fosrl.pangolin/server/auth/verifyResourceAccessToken.ts

import db from "@server/db";
import {
    Resource,
    ResourceAccessToken,
    resourceAccessToken,
    resources
} from "@server/db/schemas";
import { and, eq } from "drizzle-orm";
import { isWithinExpirationDate } from "oslo";
import { verifyPassword } from "./password";
import { encodeHexLowerCase } from "@oslojs/encoding";
import { sha256 } from "@oslojs/crypto/sha2";

export async function verifyResourceAccessTokenSHA256({
    accessToken
}: {
    accessToken: string;
}): Promise<{
    valid: boolean;
    error?: string;
    tokenItem?: ResourceAccessToken;
    resource?: Resource;
}> {
    const accessTokenHash = encodeHexLowerCase(
        sha256(new TextEncoder().encode(accessToken))
    );

    const [res] = await db
        .select()
        .from(resourceAccessToken)
        .where(and(eq(resourceAccessToken.tokenHash, accessTokenHash)))
        .innerJoin(
            resources,
            eq(resourceAccessToken.resourceId, resources.resourceId)
        );

    const tokenItem = res?.resourceAccessToken;
    const resource = res?.resources;

    if (!tokenItem || !resource) {
        return {
            valid: false,
            error: "Access token does not exist for resource"
        };
    }

    if (
        tokenItem.expiresAt &&
        !isWithinExpirationDate(new Date(tokenItem.expiresAt))
    ) {
        return {
            valid: false,
            error: "Access token has expired"
        };
    }

    return {
        valid: true,
        tokenItem,
        resource
    };
}

export async function verifyResourceAccessToken({
    resource,
    accessTokenId,
    accessToken
}: {
    resource: Resource;
    accessTokenId: string;
    accessToken: string;
}): Promise<{
    valid: boolean;
    error?: string;
    tokenItem?: ResourceAccessToken;
}> {
    const [result] = await db
        .select()
        .from(resourceAccessToken)
        .where(
            and(
                eq(resourceAccessToken.resourceId, resource.resourceId),
                eq(resourceAccessToken.accessTokenId, accessTokenId)
            )
        )
        .limit(1);

    const tokenItem = result;

    if (!tokenItem) {
        return {
            valid: false,
            error: "Access token does not exist for resource"
        };
    }

    const validCode = await verifyPassword(accessToken, tokenItem.tokenHash);

    if (!validCode) {
        return {
            valid: false,
            error: "Invalid access token"
        };
    }

    if (
        tokenItem.expiresAt &&
        !isWithinExpirationDate(new Date(tokenItem.expiresAt))
    ) {
        return {
            valid: false,
            error: "Access token has expired"
        };
    }

    return {
        valid: true,
        tokenItem
    };
}
allow access token in resource url 2025-01-11 19:47:07 -05:00			`import db from "@server/db";`
			`import {`
			`Resource,`
			`ResourceAccessToken,`
			`resourceAccessToken,`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`resources`
move schema.ts to module 2025-03-23 17:11:48 -04:00			`} from "@server/db/schemas";`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`import { and, eq } from "drizzle-orm";`
			`import { isWithinExpirationDate } from "oslo";`
			`import { verifyPassword } from "./password";`
shorten share links and add migration 2025-04-04 22:58:01 -04:00			`import { encodeHexLowerCase } from "@oslojs/encoding";`
			`import { sha256 } from "@oslojs/crypto/sha2";`

			`export async function verifyResourceAccessTokenSHA256({`
			`accessToken`
			`}: {`
			`accessToken: string;`
			`}): Promise<{`
			`valid: boolean;`
			`error?: string;`
			`tokenItem?: ResourceAccessToken;`
			`resource?: Resource;`
			`}> {`
			`const accessTokenHash = encodeHexLowerCase(`
			`sha256(new TextEncoder().encode(accessToken))`
			`);`

			`const [res] = await db`
			`.select()`
			`.from(resourceAccessToken)`
			`.where(and(eq(resourceAccessToken.tokenHash, accessTokenHash)))`
			`.innerJoin(`
			`resources,`
			`eq(resourceAccessToken.resourceId, resources.resourceId)`
			`);`

			`const tokenItem = res?.resourceAccessToken;`
			`const resource = res?.resources;`

			`if (!tokenItem \|\| !resource) {`
			`return {`
			`valid: false,`
			`error: "Access token does not exist for resource"`
			`};`
			`}`

			`if (`
			`tokenItem.expiresAt &&`
			`!isWithinExpirationDate(new Date(tokenItem.expiresAt))`
			`) {`
			`return {`
			`valid: false,`
			`error: "Access token has expired"`
			`};`
			`}`

			`return {`
			`valid: true,`
			`tokenItem,`
			`resource`
			`};`
			`}`
allow access token in resource url 2025-01-11 19:47:07 -05:00
			`export async function verifyResourceAccessToken({`
			`resource,`
			`accessTokenId,`
			`accessToken`
			`}: {`
			`resource: Resource;`
			`accessTokenId: string;`
			`accessToken: string;`
			`}): Promise<{`
			`valid: boolean;`
			`error?: string;`
			`tokenItem?: ResourceAccessToken;`
			`}> {`
			`const [result] = await db`
			`.select()`
			`.from(resourceAccessToken)`
			`.where(`
			`and(`
			`eq(resourceAccessToken.resourceId, resource.resourceId),`
			`eq(resourceAccessToken.accessTokenId, accessTokenId)`
			`)`
			`)`
			`.limit(1);`

			`const tokenItem = result;`

			`if (!tokenItem) {`
			`return {`
			`valid: false,`
			`error: "Access token does not exist for resource"`
			`};`
			`}`

			`const validCode = await verifyPassword(accessToken, tokenItem.tokenHash);`

			`if (!validCode) {`
			`return {`
			`valid: false,`
			`error: "Invalid access token"`
			`};`
			`}`

			`if (`
			`tokenItem.expiresAt &&`
			`!isWithinExpirationDate(new Date(tokenItem.expiresAt))`
			`) {`
			`return {`
			`valid: false,`
			`error: "Access token has expired"`
			`};`
			`}`

			`return {`
			`valid: true,`
			`tokenItem`
			`};`
			`}`