From 2877dac9374ac4509615dd0d4df5246b82cea3bd Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Wed, 16 Mar 2022 21:37:26 +0200
Subject: [PATCH] jwt bearer

---
 src/middleware.ts | 18 ++++++++++++++++++
 src/model/model.ts | 19 +++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/src/middleware.ts b/src/middleware.ts
index f2cd9a0..e2245da 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -25,6 +25,9 @@ export const middleware = wrap(async function (req: Request, res, next) {
 'Bearer token parsed from authorization header:',
 token
 );
+ } else if (req.headers['x-access-token']) {
+ token = req.headers['x-access-token'];
+ req.oauth2.logger.debug('Bearer token parsed from x-access-token:', token);
 } else if (req.query?.access_token) {
 token = req.query.access_token;
 req.oauth2.logger.debug('Bearer token parsed from query params:', token);
@@ -35,6 +38,21 @@ export const middleware = wrap(async function (req: Request, res, next) {
 throw new AccessDenied('Bearer token not found');
 }
 
+ if (req.oauth2.model.jwt) {
+ if (req.oauth2.model.jwt.isIdToken(token)) {
+ const valid = await req.oauth2.model.jwt.validateIdToken(token);
+ if (!valid) {
+ throw new AccessDenied('Invalid or expired ID token');
+ }
+
+ const bearer = await req.oauth2.model.jwt.convertIdTokenToBearer(token);
+ res.locals.accessToken = bearer;
+ res.locals.idToken = token;
+ req.oauth2.logger.debug('IdToken fetched', bearer);
+ return next();
+ }
+ }
+
 // Try to fetch access token
 const object = await req.oauth2.model.accessToken.fetchByToken(token);
 if (!object) {
diff --git a/src/model/model.ts b/src/model/model.ts
index 1e6ba76..452fa53 100644
--- a/src/model/model.ts
+++ b/src/model/model.ts
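Review bot: `token = req.headers['x-access-token'];` assigns a value that Express's `Request` (if that is the `Request` imported here) types as `string | string[] | undefined`, so a request carrying the header twice hands an array on to `isIdToken`/`fetchByToken` as if it were a string. Narrow in the condition rather than relying on truthiness, `} else if (typeof req.headers['x-access-token'] === 'string') {`, so repeated headers fall through to the later branches or the `Bearer token not found` rejection instead of being passed downstream. The new debug line, like the two existing branches around it, writes the raw credential to the log; logging only that a token was found in `x-access-token` would keep bearer secrets out of log output. The enclosing `middleware` function starts and ends outside this hunk.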
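Review bot: The ID-token branch stores the result of `convertIdTokenToBearer(token)` in `res.locals.accessToken` and calls `return next()` immediately, so it never reaches whatever the regular path does after `fetchByToken` (the `if (!object)` check is visible, anything after it is outside this hunk); unless the adapter contract guarantees the converted bearer is already expiry- and scope-checked, the two token kinds end up authorized under different rules. A safer shape is to let the conversion produce `object` and then fall into the common checks, so one code path decides whether a bearer is acceptable. `req.oauth2.logger.debug('IdToken fetched', bearer)` also logs the whole converted credential object; log a stable identifier from it instead. The `convertIdTokenToBearer` result is also never checked for `null`/`undefined` before being handed to `next()`.
```typescript
let object;
if (req.oauth2.model.jwt?.isIdToken(token)) {
  const valid = await req.oauth2.model.jwt.validateIdToken(token);
  if (!valid) {
    throw new AccessDenied('Invalid or expired ID token');
  }
  object = await req.oauth2.model.jwt.convertIdTokenToBearer(token);
  res.locals.idToken = token;
} else {
  // Try to fetch access token
  object = await req.oauth2.model.accessToken.fetchByToken(token);
}
if (!object) {
// … unchanged: rejection and the post-fetch checks that follow …
```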
@@ -329,6 +329,25 @@ export interface JWTAdapter {
 scope: string[],
 nonce?: string
 ) => Promise;
+
+ /**
+ * Is the input an ID token or not
+ * @param token Token to check
+ */
+ isIdToken: (token: string) => boolean;
+
+ /**
+ * Check the validity of an ID token
+ * @param token JWT token from user
+ */
+ validateIdToken: (token: string) => Promise;
+
+ /**
+ * In order to use the Bearer middleware with ID tokens,
+ * we have to convert it into a common format.
+ * @param token A valid JWT token
+ */
+ convertIdTokenToBearer: (token: string) => Promise;
 }
 
 /**
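Review bot: The new `JWTAdapter` members are documented too loosely for how the middleware relies on them: `isIdToken` is synchronous and sits next to a separate `validateIdToken`, so it is presumably a format check only, and its comment should say so, e.g. `* Structural check only (does not verify the signature); use validateIdToken for that.` `validateIdToken`'s comment should state what "validity" covers (signature, expiry, issuer, audience, nonce if applicable), since the middleware turns a `false` into `AccessDenied('Invalid or expired ID token')` and callers will trust that message. `convertIdTokenToBearer` should document the shape it returns and whether expiry and scope are carried over, because the middleware stores the result directly as `res.locals.accessToken` without further checks. The three return types read as bare `Promise;` here; if that is not an extraction artifact of this page, they need their type arguments (`Promise<boolean>` for `validateIdToken` at minimum) to compile under strict settings.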