IcyNetwork
/
oauth2-provider
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
oauth2-provider/src/controller/authorization.ts

197 lines
5.9 KiB
TypeScript
Raw Blame History

import {
InvalidRequest,
UnsupportedResponseType,
InvalidClient,
UnauthorizedClient,
InvalidScope,
AccessDenied,
} from '../model/error';
import { OAuth2User } from '../model/model';
import { data as dataResponse } from '../utils/response';
import wrap from '../utils/wrap';
/**
* Authorization and decision endpoint.
*/
export const authorization = wrap(async (req, res) => {
let clientId: string | null = null;
let redirectUri: string | null = null;
let responseType: string | null = null;
let grantTypes: string[] = [];
let scope: string[] | null = null;
let user: OAuth2User | null = null;
const { oauth2 } = req;
if (!req.query.redirect_uri) {
throw new InvalidRequest('redirect_uri field is mandatory for authorization endpoint');
}
redirectUri = req.query.redirect_uri as string;
console.debug('Parameter redirect uri is', redirectUri);
if (!req.query.client_id) {
throw new InvalidRequest('client_id field is mandatory for authorization endpoint');
}
// Check for client_secret (prevent passing it)
if (req.query.client_secret) {
throw new InvalidRequest('client_secret field should not be passed to the authorization endpoint');
}
clientId = req.query.client_id as string;
console.debug('Parameter client_id is', clientId);
if (!req.query.response_type) {
throw new InvalidRequest('response_type field is mandatory for authorization endpoint');
}
responseType = req.query.response_type as string;
console.debug('Parameter response_type is', responseType);
// Support multiple types
const responseTypes = responseType.split(' ');
for (const i in responseTypes) {
switch (responseTypes[i]) {
case 'code':
grantTypes.push('authorization_code');
break;
case 'token':
grantTypes.push('implicit');
break;
// case 'id_token':
case 'none':
grantTypes.push(responseTypes[i]);
break;
default:
throw new UnsupportedResponseType('Unknown response_type parameter passed');
}
}
// Filter out duplicates
grantTypes = grantTypes.filter((value, index, self) => self.indexOf(value) === index);
// "None" type cannot be combined with others
if (grantTypes.length > 1 && grantTypes.indexOf('none') !== -1) {
throw new InvalidRequest('Grant type "none" cannot be combined with other grant types');
}
console.debug('Parameter grant_type is', grantTypes.join(' '));
const client = await oauth2.model.client.fetchById(clientId);
if (!client) {
throw new InvalidClient('Client not found');
}
// TODO: multiple redirect URI
if (!oauth2.model.client.getRedirectUri(client)) {
throw new UnsupportedResponseType('The client has not set a redirect uri');
} else if (!oauth2.model.client.checkRedirectUri(client, redirectUri)) {
throw new InvalidRequest('Wrong RedirectUri provided');
}
console.debug('redirect_uri check passed');
// The client needs to support all grant types
for (const grantType of grantTypes) {
if (!oauth2.model.client.checkGrantType(client, grantType) && grantType !== 'none') {
throw new UnauthorizedClient('This client does not support grant type ' + grantType);
}
}
console.debug('Grant type check passed');
scope = oauth2.model.client.transformScope(req.query.scope as string);
if (!oauth2.model.client.checkScope(client, scope)) {
throw new InvalidScope('Client does not allow access to this scope');
}
console.debug('Scope check passed');
user = await oauth2.model.user.fetchFromRequest(req);
if (!user) {
throw new InvalidRequest('There is no currently logged in user');
} else {
if (!user.username) {
throw new AccessDenied(user.username);
}
console.debug('User fetched from request')
}
let resObj = {};
let consented = false;
if (req.method === 'GET') {
// Check if the user has already consented to this client with this scope
// TODO: reevaluate security implications
consented = await oauth2.model.user.consented(
oauth2.model.user.getId(user),
oauth2.model.client.getId(client),
scope
);
// Ask for consent
if (!consented) return oauth2.decision(req, res, client, scope, user, redirectUri);
}
// Consent pushed, ensure valid session
const { session: { csrf } } = req;
if (req.method === 'POST' && csrf && !(req.body.csrf && req.body.csrf === csrf)) {
throw new InvalidRequest('Invalid session');
}
// Save consent
if (!consented) {
if (!req.body || (typeof req.body.decision) === 'undefined') {
throw new InvalidRequest('No decision parameter passed');
} else if (req.body.decision === '0') {
throw new AccessDenied('User denied access to the resource');
}
console.debug('Decision check passed');
await oauth2.model.user.consent(
oauth2.model.user.getId(user),
oauth2.model.client.getId(client),
scope
);
}
for (const i in grantTypes) {
let data = null
switch (grantTypes[i]) {
case 'authorization_code':
data = await oauth2.model.code.create(
oauth2.model.user.getId(user),
oauth2.model.client.getId(client),
scope,
oauth2.model.code.ttl,
);
resObj = Object.assign({ code: data }, resObj);
break;
case 'implicit':
data = await oauth2.model.accessToken.create(
oauth2.model.user.getId(user),
oauth2.model.client.getId(client),
scope,
oauth2.model.accessToken.ttl
);
resObj = Object.assign({
token_type: 'bearer',
access_token: data,
expires_in: oauth2.model.accessToken.ttl
}, resObj);
break;
case 'none':
resObj = {};
break;
default:
throw new UnsupportedResponseType('Unknown response_type parameter passed');
}
}
// Return non-code response types as fragment instead of query
return dataResponse(req, res, resObj, redirectUri, responseType !== 'code');
}, true);
Reference in New Issue View Git Blame Copy Permalink