From 8cf813ff033bbc98a7dd40db6ac11e2e35c7e997 Mon Sep 17 00:00:00 2001
From: mia
Date: Sat, 8 Jun 2024 22:56:05 -0700
Subject: initial commit
---
nginx/nginx.js | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 nginx/nginx.js
(limited to 'nginx/nginx.js')
diff --git a/nginx/nginx.js b/nginx/nginx.js
new file mode 100644
index 0000000..03b2dae
--- /dev/null
+++ b/nginx/nginx.js
@@ -0,0 +1,49 @@
+/** @type {import('./nginx.d.ts')} */
+
+/** @param {NginxHTTPRequest} request */
+async function validate(request) {
+ if (request.status !== 0) return;
+
+ const token = request.variables.cookie___proxy_token;
+
+ if (token == undefined) {
+ // missing token
+ request.return(401);
+ return;
+ }
+
+ const cache = ngx.shared.auth_token_cache;
+ if (cache === undefined) throw "missing shared js cache";
+
+ const requiredScope = request.variables.required_scope;
+ if (requiredScope === undefined) throw "missing required scope variable";
+
+ let scopes = cache.get(token);
+
+ if (scopes === undefined) {
+ const subrequest = await request.subrequest(`/.nginx/scopes`, {
+ args: `token=${token}`
+ });
+
+ if (subrequest.status !== 200) {
+ // invalid token
+ return request.return(401);
+ }
+
+ scopes = subrequest.responseText.split("\n");
+
+ cache.set(token, scopes.join(","));
+ } else {
+ scopes = scopes.split(",");
+ }
+
+ if (scopes.indexOf(requiredScope) === -1) {
+ return request.return(403);
+ }
+
+ return request.return(200);
+}
+
+export default {
+ validate,
+}
-- 
cgit 1.4.1
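Review bot: The `__proxy_token` cookie value is interpolated unencoded into the subrequest query string in the `args` template inside `validate`, so a value containing `&`, `=` or `%` is not delivered to `/.nginx/scopes` as one opaque token; use `encodeURIComponent(token)` in place of `token` inside that template. The `cache.set(token, scopes.join(","))` call sets no expiry of its own, so how long a revoked token keeps its cached scopes depends on the `auth_token_cache` zone configuration, which is not visible in this hunk; a comment stating the intended lifetime would help. Splitting `responseText` on `"\n"` also keeps an empty entry when the response ends with a newline, and that entry would satisfy the `indexOf` check if `required_scope` is ever set to an empty string. Guarding with `if (!requiredScope) throw ...` or filtering empty entries before the comparison keeps that case failing closed.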