From 70551ed4829aa2e798f064405de57d0a515ee115 Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Mon, 15 Jun 2020 19:47:03 +0300
Subject: [PATCH] consent dialog fix

---
 server/api/oauth2/controller/authorization.js | 27 +++++++++++++---
 server/api/oauth2/controller/code/code.js | 31 -------------------
 server/api/oauth2/controller/code/implicit.js | 31 -------------------
 server/api/oauth2/controller/code/index.js | 4 ---
 .../controller/tokens/authorizationCode.js | 9 ++++--
 .../controller/tokens/clientCredentials.js | 3 +-
 .../api/oauth2/controller/tokens/password.js | 9 ++++--
 .../oauth2/controller/tokens/refreshToken.js | 7 +++--
 8 files changed, 40 insertions(+), 81 deletions(-)
 delete mode 100644 server/api/oauth2/controller/code/code.js
 delete mode 100644 server/api/oauth2/controller/code/implicit.js
 delete mode 100644 server/api/oauth2/controller/code/index.js

diff --git a/server/api/oauth2/controller/authorization.js b/server/api/oauth2/controller/authorization.js
index bf8e50c..c740656 100644
--- a/server/api/oauth2/controller/authorization.js
+++ b/server/api/oauth2/controller/authorization.js
@@ -1,7 +1,6 @@
 import error from '../error'
 import response from '../response'
 import model from '../model'
-import authorization from './code'
 import wrap from '../wrap'
 
 module.exports = wrap(async (req, res, next) => {
@@ -116,22 +115,40 @@ module.exports = wrap(async (req, res, next) => { } else { consented = await model.user.consented(user.id, client.id, scope) } + + // Ask for consent + if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri) } - // Ask for consent - if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri) + // Consent pushed, ensure valid session + if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) { + throw new error.InvalidRequest('Invalid session') + } + + // Save consent + if (!consented) { + if (!req.body || (typeof req.body.decision) === 'undefined') { + throw new error.InvalidRequest('No decision parameter passed') + } else if (req.body.decision === '0') { + throw new error.AccessDenied('User denied access to the resource') + } + console.debug('Decision check passed') + + await model.user.consent(user.id, client.id, scope) + } for (const i in grantTypes) { let data = null switch (grantTypes[i]) { case 'authorization_code': - data = await authorization.Code(req, res, client, scope, user, redirectUri, !consented) + data = await model.code.create(model.user.getId(user), model.client.getId(client), scope, model.code.ttl) resObj = Object.assign({ code: data }, resObj) break case 'implicit': - data = await authorization.Implicit(req, res, client, scope, user, redirectUri, !consented) + data = await model.accessToken.create(model.user.getId(user), + model.client.getId(client), scope, model.accessToken.ttl) resObj = Object.assign({ token_type: 'bearer', diff --git a/server/api/oauth2/controller/code/code.js b/server/api/oauth2/controller/code/code.js deleted file mode 100644 index ea55347..0000000 --- a/server/api/oauth2/controller/code/code.js +++ /dev/null 
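Review bot: The inlined `model.code.create` and `model.accessToken.create` calls in the `authorization_code` and `implicit` cases dropped the try/catch that the deleted code.js and implicit.js had around them, so a storage failure now escapes as a raw error instead of `error.ServerError('Failed to call code.create function')`, unlike the tokens/* controllers in this same commit which keep that wrapping. Restoring the wrapper keeps error responses uniform and avoids exposing driver error details to the client; the rewritten cases are below. Separately, the CSRF guard moved into this hunk only runs when `req.session.csrf` is truthy, so a POST on a session that has no token yet skips the check entirely — unless the session is guaranteed a token before the decision form is rendered (not visible here), failing closed is safer, e.g. `if (req.method === 'POST' && !(req.session.csrf && req.body && req.body.csrf === req.session.csrf)) {`. The enclosing `wrap(async (req, res, next) => { … })` handler starts and ends outside this hunk.
```javascript
      case 'authorization_code':
        try {
          data = await model.code.create(model.user.getId(user), model.client.getId(client), scope, model.code.ttl)
        } catch (err) {
          console.error(err)
          throw new error.ServerError('Failed to call code.create function')
        }
        // … unchanged: resObj assignment and break …
      case 'implicit':
        try {
          data = await model.accessToken.create(model.user.getId(user),
            model.client.getId(client), scope, model.accessToken.ttl)
        } catch (err) {
          console.error(err)
          throw new error.ServerError('Failed to call accessToken.create function')
        }
        // … unchanged: resObj assembly for the implicit grant …
```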
@@ -1,31 +0,0 @@ -import error from '../../error' -import model from '../../model' - -module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => { - let codeValue = null - - if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) { - throw new error.InvalidRequest('Invalid session') - } - - if (consentRequested) { - if (!req.body || (typeof req.body.decision) === 'undefined') { - throw new error.InvalidRequest('No decision parameter passed') - } else if (req.body.decision === '0') { - throw new error.AccessDenied('User denied access to the resource') - } - console.debug('Decision check passed') - - await model.user.consent(user.id, client.id, scope) - } - - try { - codeValue = await req.oauth2.model.code.create(req.oauth2.model.user.getId(user), - req.oauth2.model.client.getId(client), scope, req.oauth2.model.code.ttl) - } catch (err) { - console.error(err) - throw new error.ServerError('Failed to call code.create function') - } - - return codeValue -} diff --git a/server/api/oauth2/controller/code/implicit.js b/server/api/oauth2/controller/code/implicit.js deleted file mode 100644 index 99076a2..0000000 --- a/server/api/oauth2/controller/code/implicit.js +++ /dev/null 
@@ -1,31 +0,0 @@ -import error from '../../error' -import model from '../../model' - -module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => { - let accessTokenValue = null - - if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) { - throw new error.InvalidRequest('Invalid session') - } - - if (consentRequested) { - if (!req.body || (typeof req.body.decision) === 'undefined') { - throw new error.InvalidRequest('No decision parameter passed') - } else if (req.body.decision === '0') { - throw new error.AccessDenied('User denied access to the resource') - } - console.debug('Decision check passed') - - await model.user.consent(user.id, client.id, scope) - } - - try { - accessTokenValue = await req.oauth2.model.accessToken.create(req.oauth2.model.user.getId(user), - req.oauth2.model.client.getId(client), scope, req.oauth2.model.accessToken.ttl) - } catch (err) { - console.error(err) - throw new error.ServerError('Failed to call accessToken.create function') - } - - return accessTokenValue -} diff --git a/server/api/oauth2/controller/code/index.js b/server/api/oauth2/controller/code/index.js deleted file mode 100644 index df2b072..0000000 --- a/server/api/oauth2/controller/code/index.js +++ /dev/null @@ -1,4 +0,0 @@ -module.exports = { - Code: require('./code'), - Implicit: require('./implicit') -} diff --git a/server/api/oauth2/controller/tokens/authorizationCode.js b/server/api/oauth2/controller/tokens/authorizationCode.js index b711bab..4e79578 100644 --- a/server/api/oauth2/controller/tokens/authorizationCode.js +++ b/server/api/oauth2/controller/tokens/authorizationCode.js 
@@ -33,7 +33,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => { console.debug('Code fetched ', code) try { - await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code)) + await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code), + oauth2.model.code.getClientId(code)) } catch (err) { console.error(err) throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function') @@ -45,7 +46,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => { console.debug('Client does not allow grant type refresh_token, skip creation') } else { try { - respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code)) + respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code), + oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code)) } catch (err) { console.error(err) throw new error.ServerError('Failed to call refreshToken.create function') @@ -53,7 +55,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => { } try { - respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl) + respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code), + oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl) } catch (err) { console.error(err) throw new error.ServerError('Failed to call accessToken.create function') diff --git a/server/api/oauth2/controller/tokens/clientCredentials.js b/server/api/oauth2/controller/tokens/clientCredentials.js index 17cf35a..0fa6088 100644 --- a/server/api/oauth2/controller/tokens/clientCredentials.js 
+++ b/server/api/oauth2/controller/tokens/clientCredentials.js @@ -17,7 +17,8 @@ module.exports = async (oauth2, client, wantScope) => { console.debug('Scope check passed ', scope) try { - resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl) + resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client), + scope, oauth2.model.accessToken.ttl) } catch (err) { throw new error.ServerError('Failed to call accessToken.create function') } diff --git a/server/api/oauth2/controller/tokens/password.js b/server/api/oauth2/controller/tokens/password.js index b24f45b..ba41d37 100644 --- a/server/api/oauth2/controller/tokens/password.js +++ b/server/api/oauth2/controller/tokens/password.js @@ -38,7 +38,8 @@ module.exports = async (oauth2, client, username, password, scope) => { } try { - await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client)) + await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user), + oauth2.model.client.getId(client)) } catch (err) { throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function') } 
@@ -49,14 +50,16 @@ module.exports = async (oauth2, client, username, password, scope) => { console.debug('Client does not allow grant type refresh_token, skip creation') } else { try { - resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope) + resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user), + oauth2.model.client.getId(client), scope) } catch (err) { throw new error.ServerError('Failed to call refreshToken.create function') } } try { - resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl) + resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user), + oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl) } catch (err) { throw new error.ServerError('Failed to call accessToken.create function') } diff --git a/server/api/oauth2/controller/tokens/refreshToken.js b/server/api/oauth2/controller/tokens/refreshToken.js index 61fd069..75added 100644 --- a/server/api/oauth2/controller/tokens/refreshToken.js +++ b/server/api/oauth2/controller/tokens/refreshToken.js @@ -25,8 +25,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => { } if (oauth2.model.refreshToken.getClientId(refreshToken) !== oauth2.model.client.getId(client)) { - console.warn('Client "' + oauth2.model.client.getId(client) + '" tried to fetch a refresh token which belongs to client"' + - oauth2.model.refreshToken.getClientId(refreshToken) + '"') + console.warn('Client %s tried to fetch a refresh token which belongs to client %s!', oauth2.model.client.getId(client), + oauth2.model.refreshToken.getClientId(refreshToken)) throw new error.InvalidGrant('Refresh token not found') } 
@@ -41,7 +41,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => { } try { - accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client)) + accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user), + oauth2.model.client.getId(client)) } catch (err) { throw new error.ServerError('Failed to call accessToken.fetchByUserIdClientId function') }