const express = require('express')
const router = express.Router()
const fetch = require('node-fetch')
const url = require('url')
const qs = require('querystring')
const introspect = (req, res, next) => {
const body = qs.stringify({ token: req.get('Authorization').replace(/bearer\s/gi, '') })
return fetch(process.env.OAUTH2_INTROSPECT_URL, {
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': body.length
},
method: 'POST', body
})
.then(res => res.ok ? res.json() : Promise.reject(new Error(res.statusText)))
.then(body => {
if (!body.active) {
return next(new Error('Bearer token is not active'))
} else if (body.token_type && body.token_type !== 'access_token') {
// ORY Hydra also returns the token type (access_token or refresh_token). Other server's don't do that
// but it will help us to make sure to only accept access tokens here, not refresh tokens
return next(new Error('Bearer token is not an access token'))
}
req.user = body
next()
})
.catch(err => next(err))
}
/**
 * GET /
 *
 * Protected resource: `introspect` runs first, so this handler is only reached
 * when the Bearer token was found to be an active access token. The full
 * introspection response stored on `req.user` is echoed back to the caller
 * under the `user` key.
 */
router.get('/', introspect, function servePost (req, res) {
  const post = {
    title: 'What an incredible blog post!',
    content: 'This blog post is so interesting, wow! By the way, you have full privileges to read this content as the request has been authorized. Isn\'t that just great? We\'ve even included the user data from the request here! Amazing!',
    author: 'Aeneas Rekkas',
    user: req.user
  }
  res.json(post)
})

module.exports = router