import { Logger } from "../singleton/logger";
// Module-scoped child logger; every entry from this file is tagged `from: "oauth-model"`.
const log = Logger.getLogger().child({ from: "oauth-model" });
import { Redis } from "../singleton/redis";
import { Configuration } from "../singleton/configuration";
import AuthorizationCodeModel from "./mongo/authorization-code";
import ClientModel from "./mongo/client";
import TokenModel from "./mongo/token";
import UserModel, { IUser } from "./mongo/user";
import Role from "../enum/role";
import { ScopeManager } from "../singleton/scope-manager";
import { Falsey } from "@node-oauth/oauth2-server";
/**
 * Token record as exchanged with the oauth2-server model callbacks.
 *
 * When `useTokenCache` is on this is also the shape that saveToken() serializes
 * into Redis with JSON.stringify, so the Date fields come back as strings and
 * are revived by getAccessToken()/getRefreshToken().
 */
interface Token {
  accessToken: string;
  accessTokenExpiresAt?: Date | undefined;
  refreshToken?: string | undefined;
  refreshTokenExpiresAt?: Date | undefined;
  scope?: Scope;
  // Set by saveToken() from the client passed in by the library.
  client: Client;
  // For human users saveToken() stores only `{ _id }` and the getters resolve
  // it back through getUserInfo(); application clients are stored whole.
  user: User;
  // Open index signature: presumably mirrors the library's own model types.
  // It also disables excess-property checks on this shape.
  [key: string]: any;
}
/**
 * OAuth client as returned by getClient().
 *
 * NOTE(review): getClient() returns the whole lean Mongo document, so at
 * runtime the object also carries the `secret` field that getClient() matches
 * against, even though it is not declared here.
 */
interface Client {
  id: string;
  redirectUris?: string[];
  grants: string | string[];
  displayName: string;
  // Compared against the Role enum (e.g. Role.INTERNAL_CLIENT) in validateScope().
  role: string;
  // Scopes the client itself may request; checked via ScopeManager.canRequestScope().
  scope: string;
  accessTokenLifetime?: number | undefined;
  refreshTokenLifetime?: number | undefined;
  [key: string]: any;
}
/**
 * Deliberately open user shape. Depending on the call site it is the lean
 * Mongo user document (getUserInfo()), the `{ _id }` stub saveToken() stores,
 * or the synthetic client-as-user built by getUserFromClient().
 */
interface User {
  [key: string]: any;
}
/**
 * Authorization code record for the authorization_code grant, persisted by
 * saveAuthorizationCode() and read back by getAuthorizationCode().
 */
interface AuthorizationCode {
  authorizationCode: string;
  // Serialized to a string in the Redis path and revived by getAuthorizationCode().
  expiresAt: Date;
  redirectUri: string;
  scope?: string | string[] | undefined;
  client: Client;
  user: User;
  // PKCE challenge and method, when the client supplied them.
  codeChallenge?: string;
  codeChallengeMethod?: string;
  [key: string]: any;
}
// Scope as the library passes it around: comma-separated string, array, or absent.
type Scope = string | string[] | undefined;
// Read once at module load: when truthy, tokens, codes and user info are kept
// in Redis (with TTLs) instead of MongoDB. A change to the setting only takes
// effect after a restart because this is a module-level constant.
const useTokenCache = Configuration.get("privilege.can-use-cache");
// Redis key namespaces. Note that access and refresh tokens share `token:`
// and saveToken() writes the same serialized record under both.
const tokenPrefix = "token:";
const codePrefix = "code:";
const userIdPrefix = "user:";

/** Redis key for an access- or refresh-token value. */
function getPrefixedToken(token: string): string {
  return tokenPrefix.concat(token);
}

/** Redis key for an authorization code. */
function getPrefixedCode(code: string): string {
  return codePrefix.concat(code);
}

/** Redis key for a cached user document, keyed by user id. */
function getPrefixedUserId(userId: string): string {
  return userIdPrefix.concat(userId);
}
/**
 * Drops the cached user document for `userId` so the next token lookup
 * re-reads it from MongoDB (via getUserInfo()).
 *
 * @param userId - id of the user whose cache entry is removed.
 */
export const flushUserInfoFromRedis = async function (userId: string): Promise<void> {
  const cacheKey = getPrefixedUserId(userId);
  await Redis.client.del(cacheKey);
  log.debug("User info for %s flushed from cache.", userId);
};
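/**
 * Returns the user document for `userId`, served from Redis when cached and
 * otherwise read from MongoDB and written to the cache for one
 * refresh-token lifetime.
 *
 * Only successful lookups are cached. The previous version wrote the literal
 * JSON `null` for an unknown id, which then read back as a "hit" and hid a
 * user created (or restored) afterwards until the entry expired or was
 * flushed.
 *
 * NOTE(review): the whole lean user document is cached and later attached to
 * tokens as `token.user`; confirm the model/projection excludes sensitive
 * fields.
 *
 * @param userId - Mongo id of the user.
 * @returns the lean user document, or `null` when no such user exists.
 */
const getUserInfo = async (userId: string) => {
  const cacheKey = getPrefixedUserId(userId);
  const cached = await Redis.client.get(cacheKey);
  if (cached) {
    return JSON.parse(cached);
  }
  const userInfo = await UserModel.findById(userId).lean();
  if (userInfo) {
    await Redis.client.set(
      cacheKey,
      JSON.stringify(userInfo),
      "EX",
      Configuration.get("oauth.refresh-token-lifetime") as number
    );
    log.debug("User info for %s written to cache.", userId);
  }
  return userInfo;
};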
/**
 * True when the given "user" is really an application client (a
 * client_credentials principal), i.e. its role is one of the client roles.
 *
 * @param user - user or client-as-user object; only `role` is read.
 */
const isApplicationClient = (user: any): boolean => {
  const clientRoles = [Role.INTERNAL_CLIENT, Role.EXTERNAL_CLIENT];
  return clientRoles.some((role) => role === user.role);
};
const OAuthModel = {
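/**
 * Resolves the client for a token/authorize request.
 *
 * @param clientId - the `client_id` presented by the caller.
 * @param clientSecret - the `client_secret` presented by the caller; when
 *   falsy (public clients, authorization requests) the lookup is by id only.
 * @returns the lean client document, or `null` when nothing matches — an
 *   unknown id and a wrong secret are intentionally indistinguishable.
 * @throws whatever the database layer throws, after logging it.
 */
getClient: async function (clientId: string, clientSecret: string): Promise<Client | null> {
  try {
    // Both values come straight from the request. A permissive body parser can
    // hand over an object instead of a string, which spliced into the filter
    // below would act as a query operator rather than a literal value, so
    // anything that is not a plain string is treated as "no such client".
    if (typeof clientId !== "string") return null;
    const secretPresented = Boolean(clientSecret);
    if (secretPresented && typeof clientSecret !== "string") return null;
    const query = secretPresented
      ? { $and: [{ id: clientId }, { secret: clientSecret }] }
      : { id: clientId };
    // NOTE(review): the secret is matched by equality against the stored
    // `secret` field, which suggests it is stored in clear — confirm.
    const dbClient = await ClientModel.findOne(query).lean();
    return dbClient as unknown as Client | null;
  } catch (err) {
    log.error("Error fetching client.");
    log.error(err);
    throw err;
  }
},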
/**
 * Builds the "user" for the client_credentials grant, where no human is
 * involved: the client stands in for the user and its id becomes the username.
 * See https://github.com/node-oauth/node-oauth2-server/issues/71#issuecomment-1181515928
 *
 * @param client - the authenticated client.
 * @returns a promise of the synthetic user object.
 */
getUserFromClient: (client: Client) => {
  const clientAsUser: User = {
    _id: client._id,
    username: client.id,
    role: client.role,
    scope: client.scope,
  };
  return Promise.resolve(clientAsUser);
},
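/**
 * Persists a newly issued token (access token plus optional refresh token).
 *
 * In cache mode the serialized token is written under both the access-token
 * and the refresh-token key, each with its own TTL; otherwise it is saved as a
 * TokenModel document.
 *
 * @param token - token issued by the library; mutated in place (`client`, `user`).
 * @param client - the client the token was issued to.
 * @param user - the resource owner, or the client-as-user for client_credentials.
 * @returns the stored token.
 * @throws whatever Redis/Mongo throws, after logging it.
 */
saveToken: async (token: Token, client: Client, user: User) => {
  try {
    // `client` is getClient()'s lean document and therefore carries the
    // `secret` field. It must not be copied into every token record, where it
    // would be serialized into Redis / stored in Mongo and returned on every
    // token lookup. Nothing downstream authenticates with token.client.secret.
    const clientWithoutSecret: Client = { ...client };
    delete clientWithoutSecret.secret;
    token.client = clientWithoutSecret;
    // Human users are stored by reference only: getAccessToken()/getRefreshToken()
    // resolve `_id` back to the full document through getUserInfo().
    token.user = isApplicationClient(user) ? user : { _id: user._id };
    if (useTokenCache) {
      const serialized = JSON.stringify(token);
      await Redis.client.set(
        getPrefixedToken(token.accessToken),
        serialized,
        "EX",
        Configuration.get("oauth.access-token-lifetime") as number
      );
      if (token.refreshToken) {
        await Redis.client.set(
          getPrefixedToken(token.refreshToken),
          serialized,
          "EX",
          Configuration.get("oauth.refresh-token-lifetime") as number
        );
      }
      return token;
    }
    const dbToken = new TokenModel(token);
    await dbToken.save();
    return dbToken.toObject() as unknown as Token;
  } catch (err) {
    log.error("Error saving token.");
    log.error(err);
    throw err;
  }
},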
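/**
 * Loads the token record for a presented access token.
 *
 * @param accessToken - bearer token value from the request.
 * @returns the token with `user` resolved and `accessTokenExpiresAt` revived
 *   as a Date, or `null` when unknown.
 * @throws whatever Redis/Mongo throws, after logging it.
 */
getAccessToken: async (accessToken: string) => {
  try {
    if (useTokenCache) {
      const raw = await Redis.client.get(getPrefixedToken(accessToken));
      if (!raw) return null;
      const cacheToken: any = JSON.parse(raw);
      if (!cacheToken) return null;
      // saveToken() writes the same record under `token:<access>` and
      // `token:<refresh>`, so a refresh-token value would also hit here. Only
      // accept the record if the presented value really is its access token;
      // otherwise a refresh token could be used as a bearer token.
      if (cacheToken.accessToken !== accessToken) return null;
      if (!isApplicationClient(cacheToken.user)) {
        cacheToken.user = await getUserInfo(cacheToken.user._id);
      }
      cacheToken.accessTokenExpiresAt = new Date(cacheToken.accessTokenExpiresAt);
      return cacheToken;
    }
    // The Mongo path queries by field, so no such confusion is possible there.
    const dbTokenObject = await TokenModel.findOne({
      accessToken,
    }).lean();
    return dbTokenObject as unknown as Token;
  } catch (err) {
    log.error("Error retrieving access token.");
    log.error(err);
    throw err;
  }
},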
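/**
 * Loads the token record for a presented refresh token.
 *
 * @param refreshToken - refresh token value from the token request.
 * @returns the token with `user` resolved and `refreshTokenExpiresAt` revived
 *   as a Date, or `null` when unknown.
 * @throws whatever Redis/Mongo throws, after logging it (added for parity
 *   with the other model methods).
 */
getRefreshToken: async (refreshToken: string) => {
  try {
    if (useTokenCache) {
      const raw = await Redis.client.get(getPrefixedToken(refreshToken));
      if (!raw) return null;
      const cacheToken: any = JSON.parse(raw);
      if (!cacheToken) return null;
      // Same key namespace as access tokens (see saveToken()): make sure the
      // presented value is this record's refresh token, so a leaked access
      // token cannot be exchanged for a new token pair.
      if (cacheToken.refreshToken !== refreshToken) return null;
      if (!isApplicationClient(cacheToken.user)) {
        cacheToken.user = await getUserInfo(cacheToken.user._id);
      }
      cacheToken.refreshTokenExpiresAt = new Date(cacheToken.refreshTokenExpiresAt);
      log.debug("Refresh token retrieved from cache.");
      return cacheToken;
    }
    const dbTokenObject = await TokenModel.findOne({
      refreshToken,
    }).lean();
    log.debug("Refresh token retrieved from database.");
    return dbTokenObject as unknown as Token;
  } catch (err) {
    log.error("Error retrieving refresh token.");
    log.error(err);
    throw err;
  }
},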
/**
 * Invalidates a token pair.
 *
 * Cache mode deletes both the refresh- and the access-token keys. Database
 * mode removes the document by refresh token only, so a token that has no
 * refresh token is left untouched there.
 *
 * @param token - the token to revoke.
 * @returns `false` when no token was given, otherwise `true`.
 */
revokeToken: async (token: Token) => {
  if (!token) return false;
  const { accessToken, refreshToken } = token;
  if (useTokenCache) {
    for (const value of [refreshToken, accessToken]) {
      if (value) await Redis.client.del(getPrefixedToken(value));
    }
    return true;
  }
  if (refreshToken) {
    await TokenModel.deleteOne({ refreshToken }).exec();
  }
  return true;
},
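/**
 * Persists an authorization code issued by the authorize endpoint.
 *
 * @param code - code details from the library (value, expiry, redirect URI,
 *   PKCE fields, scope).
 * @param client - the client the code was issued to.
 * @param user - the resource owner who approved the request.
 * @returns the stored code record.
 * @throws whatever Redis/Mongo throws, after logging it.
 */
saveAuthorizationCode: async (code: AuthorizationCode, client: Client, user: User) => {
  try {
    // `client` is getClient()'s lean document including the `secret` field;
    // keep the secret out of the code record that gets serialized/stored.
    const storedClient: Partial<Client> = client ? { ...client } : {};
    delete storedClient.secret;
    const authorizationCode = {
      authorizationCode: code.authorizationCode,
      expiresAt: code.expiresAt,
      redirectUri: code.redirectUri,
      client: storedClient,
      user: user || {},
      codeChallenge: code.codeChallenge,
      codeChallengeMethod: code.codeChallengeMethod,
      scope: code.scope,
    };
    if (useTokenCache) {
      await Redis.client.set(
        getPrefixedCode(authorizationCode.authorizationCode),
        JSON.stringify(authorizationCode),
        "EX",
        Configuration.get("oauth.authorization-code-lifetime") as number
      );
      return authorizationCode;
    }
    const mongoInstance = new AuthorizationCodeModel(authorizationCode);
    const dbAuthorizationCode = (await mongoInstance.save()).toObject();
    return dbAuthorizationCode as unknown as AuthorizationCode;
  } catch (err) {
    log.error("Error saving authorization code.");
    log.error(err);
    throw err;
  }
},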
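/**
 * Loads the record for an authorization code presented at the token endpoint.
 *
 * @param authorizationCode - the `code` value from the request body.
 * @returns the code record with `expiresAt` revived as a Date (cache mode),
 *   or `null` when unknown or not a string.
 * @throws whatever Redis/Mongo throws, after logging it.
 */
getAuthorizationCode: async (authorizationCode: any) => {
  try {
    // The value comes from the request body. Anything that is not a plain
    // string (e.g. an object produced by a permissive body parser) would be
    // interpreted as a query operator in the Mongo filter below, so it is
    // rejected up front instead of being passed through.
    if (typeof authorizationCode !== "string") return null;
    if (useTokenCache) {
      const raw = await Redis.client.get(getPrefixedCode(authorizationCode));
      if (!raw) return null;
      const cacheCode = JSON.parse(raw) as AuthorizationCode;
      cacheCode.expiresAt = new Date(cacheCode.expiresAt);
      return cacheCode;
    }
    const dbResult = await AuthorizationCodeModel.findOne({
      authorizationCode,
    }).lean();
    return dbResult as unknown as AuthorizationCode;
  } catch (err) {
    log.error("Error retrieving auth code.");
    log.error(err);
    throw err;
  }
},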
/**
 * Deletes an authorization code after it has been redeemed.
 *
 * @param authorizationCode - the code record (its `authorizationCode` field is used).
 * @returns `true` once the record has been removed.
 * @throws whatever Redis/Mongo throws (including a TypeError for a missing
 *   record), after logging it.
 */
revokeAuthorizationCode: async (authorizationCode: any): Promise<boolean> => {
  try {
    const codeValue: string = authorizationCode.authorizationCode;
    if (useTokenCache) {
      await Redis.client.del(getPrefixedCode(codeValue));
    } else {
      await AuthorizationCodeModel.deleteOne({ authorizationCode: codeValue }).exec();
    }
    return true;
  } catch (err) {
    log.error("Error deleting authorization code.");
    log.error(err);
    throw err;
  }
},
/**
 * Decides which scope a token request is granted.
 *
 * Order of checks: the client must be allowed to request the scope at all;
 * for client_credentials (client is its own user) that is the only check;
 * internal clients are granted every scope the user holds regardless of what
 * was requested; any other client gets the requested scope only if the user
 * holds it.
 *
 * NOTE(review): the client_credentials short-circuit compares `client.id`
 * with `user.username` (getUserFromClient() sets them equal). This relies on
 * human usernames never colliding with a client id — confirm that is enforced
 * at registration.
 *
 * @param user - the resource owner; `user.scope` is defaulted in place when missing.
 * @param client - the requesting client.
 * @param scope - requested scope (string or array).
 * @returns the granted scope, or `false` when the request is refused.
 */
validateScope: async (user: IUser, client: Client, scope: string | string[]): Promise<string | string[] | Falsey> => {
  log.debug("Validating scope %s for client %s and user %s.", scope, client.id, user.username);
  if (!ScopeManager.canRequestScope(scope, client)) {
    log.debug(
      "Scope validation for client %s failed due to insufficient access. Requested scope: %s",
      client.id,
      scope
    );
    return false;
  }
  // For client credentials grant, there is no notion of user.
  if (client.id === user.username) {
    return scope;
  }
  // Mutates the caller's user object, exactly as before.
  if (!user.scope) {
    user.scope = ["user.delegated.all"];
  }
  // Sometimes, the frontends do not know the scopes a user can request ahead of time.
  // Since there is usually a higher amount of trust for internal clients in the system,
  // it is okay to return all scopes that a user has access to.
  if (client.role === Role.INTERNAL_CLIENT) {
    const allUserScopes = user.scope.join(",");
    log.debug(
      "Granting all allowed scopes (%s) for user %s due to request from internal client",
      allUserScopes,
      user.username
    );
    return allUserScopes;
  }
  const userHasAccess = ScopeManager.canRequestScope(scope, user);
  return userHasAccess ? scope : false;
},
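/**
 * Checks that a token carries every scope a protected resource requires.
 *
 * Fixes two issues in the previous version: the "no scope" branch returned
 * from the Promise executor without ever settling the promise (the request
 * hung), and the raw access token was written to the log at info level.
 *
 * @param token - the token loaded by getAccessToken().
 * @param scope - required scope(s); comma-separated string or array (the
 *   array form is accepted for parity with the `Scope` type used elsewhere).
 * @returns `true` only if every required scope is present on the token.
 */
verifyScope: async (token: Token, scope: string | string[]): Promise<boolean> => {
  // The access token is a bearer credential; keep its value out of the logs.
  log.info("Verifying scope %s for token...", scope);
  if (!token.scope) {
    return false;
  }
  const requestedScopes = Array.isArray(scope) ? scope : scope.split(",");
  const authorizedScopes = typeof token.scope === "string" ? token.scope.split(",") : token.scope;
  return requestedScopes.every((s) => authorizedScopes.includes(s));
},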
};
export default OAuthModel;