function validateRefreshRequest()

in src/lambda-edge/refresh-auth/index.ts [138:183]


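/**
 * Validates the nonce and token material of a refresh request before any
 * token refresh is attempted.
 *
 * Checks, in order: the nonce cookie is present and equals the nonce sent with
 * the request (CSRF protection), all three tokens are present, the nonce's
 * numeric timestamp prefix (seconds, before the "T") is well-formed and not
 * older than `CONFIG.nonceMaxAge`, and the nonce carries the HMAC produced
 * with `CONFIG.nonceSigningSecret`.
 *
 * @param currentNonce - Nonce sent with the request; compared against the cookie.
 * @param nonceHmac - Signature over the nonce as received from the caller.
 * @param originalNonce - Nonce from the cookie set when the flow started.
 * @param idToken - ID token; must be non-empty.
 * @param accessToken - Access token; must be non-empty.
 * @param refreshToken - Refresh token; must be non-empty.
 * @throws Error when the nonce cookie is missing, the nonces differ, or a token is missing.
 * @throws RequiresConfirmationError when the nonce timestamp is malformed, the nonce is
 *   too old, or its signature does not match.
 */
function validateRefreshRequest(
  currentNonce?: string | string[],
  nonceHmac?: string,
  originalNonce?: string,
  idToken?: string,
  accessToken?: string,
  refreshToken?: string
) {
  if (!originalNonce) {
    throw new Error(
      "Your browser didn't send the nonce cookie along, but it is required for security (prevent CSRF)."
    );
  } else if (currentNonce !== originalNonce) {
    throw new Error("Nonce mismatch");
  }
  // From here on currentNonce is narrowed to string: it equals originalNonce.
  for (const [tokenType, token] of Object.entries({
    idToken,
    accessToken,
    refreshToken,
  })) {
    if (!token) {
      throw new Error(`Missing ${tokenType}`);
    }
  }

  // Nonce should not be too old. A nonce without a "T", or with a non-numeric
  // prefix, previously produced NaN here; `NaN > nonceMaxAge` is false, so the
  // age check was silently skipped (and the Date in the message would throw a
  // RangeError). Reject such nonces explicitly instead.
  const separator = currentNonce.indexOf("T");
  const nonceTimestamp =
    separator === -1 ? NaN : parseInt(currentNonce.slice(0, separator), 10);
  if (!Number.isFinite(nonceTimestamp)) {
    throw new RequiresConfirmationError(
      "Nonce timestamp is missing or malformed"
    );
  }
  if (timestampInSeconds() - nonceTimestamp > CONFIG.nonceMaxAge) {
    throw new RequiresConfirmationError(
      `Nonce is too old (nonce is from ${new Date(
        nonceTimestamp * 1000
      ).toISOString()})`
    );
  }

  // Nonce should have the right signature: proving we were the ones generating it (and e.g. not malicious JS on a subdomain)
  const calculatedHmac = sign(
    currentNonce,
    CONFIG.nonceSigningSecret,
    CONFIG.nonceLength
  );
  // NOTE(review): `!==` is not a constant-time comparison; if node:crypto is in
  // scope in this module, crypto.timingSafeEqual on equal-length buffers would be
  // preferable here.
  if (calculatedHmac !== nonceHmac) {
    // Do not echo the expected HMAC back: if this message reaches the caller it
    // reveals the valid signature for a caller-chosen nonce, which would let
    // anyone mint signed nonces and defeat the check this branch enforces.
    throw new RequiresConfirmationError("Nonce signature mismatch!");
  }
}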