

feat(api): check if access token is revoked in authentication process
EmmanuelleBonnemay committed Jan 29, 2025
1 parent 50cece4 commit 3f62d1c
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion api/lib/infrastructure/authentication.js
@@ -1,6 +1,7 @@
import boom from '@hapi/boom';
import lodash from 'lodash';

import * as revokedUserAccessRepository from '../../src/identity-access-management/infrastructure/repositories/revoked-user-access.repository.js';
import { getForwardedOrigin } from '../../src/identity-access-management/infrastructure/utils/network.js';
import { config } from '../../src/shared/config.js';
import { tokenService } from '../../src/shared/domain/services/token-service.js';
Expand Down Expand Up @@ -88,9 +89,14 @@ async function _checkIsAuthenticated(request, h, { key, validate }) {
return boom.unauthorized();
}

const userId = decodedAccessToken.user_id;
// Only tokens including user_id are User Access Tokens.
// This is why applications Access Tokens are not subject to audience validation for now.
if (decodedAccessToken.user_id && config.featureToggles.isUserTokenAudConfinementEnabled) {
if (config.featureToggles.isUserTokenAudConfinementEnabled && userId) {
const revokedUserAccess = await revokedUserAccessRepository.findByUserId(userId);
if (revokedUserAccess.isAccessTokenRevoked(decodedAccessToken)) {
return boom.unauthorized();
}
const audience = getForwardedOrigin(request.headers);
if (decodedAccessToken.aud !== audience) {
return boom.unauthorized();
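Review bot: The new revocation check is only reached when `config.featureToggles.isUserTokenAudConfinementEnabled` is on, because it sits inside the audience-confinement branch, so a revoked user access token is still accepted on every deployment where that toggle is off, while the commit message presents the check as part of the authentication process itself. Unless the coupling is a deliberate rollout gate (in which case a comment should say so), the revocation lookup belongs in its own `if (userId)` block ahead of the audience branch, as below. The page does not show what `findByUserId` returns when no revocation record exists for the user; if it can return `null`/`undefined`, `revokedUserAccess.isAccessTokenRevoked(...)` throws and the request fails with a 500 rather than a clean 401, which is worth confirming against the repository. The comment above the branch should also be updated, since it now explains why both the revocation and the audience checks apply to user tokens only. `_checkIsAuthenticated` begins before this hunk and its remaining body continues after it.
```javascript
const userId = decodedAccessToken.user_id;
// Only tokens including user_id are User Access Tokens: the revocation and
// audience checks below apply to them only, not to application Access Tokens.
if (userId) {
  const revokedUserAccess = await revokedUserAccessRepository.findByUserId(userId);
  if (revokedUserAccess.isAccessTokenRevoked(decodedAccessToken)) {
    return boom.unauthorized();
  }
}
if (config.featureToggles.isUserTokenAudConfinementEnabled && userId) {
  // … unchanged: audience validation …
```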

