Pass custom domain into the service client token generation.
wparad committed Mar 1, 2023
1 parent a5cb71b commit d951f0d
Showing 6 changed files with 12 additions and 7 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ This is the changelog for [Authress SDK](readme.md).
* Enable passing just the access token as a string to `AuthressClient`.
* Fix the issuer path for service client tokens to include the accountId when the custom domain is not specified. The default issuer is converted from `api.authress.io` to `accountId.api.authress.io`. if this fallback issuer domain was specified in your authorizer, upgrading this library without changing your defined issuer, which prevent future access.
* Add automatic retries to all requests.
* Fix service client token generated tokens so that they automatically get the custom domain injected in during using in the SDK.

## 1.3 ##
* Add new `Pagination` type which pagination `next.cursor` to enable paging through resources.
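Review bot: The added entry ("Fix service client token generated tokens ...") does not state that the `iss` claim of generated tokens changes when the SDK is configured with a custom domain, and the phrase "injected in during using in the SDK" is hard to parse. The entry two lines above it already warns that an issuer change can cut off access for an authorizer pinned to the old value, and this change has the same effect for anyone who pinned `accountId.api.authress.io` while calling through a custom domain. Suggest rewording to say that the custom domain from the client settings is now used as the token issuer when the provider was created without one, and to name what a pinned authorizer has to update.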
2 changes: 1 addition & 1 deletion index.d.ts
Expand Up @@ -1368,7 +1368,7 @@ export class ServiceClientTokenProvider {
* Generate the url to redirect the user back to your application from your authentication server after their credentials have been successfully verified. All these parameters should be found passed through from the user's login attempt along with their credentials. The authentication server receives a request from the user to login, with these values. Then these are constructed and sent back to Authress to verify the generated login data.
* @summary Generate the url to redirect the user back to your application from your authentication server after their credentials have been successfully verified.
* @type {Function<Promise<string>>}
* @param {string} authressCustomDomainLoginUrl The url sent with the request for the user to login, this should match the Authress custom domain: https://authress.io/app/#/setup?focus=domain and end in /login for example https://login.domain.com/login. This value is sent as the `redirect_uri` query string parameter in the request for simplicity.
* @param {string} authressCustomDomainLoginUrl The url sent with the request for the user to login, this should match the Authress custom domain: https://authress.io/app/#/setup?focus=domain and end in /login for example https://login.domain.com/login. This value is sent as the `redirect_uri` query string parameter in the request and should be passed directly into the SDK for simplicity. Avoid trying to manually construct this url.
* @param {string} state The state parameter sent to the authentication server.
* @param {string} clientId The clientId parameter sent to the authentication server. This will be validated against the client's credentials specified in the {@link ServiceClientTokenProvider}
* @param {string} userId The user to request a JWT for.
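Review bot: The reworded `@param {string} authressCustomDomainLoginUrl` line is the only change to index.d.ts, while src/httpClient.js in the same commit starts calling `this.tokenProvider(this.baseUrl)` and `this.tokenProvider.getToken(this.baseUrl)`. If the declarations for `getToken` and for a function-style token provider still take no arguments, add the optional parameter here so the typings match the runtime contract. On the doc text itself, "Avoid trying to manually construct this url" gives the instruction without the reason; one clause on what fails when the value differs from the received `redirect_uri` would make it actionable.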
2 changes: 1 addition & 1 deletion index.js
Expand Up @@ -14,7 +14,7 @@ const ServiceClientTokenProvider = require('./src/serviceClientTokenProvider');
class AuthressClient {
constructor(settings, tokenProvider) {
this.settings = settings || {};
this.tokenProvider = (tokenProvider && typeof tokenProvider === 'string') ? new ServiceClientTokenProvider(tokenProvider) : tokenProvider;
this.tokenProvider = typeof tokenProvider === 'string' ? new ServiceClientTokenProvider(tokenProvider, this.settings.baseUrl) : tokenProvider;

this.httpClient = new httpClient(this.settings.baseUrl, this.tokenProvider);
this.accessRecords = new AccessRecordsApi(this.httpClient);
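Review bot: On the changed `this.tokenProvider = ...` line, `this.settings.baseUrl` is passed as the second constructor argument, which src/serviceClientTokenProvider.js names `authressCustomDomain` and uses as the first operand of the `iss` expression, so it never goes through the `/authress\.io/` filter this commit applies to the fallback value. Unless `getIssuer` already handles that case, a `baseUrl` on an Authress-hosted domain becomes the issuer, which the comment in that file says must not happen. Apply the same check before passing it, or route it only through the fallback path. Dropping the `tokenProvider &&` guard also means an empty string now constructs a provider from an empty access key instead of being left as is; reject that input explicitly.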
2 changes: 1 addition & 1 deletion src/httpClient.js
Expand Up @@ -32,7 +32,7 @@ class HttpClient {
const client = axios.create({ baseURL: this.baseUrl });

client.interceptors.request.use(async config => {
const token = await (typeof this.tokenProvider === 'function' ? this.tokenProvider() : this.tokenProvider.getToken());
const token = await (typeof this.tokenProvider === 'function' ? this.tokenProvider(this.baseUrl) : this.tokenProvider.getToken(this.baseUrl));
config.headers = {
...config.headers,
Authorization: `Bearer ${token}`
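Review bot: On the changed `const token = await ...` line, a caller-supplied function token provider is now invoked with `this.baseUrl` as its first argument, a contract change that neither the CHANGELOG entry nor the index.d.ts hunk documents. `this.baseUrl` can also be undefined when `settings.baseUrl` is not set (index.js defaults `settings` to `{}`). The bundled provider tolerates a falsy fallback, but document the argument as optional so custom providers do not start depending on it being present.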
8 changes: 6 additions & 2 deletions src/serviceClientTokenProvider.js
Expand Up @@ -14,15 +14,19 @@ module.exports = function(accessKey, authressCustomDomain) {
audience: `${accountId}.accounts.authress.io`, privateKey: accessKey.split('.')[3]
};

const innerGetToken = async () => {
// Injects the custom domain in case the original service provider wasn't specified with it initially
const innerGetToken = async fallbackAuthressCustomDomain => {
if (this.cachedKeyData && this.cachedKeyData.token && this.cachedKeyData.expires > Date.now() + 3600000) {
return this.cachedKeyData.token;
}

// Do not set the issuer to be ${accountId}.api-region.authress.io it should always be set as the authress custom domain, the custom domain, or the generic api.authress.io one
const useFallbackAuthressCustomDomain = fallbackAuthressCustomDomain && !fallbackAuthressCustomDomain.match(/authress\.io/);

const now = Math.round(Date.now() / 1000);
const jwt = {
aud: decodedAccessKey.audience,
iss: getIssuer(authressCustomDomain || `${accountId}.api.authress.io`, decodedAccessKey),
iss: getIssuer(authressCustomDomain || useFallbackAuthressCustomDomain && fallbackAuthressCustomDomain || `${accountId}.api.authress.io`, decodedAccessKey),
sub: decodedAccessKey.clientId,
iat: now,
// valid for 24 hours
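Review bot: `fallbackAuthressCustomDomain.match(/authress\.io/)` is an unanchored, case-sensitive substring test on whatever string the caller passes, so a custom domain or URL that merely contains `authress.io` in a label or path is treated as Authress-hosted and silently skipped, while a differently cased Authress host is accepted as custom. Parse the host and compare its suffix against `.authress.io` instead. Two further points in this hunk: the cache check at the top of `innerGetToken` returns before the fallback is looked at, so a provider shared between clients with different base URLs keeps returning a token whose `iss` was fixed by the first call; and the `iss` expression mixes `||` and `&&` without parentheses, which is correct by precedence but easy to misread, so parenthesise the `&&` term.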
4 changes: 2 additions & 2 deletions tests/serviceClientTokenProvider.test.js
Expand Up @@ -9,7 +9,7 @@ beforeEach(() => { sandbox = sinon.createSandbox(); });
afterEach(() => sandbox.restore());

describe('serviceClientTokenProvider.js', () => {
describe('getToken', () => {
describe('tokenProvider as a function itself', () => {
it('Validate cache tokens work', async () => {
const accessKey = 'SC|uEsXtFNjUbf1LEgAGeUhC3.uDeF.a43706ca-9647-40e4-aeae-7dcaa54bbab3.MC4CAQAwBQYDK2VwBCIEIE99LFw2c3DCiYwrY/Qkg1nIDiagoHtdCwb88RxarVYA';
const tokenProvider = new ServiceClientTokenProvider(accessKey);
Expand All @@ -19,7 +19,7 @@ describe('serviceClientTokenProvider.js', () => {
});
});

describe('getToken() function', () => {
describe('getToken() function property', () => {
it('Validate cache tokens work', async () => {
const accessKey = 'SC|uEsXtFNjUbf1LEgAGeUhC3.uDeF.a43706ca-9647-40e4-aeae-7dcaa54bbab3.MC4CAQAwBQYDK2VwBCIEIE99LFw2c3DCiYwrY/Qkg1nIDiagoHtdCwb88RxarVYA';
const tokenProvider = new ServiceClientTokenProvider(accessKey);
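Review bot: No test covers the fallback-domain behaviour this commit adds; both hunks in this file only rename `describe` blocks, and both cases still construct the provider with `new ServiceClientTokenProvider(accessKey)` and no domain. Add cases that pass a custom domain and an `authress.io` host as the fallback argument and assert the `iss` claim of the resulting token, plus one where the constructor already received a custom domain so the precedence between the two values is pinned down.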