IcyNetwork/IcyNet.eu
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

consent dialog fix

Browse Source
This commit is contained in:
Evert Prants 2020-06-15 19:47:03 +03:00
parent b15a4e4773
commit 70551ed482
Signed by: evert
GPG Key ID: 1688DA83D222D0B5
8 changed files with 40 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
server/api/oauth2/controller/authorization.js
View File

@ -1,7 +1,6 @@
import error from '../error' import error from '../error'
import response from '../response' import response from '../response'
import model from '../model' import model from '../model'
import authorization from './code'
import wrap from '../wrap' import wrap from '../wrap'
module.exports = wrap(async (req, res, next) => { module.exports = wrap(async (req, res, next) => {
@ -116,22 +115,40 @@ module.exports = wrap(async (req, res, next) => {
} else { } else {
consented = await model.user.consented(user.id, client.id, scope) consented = await model.user.consented(user.id, client.id, scope)
} }
// Ask for consent
if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri)
} }
// Ask for consent // Consent pushed, ensure valid session
if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri) if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
throw new error.InvalidRequest('Invalid session')
}
// Save consent
if (!consented) {
if (!req.body || (typeof req.body.decision) === 'undefined') {
throw new error.InvalidRequest('No decision parameter passed')
} else if (req.body.decision === '0') {
throw new error.AccessDenied('User denied access to the resource')
}
console.debug('Decision check passed')
await model.user.consent(user.id, client.id, scope)
}
for (const i in grantTypes) { for (const i in grantTypes) {
let data = null let data = null
switch (grantTypes[i]) { switch (grantTypes[i]) {
case 'authorization_code': case 'authorization_code':
data = await authorization.Code(req, res, client, scope, user, redirectUri, !consented) data = await model.code.create(model.user.getId(user), model.client.getId(client), scope, model.code.ttl)
resObj = Object.assign({ code: data }, resObj) resObj = Object.assign({ code: data }, resObj)
break break
case 'implicit': case 'implicit':
data = await authorization.Implicit(req, res, client, scope, user, redirectUri, !consented) data = await model.accessToken.create(model.user.getId(user),
model.client.getId(client), scope, model.accessToken.ttl)
resObj = Object.assign({ resObj = Object.assign({
token_type: 'bearer', token_type: 'bearer',

31
server/api/oauth2/controller/code/code.js
View File

@ -1,31 +0,0 @@
import error from '../../error'
import model from '../../model'
module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => {
let codeValue = null
if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
throw new error.InvalidRequest('Invalid session')
}
if (consentRequested) {
if (!req.body || (typeof req.body.decision) === 'undefined') {
throw new error.InvalidRequest('No decision parameter passed')
} else if (req.body.decision === '0') {
throw new error.AccessDenied('User denied access to the resource')
}
console.debug('Decision check passed')
await model.user.consent(user.id, client.id, scope)
}
try {
codeValue = await req.oauth2.model.code.create(req.oauth2.model.user.getId(user),
req.oauth2.model.client.getId(client), scope, req.oauth2.model.code.ttl)
} catch (err) {
console.error(err)
throw new error.ServerError('Failed to call code.create function')
}
return codeValue
}

31
server/api/oauth2/controller/code/implicit.js
View File

@ -1,31 +0,0 @@
import error from '../../error'
import model from '../../model'
module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => {
let accessTokenValue = null
if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
throw new error.InvalidRequest('Invalid session')
}
if (consentRequested) {
if (!req.body || (typeof req.body.decision) === 'undefined') {
throw new error.InvalidRequest('No decision parameter passed')
} else if (req.body.decision === '0') {
throw new error.AccessDenied('User denied access to the resource')
}
console.debug('Decision check passed')
await model.user.consent(user.id, client.id, scope)
}
try {
accessTokenValue = await req.oauth2.model.accessToken.create(req.oauth2.model.user.getId(user),
req.oauth2.model.client.getId(client), scope, req.oauth2.model.accessToken.ttl)
} catch (err) {
console.error(err)
throw new error.ServerError('Failed to call accessToken.create function')
}
return accessTokenValue
}

4
server/api/oauth2/controller/code/index.js
View File

@ -1,4 +0,0 @@
module.exports = {
Code: require('./code'),
Implicit: require('./implicit')
}

9
server/api/oauth2/controller/tokens/authorizationCode.js
View File

@ -33,7 +33,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
console.debug('Code fetched ', code) console.debug('Code fetched ', code)
try { try {
await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code)) await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code),
oauth2.model.code.getClientId(code))
} catch (err) { } catch (err) {
console.error(err) console.error(err)
throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function') throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function')
@ -45,7 +46,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
console.debug('Client does not allow grant type refresh_token, skip creation') console.debug('Client does not allow grant type refresh_token, skip creation')
} else { } else {
try { try {
respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code)) respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code),
oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code))
} catch (err) { } catch (err) {
console.error(err) console.error(err)
throw new error.ServerError('Failed to call refreshToken.create function') throw new error.ServerError('Failed to call refreshToken.create function')
@ -53,7 +55,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
} }
try { try {
respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl) respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code),
oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl)
} catch (err) { } catch (err) {
console.error(err) console.error(err)
throw new error.ServerError('Failed to call accessToken.create function') throw new error.ServerError('Failed to call accessToken.create function')

3
server/api/oauth2/controller/tokens/clientCredentials.js
View File

@ -17,7 +17,8 @@ module.exports = async (oauth2, client, wantScope) => {
console.debug('Scope check passed ', scope) console.debug('Scope check passed ', scope)
try { try {
resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl) resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client),
scope, oauth2.model.accessToken.ttl)
} catch (err) { } catch (err) {
throw new error.ServerError('Failed to call accessToken.create function') throw new error.ServerError('Failed to call accessToken.create function')
} }

9
server/api/oauth2/controller/tokens/password.js
View File

@ -38,7 +38,8 @@ module.exports = async (oauth2, client, username, password, scope) => {
} }
try { try {
await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client)) await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user),
oauth2.model.client.getId(client))
} catch (err) { } catch (err) {
throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function') throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function')
} }
@ -49,14 +50,16 @@ module.exports = async (oauth2, client, username, password, scope) => {
console.debug('Client does not allow grant type refresh_token, skip creation') console.debug('Client does not allow grant type refresh_token, skip creation')
} else { } else {
try { try {
resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope) resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user),
oauth2.model.client.getId(client), scope)
} catch (err) { } catch (err) {
throw new error.ServerError('Failed to call refreshToken.create function') throw new error.ServerError('Failed to call refreshToken.create function')
} }
} }
try { try {
resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl) resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user),
oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl)
} catch (err) { } catch (err) {
throw new error.ServerError('Failed to call accessToken.create function') throw new error.ServerError('Failed to call accessToken.create function')
} }

7
server/api/oauth2/controller/tokens/refreshToken.js
View File

@ -25,8 +25,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => {
} }
if (oauth2.model.refreshToken.getClientId(refreshToken) !== oauth2.model.client.getId(client)) { if (oauth2.model.refreshToken.getClientId(refreshToken) !== oauth2.model.client.getId(client)) {
console.warn('Client "' + oauth2.model.client.getId(client) + '" tried to fetch a refresh token which belongs to client"' + console.warn('Client %s tried to fetch a refresh token which belongs to client %s!', oauth2.model.client.getId(client),
oauth2.model.refreshToken.getClientId(refreshToken) + '"') oauth2.model.refreshToken.getClientId(refreshToken))
throw new error.InvalidGrant('Refresh token not found') throw new error.InvalidGrant('Refresh token not found')
} }
@ -41,7 +41,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => {
} }
try { try {
accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client)) accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user),
oauth2.model.client.getId(client))
} catch (err) { } catch (err) {
throw new error.ServerError('Failed to call accessToken.fetchByUserIdClientId function') throw new error.ServerError('Failed to call accessToken.fetchByUserIdClientId function')
} }