Merge pull request #14 from topcoder-platform/PM-921_qa-fixes

PM-921 - verify jwt token

Author: vas3a

.env.sample

@@ -1,4 +1,13 @@
 TOPCODER_API_BASE_URL="https://api.topcoder-dev.com/v5"
+AUTH0_CERT="-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEArAV0dmDkedFdlaQ6KQiqUv+UGshfMXx/4jJCLZ9802ynJqAvIt+Z
+V7EiPqjc2J1xVfJJEvQ9ZS5A2TFWAk16NUTU4LN+TkjEnqeg+LlUPWY3Y4RXa2OU
+mmSIG2GsbR0Kx7b3Y3bYdKBNT0vDe396v/TXi0OQMnz8HZ88/hPvg3V7V34kpxon
+XcG/nSm6AtNE7VWey+23oDon1wRon8+qr/JsLLlfnVzYdSujiKvz3vyB/0REDREm
+BHMKuGsgiBjJ7xHNxaJvBzrwdArogHSxEPmT6gNr5rZeXmJUWzrpQIstMXA9gEXX
+LfKzG61idXFIwBa6t5YBCCMx+hoCxhcEiwIDAQAB
+-----END RSA PUBLIC KEY-----"
+AUTH0_CLIENT_ID=BXWXUWnilVUPdN01t2Se29Tw2ZYNGZvH
 
 DB_USERNAME=topcoderuser
 DB_PASSWORD=randompassword

src/core/auth/middleware/tokenValidator.middleware.ts

@@ -1,4 +1,8 @@
-import { Injectable, NestMiddleware } from '@nestjs/common';
+import {
+  Injectable,
+  NestMiddleware,
+  UnauthorizedException,
+} from '@nestjs/common';
 import * as jwt from 'jsonwebtoken';
 
 @Injectable()
@@ -10,11 +14,15 @@ export class TokenValidatorMiddleware implements NestMiddleware {
       return next();
     }
 
-    // TODO: use jwt.verify to verify against auth0 secret
-    const decoded: any = jwt.decode(idToken, {
-      ignoreExpiration: true,
-      ignoreNotBefore: true,
-    });
+    let decoded: any;
+    try {
+      decoded = jwt.verify(idToken, process.env.AUTH0_CERT, {
+        audience: process.env.AUTH0_CLIENT_ID,
+      });
+    } catch (error) {
+      console.error('Error verifying JWT', error);
+      throw new UnauthorizedException('Invalid or expired JWT!');
+    }
 
     // TODO: verify decoded.aud
     if (!decoded) {