feat(auth): support legacy authentication

Author: FlandiaYingman

src/plugins/auth.ts

@@ -6,6 +6,7 @@ import fp from "fastify-plugin";
 import jwt, { JwtHeader, SigningKeyCallback } from "jsonwebtoken";
 import { JwksClient } from "jwks-rsa";
 import * as client from "openid-client";
+import { skipSubjectCheck, WWWAuthenticateChallengeError } from "openid-client";
 
 export interface AuthPluginOptions {
   /** The discovery URL of the OpenID Connect provider. */
@@ -52,6 +53,15 @@ export const AuthResponseSchema: ResponseSchema = {
   ),
 };
 
+class UnauthorizedError extends Error {
+  cause: Error;
+  constructor(cause: Error) {
+    super();
+    this.cause = cause;
+    this.name = "UnauthorizedError";
+  }
+}
+
 /**
  * The Auth plugin adds authentication ability to the Fastify instance.
  *
@@ -66,21 +76,28 @@ export default fp<AuthPluginOptions>(async (fastify, opts) => {
     fastify.log.warn("Skip Auth: ON");
   }
 
-  const key = await (async () => {
+  const config = await (async () => {
     if (skip) {
       return null;
     } else {
-      const config = await client.discovery(
+      return await client.discovery(
         new URL(opts.authDiscoveryURL),
         opts.authClientID,
       );
+    }
+  })();
+
+  const key = await (async () => {
+    if (skip) {
+      return null;
+    } else {
       fastify.log.info(
-        { opts, metadata: config?.serverMetadata() },
+        { opts, metadata: config!.serverMetadata() },
         "Successfully discovered the OpenID Connect provider.",
       );
 
       const jwksClient = new JwksClient({
-        jwksUri: config.serverMetadata().jwks_uri ?? "",
+        jwksUri: config!.serverMetadata().jwks_uri ?? "",
       });
       return async (header: JwtHeader, callback: SigningKeyCallback) => {
         jwksClient.getSigningKey(header.kid, (err, key) => {
@@ -91,9 +108,47 @@ export default fp<AuthPluginOptions>(async (fastify, opts) => {
     }
   })();
 
+  async function verify(token: string) {
+    try {
+      const info = await new Promise<jwt.JwtPayload>((resolve, reject) => {
+        jwt.verify(token, key!, (err, info) => {
+          if (err) {
+            return reject(err);
+          }
+          resolve(info as jwt.JwtPayload);
+        });
+      });
+      return info.email && getUsernameFromEmail(info.email);
+    } catch (e) {
+      if (
+        e instanceof jwt.JsonWebTokenError ||
+        e instanceof jwt.TokenExpiredError ||
+        e instanceof jwt.NotBeforeError
+      ) {
+        throw new UnauthorizedError(e);
+      }
+      throw e;
+    }
+  }
+
+  async function verifyLegacy(token: string) {
+    try {
+      const info = await client.fetchUserInfo(config!, token, skipSubjectCheck);
+      return info.email && getUsernameFromEmail(info.email);
+    } catch (e) {
+      if (
+        e instanceof WWWAuthenticateChallengeError &&
+        e.response?.status === 401
+      ) {
+        throw new UnauthorizedError(new Error(await e.response.text()));
+      }
+      throw e;
+    }
+  }
+
   fastify.decorateRequest("user", undefined);
   fastify.decorate(
-    "auth",
+    "authPlugin",
     async function (request: FastifyRequest, reply: FastifyReply) {
       if (skip) return;
       if (!key) return;
@@ -115,23 +170,24 @@ export default fp<AuthPluginOptions>(async (fastify, opts) => {
       }
 
       try {
-        const info = await new Promise<jwt.JwtPayload>((resolve, reject) => {
-          jwt.verify(token, key, (err, info) => {
-            if (err) {
-              return reject(err);
-            }
-            resolve(info as jwt.JwtPayload);
-          });
+        // Verify the token and set the user in the request.
+        // If the token cannot be verified by the modern method,
+        // fall back to the legacy method.
+        request.user = await verify(token).catch(async (e) => {
+          if (e instanceof UnauthorizedError) {
+            fastify.log.debug(
+              "Modern verification failed, falling back to legacy method.",
+            );
+            return await verifyLegacy(token).catch(() => {
+              throw e;
+            });
+          }
+          throw e;
         });
-        request.user = info.email && getUsernameFromEmail(info.email);
       } catch (e) {
-        console.log(e);
-        if (
-          e instanceof jwt.JsonWebTokenError ||
-          e instanceof jwt.TokenExpiredError ||
-          e instanceof jwt.NotBeforeError
-        ) {
-          return reply.status(401).send(`${e.name}: ${e.message}`);
+        if (e instanceof UnauthorizedError) {
+          const cause = e.cause;
+          return reply.status(401).send(`${cause.name}: ${cause.message}`);
         }
         throw e;
       }
@@ -140,12 +196,13 @@ export default fp<AuthPluginOptions>(async (fastify, opts) => {
 });
 
 function getUsernameFromEmail(email: string): string {
-  return email.split("@")[0];
+  const [username] = email.split("@");
+  return username;
 }
 
 declare module "fastify" {
   export interface FastifyInstance {
-    auth(request: FastifyRequest, reply: FastifyReply): Promise<void>;
+    authPlugin(request: FastifyRequest, reply: FastifyReply): Promise<void>;
   }
 
   export interface FastifyRequest {

src/routes/auth-example/index.ts

@@ -8,7 +8,7 @@ const authExample: FastifyPluginAsync = async (
   fastify: FastifyTypebox,
   opts,
 ): Promise<void> => {
-  // Applying auth to this route
+  // Applying authPlugin to this route
   fastify.get(
     "/",
     {
@@ -23,17 +23,17 @@ const authExample: FastifyPluginAsync = async (
           AuthResponseSchema,
         ]),
       },
-      preHandler: fastify.auth,
+      preHandler: fastify.authPlugin,
     },
     async function (request, reply) {
       return `${request.user} is authenticated`;
     },
   );
 
-  // Applying auth to the prefix /sub-auth
+  // Applying authPlugin to the prefix /sub-auth
   fastify.register(
     async function (fastify) {
-      fastify.addHook("preHandler", fastify.auth);
+      fastify.addHook("preHandler", fastify.authPlugin);
       fastify.get(
         "/",
         {

test/plugins/auth.test.ts

@@ -16,7 +16,7 @@ await suite("auth plugin", async () => {
     });
     fastify.get(
       "/secret",
-      { preHandler: fastify.auth },
+      { preHandler: fastify.authPlugin },
       async (request) => request.user,
     );
     await fastify.ready();
@@ -98,7 +98,11 @@ await suite("auth plugin with skipping", async () => {
       authClientID: "",
       authSkip: true,
     });
-    fastify.get("/secret", { preHandler: fastify.auth }, async () => "ok");
+    fastify.get(
+      "/secret",
+      { preHandler: fastify.authPlugin },
+      async () => "ok",
+    );
     await fastify.ready();
   });
   afterEach(async () => {