Move to @cloudflare/privacypass-ts for token verification #24

@thibmeu

Authorization headers are even more complex than what's currently being handled by the codebase.
We should consider moving to cloudflare/privacypass-ts for token validation. The library allows parsing an RFC 9110 header and extracting only the PrivateToken ones.

For the verification case, we could use

```ts
import { AuthorizationHeader, publicVerif, TOKEN_TYPES } from '@cloudflare/privacypass-ts'
const { BlindRSAMode, Origin } = publicVerif;

// some code
// we assume we have
// * `request: Request` - client request with a PrivateToken in Authorization header
// * `issuerPublicKey: CryptoKey` - public key of the issuer

// Read the header from the incoming client request
const authorizationHeader = request.headers.get('Authorization')
if (!authorizationHeader) {
  throw new Error('no authorization')
}

// Keep only the PrivateToken credentials of the Blind RSA token type
const authorizations = AuthorizationHeader.deserialize(TOKEN_TYPES.BLIND_RSA, authorizationHeader)

const origin = new Origin(BlindRSAMode.PSS, [env.ORIGIN_NAME])

// Accept the request as soon as one token verifies against the issuer key
for (const authorization of authorizations) {
  if (await origin.verify(authorization.token, issuerPublicKey)) {
    return new Response('you\'re in')
  }
}
return new Response('Not allowed', {status: 401})
```

I have not tested that code yet; it's based on code for AuthorizationHeader and the Origin section of the example https://github.com/cloudflare/privacypass-ts/blob/main/examples/pub_verif.example.ts#L53.
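To illustrate why the issue calls the header "more complex", here is an added example (not part of the issue and not code from privacypass-ts) of what a structural pre-check of a PrivateToken credential has to handle: case-insensitive scheme and parameter names, quoted or unquoted values, extra parameters, and the fixed RFC 9577 token layout for type 0x0002. The helper names `parseAuthParams` and `extractPrivateToken` are hypothetical, the sample headers are constructed, and no signature is verified here.

```javascript
// Added example: structural pre-check only; the signature still has to be verified.
const BLIND_RSA = 0x0002 // token_type of Blind RSA (2048-bit) tokens, RFC 9577
const TOKEN_LEN = 2 + 32 + 32 + 32 + 256 // type, nonce, challenge_digest, token_key_id, authenticator

// Hypothetical helper: parse comma-separated auth-params (token or quoted-string values).
function parseAuthParams(s) {
  const re = /\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)/y
  const params = new Map()
  let pos = 0
  while (pos < s.length) {
    re.lastIndex = pos
    const m = re.exec(s)
    if (!m) return null // malformed parameter list
    const name = m[1].toLowerCase() // parameter names are case-insensitive
    if (params.has(name)) return null // refuse ambiguous duplicates
    params.set(name, m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3])
    pos = re.lastIndex
  }
  return params
}

// Hypothetical helper: returns the token fields, or null when the header is not a
// well-formed Blind RSA PrivateToken credential.
function extractPrivateToken(header) {
  const m = /^\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+) +(.*?)\s*$/.exec(header)
  if (!m || m[1].toLowerCase() !== 'privatetoken') return null // scheme is case-insensitive
  const params = parseAuthParams(m[2])
  const b64 = params && params.get('token')
  if (!b64 || !/^[A-Za-z0-9_-]+={0,2}$/.test(b64)) return null // base64url, optional padding
  const raw = Buffer.from(b64.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
  if (raw.length !== TOKEN_LEN || raw.readUInt16BE(0) !== BLIND_RSA) return null
  return {
    tokenType: raw.readUInt16BE(0),
    nonce: raw.subarray(2, 34),
    challengeDigest: raw.subarray(34, 66),
    tokenKeyId: raw.subarray(66, 98),
    authenticator: raw.subarray(98),
  }
}

// Constructed sample token (filler bytes, not a real signature).
const sampleRaw = Buffer.alloc(TOKEN_LEN, 0xab)
sampleRaw.writeUInt16BE(BLIND_RSA, 0)
const sampleB64 = sampleRaw.toString('base64').replace(/\+/g, '-').replace(/\//g, '_')
const samples = {
  quoted: `PrivateToken token="${sampleB64}"`,
  mixedCase: `privatetoken  extra=1, TOKEN=${sampleB64}`,
  basic: 'Basic dXNlcjpwYXNz',
  truncated: `PrivateToken token="${sampleB64.slice(0, 40)}"`,
}
for (const [name, h] of Object.entries(samples)) console.log(name, extractPrivateToken(h) !== null)
```

A token that passes this check is only well-formed; acceptance still depends on the cryptographic verification against the issuer public key.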
