153 lines
5.2 KiB
JavaScript
153 lines
5.2 KiB
JavaScript
import error from '../error'
|
|
import response from '../response'
|
|
import model from '../model'
|
|
import authorization from './code'
|
|
import wrap from '../../../../scripts/asyncRoute'
|
|
|
|
const usermodel = model.user
|
|
|
|
module.exports = wrap(async (req, res, next) => {
|
|
let clientId = null
|
|
let redirectUri = null
|
|
let responseType = null
|
|
let grantType = null
|
|
let scope = null
|
|
let user = null
|
|
|
|
if (!req.query.redirect_uri) {
|
|
return response.error(req, res, new error.InvalidRequest('redirect_uri field is mandatory for authorization endpoint'), redirectUri)
|
|
}
|
|
|
|
redirectUri = req.query.redirect_uri
|
|
console.debug('Parameter redirect uri is', redirectUri)
|
|
|
|
if (!req.query.client_id) {
|
|
return response.error(req, res, new error.InvalidRequest('client_id field is mandatory for authorization endpoint'), redirectUri)
|
|
}
|
|
|
|
// Check for client_secret (prevent passing it)
|
|
if (req.query.client_secret) {
|
|
return response.error(req, res, new error.InvalidRequest('client_secret field should not be passed to the authorization endpoint'), redirectUri)
|
|
}
|
|
|
|
clientId = req.query.client_id
|
|
console.debug('Parameter client_id is', clientId)
|
|
|
|
if (!req.query.response_type) {
|
|
return response.error(req, res, new error.InvalidRequest('response_type field is mandatory for authorization endpoint'), redirectUri)
|
|
}
|
|
|
|
responseType = req.query.response_type
|
|
console.debug('Parameter response_type is', responseType)
|
|
|
|
switch (responseType) {
|
|
case 'code':
|
|
grantType = 'authorization_code'
|
|
break
|
|
case 'token':
|
|
grantType = 'implicit'
|
|
break
|
|
default:
|
|
return response.error(req, res, new error.UnsupportedResponseType('Unknown response_type parameter passed'), redirectUri)
|
|
}
|
|
console.debug('Parameter response_type is', responseType)
|
|
|
|
const client = await req.oauth2.model.client.fetchById(clientId)
|
|
if (!client) {
|
|
return response.error(req, res, new error.InvalidClient('Client not found'), redirectUri)
|
|
}
|
|
|
|
if (!req.oauth2.model.client.getRedirectUri(client)) {
|
|
return response.error(req, res, new error.UnsupportedResponseType('The client has not set a redirect uri'), redirectUri)
|
|
} else if (!req.oauth2.model.client.checkRedirectUri(client, redirectUri)) {
|
|
return response.error(req, res, new error.InvalidRequest('Wrong RedirectUri provided'), redirectUri)
|
|
} else {
|
|
console.debug('redirect_uri check passed')
|
|
}
|
|
|
|
if (!req.oauth2.model.client.checkGrantType(client, grantType)) {
|
|
return response.error(req, res, new error.UnauthorizedClient('This client does not support this grant type'), redirectUri)
|
|
} else {
|
|
console.debug('Grant type check passed')
|
|
}
|
|
|
|
scope = req.oauth2.model.client.transformScope(req.query.scope)
|
|
scope = req.oauth2.model.client.checkScope(client, scope)
|
|
if (!scope) {
|
|
return response.error(req, res, new error.InvalidScope('Client does not allow access to this scope'), redirectUri)
|
|
} else {
|
|
console.debug('Scope check passed')
|
|
}
|
|
|
|
user = await req.oauth2.model.user.fetchFromRequest(req)
|
|
if (!user) {
|
|
return response.error(req, res, new error.InvalidRequest('There is no currently logged in user'), redirectUri)
|
|
} else {
|
|
if (!user.username) {
|
|
return response.error(req, res, new error.Forbidden(user), redirectUri)
|
|
}
|
|
console.debug('User fetched from request')
|
|
}
|
|
|
|
let data = null
|
|
|
|
if (req.method === 'GET') {
|
|
let hasAuthorizedAlready = await usermodel.clientAllowed(user.id, client.id, scope)
|
|
if (client.verified === 1) {
|
|
hasAuthorizedAlready = true
|
|
}
|
|
|
|
if (hasAuthorizedAlready) {
|
|
if (grantType === 'authorization_code') {
|
|
try {
|
|
data = await authorization.Code(req, res, client, scope, user, redirectUri, false)
|
|
} catch (err) {
|
|
return response.error(req, res, err, redirectUri)
|
|
}
|
|
|
|
return response.data(req, res, { code: data }, redirectUri)
|
|
} else if (grantType === 'implicit') {
|
|
try {
|
|
data = await authorization.Implicit(req, res, client, scope, user, redirectUri, false)
|
|
} catch (err) {
|
|
return response.error(req, res, err, redirectUri)
|
|
}
|
|
|
|
return response.data(req, res, {
|
|
token_type: 'bearer',
|
|
access_token: data,
|
|
expires_in: req.oauth2.model.accessToken.ttl
|
|
}, redirectUri)
|
|
}
|
|
} else {
|
|
return req.oauth2.decision(req, res, client, scope, user, redirectUri)
|
|
}
|
|
|
|
return response.error(req, res, new error.InvalidRequest('Invalid request method'), redirectUri)
|
|
}
|
|
|
|
if (grantType === 'authorization_code') {
|
|
try {
|
|
data = await authorization.Code(req, res, client, scope, user, redirectUri, true)
|
|
} catch (err) {
|
|
return response.error(req, res, err, redirectUri)
|
|
}
|
|
|
|
return response.data(req, res, { code: data }, redirectUri)
|
|
} else if (grantType === 'implicit') {
|
|
try {
|
|
data = await authorization.Implicit(req, res, client, scope, user, redirectUri, true)
|
|
} catch (err) {
|
|
return response.error(req, res, err, redirectUri)
|
|
}
|
|
|
|
return response.data(req, res, {
|
|
token_type: 'bearer',
|
|
access_token: data,
|
|
expires_in: req.oauth2.model.accessToken.ttl
|
|
}, redirectUri)
|
|
} else {
|
|
return response.error(req, res, new error.InvalidRequest('Invalid request method'), redirectUri)
|
|
}
|
|
})
|