Actually mostly-compliant introspection endpoint, csrf and documentation

2024-06-06 20:02:18 +03:00 · 2024-06-06 20:02:18 +03:00 · 17821bfda3
commit 17821bfda3
parent 874b4804b9
15 changed files with 140 additions and 46 deletions
--- a/.env.example
+++ b/.env.example
@ -1,14 +1,27 @@
+# Front-end public URL, without leading slash
 PUBLIC_URL=http://localhost:5173
+
+# Site name, displayed on the UI and in emails
 PUBLIC_SITE_NAME=Amanita SSO
+
+# Database connection (mysql)
 DATABASE_HOST=localhost
 DATABASE_DB=icyauth
 DATABASE_USER=icyauth
 DATABASE_PASS=icyauth
+
+# Secret keys for sessions and challenges
+# These keys should be rotated as part of regular maintenance
 SESSION_SECRET=32 char key
 CHALLENGE_SECRET=64 char key
+
+# OpenID Connect JWT (ID token) settings
+# Private keys for JWTs are stored as files in the private directory
 JWT_ALGORITHM=RS256
 JWT_EXPIRATION=7d
 JWT_ISSUER=http://localhost:5173
+
+# SMTP settings
 EMAIL_ENABLED=true
 EMAIL_FROM=no-reply@icynet.eu
 EMAIL_SMTP_HOST=mail.icynet.eu
@ -16,7 +29,13 @@ EMAIL_SMTP_PORT=587
 EMAIL_SMTP_SECURE=false
 EMAIL_SMTP_USER=
 EMAIL_SMTP_PASS=
+
+# Enable new account registrations
 REGISTRATIONS=true
+
+# Trust the first proxy to give us the user's real IP
 ADDRESS_HEADER=X-Forwarded-For
 XFF_DEPTH=1
+
+# Run database migrations automatically on startup
 AUTO_MIGRATE=true
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@ -1,7 +1,9 @@
 import { AUTO_MIGRATE, SESSION_SECRET } from '$env/static/private';
+import { csrf } from '$lib/server/csrf';
 import { DB } from '$lib/server/drizzle';
 import { runSeeds } from '$lib/server/drizzle/seeds';
 import { JWT } from '$lib/server/jwt';
+import { sequence } from '@sveltejs/kit/hooks';
 import { migrate } from 'drizzle-orm/mysql2/migrator';
 import { handleSession } from 'svelte-kit-cookie-session';

@ -14,6 +16,9 @@ if (AUTO_MIGRATE === 'true') {

 await runSeeds();

-export const handle = handleSession({
-	secret: SESSION_SECRET
-});
+export const handle = sequence(
+	csrf(['/oauth2/token', '/oauth2/introspect']),
+	handleSession({
+		secret: SESSION_SECRET
+	})
+);
--- a/src/lib/components/ActionButton.svelte
+++ b/src/lib/components/ActionButton.svelte
@ -13,6 +13,5 @@
 </script>

 <form {action} method="POST" use:enhancer={enhanceFn}>
-	<slot name="form" />
 	<Button {variant} type="submit"><slot /></Button>
 </form>
--- a/src/lib/server/api-utils.ts
+++ b/src/lib/server/api-utils.ts
@ -1,11 +1,4 @@
 export class ApiUtils {
-	static json(data: unknown, status = 200): Response {
-		return new Response(JSON.stringify(data), {
-			status,
-			headers: { 'Content-Type': 'application/json' }
-		});
-	}
-
 	static redirect(url: string, status = 302): Response {
 		return new Response(null, {
 			status,
@ -14,4 +7,24 @@ export class ApiUtils {
 			}
 		});
 	}
+
+	static async getJsonOrFormBody(request: Request) {
+		if (request.headers.get('content-type')?.startsWith('application/json')) {
+			try {
+				const jsonBody = await request.json();
+				return jsonBody;
+			} catch {
+				// Try next...
+			}
+		}
+
+		try {
+			const formBody = await request.formData();
+			return Object.fromEntries(formBody);
+		} catch (err) {
+			// Skip...
+		}
+
+		return {};
+	}
 }
--- a/src/lib/server/csrf.ts
+++ b/src/lib/server/csrf.ts
@ -0,0 +1,33 @@
+import { json, text, type Handle } from '@sveltejs/kit';
+
+const isContentType = (request: Request, ...types: string[]) => {
+	const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
+	return types.includes(type);
+};
+
+const isFormContentType = (request: Request) =>
+	isContentType(request, 'application/x-www-form-urlencoded', 'multipart/form-data');
+
+/**
+ * CSRF protection copied from sveltekit but with the ability to turn it off for specific routes.
+ */
+export const csrf =
+	(allowedPaths: string[]): Handle =>
+	async ({ event, resolve }) => {
+		const forbidden =
+			event.request.method === 'POST' &&
+			event.request.headers.get('origin') !== event.url.origin &&
+			isFormContentType(event.request) &&
+			!allowedPaths.includes(event.url.pathname);
+
+		if (forbidden) {
+			const csrfError = `Cross-site ${event.request.method} form submissions are forbidden`;
+			if (event.request.headers.get('accept') === 'application/json') {
+				return json({ error: 'forbidden', error_description: csrfError }, { status: 403 });
+			}
+
+			return text(csrfError, { status: 403 });
+		}
+
+		return resolve(event);
+	};
--- a/src/lib/server/jwt.ts
+++ b/src/lib/server/jwt.ts
@ -9,10 +9,11 @@ import {
 	type JWK,
 	type KeyLike
 } from 'jose';
+import { join } from 'path';
 import { v4 as uuidv4 } from 'uuid';

 /**
- * Generate JWTs using the following commands:
+ * Generate JWT keys using the following commands:
 * Private: openssl genpkey -out jwt.private.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
 * Public:  openssl rsa -in jwt.private.pem -pubout -outform PEM -out jwt.public.pem
 */
@ -23,8 +24,10 @@ export class JWT {
 	static jwksKid: string;

 	static async init() {
-		const privateKeyFile = await readFile('private/jwt.private.pem', { encoding: 'utf-8' });
-		const publicKeyFile = await readFile('private/jwt.public.pem', { encoding: 'utf-8' });
+		const privateKeyFile = await readFile(join('private', 'jwt.private.pem'), {
+			encoding: 'utf-8'
+		});
+		const publicKeyFile = await readFile(join('private', 'jwt.public.pem'), { encoding: 'utf-8' });
 		JWT.privateKey = await importPKCS8(privateKeyFile, JWT_ALGORITHM);
 		JWT.publicKey = await importSPKI(publicKeyFile, JWT_ALGORITHM);
 		JWT.jwks = await exportJWK(JWT.publicKey);
--- a/src/lib/server/oauth2/controller/introspection.ts
+++ b/src/lib/server/oauth2/controller/introspection.ts
@ -1,10 +1,11 @@
-import { InvalidRequest } from '../error';
-import { OAuth2AccessTokens } from '../model';
+import { ApiUtils } from '$lib/server/api-utils';
+import { InvalidClient, InvalidRequest, UnauthorizedClient } from '../error';
+import { OAuth2AccessTokens, OAuth2Clients } from '../model';
 import { OAuth2Response } from '../response';

 export class OAuth2IntrospectionController {
 	static postHandler = async ({ request, url }: { request: Request; url: URL }) => {
-		const body = await request.json().catch(() => ({}));
+		const body = await ApiUtils.getJsonOrFormBody(request);

 		let clientId: string | null = null;
 		let clientSecret: string | null = null;
@ -12,7 +13,7 @@ export class OAuth2IntrospectionController {
 		if (body.client_id && body.client_secret) {
 			clientId = body.client_id as string;
 			clientSecret = body.client_secret as string;
-			console.debug('Client credentials parsed from body parameters ', clientId, clientSecret);
+			// console.debug('Client credentials parsed from body parameters ', clientId, clientSecret);
 		} else {
 			if (!request.headers?.has('authorization')) {
 				throw new InvalidRequest('No authorization header passed');
@ -34,23 +35,34 @@ export class OAuth2IntrospectionController {

 			clientId = pieces[0];
 			clientSecret = pieces[1];
-			console.debug('Client credentials parsed from basic auth header: ', clientId, clientSecret);
+			// console.debug('Client credentials parsed from basic auth header: ', clientId, clientSecret);
 		}

 		if (!body.token) {
 			throw new InvalidRequest('Token not provided in request body');
 		}

-		const token = await OAuth2AccessTokens.fetchByToken(body.token);
-		if (!token) {
-			throw new InvalidRequest('Token does not exist');
+		const client = await OAuth2Clients.fetchById(clientId);
+
+		if (!client) {
+			throw new InvalidClient('Client not found');
+		}
+
+		const valid = OAuth2Clients.checkSecret(client, clientSecret);
+		if (!valid) {
+			throw new UnauthorizedClient('The client authentication was invalid');
+		}
+
+		const token = await OAuth2AccessTokens.fetchByToken(body.token);
+		if (!token || token.clientIdPub !== clientId || token.expires_at.getTime() < Date.now()) {
+			return OAuth2Response.response(url, { active: false });
 		}

-		const ttl = OAuth2AccessTokens.getTTL(token);
 		const resObj = {
-			token_type: 'bearer',
-			token: token.token,
-			expires_in: Math.floor(ttl / 1000)
+			active: true,
+			scope: token.scope || '',
+			client_id: clientId,
+			exp: Math.floor(token.expires_at.getTime() / 1000)
 		};

 		return OAuth2Response.response(url, resObj);
--- a/src/lib/server/oauth2/controller/token.ts
+++ b/src/lib/server/oauth2/controller/token.ts
@ -1,3 +1,4 @@
+import { ApiUtils } from '$lib/server/api-utils';
 import {
 	InvalidRequest,
 	InvalidClient,
@ -16,12 +17,12 @@ export class OAuth2TokenController {
 		let clientSecret: string | null = null;
 		let grantType: string | null = null;

-		const body = await request.json().catch(() => ({}));
+		const body = await ApiUtils.getJsonOrFormBody(request);

 		if (body.client_id && body.client_secret) {
 			clientId = body.client_id as string;
 			clientSecret = body.client_secret as string;
-			console.debug('Client credentials parsed from body parameters', clientId, clientSecret);
+			// console.debug('Client credentials parsed from body parameters', clientId, clientSecret);
 		} else {
 			if (!request.headers?.has('authorization')) {
 				throw new InvalidRequest('No authorization header passed');
@ -43,7 +44,7 @@ export class OAuth2TokenController {

 			clientId = pieces[0];
 			clientSecret = pieces[1];
-			console.debug('Client credentials parsed from basic auth header:', clientId, clientSecret);
+			// console.debug('Client credentials parsed from basic auth header:', clientId, clientSecret);
 		}

 		if (!body.grant_type) {
@ -51,7 +52,7 @@ export class OAuth2TokenController {
 		}

 		grantType = body.grant_type as string;
-		console.debug('Parameter grant_type is', grantType);
+		// console.debug('Parameter grant_type is', grantType);

 		const client = await OAuth2Clients.fetchById(clientId);

@ -67,7 +68,7 @@ export class OAuth2TokenController {
 		if (!OAuth2Clients.checkGrantType(client, grantType) && grantType !== 'refresh_token') {
 			throw new UnauthorizedClient('Invalid grant type for the client');
 		} else {
-			console.debug('Grant type check passed');
+			// console.debug('Grant type check passed');
 		}

 		let tokenResponse: OAuth2TokenResponse = {};
--- a/src/lib/server/oauth2/controller/tokens/authorizationCode.ts
+++ b/src/lib/server/oauth2/controller/tokens/authorizationCode.ts
@ -54,7 +54,7 @@ export async function authorizationCode(
 		throw new InvalidGrant('Code not found');
 	}

-	console.debug('Code fetched', code);
+	// console.debug('Code fetched', code);

 	const scope = code.scope || '';
 	const cleanScope = OAuth2Clients.transformScope(scope);
@ -84,11 +84,11 @@ export async function authorizationCode(
 			}
 		}

-		console.debug('Code passed PCKE check');
+		// console.debug('Code passed PCKE check');
 	}

 	if (!OAuth2Clients.checkGrantType(client, 'refresh_token')) {
-		console.debug('Client does not allow grant type refresh_token, skip creation');
+		// console.debug('Client does not allow grant type refresh_token, skip creation');
 	} else {
 		try {
 			respObj.refresh_token = await OAuth2RefreshTokens.create(userId, clientId, scope);
@ -111,7 +111,7 @@ export async function authorizationCode(
 	}

 	respObj.expires_in = OAuth2Tokens.tokenTtl;
-	console.debug('Access token saved:', respObj.access_token);
+	// console.debug('Access token saved:', respObj.access_token);

 	try {
 		await OAuth2Codes.removeByCode(providedCode);
--- a/src/lib/server/oauth2/response.ts
+++ b/src/lib/server/oauth2/response.ts
@ -15,6 +15,10 @@ export interface OAuth2TokenResponse {
 	expires_in?: number;
 	token_type?: string;
 	state?: string;
+	active?: boolean;
+	scope?: string;
+	client_id?: string;
+	exp?: number;
 }

 export class OAuth2Response {
@ -116,7 +120,8 @@ export class OAuth2Response {
 		fragment: boolean = false
 	) {
 		if (redirectUri) {
-			redirectUri += fragment ? '#' : redirectUri.indexOf('?') === -1 ? '?' : '&';
+			const searchJoinChar = redirectUri.includes('?') ? '&' : '?';
+			redirectUri += fragment ? '#' : searchJoinChar;

 			if (url.searchParams.has('state')) {
 				obj.state = url.searchParams.get('state') as string;
--- a/src/routes/[...wellKnown=wellKnown]/jwks.json/+server.ts
+++ b/src/routes/[...wellKnown=wellKnown]/jwks.json/+server.ts
@ -1,8 +1,8 @@
 import { JWT_ALGORITHM } from '$env/static/private';
-import { ApiUtils } from '$lib/server/api-utils';
 import { JWT } from '$lib/server/jwt';
+import { json } from '@sveltejs/kit';

 export const GET = async () =>
-	ApiUtils.json({
+	json({
 		keys: [{ alg: JWT_ALGORITHM, kid: JWT.jwksKid, ...JWT.jwks, use: 'sig' }]
 	});
--- a/src/routes/[...wellKnown=wellKnown]/openid-configuration/+server.ts
+++ b/src/routes/[...wellKnown=wellKnown]/openid-configuration/+server.ts
@ -1,9 +1,9 @@
 import { JWT_ALGORITHM, JWT_ISSUER } from '$env/static/private';
 import { PUBLIC_URL } from '$env/static/public';
-import { ApiUtils } from '$lib/server/api-utils';
+import { json } from '@sveltejs/kit';

 export const GET = async () =>
-	ApiUtils.json({
+	json({
 		issuer: JWT_ISSUER,
 		authorization_endpoint: `${PUBLIC_URL}/oauth2/authorize`,
 		token_endpoint: `${PUBLIC_URL}/oauth2/token`,
--- a/src/routes/account/+page.svelte
+++ b/src/routes/account/+page.svelte
@ -18,6 +18,7 @@
 	import { PUBLIC_SITE_NAME } from '$env/static/public';
 	import FormErrors from '$lib/components/form/FormErrors.svelte';
 	import TitleRow from '$lib/components/container/TitleRow.svelte';
+	import ActionButton from '$lib/components/ActionButton.svelte';

 	export let data: PageData;
 	export let form: ActionData;
@ -180,9 +181,7 @@
 							>
 						</div>
 						{#if data.hasAvatar}
-							<form action="?/removeAvatar" method="POST" use:enhance>
-								<Button variant="link" type="submit">{$t('account.avatar.remove')}</Button>
-							</form>
+							<ActionButton action="?/removeAvatar">{$t('account.avatar.remove')}</ActionButton>
 						{/if}
 					</ViewColumn>
 				</AvatarCard>
--- a/src/routes/api/user/+server.ts
+++ b/src/routes/api/user/+server.ts
@ -1,11 +1,11 @@
 import { PUBLIC_URL } from '$env/static/public';
-import { ApiUtils } from '$lib/server/api-utils.js';
 import type { User } from '$lib/server/drizzle/schema.js';
 import { OAuth2BearerController } from '$lib/server/oauth2/controller/bearer.js';
 import { AccessDenied, OAuth2Error } from '$lib/server/oauth2/error.js';
 import { OAuth2Clients } from '$lib/server/oauth2/model/client.js';
 import { OAuth2Response } from '$lib/server/oauth2/response.js';
 import { Users } from '$lib/server/users/index.js';
+import { json } from '@sveltejs/kit';

 export const GET = async ({ request, url, locals }) => {
 	let user: User | undefined = undefined;
@ -64,5 +64,5 @@ export const GET = async ({ request, url, locals }) => {
 		userData.privileges = await Users.getUserPrivileges(user, clientId);
 	}

-	return ApiUtils.json(userData);
+	return json(userData);
 };
--- a/svelte.config.js
+++ b/svelte.config.js
@ -11,7 +11,12 @@ const config = {
 		// adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list.
 		// If your environment is not supported, or you settled on a specific environment, switch out the adapter.
 		// See https://kit.svelte.dev/docs/adapters for more information about adapters.
-		adapter: adapter()
+		adapter: adapter(),
+
+		// This is reimplemented in hooks.server.ts to allow certain endpoints
+		csrf: {
+			checkOrigin: false
+		}
 	}
 };