From ff24b00fa04f61a3b8697f0098e95481c3bef8ff Mon Sep 17 00:00:00 2001
From: Ujjwal Ojha
Date: Sat, 1 Apr 2017 12:56:10 +0545
Subject: [PATCH] token encrypter

---
 README.md | 25 +++++++++++++++++++++++++
 index.js | 11 +++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index d98e807..852adc3 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,7 @@ paale(
 useCookie = false,
 cookieOptions = {},
 app = express(),
+ tokenEncrypter = (token, service, req) => Promise.resolve(token),
 } = {}
 )
 ```
@@ -123,6 +124,30 @@ In the above figure, after the application has received the token, it can make q
 
 Token storage are a way to store the tokens. They map a token to a user. You can store the tokens in a database by creating a custom token storage. By default this package ships with only JWT based token storage. If you use it, the applications can validate the token themselves without querying the `paale-dai` all the time if they have the public key.
 
+## Encrypting token
+The token is transferred to another domain through redirects in query string.
+If you want to encrypt the token so that it cannot be used by untrusted source by any chance, you can use the option `tokenEncrypter` to provide a callback function which returns a promise of encrypted token.
+
+Here's a very simple example using AES algorithm:
+
+```js
+paale(
+ handler,
+ tokenStorage,
+ {
+ tokenEncrypter: (token, service, req) => {
+ const crypto = require('crypto');
+ const cipher = crypto.createCipher('aes192', 'a password');
+
+ let encrypted = cipher.update('some clear text data', 'utf8', 'hex');
+ encrypted += cipher.final('hex');
+
+ return Promise.resolve(encrypted);
+ },
+ }
+)
+```
+
 ## License
 [MIT](LICENSE)
 
diff --git a/index.js b/index.js
index e7ee9fd..186d5a5 100644
--- a/index.js
+++ b/index.js
@@ -13,6 +13,7 @@ module.exports = (
 useCookie = false,
 cookieOptions = {},
 app = express(),
+ tokenEncrypter = token => Promise.resolve(token),
 } = {}
 ) => {
 app.get(landingPath, [
@@ -21,14 +22,15 @@ module.exports = (
 if (!service) {
 return res.status(400).send('Service not present');
 }
- if (!serviceValidator(service)) {
+ if (!serviceValidator(service, req)) {
 return res.status(403).send('Invalid service');
 }
 
 if (useCookie) {
 const token = req.cookies.get('paale_token', cookieOptions);
 if (token) {
- return res.redirect(appendQuery(service, `token=${token}`));
+ return tokenEncrypter(token, service, req)
+ .then(encryptedToken => res.redirect(appendQuery(service, `token=${encryptedToken}`)));
 }
 }
 
@@ -40,7 +42,7 @@ module.exports = (
 app.route(callbackPath)[callbackRouteMethod]([
 (req, res, next) => {
 const service = handler.parseService(req);
- if (!service || !serviceValidator(service)) {
+ if (!service || !serviceValidator(service, req)) {
 return res.status(403).send('Invalid service');
 }
 
@@ -53,7 +55,8 @@ module.exports = (
 if (useCookie) {
 res.cookies.set('paale_token', req.paale_token, cookieOptions);
 }
- res.redirect(appendQuery(req.paale_service, `token=${req.paale_token}`));
+ tokenEncrypter(req.paale_token, req.paale_service, req)
+ .then(encryptedToken => res.redirect(appendQuery(req.paale_service, `token=${encryptedToken}`)));
 },
 ]);
 
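Review bot: The new `tokenEncrypter` default on the added parameter line carries no comment stating its contract, and nothing in the hunk says that the hook must return a Promise or that the default leaves the token in the redirect query string unchanged. A one-line comment above it would make both explicit: `// Optional hook (token, service, req) => Promise<string> applied before the token is placed in the redirect query; the default returns it unchanged.` The README example in the same patch passes the literal `'some clear text data'` to `cipher.update` instead of `token` and uses the deprecated, IV-less `crypto.createCipher` with a fixed password, so the documented usage does not actually protect the token and is worth correcting alongside this default. The enclosing `module.exports` arrow function starts and ends outside the hunk.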
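Review bot: The redirect chain added in the `if (token)` branch has no rejection handler, so if `tokenEncrypter` rejects (or throws synchronously) the response is never sent and the failure surfaces only as an unhandled rejection; the callback-route hunk (`@@ -53,7 +55,8`) has the same gap. Appending `.catch(next)` after the `.then(...)` line in both places routes the failure into Express error handling, assuming this handler receives `next` like the `(req, res, next)` callback handler visible in the third hunk. The encrypted value is also interpolated raw into `token=${encryptedToken}`; unless `appendQuery` (outside this hunk) encodes it, an encrypter returning base64 or other non-URL-safe output would yield a malformed or truncated query value, so `encodeURIComponent(encryptedToken)` is safer there. The enclosing landing handler and `module.exports` start and end outside the hunk.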