feat(auth): Authorise 'external' requests through JWT (#17224)

server/middlewares/jwt-authorization.js

@@ -0,0 +1,50 @@
+import jwt from 'jsonwebtoken';
+import { isBefore } from 'date-fns';
+import { wrapHandledError } from '../utils/create-handled-error';
+
+export default () => function authorizeByJWT(req, res, next) {
+  const path = req.path.split('/')[1];
+  if (/external/.test(path)) {
+    const cookie = req.signedCookies && req.signedCookies['jwt_access_token'];
+    if (!cookie) {
+      throw wrapHandledError(
+        new Error('Access token is required for this request'),
+        {
+          type: 'info',
+          redirect: '/signin',
+          message: 'Access token is required for this request',
+          status: 403
+        }
+      );
+    }
+    let token;
+    try {
+      token = jwt.verify(cookie, process.env.JWT_SECRET);
+    } catch (err) {
+      throw wrapHandledError(
+        new Error(err.message),
+        {
+          type: 'info',
+          redirct: '/signin',
+          message: 'Your access token is invalid',
+          status: 403
+        }
+      );
+    }
+    const { accessToken: {created, ttl }} = token;
+    const valid = isBefore(Date.now(), Date.parse(created) + ttl);
+    if (!valid) {
+      throw wrapHandledError(
+        new Error('Access token is no longer vaild'),
+        {
+          type: 'info',
+          redirect: '/signin',
+          message: 'Access token is no longer vaild',
+          status: 403
+        }
+      );
+    }
+    return next();
+  }
+  return next();
+};