function decryptToken(params){
/* var key = Buffer.from(params.serverKey, 'hex');
var keyWords = CryptoJS.lib.WordArray.create(key);
var base64 = base64url.toBase64(params.bearer);
var decoded = CryptoJS.enc.Base64.parse(base64);
var iv = Buffer.alloc(16);
for (var i = 0 ; i < 4 ; i++) {
var currentBuffer = Buffer.from(decoded.words[i].toString(16).match(/../g).map(s=>parseInt(s, 16)));
for (var x = 0 ; x < 4 ; x ++) {
iv[i*4 + x] = currentBuffer[x];
}*/
var token = params.bearer;
var base64Secret = base64url.toBase64(params.serverKey);
var secret = new Buffer(base64Secret, "base64");
try {
var decoded = jwt.verify(
token,
secret);
} catch(err) {
console.log(err);
}
if(!decoded) {
decoded = jwt.decode(token);
}
var token;
try{
token=JSON.parse(CryptoJS.enc.Utf8.stringify(decoded));
}catch(e){
}
return token;
}
function jwsRS256Verify(header, payload, publicKey, signature) {
const verifier = crypto.createVerify('RSA-SHA256');
const securedInput = jwsSecuredInput(header, payload);
signature = base64url.toBase64(signature);
verifier.update(securedInput);
return verifier.verify(publicKey, signature, 'base64');
}
return function verify(thing, signature, publicKey) {
if (!bufferOrString(publicKey))
throw typeError(MSG_INVALID_KEY);
thing = normalizeInput(thing);
signature = base64url.toBase64(signature);
const verifier = crypto.createVerify('RSA-SHA' + bits);
verifier.update(thing);
return verifier.verify(publicKey, signature, 'base64');
}
CallConnector.prototype.getSecretForKey = function (keyId) {
for (var i = 0; i < cachedKeys.length; i++) {
if (cachedKeys[i].kid == keyId) {
var jwt = cachedKeys[i];
var modulus = base64url.toBase64(jwt.n);
var exponent = jwt.e;
return getPem(modulus, exponent);
}
}
return null;
};
OpenIdMetadata.prototype.findKey = function (keyId) {
if (!this.keys) {
return null;
}
for (var i = 0; i < this.keys.length; i++) {
if (this.keys[i].kid == keyId) {
var key = this.keys[i];
if (!key.n || !key.e) {
return null;
}
var modulus = base64url.toBase64(key.n);
var exponent = key.e;
return { key: getPem(modulus, exponent), endorsements: key.endorsements };
}
}
return null;
};
return function (req, res, next) {
res.set('Cache-Control', 'no-cache');
logger.info({ user: req.user ? req.user._json : undefined }, 'sharelock access request');
if (req.user && req.user.provider !== 'twitter' && !req.user._json.email_verified) {
return res.render('invalid', { details: 'Your e-mail has not been verified'});
}
var request_keys;
try {
request_keys = ensure_key(req.params[0]);
}
catch (e) {
return res.render('invalid', { details: 'For security reasons this sharelock is no longer supported.'});
}
var resource = req.params[1].replace(/\//g, '');
var tokens = resource.split('.');
if (tokens.length !== 3 || tokens[0].length === 0 || tokens[1].length === 0 || tokens[2].length === 0)
return res.render('invalid', { details: 'The URL is malformed and cannot be processed.'});
try {
tokens[0] = base64url.toBase64(tokens[0]); // signature
tokens[1] = new Buffer(base64url.toBase64(tokens[1]), 'base64'); // encrypted data
tokens[2] = new Buffer(base64url.toBase64(tokens[2]), 'base64'); // iv
var signature = crypto.createHmac('sha256', request_keys.signature_key).update(tokens[1]).update(tokens[2]).digest('base64');
if (!cryptiles.fixedTimeComparison(signature, tokens[0]))
throw null;
}
catch (e) {
return res.render('invalid', { details: 'Signature verification failed: the data could have been tampered with.'});
}
try {
var cipher = crypto.createDecipheriv('aes-256-ctr', request_keys.encryption_key, tokens[2]);
var plaintext = cipher.update(tokens[1], 'base64', 'utf8') + cipher.final('utf8');
resource = JSON.parse(plaintext);
if (!resource || typeof resource !== 'object' || typeof resource.d !== 'string'
|| !Array.isArray(resource.a))
throw null;
}
catch (e) {
return res.render('invalid', { details: 'Encrypted data is malformed.' });
}
var allowed;
var email = get_email(req.user);
var twitter;
var email_domains = {};
for (var i in resource.a) {
var acl = resource.a[i];
if (acl.k === 'g') {
if (email && normalize_gmail(email) === acl.v) {
allowed = true;
} else {
email_domains[acl.v.substring(acl.v.indexOf('@'))] = 1;
}
}
else if (acl.k === 'e') {
if (email === acl.v) {
allowed = true;
}
else {
email_domains[acl.v.substring(acl.v.indexOf('@'))] = 1;
}
}
else if (acl.k === 'd') {
if (email && email.indexOf(acl.v, email.length - acl.v.length) !== -1) {
allowed = true;
}
else {
email_domains[acl.v] = 1;
}
}
else if (acl.k === 't') {
if (req.user && req.user.provider === 'twitter' && req.user._json.screen_name.toLowerCase() === acl.v) {
allowed = true;
}
else {
twitter = true;
}
}
if (allowed) break;
}
if (allowed) {
var model = {
data: resource.d,
user: req.user,
provider: provider_friendly_name[req.user.provider] || req.user.provider,
logout_url: '/logout'
};
res.render('data', model);
}
else {
email_domains = Object.getOwnPropertyNames(email_domains);
var model = {
auth0_client_id: process.env.AUTH0_CLIENT_ID,
auth0_domain: process.env.AUTH0_DOMAIN,
auth0_callback: process.env.AUTH0_CALLBACK,
user: req.user,
email: req.user ? get_email(req.user) : undefined,
providers: get_provider_config(twitter, email_domains, req.user ? req.user.provider : undefined),
allow_twitter: twitter,
allow_domains: email_domains,
provider: req.user ? (provider_friendly_name[req.user.provider] || req.user.provider) : undefined,
logout_url: '/logout?r=' + req.originalUrl,
provider_friendly_name: provider_friendly_name
};
req.session.bookmark = req.originalUrl;
res.render('login', model);
}
};