00			`accessTokenId,`
			`resourceId`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`}: {`
			`accessToken: string;`
add pass access token in headers 2025-04-05 22:28:47 -04:00			`accessTokenId?: string;`
check resource id on verify access token 2025-04-06 13:08:55 -04:00			`resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`}): Promise<{`
			`valid: boolean;`
			`error?: string;`
			`tokenItem?: ResourceAccessToken;`
			`resource?: Resource;`
			`}> {`
			`const accessTokenHash = encodeHexLowerCase(`
			`sha256(new TextEncoder().encode(accessToken))`
			`);`

add pass access token in headers 2025-04-05 22:28:47 -04:00			`let tokenItem: ResourceAccessToken \| undefined;`
			`let resource: Resource \| undefined;`
shorten share links and add migration 2025-04-04 22:58:01 -04:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`if (!accessTokenId) {`
			`const [res] = await db`
			`.select()`
			`.from(resourceAccessToken)`
			`.where(and(eq(resourceAccessToken.tokenHash, accessTokenHash)))`
			`.innerJoin(`
			`resources,`
			`eq(resourceAccessToken.resourceId, resources.resourceId)`
			`);`
shorten share links and add migration 2025-04-04 22:58:01 -04:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`tokenItem = res?.resourceAccessToken;`
			`resource = res?.resources;`
			`} else {`
			`const [res] = await db`
			`.select()`
			`.from(resourceAccessToken)`
			`.where(and(eq(resourceAccessToken.accessTokenId, accessTokenId)))`
			`.innerJoin(`
			`resources,`
			`eq(resourceAccessToken.resourceId, resources.resourceId)`
			`);`
shorten share links and add migration 2025-04-04 22:58:01 -04:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`if (res && res.resourceAccessToken) {`
			`if (res.resourceAccessToken.tokenHash?.startsWith("$argon")) {`
			`const validCode = await verifyPassword(`
			`accessToken,`
			`res.resourceAccessToken.tokenHash`
			`);`
allow access token in resource url 2025-01-11 19:47:07 -05:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`if (!validCode) {`
			`return {`
			`valid: false,`
			`error: "Invalid access token"`
			`};`
			`}`
			`} else {`
			`const tokenHash = encodeHexLowerCase(`
			`sha256(new TextEncoder().encode(accessToken))`
			`);`
allow access token in resource url 2025-01-11 19:47:07 -05:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`if (res.resourceAccessToken.tokenHash !== tokenHash) {`
			`return {`
			`valid: false,`
			`error: "Invalid access token"`
			`};`
			`}`
			`}`
			`}`
allow access token in resource url 2025-01-11 19:47:07 -05:00
add pass access token in headers 2025-04-05 22:28:47 -04:00			`tokenItem = res?.resourceAccessToken;`
			`resource = res?.resources;`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`}`

add pass access token in headers 2025-04-05 22:28:47 -04:00			`if (!tokenItem \|\| !resource) {`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`return {`
			`valid: false,`
add pass access token in headers 2025-04-05 22:28:47 -04:00			`error: "Access token does not exist for resource"`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`};`
			`}`

			`if (`
			`tokenItem.expiresAt &&`
			`!isWithinExpirationDate(new Date(tokenItem.expiresAt))`
			`) {`
			`return {`
			`valid: false,`
			`error: "Access token has expired"`
			`};`
			`}`

check resource id on verify access token 2025-04-06 13:08:55 -04:00			`if (resourceId && resource.resourceId !== resourceId) {`
			`return {`
			`valid: false,`
			`error: "Resource ID does not match"`
			`};`
			`}`

allow access token in resource url 2025-01-11 19:47:07 -05:00			`return {`
			`valid: true,`
add pass access token in headers 2025-04-05 22:28:47 -04:00			`tokenItem,`
			`resource`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`};`
			`}`