add jwt model, logger wrapper, prettier formatting
This commit is contained in:
parent
0f726741f9
commit
f8640e40d1
5
.prettierrc
Normal file
5
.prettierrc
Normal file
@ -0,0 +1,5 @@
|
||||
{
|
||||
"semi": true,
|
||||
"singleQuote": true,
|
||||
"printWidth": 80
|
||||
}
|
23
package-lock.json
generated
23
package-lock.json
generated
@ -1,11 +1,11 @@
|
||||
{
|
||||
"name": "@icynet/oauth2",
|
||||
"name": "@icynet/oauth2-provider",
|
||||
"version": "1.0.0",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "@icynet/oauth2",
|
||||
"name": "@icynet/oauth2-provider",
|
||||
"version": "1.0.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@ -16,6 +16,7 @@
|
||||
"@types/express": "^4.17.13",
|
||||
"@types/express-session": "^1.17.4",
|
||||
"@types/node": "^17.0.21",
|
||||
"prettier": "^2.5.1",
|
||||
"typescript": "^4.5.5"
|
||||
}
|
||||
},
|
||||
@ -470,6 +471,18 @@
|
||||
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
|
||||
"integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w="
|
||||
},
|
||||
"node_modules/prettier": {
|
||||
"version": "2.5.1",
|
||||
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.5.1.tgz",
|
||||
"integrity": "sha512-vBZcPRUR5MZJwoyi3ZoyQlc1rXeEck8KgeC9AwwOn+exuxLxq5toTRDTSaVrXHxelDMHy9zlicw8u66yxoSUFg==",
|
||||
"dev": true,
|
||||
"bin": {
|
||||
"prettier": "bin-prettier.js"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=10.13.0"
|
||||
}
|
||||
},
|
||||
"node_modules/proxy-addr": {
|
||||
"version": "2.0.7",
|
||||
"resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
|
||||
@ -1038,6 +1051,12 @@
|
||||
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
|
||||
"integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w="
|
||||
},
|
||||
"prettier": {
|
||||
"version": "2.5.1",
|
||||
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.5.1.tgz",
|
||||
"integrity": "sha512-vBZcPRUR5MZJwoyi3ZoyQlc1rXeEck8KgeC9AwwOn+exuxLxq5toTRDTSaVrXHxelDMHy9zlicw8u66yxoSUFg==",
|
||||
"dev": true
|
||||
},
|
||||
"proxy-addr": {
|
||||
"version": "2.0.7",
|
||||
"resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
|
||||
|
@ -15,6 +15,7 @@
|
||||
"@types/express": "^4.17.13",
|
||||
"@types/express-session": "^1.17.4",
|
||||
"@types/node": "^17.0.21",
|
||||
"prettier": "^2.5.1",
|
||||
"typescript": "^4.5.5"
|
||||
},
|
||||
"dependencies": {
|
||||
|
@ -24,30 +24,38 @@ export const authorization = wrap(async (req, res) => {
|
||||
const { oauth2 } = req;
|
||||
|
||||
if (!req.query.redirect_uri) {
|
||||
throw new InvalidRequest('redirect_uri field is mandatory for authorization endpoint');
|
||||
throw new InvalidRequest(
|
||||
'redirect_uri field is mandatory for authorization endpoint'
|
||||
);
|
||||
}
|
||||
|
||||
redirectUri = req.query.redirect_uri as string;
|
||||
console.debug('Parameter redirect uri is', redirectUri);
|
||||
req.oauth2.logger.debug('Parameter redirect uri is', redirectUri);
|
||||
|
||||
if (!req.query.client_id) {
|
||||
throw new InvalidRequest('client_id field is mandatory for authorization endpoint');
|
||||
throw new InvalidRequest(
|
||||
'client_id field is mandatory for authorization endpoint'
|
||||
);
|
||||
}
|
||||
|
||||
// Check for client_secret (prevent passing it)
|
||||
if (req.query.client_secret) {
|
||||
throw new InvalidRequest('client_secret field should not be passed to the authorization endpoint');
|
||||
throw new InvalidRequest(
|
||||
'client_secret field should not be passed to the authorization endpoint'
|
||||
);
|
||||
}
|
||||
|
||||
clientId = req.query.client_id as string;
|
||||
console.debug('Parameter client_id is', clientId);
|
||||
req.oauth2.logger.debug('Parameter client_id is', clientId);
|
||||
|
||||
if (!req.query.response_type) {
|
||||
throw new InvalidRequest('response_type field is mandatory for authorization endpoint');
|
||||
throw new InvalidRequest(
|
||||
'response_type field is mandatory for authorization endpoint'
|
||||
);
|
||||
}
|
||||
|
||||
responseType = req.query.response_type as string;
|
||||
console.debug('Parameter response_type is', responseType);
|
||||
req.oauth2.logger.debug('Parameter response_type is', responseType);
|
||||
|
||||
// Support multiple types
|
||||
const responseTypes = responseType.split(' ');
|
||||
@ -59,24 +67,32 @@ export const authorization = wrap(async (req, res) => {
|
||||
case 'token':
|
||||
grantTypes.push('implicit');
|
||||
break;
|
||||
// case 'id_token':
|
||||
case 'id_token':
|
||||
grantTypes.push('id_token');
|
||||
break;
|
||||
case 'none':
|
||||
grantTypes.push(responseTypes[i]);
|
||||
break;
|
||||
default:
|
||||
throw new UnsupportedResponseType('Unknown response_type parameter passed');
|
||||
throw new UnsupportedResponseType(
|
||||
'Unknown response_type parameter passed'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Filter out duplicates
|
||||
grantTypes = grantTypes.filter((value, index, self) => self.indexOf(value) === index);
|
||||
grantTypes = grantTypes.filter(
|
||||
(value, index, self) => self.indexOf(value) === index
|
||||
);
|
||||
|
||||
// "None" type cannot be combined with others
|
||||
if (grantTypes.length > 1 && grantTypes.indexOf('none') !== -1) {
|
||||
throw new InvalidRequest('Grant type "none" cannot be combined with other grant types');
|
||||
throw new InvalidRequest(
|
||||
'Grant type "none" cannot be combined with other grant types'
|
||||
);
|
||||
}
|
||||
|
||||
console.debug('Parameter grant_type is', grantTypes.join(' '));
|
||||
req.oauth2.logger.debug('Parameter grant_type is', grantTypes.join(' '));
|
||||
|
||||
const client = await oauth2.model.client.fetchById(clientId);
|
||||
if (!client) {
|
||||
@ -89,21 +105,26 @@ export const authorization = wrap(async (req, res) => {
|
||||
} else if (!oauth2.model.client.checkRedirectUri(client, redirectUri)) {
|
||||
throw new InvalidRequest('Wrong RedirectUri provided');
|
||||
}
|
||||
console.debug('redirect_uri check passed');
|
||||
req.oauth2.logger.debug('redirect_uri check passed');
|
||||
|
||||
// The client needs to support all grant types
|
||||
for (const grantType of grantTypes) {
|
||||
if (!oauth2.model.client.checkGrantType(client, grantType) && grantType !== 'none') {
|
||||
throw new UnauthorizedClient('This client does not support grant type ' + grantType);
|
||||
if (
|
||||
!oauth2.model.client.checkGrantType(client, grantType) &&
|
||||
grantType !== 'none'
|
||||
) {
|
||||
throw new UnauthorizedClient(
|
||||
'This client does not support grant type ' + grantType
|
||||
);
|
||||
}
|
||||
}
|
||||
console.debug('Grant type check passed');
|
||||
req.oauth2.logger.debug('Grant type check passed');
|
||||
|
||||
scope = oauth2.model.client.transformScope(req.query.scope as string);
|
||||
if (!oauth2.model.client.checkScope(client, scope)) {
|
||||
throw new InvalidScope('Client does not allow access to this scope');
|
||||
}
|
||||
console.debug('Scope check passed');
|
||||
req.oauth2.logger.debug('Scope check passed');
|
||||
|
||||
user = await oauth2.model.user.fetchFromRequest(req);
|
||||
if (!user) {
|
||||
@ -112,10 +133,10 @@ export const authorization = wrap(async (req, res) => {
|
||||
if (!user.username) {
|
||||
throw new AccessDenied(user.username);
|
||||
}
|
||||
console.debug('User fetched from request')
|
||||
req.oauth2.logger.debug('User fetched from request');
|
||||
}
|
||||
|
||||
let resObj = {};
|
||||
let resObj: Record<string, string | number> = {};
|
||||
let consented = false;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
@ -128,24 +149,31 @@ export const authorization = wrap(async (req, res) => {
|
||||
);
|
||||
|
||||
// Ask for consent
|
||||
if (!consented) return oauth2.decision(req, res, client, scope, user, redirectUri);
|
||||
if (!consented)
|
||||
return oauth2.decision(req, res, client, scope, user, redirectUri);
|
||||
}
|
||||
|
||||
// Consent pushed, ensure valid session
|
||||
const { session: { csrf } } = req;
|
||||
if (req.method === 'POST' && csrf && !(req.body.csrf && req.body.csrf === csrf)) {
|
||||
const {
|
||||
session: { csrf },
|
||||
} = req;
|
||||
if (
|
||||
req.method === 'POST' &&
|
||||
csrf &&
|
||||
!(req.body.csrf && req.body.csrf === csrf)
|
||||
) {
|
||||
throw new InvalidRequest('Invalid session');
|
||||
}
|
||||
|
||||
// Save consent
|
||||
if (!consented) {
|
||||
if (!req.body || (typeof req.body.decision) === 'undefined') {
|
||||
if (!req.body || typeof req.body.decision === 'undefined') {
|
||||
throw new InvalidRequest('No decision parameter passed');
|
||||
} else if (req.body.decision === '0') {
|
||||
throw new AccessDenied('User denied access to the resource');
|
||||
}
|
||||
|
||||
console.debug('Decision check passed');
|
||||
req.oauth2.logger.debug('Decision check passed');
|
||||
|
||||
await oauth2.model.user.consent(
|
||||
oauth2.model.user.getId(user),
|
||||
@ -155,17 +183,17 @@ export const authorization = wrap(async (req, res) => {
|
||||
}
|
||||
|
||||
for (const i in grantTypes) {
|
||||
let data = null
|
||||
let data = null;
|
||||
switch (grantTypes[i]) {
|
||||
case 'authorization_code':
|
||||
data = await oauth2.model.code.create(
|
||||
oauth2.model.user.getId(user),
|
||||
oauth2.model.client.getId(client),
|
||||
scope,
|
||||
oauth2.model.code.ttl,
|
||||
oauth2.model.code.ttl
|
||||
);
|
||||
|
||||
resObj = Object.assign({ code: data }, resObj);
|
||||
resObj = { code: data, ...resObj };
|
||||
|
||||
break;
|
||||
case 'implicit':
|
||||
@ -176,18 +204,36 @@ export const authorization = wrap(async (req, res) => {
|
||||
oauth2.model.accessToken.ttl
|
||||
);
|
||||
|
||||
resObj = Object.assign({
|
||||
resObj = {
|
||||
token_type: 'bearer',
|
||||
access_token: data,
|
||||
expires_in: oauth2.model.accessToken.ttl
|
||||
}, resObj);
|
||||
expires_in: oauth2.model.accessToken.ttl,
|
||||
...resObj,
|
||||
};
|
||||
|
||||
break;
|
||||
case 'id_token':
|
||||
if (!oauth2.model.jwt || !scope.includes('openid')) {
|
||||
break;
|
||||
}
|
||||
|
||||
data = await oauth2.model.jwt.issueIdToken(
|
||||
user,
|
||||
scope,
|
||||
resObj.access_token as string | undefined
|
||||
);
|
||||
|
||||
resObj = {
|
||||
id_token: data,
|
||||
...resObj,
|
||||
};
|
||||
case 'none':
|
||||
resObj = {};
|
||||
break;
|
||||
default:
|
||||
throw new UnsupportedResponseType('Unknown response_type parameter passed');
|
||||
throw new UnsupportedResponseType(
|
||||
'Unknown response_type parameter passed'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -11,7 +11,11 @@ export const introspection = wrap(async function (req, res) {
|
||||
if (req.body.client_id && req.body.client_secret) {
|
||||
clientId = req.body.client_id as string;
|
||||
clientSecret = req.body.client_secret as string;
|
||||
console.debug('Client credentials parsed from body parameters ', clientId, clientSecret);
|
||||
req.oauth2.logger.debug(
|
||||
'Client credentials parsed from body parameters ',
|
||||
clientId,
|
||||
clientSecret
|
||||
);
|
||||
} else {
|
||||
if (!req.headers || !req.headers.authorization) {
|
||||
throw new InvalidRequest('No authorization header passed');
|
||||
@ -23,7 +27,9 @@ export const introspection = wrap(async function (req, res) {
|
||||
}
|
||||
|
||||
if (pieces[0] !== 'Basic') {
|
||||
throw new InvalidRequest(`Unsupported authorization method: ${pieces[0]}`);
|
||||
throw new InvalidRequest(
|
||||
`Unsupported authorization method: ${pieces[0]}`
|
||||
);
|
||||
}
|
||||
|
||||
pieces = Buffer.from(pieces[1], 'base64').toString('ascii').split(':', 2);
|
||||
@ -33,7 +39,11 @@ export const introspection = wrap(async function (req, res) {
|
||||
|
||||
clientId = pieces[0];
|
||||
clientSecret = pieces[1];
|
||||
console.debug('Client credentials parsed from basic auth header: ', clientId, clientSecret);
|
||||
req.oauth2.logger.debug(
|
||||
'Client credentials parsed from basic auth header: ',
|
||||
clientId,
|
||||
clientSecret
|
||||
);
|
||||
}
|
||||
|
||||
if (!req.body.token) {
|
||||
@ -49,7 +59,7 @@ export const introspection = wrap(async function (req, res) {
|
||||
const resObj = {
|
||||
token_type: 'bearer',
|
||||
token: token.token,
|
||||
expires_in: Math.floor(ttl / 1000)
|
||||
expires_in: Math.floor(ttl / 1000),
|
||||
};
|
||||
|
||||
dataResponse(req, res, resObj);
|
||||
|
@ -1,13 +1,16 @@
|
||||
import * as tokens from './tokens'
|
||||
import * as tokens from './tokens';
|
||||
import {
|
||||
InvalidRequest,
|
||||
InvalidClient,
|
||||
UnauthorizedClient,
|
||||
UnsupportedGrantType,
|
||||
OAuth2Error
|
||||
} from '../model/error'
|
||||
import { data as dataResponse, error as errorResponse } from '../utils/response'
|
||||
import wrap from '../utils/wrap'
|
||||
OAuth2Error,
|
||||
} from '../model/error';
|
||||
import {
|
||||
data as dataResponse,
|
||||
error as errorResponse,
|
||||
} from '../utils/response';
|
||||
import wrap from '../utils/wrap';
|
||||
import { OAuth2TokenResponse } from '../model/model';
|
||||
|
||||
export const token = wrap(async (req, res) => {
|
||||
@ -20,7 +23,11 @@ export const token = wrap(async (req, res) => {
|
||||
if (req.body.client_id && req.body.client_secret) {
|
||||
clientId = req.body.client_id as string;
|
||||
clientSecret = req.body.client_secret as string;
|
||||
console.debug('Client credentials parsed from body parameters', clientId, clientSecret);
|
||||
req.oauth2.logger.debug(
|
||||
'Client credentials parsed from body parameters',
|
||||
clientId,
|
||||
clientSecret
|
||||
);
|
||||
} else {
|
||||
if (!req.headers || !req.headers.authorization) {
|
||||
throw new InvalidRequest('No authorization header passed');
|
||||
@ -32,7 +39,9 @@ export const token = wrap(async (req, res) => {
|
||||
}
|
||||
|
||||
if (pieces[0] !== 'Basic') {
|
||||
throw new InvalidRequest(`Unsupported authorization method: ${pieces[0]}`);
|
||||
throw new InvalidRequest(
|
||||
`Unsupported authorization method: ${pieces[0]}`
|
||||
);
|
||||
}
|
||||
|
||||
pieces = Buffer.from(pieces[1], 'base64').toString('ascii').split(':', 2);
|
||||
@ -42,15 +51,21 @@ export const token = wrap(async (req, res) => {
|
||||
|
||||
clientId = pieces[0];
|
||||
clientSecret = pieces[1];
|
||||
console.debug('Client credentials parsed from basic auth header:', clientId, clientSecret);
|
||||
req.oauth2.logger.debug(
|
||||
'Client credentials parsed from basic auth header:',
|
||||
clientId,
|
||||
clientSecret
|
||||
);
|
||||
}
|
||||
|
||||
if (!req.body.grant_type) {
|
||||
throw new InvalidRequest('Request body does not contain grant_type parameter');
|
||||
throw new InvalidRequest(
|
||||
'Request body does not contain grant_type parameter'
|
||||
);
|
||||
}
|
||||
|
||||
grantType = req.body.grant_type as string;
|
||||
console.debug('Parameter grant_type is', grantType);
|
||||
req.oauth2.logger.debug('Parameter grant_type is', grantType);
|
||||
|
||||
const client = await oauth2.model.client.fetchById(clientId);
|
||||
|
||||
@ -63,36 +78,58 @@ export const token = wrap(async (req, res) => {
|
||||
throw new UnauthorizedClient('Invalid client secret');
|
||||
}
|
||||
|
||||
if (!oauth2.model.client.checkGrantType(client, grantType) && grantType !== 'refresh_token') {
|
||||
if (
|
||||
!oauth2.model.client.checkGrantType(client, grantType) &&
|
||||
grantType !== 'refresh_token'
|
||||
) {
|
||||
throw new UnauthorizedClient('Invalid grant type for the client');
|
||||
} else {
|
||||
console.debug('Grant type check passed');
|
||||
req.oauth2.logger.debug('Grant type check passed');
|
||||
}
|
||||
|
||||
let tokenResponse: OAuth2TokenResponse;
|
||||
try {
|
||||
switch (grantType) {
|
||||
case 'authorization_code':
|
||||
tokenResponse = await tokens.authorizationCode(oauth2, client, req.body.code);
|
||||
tokenResponse = await tokens.authorizationCode(
|
||||
oauth2,
|
||||
client,
|
||||
req.body.code
|
||||
);
|
||||
break;
|
||||
case 'password':
|
||||
tokenResponse = await tokens.password(oauth2, client, req.body.username, req.body.password, req.body.scope);
|
||||
tokenResponse = await tokens.password(
|
||||
oauth2,
|
||||
client,
|
||||
req.body.username,
|
||||
req.body.password,
|
||||
req.body.scope
|
||||
);
|
||||
break;
|
||||
case 'client_credentials':
|
||||
tokenResponse = await tokens.clientCredentials(oauth2, client, req.body.scope);
|
||||
tokenResponse = await tokens.clientCredentials(
|
||||
oauth2,
|
||||
client,
|
||||
req.body.scope
|
||||
);
|
||||
break;
|
||||
case 'refresh_token':
|
||||
tokenResponse = await tokens.refreshToken(oauth2, client, req.body.refresh_token);
|
||||
tokenResponse = await tokens.refreshToken(
|
||||
oauth2,
|
||||
client,
|
||||
req.body.refresh_token
|
||||
);
|
||||
break;
|
||||
default:
|
||||
throw new UnsupportedGrantType('Grant type does not match any supported type');
|
||||
throw new UnsupportedGrantType(
|
||||
'Grant type does not match any supported type'
|
||||
);
|
||||
}
|
||||
|
||||
if (tokenResponse) {
|
||||
dataResponse(req, res, tokenResponse);
|
||||
}
|
||||
|
||||
} catch (e) {
|
||||
errorResponse(req, res, e as OAuth2Error);
|
||||
}
|
||||
})
|
||||
});
|
||||
|
@ -1,5 +1,10 @@
|
||||
import { InvalidRequest, ServerError, InvalidGrant } from '../../model/error';
|
||||
import { OAuth2, OAuth2Client, OAuth2Code, OAuth2TokenResponse } from '../../model/model';
|
||||
import {
|
||||
OAuth2,
|
||||
OAuth2Client,
|
||||
OAuth2Code,
|
||||
OAuth2TokenResponse,
|
||||
} from '../../model/model';
|
||||
|
||||
/**
|
||||
* Issue an access token by authorization code
|
||||
@ -14,24 +19,28 @@ export async function authorizationCode(
|
||||
providedCode: string
|
||||
): Promise<OAuth2TokenResponse> {
|
||||
const respObj: OAuth2TokenResponse = {
|
||||
token_type: 'bearer'
|
||||
token_type: 'bearer',
|
||||
};
|
||||
|
||||
let code: OAuth2Code | null = null;
|
||||
|
||||
if (!providedCode) {
|
||||
throw new InvalidRequest('code is mandatory for authorization_code grant type');
|
||||
throw new InvalidRequest(
|
||||
'code is mandatory for authorization_code grant type'
|
||||
);
|
||||
}
|
||||
|
||||
try {
|
||||
code = await oauth2.model.code.fetchByCode(providedCode);
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError('Failed to call code.fetchByCode function');
|
||||
}
|
||||
|
||||
if (code) {
|
||||
if (oauth2.model.code.getClientId(code) !== oauth2.model.client.getId(client)) {
|
||||
if (
|
||||
oauth2.model.code.getClientId(code) !== oauth2.model.client.getId(client)
|
||||
) {
|
||||
throw new InvalidGrant('Code was issued by another client');
|
||||
}
|
||||
|
||||
@ -42,56 +51,81 @@ export async function authorizationCode(
|
||||
throw new InvalidGrant('Code not found');
|
||||
}
|
||||
|
||||
console.debug('Code fetched', code);
|
||||
oauth2.logger.debug('Code fetched', code);
|
||||
|
||||
const scope = oauth2.model.code.getScope(code);
|
||||
const cleanScope = oauth2.model.client.transformScope(scope);
|
||||
const userId = oauth2.model.code.getUserId(code);
|
||||
const clientId = oauth2.model.code.getClientId(code);
|
||||
|
||||
if (oauth2.model.refreshToken.invalidateOld) {
|
||||
try {
|
||||
await oauth2.model.refreshToken.removeByUserIdClientId(
|
||||
oauth2.model.code.getUserId(code),
|
||||
oauth2.model.code.getClientId(code)
|
||||
);
|
||||
await oauth2.model.refreshToken.removeByUserIdClientId(userId, clientId);
|
||||
} catch (err) {
|
||||
console.error(err)
|
||||
throw new ServerError('Failed to call refreshToken.removeByUserIdClientId function');
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError(
|
||||
'Failed to call refreshToken.removeByUserIdClientId function'
|
||||
);
|
||||
}
|
||||
|
||||
console.debug('Refresh token removed');
|
||||
oauth2.logger.debug('Refresh token removed');
|
||||
}
|
||||
|
||||
if (!oauth2.model.client.checkGrantType(client, 'refresh_token')) {
|
||||
console.debug('Client does not allow grant type refresh_token, skip creation');
|
||||
oauth2.logger.debug(
|
||||
'Client does not allow grant type refresh_token, skip creation'
|
||||
);
|
||||
} else {
|
||||
try {
|
||||
respObj.refresh_token = await oauth2.model.refreshToken.create(
|
||||
oauth2.model.code.getUserId(code),
|
||||
oauth2.model.code.getClientId(code),
|
||||
oauth2.model.code.getScope(code)
|
||||
userId,
|
||||
clientId,
|
||||
scope
|
||||
);
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError('Failed to call refreshToken.create function');
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
respObj.access_token = await oauth2.model.accessToken.create(
|
||||
oauth2.model.code.getUserId(code),
|
||||
oauth2.model.code.getClientId(code),
|
||||
oauth2.model.code.getScope(code),
|
||||
userId,
|
||||
clientId,
|
||||
scope,
|
||||
oauth2.model.accessToken.ttl
|
||||
);
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError('Failed to call accessToken.create function');
|
||||
}
|
||||
|
||||
respObj.expires_in = oauth2.model.accessToken.ttl;
|
||||
console.debug('Access token saved:', respObj.access_token);
|
||||
oauth2.logger.debug('Access token saved:', respObj.access_token);
|
||||
|
||||
try {
|
||||
await oauth2.model.code.removeByCode(providedCode);
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError('Failed to call code.removeByCode function');
|
||||
}
|
||||
|
||||
if (cleanScope.includes('openid') && oauth2.model.jwt) {
|
||||
const user = await oauth2.model.user.fetchById(
|
||||
oauth2.model.code.getUserId(code)
|
||||
);
|
||||
|
||||
try {
|
||||
respObj.id_token = await oauth2.model.jwt.issueIdToken(
|
||||
user,
|
||||
cleanScope,
|
||||
respObj.access_token
|
||||
);
|
||||
} catch (err) {
|
||||
oauth2.logger.error(err);
|
||||
throw new ServerError('Failed to issue an ID token');
|
||||
}
|
||||
}
|
||||
|
||||
return respObj;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
import { ServerError, InvalidScope } from '../../model/error'
|
||||
import { ServerError, InvalidScope } from '../../model/error';
|
||||
import { OAuth2, OAuth2Client, OAuth2TokenResponse } from '../../model/model';
|
||||
|
||||
/**
|
||||
@ -16,7 +16,7 @@ export async function clientCredentials(
|
||||
let scope: string[] = [];
|
||||
|
||||
const resObj: OAuth2TokenResponse = {
|
||||
token_type: 'bearer'
|
||||
token_type: 'bearer',
|
||||
};
|
||||
|
||||
scope = oauth2.model.client.transformScope(wantScope);
|
||||
@ -24,7 +24,7 @@ export async function clientCredentials(
|
||||
throw new InvalidScope('Client does not allow access to this scope');
|
||||
}
|
||||
|
||||
console.debug('Scope check passed ', scope);
|
||||
oauth2.logger.debug('Scope check passed', scope);
|
||||
|
||||
try {
|
||||
resObj.access_token = await oauth2.model.accessToken.create(
|
||||
|
@ -1,4 +1,4 @@
|
||||
export * from './authorizationCode'
|
||||
export * from './clientCredentials'
|
||||
export * from './password'
|
||||
export * from './refreshToken'
|
||||
export * from './authorizationCode';
|
||||
export * from './clientCredentials';
|
||||
export * from './password';
|
||||
export * from './refreshToken';
|
||||
|
@ -1,5 +1,15 @@
|
||||
import { ServerError, InvalidRequest, InvalidScope, InvalidClient } from '../../model/error'
|
||||
import { OAuth2, OAuth2Client, OAuth2User, OAuth2TokenResponse } from '../../model/model';
|
||||
import {
|
||||
ServerError,
|
||||
InvalidRequest,
|
||||
InvalidScope,
|
||||
InvalidClient,
|
||||
} from '../../model/error';
|
||||
import {
|
||||
OAuth2,
|
||||
OAuth2Client,
|
||||
OAuth2User,
|
||||
OAuth2TokenResponse,
|
||||
} from '../../model/model';
|
||||
|
||||
/**
|
||||
* Implicit access token response
|
||||
@ -20,8 +30,8 @@ export async function password(
|
||||
let user: OAuth2User | null = null;
|
||||
|
||||
const resObj: OAuth2TokenResponse = {
|
||||
token_type: 'bearer'
|
||||
}
|
||||
token_type: 'bearer',
|
||||
};
|
||||
|
||||
if (!username) {
|
||||
throw new InvalidRequest('Username is mandatory for password grant type');
|
||||
@ -35,7 +45,7 @@ export async function password(
|
||||
if (!oauth2.model.client.checkScope(client, scope)) {
|
||||
throw new InvalidScope('Client does not allow access to this scope');
|
||||
} else {
|
||||
console.debug('Scope check passed: ', scope);
|
||||
oauth2.logger.debug('Scope check passed: ', scope);
|
||||
}
|
||||
|
||||
try {
|
||||
@ -59,13 +69,17 @@ export async function password(
|
||||
oauth2.model.client.getId(client)
|
||||
);
|
||||
} catch (err) {
|
||||
throw new ServerError('Failed to call refreshToken.removeByUserIdClientId function');
|
||||
throw new ServerError(
|
||||
'Failed to call refreshToken.removeByUserIdClientId function'
|
||||
);
|
||||
}
|
||||
|
||||
console.debug('Refresh token removed');
|
||||
oauth2.logger.debug('Refresh token removed');
|
||||
|
||||
if (!oauth2.model.client.checkGrantType(client, 'refresh_token')) {
|
||||
console.debug('Client does not allow grant type refresh_token, skip creation');
|
||||
oauth2.logger.debug(
|
||||
'Client does not allow grant type refresh_token, skip creation'
|
||||
);
|
||||
} else {
|
||||
try {
|
||||
resObj.refresh_token = await oauth2.model.refreshToken.create(
|
||||
@ -90,7 +104,7 @@ export async function password(
|
||||
}
|
||||
|
||||
resObj.expires_in = oauth2.model.accessToken.ttl;
|
||||
console.debug('Access token saved ', resObj.access_token);
|
||||
oauth2.logger.debug('Access token saved ', resObj.access_token);
|
||||
|
||||
return resObj;
|
||||
}
|
||||
|
@ -1,24 +1,29 @@
|
||||
import { InvalidRequest, ServerError, InvalidGrant, InvalidClient } from '../../model/error';
|
||||
import {
|
||||
InvalidRequest,
|
||||
ServerError,
|
||||
InvalidGrant,
|
||||
InvalidClient,
|
||||
} from '../../model/error';
|
||||
import {
|
||||
OAuth2,
|
||||
OAuth2AccessToken,
|
||||
OAuth2Client,
|
||||
OAuth2RefreshToken,
|
||||
OAuth2User,
|
||||
OAuth2TokenResponse
|
||||
OAuth2TokenResponse,
|
||||
} from '../../model/model';
|
||||
|
||||
/**
|
||||
* Get a new access token from a refresh token. Scope change may not be requested.
|
||||
* @param oauth2 - OAuth2 instance
|
||||
* @param client - OAuth2 client
|
||||
* @param pRefreshToken - Refresh token
|
||||
* @param providedToken - Refresh token
|
||||
* @returns Access token
|
||||
*/
|
||||
export async function refreshToken(
|
||||
oauth2: OAuth2,
|
||||
client: OAuth2Client,
|
||||
pRefreshToken: string,
|
||||
providedToken: string
|
||||
): Promise<OAuth2TokenResponse> {
|
||||
let user: OAuth2User | null = null;
|
||||
let ttl: number | null = null;
|
||||
@ -26,15 +31,17 @@ export async function refreshToken(
|
||||
let accessToken: OAuth2AccessToken | null = null;
|
||||
|
||||
const resObj: OAuth2TokenResponse = {
|
||||
token_type: 'bearer'
|
||||
token_type: 'bearer',
|
||||
};
|
||||
|
||||
if (!pRefreshToken) {
|
||||
throw new InvalidRequest('refresh_token is mandatory for refresh_token grant type');
|
||||
if (!providedToken) {
|
||||
throw new InvalidRequest(
|
||||
'refresh_token is mandatory for refresh_token grant type'
|
||||
);
|
||||
}
|
||||
|
||||
try {
|
||||
refreshToken = await oauth2.model.refreshToken.fetchByToken(pRefreshToken);
|
||||
refreshToken = await oauth2.model.refreshToken.fetchByToken(providedToken);
|
||||
} catch (err) {
|
||||
throw new ServerError('Failed to call refreshToken.fetchByToken function');
|
||||
}
|
||||
@ -43,8 +50,12 @@ export async function refreshToken(
|
||||
throw new InvalidGrant('Refresh token not found');
|
||||
}
|
||||
|
||||
if (oauth2.model.refreshToken.getClientId(refreshToken) !== oauth2.model.client.getId(client)) {
|
||||
console.warn('Client %s tried to fetch a refresh token which belongs to client %s!',
|
||||
if (
|
||||
oauth2.model.refreshToken.getClientId(refreshToken) !==
|
||||
oauth2.model.client.getId(client)
|
||||
) {
|
||||
oauth2.logger.warn(
|
||||
'Client %s tried to fetch a refresh token which belongs to client %s!',
|
||||
oauth2.model.client.getId(client),
|
||||
oauth2.model.refreshToken.getClientId(refreshToken)
|
||||
);
|
||||
@ -52,7 +63,9 @@ export async function refreshToken(
|
||||
}
|
||||
|
||||
try {
|
||||
user = await oauth2.model.user.fetchById(oauth2.model.refreshToken.getUserId(refreshToken));
|
||||
user = await oauth2.model.user.fetchById(
|
||||
oauth2.model.refreshToken.getUserId(refreshToken)
|
||||
);
|
||||
} catch (err) {
|
||||
throw new InvalidClient('User not found');
|
||||
}
|
||||
@ -62,10 +75,14 @@ export async function refreshToken(
|
||||
}
|
||||
|
||||
try {
|
||||
accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user),
|
||||
oauth2.model.client.getId(client));
|
||||
accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(
|
||||
oauth2.model.user.getId(user),
|
||||
oauth2.model.client.getId(client)
|
||||
);
|
||||
} catch (err) {
|
||||
throw new ServerError('Failed to call accessToken.fetchByUserIdClientId function');
|
||||
throw new ServerError(
|
||||
'Failed to call accessToken.fetchByUserIdClientId function'
|
||||
);
|
||||
}
|
||||
|
||||
if (accessToken) {
|
||||
|
@ -3,7 +3,7 @@ import { AccessDenied } from './model/error';
|
||||
import wrap from './utils/wrap';
|
||||
|
||||
export const middleware = wrap(async function (req: Request, res, next) {
|
||||
console.debug('Parsing bearer token');
|
||||
req.oauth2.logger.debug('Parsing bearer token');
|
||||
let token = null;
|
||||
|
||||
// Look for token in header
|
||||
@ -21,13 +21,16 @@ export const middleware = wrap(async function (req: Request, res, next) {
|
||||
}
|
||||
|
||||
token = pieces[1];
|
||||
console.debug('Bearer token parsed from authorization header:', token);
|
||||
req.oauth2.logger.debug(
|
||||
'Bearer token parsed from authorization header:',
|
||||
token
|
||||
);
|
||||
} else if (req.query?.access_token) {
|
||||
token = req.query.access_token;
|
||||
console.debug('Bearer token parsed from query params:', token);
|
||||
req.oauth2.logger.debug('Bearer token parsed from query params:', token);
|
||||
} else if (req.body?.access_token) {
|
||||
token = req.body.access_token;
|
||||
console.debug('Bearer token parsed from body params:', token);
|
||||
req.oauth2.logger.debug('Bearer token parsed from body params:', token);
|
||||
} else {
|
||||
throw new AccessDenied('Bearer token not found');
|
||||
}
|
||||
@ -40,7 +43,7 @@ export const middleware = wrap(async function (req: Request, res, next) {
|
||||
throw new AccessDenied('Token is expired');
|
||||
} else {
|
||||
res.locals.accessToken = object;
|
||||
console.debug('AccessToken fetched', object);
|
||||
req.oauth2.logger.debug('AccessToken fetched', object);
|
||||
next();
|
||||
}
|
||||
});
|
||||
|
@ -2,8 +2,12 @@ export class OAuth2Error extends Error {
|
||||
public name = 'OAuth2AbstractError';
|
||||
public logLevel = 'error';
|
||||
|
||||
constructor (public code: string, public message: string, public status: number) {
|
||||
super()
|
||||
constructor(
|
||||
public code: string,
|
||||
public message: string,
|
||||
public status: number
|
||||
) {
|
||||
super();
|
||||
Error.captureStackTrace(this, this.constructor);
|
||||
}
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
import { Request, Response } from 'express';
|
||||
import { OAuth2Logger } from '../utils/logger';
|
||||
|
||||
/**
|
||||
* OAuth2 client object
|
||||
@ -46,7 +47,6 @@ export interface OAuth2RefreshToken {
|
||||
* OAuth2 implicit user model
|
||||
*/
|
||||
export interface OAuth2User {
|
||||
id: string | number;
|
||||
username: string;
|
||||
password: string;
|
||||
}
|
||||
@ -55,6 +55,7 @@ export interface OAuth2User {
|
||||
* OAuth2 token response
|
||||
*/
|
||||
export interface OAuth2TokenResponse {
|
||||
id_token?: string;
|
||||
access_token?: string;
|
||||
refresh_token?: string;
|
||||
expires_in?: number;
|
||||
@ -89,7 +90,9 @@ export interface OAuth2AccessTokenAdapter {
|
||||
/**
|
||||
* Fetch an access token by the token string from the database
|
||||
*/
|
||||
fetchByToken: (token: OAuth2AccessToken | string) => Promise<OAuth2AccessToken>;
|
||||
fetchByToken: (
|
||||
token: OAuth2AccessToken | string
|
||||
) => Promise<OAuth2AccessToken>;
|
||||
|
||||
/**
|
||||
* Check the time-to-live value
|
||||
@ -209,6 +212,11 @@ export interface OAuth2CodeAdapter {
|
||||
* OAuth2 refresh token adapter model
|
||||
*/
|
||||
export interface OAuth2RefreshTokenAdapter {
|
||||
/**
|
||||
* Invalidate all previous refresh tokens for user/client when new one is issued.
|
||||
*/
|
||||
invalidateOld: boolean;
|
||||
|
||||
/**
|
||||
* Create a new refresh token
|
||||
*/
|
||||
@ -221,7 +229,9 @@ export interface OAuth2RefreshTokenAdapter {
|
||||
/**
|
||||
* Fetch a token from the database
|
||||
*/
|
||||
fetchByToken: (token: OAuth2RefreshToken | string) => Promise<OAuth2RefreshToken>;
|
||||
fetchByToken: (
|
||||
token: OAuth2RefreshToken | string
|
||||
) => Promise<OAuth2RefreshToken>;
|
||||
|
||||
/**
|
||||
* Remove refresh token by user ID and client ID
|
||||
@ -300,6 +310,25 @@ export interface OAuth2UserAdapter {
|
||||
) => Promise<boolean>;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adapter for managing the `openid` scope.
|
||||
*/
|
||||
export interface JWTAdapter {
|
||||
/**
|
||||
* Issue a new ID token for user.
|
||||
*/
|
||||
issueIdToken: (
|
||||
user: OAuth2User,
|
||||
scope: string[],
|
||||
accessToken?: string
|
||||
) => Promise<string>;
|
||||
|
||||
/**
|
||||
* Validate an ID token
|
||||
*/
|
||||
validateIdToken: (idToken: string) => Promise<boolean>;
|
||||
}
|
||||
|
||||
/**
|
||||
* Render the OAuth2 decision page
|
||||
*/
|
||||
@ -321,6 +350,7 @@ export interface OAuth2AdapterModel {
|
||||
user: OAuth2UserAdapter;
|
||||
client: OAuth2ClientAdapter;
|
||||
code: OAuth2CodeAdapter;
|
||||
jwt?: JWTAdapter;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -328,5 +358,6 @@ export interface OAuth2AdapterModel {
|
||||
*/
|
||||
export interface OAuth2 {
|
||||
model: OAuth2AdapterModel;
|
||||
logger: OAuth2Logger;
|
||||
decision: RenderOAuth2Decision;
|
||||
}
|
||||
|
@ -1,22 +1,28 @@
|
||||
import { RequestHandler } from 'express';
|
||||
import * as controller from './controller';
|
||||
import { middleware } from './middleware';
|
||||
import { RenderOAuth2Decision, OAuth2, OAuth2AdapterModel } from './model/model';
|
||||
import {
|
||||
RenderOAuth2Decision,
|
||||
OAuth2,
|
||||
OAuth2AdapterModel,
|
||||
} from './model/model';
|
||||
import { OAuth2Logger } from './utils/logger';
|
||||
|
||||
export class OAuth2Provider implements OAuth2 {
|
||||
public bearer = middleware;
|
||||
public controller = controller;
|
||||
public logger = new OAuth2Logger('info');
|
||||
|
||||
constructor(
|
||||
public model: OAuth2AdapterModel,
|
||||
public decision: RenderOAuth2Decision,
|
||||
public decision: RenderOAuth2Decision
|
||||
) {}
|
||||
|
||||
express(): RequestHandler {
|
||||
return (req, _res, next) => {
|
||||
console.debug('OAuth2 Injected into request');
|
||||
req.oauth2.logger.debug('OAuth2 Injected into request');
|
||||
req.oauth2 = this;
|
||||
next();
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
|
43
src/utils/logger.ts
Normal file
43
src/utils/logger.ts
Normal file
@ -0,0 +1,43 @@
|
||||
export type LoggerLevel = 'none' | 'info' | 'warn' | 'error' | 'debug';
|
||||
type LoggerFunction = (...args: any[]) => void;
|
||||
|
||||
const LOG_LEVELS = ['none', 'info', 'warn', 'error', 'debug'];
|
||||
|
||||
interface LoggerType {
|
||||
info: LoggerFunction;
|
||||
warn: LoggerFunction;
|
||||
error: LoggerFunction;
|
||||
debug: LoggerFunction;
|
||||
}
|
||||
|
||||
export class OAuth2Logger {
|
||||
constructor(
|
||||
public logLevel: LoggerLevel,
|
||||
public logger: LoggerType | undefined = console
|
||||
) {}
|
||||
|
||||
public setLogLevel(logLevel: LoggerLevel): void {
|
||||
this.logLevel = logLevel;
|
||||
}
|
||||
|
||||
public setLogger(logger?: LoggerType): void {
|
||||
this.logger = logger;
|
||||
}
|
||||
|
||||
public log(level: LoggerLevel, ...args: any[]): void {
|
||||
if (!this.logger || this.logLevel === 'none') {
|
||||
return;
|
||||
}
|
||||
|
||||
if (LOG_LEVELS.indexOf(this.logLevel) < LOG_LEVELS.indexOf(level)) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.logger[level as 'info' | 'warn' | 'error' | 'debug'](...args);
|
||||
}
|
||||
|
||||
public info = this.log.bind(this, 'info');
|
||||
public warn = this.log.bind(this, 'warn');
|
||||
public error = this.log.bind(this, 'error');
|
||||
public debug = this.log.bind(this, 'debug');
|
||||
}
|
@ -13,40 +13,49 @@ function dataRes(req: Request, res: Response, code: number, data: any): void {
|
||||
res.header('Cache-Control', 'no-store');
|
||||
res.header('Pragma', 'no-cache');
|
||||
res.status(code).send(data);
|
||||
console.debug('Response:', data);
|
||||
req.oauth2.logger.debug('Response:', data);
|
||||
}
|
||||
|
||||
function redirect(req: Request, res: Response, redirectUri: string): void {
|
||||
res.header('Location', redirectUri);
|
||||
res.status(302).end();
|
||||
console.debug('Redirecting to', redirectUri);
|
||||
req.oauth2.logger.debug('Redirecting to', redirectUri);
|
||||
}
|
||||
|
||||
export function error(req: Request, res: Response, err: OAuth2Error, redirectUri?: string): void {
|
||||
export function error(
|
||||
req: Request,
|
||||
res: Response,
|
||||
err: OAuth2Error,
|
||||
redirectUri?: string
|
||||
): void {
|
||||
// Transform unknown error
|
||||
if (!(err instanceof OAuth2Error)) {
|
||||
console.error((err as Error).stack);
|
||||
req.oauth2.logger.error((err as Error).stack);
|
||||
err = new ServerError('Uncaught exception');
|
||||
} else {
|
||||
console.error('Exception caught', err.stack);
|
||||
req.oauth2.logger.error('Exception caught', err.stack);
|
||||
}
|
||||
|
||||
if (redirectUri) {
|
||||
const obj: ErrorResponseData = {
|
||||
error: err.code,
|
||||
error_description: err.message
|
||||
error_description: err.message,
|
||||
};
|
||||
|
||||
if (req.query.state) {
|
||||
obj.state = req.query.state as string;
|
||||
}
|
||||
|
||||
redirectUri += '?' + (new URLSearchParams(obj as Record<string, string>).toString());
|
||||
redirectUri +=
|
||||
'?' + new URLSearchParams(obj as Record<string, string>).toString();
|
||||
redirect(req, res, redirectUri);
|
||||
return;
|
||||
}
|
||||
|
||||
dataRes(req, res, err.status, { error: err.code, error_description: err.message });
|
||||
dataRes(req, res, err.status, {
|
||||
error: err.code,
|
||||
error_description: err.message,
|
||||
});
|
||||
}
|
||||
|
||||
export function data(
|
||||
@ -57,15 +66,15 @@ export function data(
|
||||
fragment: boolean = false
|
||||
): void {
|
||||
if (redirectUri) {
|
||||
redirectUri += fragment
|
||||
? '#'
|
||||
: (redirectUri.indexOf('?') === -1 ? '?' : '&');
|
||||
redirectUri += fragment ? '#' : redirectUri.indexOf('?') === -1 ? '?' : '&';
|
||||
|
||||
if (req.query.state) {
|
||||
obj.state = req.query.state as string;
|
||||
}
|
||||
|
||||
redirectUri += new URLSearchParams(obj as Record<string, string>).toString();
|
||||
redirectUri += new URLSearchParams(
|
||||
obj as Record<string, string>
|
||||
).toString();
|
||||
redirect(req, res, redirectUri);
|
||||
return;
|
||||
}
|
||||
|
@ -1,6 +1,8 @@
|
||||
import { RequestHandler } from 'express';
|
||||
import { error } from './response';
|
||||
|
||||
export default (fn: RequestHandler, redir?: boolean): RequestHandler => (req, res, next) =>
|
||||
(fn(req, res, next) as unknown as Promise<void>).catch(e =>
|
||||
error(req, res, e, redir ? (req.query.redirect_uri as string) : undefined));
|
||||
export default (fn: RequestHandler, redir?: boolean): RequestHandler =>
|
||||
(req, res, next) =>
|
||||
(fn(req, res, next) as unknown as Promise<void>).catch((e) =>
|
||||
error(req, res, e, redir ? (req.query.redirect_uri as string) : undefined)
|
||||
);
|
||||
|
Reference in New Issue
Block a user