gancio-upstream/server/api/controller/oauth.js

const crypto = require('crypto')
const { promisify } = require('util')
const randomBytes = promisify(crypto.randomBytes)

const OAuthClient = require('../models/oauth_client')
const OAuthToken = require('../models/oauth_token')
const OAuthCode = require('../models/oauth_code')
const User = require('../models/user')

const log = require('../../log')
const dayjs = require('dayjs')

async function randomString (len = 16) {
  const bytes = await randomBytes(len * 8)
  return crypto
    .createHash('sha1')
    .update(bytes)
    .digest('hex')
}

const oauthController = {

  // create client => http:///gancio.org/oauth#create-client
  async createClient (req, res) {
    // only write scope is supported
    if (req.body.scopes && req.body.scopes !== 'event:write') {
      return res.status(422).json({ error: 'Invalid scopes' })
    }

    const client = {
      id: await randomString(256),
      name: req.body.client_name,
      redirectUris: req.body.redirect_uris,
      scopes: req.body.scopes || 'event:write',
      website: req.body.website,
      client_secret: await randomString(256)
    }

    try {
      await OAuthClient.create(client)
      client.client_id = client.id
      delete client.id
      res.json(client)
    } catch (e) {
      log.error(e)
      res.status(400).json(e)
    }
  },

  async getClient (req, res) {
    const client = await OAuthClient.findByPk(req.params.client_id, { raw: true })
    if (!client) {
      return res.status(404).send('Not found!')
    }
    res.json({
      client_id: client.id,
      redirect_uris: client.redirectUris,
      name: client.name,
      website: client.website,
      scopes: client.scopes
    })
  },

  async getClients (req, res) {
    const tokens = await OAuthToken.findAll({
      include: [{ model: User, where: { id: req.user.id } }, { model: OAuthClient, as: 'client' }],
      raw: true,
      nest: true
    })
    res.json(tokens)
  },

  model: {

    /**
     * Invoked to retrieve an existing access token previously saved through #saveToken().
     * https://oauth2-server.readthedocs.io/en/latest/model/spec.html#getaccesstoken-accesstoken-callback
     * */
    async getAccessToken (accessToken) {
      const oauth_token = await OAuthToken.findByPk(accessToken,
        { include: [{ model: User, attributes: { exclude: ['password'] } }, { model: OAuthClient, as: 'client' }] })
      return oauth_token
    },

    /**
     * Invoked to retrieve a client using a client id or a client id/client secret combination, depend on the grant type.
     */
    async getClient (client_id, client_secret) {
      const client = await OAuthClient.findByPk(client_id, { raw: true })
      if (client_secret && client_secret !== client.client_secret) {
        return false
      }

      if (client) { client.grants = ['authorization_code', 'password'] }

      return client
    },

    async getRefreshToken (refresh_token) {
      const oauth_token = await OAuthToken.findOne({ where: { refresh_token }, raw: true })
      return oauth_token
    },

    async getAuthorizationCode (code) {
      const oauth_code = await OAuthCode.findByPk(code,
        { include: [User, { model: OAuthClient, as: 'client' }] })
      return oauth_code
    },

    async saveToken (token, client, user) {
      token.userId = user.id
      token.clientId = client.id
      const oauth_token = await OAuthToken.create(token)
      oauth_token.client = client
      oauth_token.user = user
      return oauth_token
    },

    async revokeAuthorizationCode (code) {
      const oauth_code = await OAuthCode.findByPk(code.authorizationCode)
      return oauth_code.destroy()
    },

    async getUser (username, password) {
      const user = await User.findOne({ where: { email: username } })
      if (!user || !user.is_active) {
        return false
      }
      // check if password matches
      if (await user.comparePassword(password)) {
        return user
      }
      return false
    },

    async saveAuthorizationCode (code, client, user) {
      code.userId = user.id
      code.clientId = client.id
      code.expiresAt = dayjs(code.expiresAt).toDate()
      const ret = await OAuthCode.create(code)
      return ret
    },

    // TODO
    verifyScope (token, scope) {
      // const userScope = [
      //   'user:remove',
      //   'user:update',
      //   'event:write',
      //   'event:remove'
      // ]
      log.debug(`VERIFY SCOPE ${scope} ${token.user.email}`)
      if (token.user.is_admin && token.user.is_active) {
        return true
      } else {
        return false
      }
    }

  }
}

module.exports = oauthController
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`const crypto = require('crypto')`
			`const { promisify } = require('util')`
			`const randomBytes = promisify(crypto.randomBytes)`
upgrade sequelize 2020-06-27 02:10:10 +02:00
			`const OAuthClient = require('../models/oauth_client')`
			`const OAuthToken = require('../models/oauth_token')`
			`const OAuthCode = require('../models/oauth_code')`
			`const User = require('../models/user')`

refactoring logs: use winston 2021-03-05 14:17:10 +01:00			`const log = require('../../log')`
			`const dayjs = require('dayjs')`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00
big oauth improvements 2020-01-21 01:24:10 +01:00			`async function randomString (len = 16) {`
			`const bytes = await randomBytes(len * 8)`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`return crypto`
			`.createHash('sha1')`
			`.update(bytes)`
			`.digest('hex')`
			`}`

			`const oauthController = {`

big oauth improvements 2020-01-21 01:24:10 +01:00			`// create client => http:///gancio.org/oauth#create-client`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`async createClient (req, res) {`
big oauth improvements 2020-01-21 01:24:10 +01:00			`// only write scope is supported`
more on oauth 2020-01-21 17:33:33 +01:00			`if (req.body.scopes && req.body.scopes !== 'event:write') {`
big oauth improvements 2020-01-21 01:24:10 +01:00			`return res.status(422).json({ error: 'Invalid scopes' })`
			`}`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00
			`const client = {`
big oauth improvements 2020-01-21 01:24:10 +01:00			`id: await randomString(256),`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`name: req.body.client_name,`
big oauth improvements 2020-01-21 01:24:10 +01:00			`redirectUris: req.body.redirect_uris,`
more on oauth 2020-01-21 17:33:33 +01:00			`scopes: req.body.scopes \|\| 'event:write',`
big oauth improvements 2020-01-21 01:24:10 +01:00			`website: req.body.website,`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`client_secret: await randomString(256)`
			`}`
big oauth improvements 2020-01-21 01:24:10 +01:00
			`try {`
			`await OAuthClient.create(client)`
			`client.client_id = client.id`
			`delete client.id`
			`res.json(client)`
			`} catch (e) {`
refactoring logs: use winston 2021-03-05 14:17:10 +01:00			`log.error(e)`
big oauth improvements 2020-01-21 01:24:10 +01:00			`res.status(400).json(e)`
			`}`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`},`

more on oauth 2020-01-21 17:33:33 +01:00			`async getClient (req, res) {`
			`const client = await OAuthClient.findByPk(req.params.client_id, { raw: true })`
			`if (!client) {`
			`return res.status(404).send('Not found!')`
			`}`
			`res.json({`
			`client_id: client.id,`
			`redirect_uris: client.redirectUris,`
			`name: client.name,`
			`website: client.website,`
			`scopes: client.scopes`
			`})`
			`},`

big oauth improvements 2020-01-21 01:24:10 +01:00			`async getClients (req, res) {`
			`const tokens = await OAuthToken.findAll({`
			`include: [{ model: User, where: { id: req.user.id } }, { model: OAuthClient, as: 'client' }],`
			`raw: true,`
			`nest: true`
			`})`
			`res.json(tokens)`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`},`

			`model: {`
big oauth improvements 2020-01-21 01:24:10 +01:00
			`/**`
			`* Invoked to retrieve an existing access token previously saved through #saveToken().`
			`* https://oauth2-server.readthedocs.io/en/latest/model/spec.html#getaccesstoken-accesstoken-callback`
			`* */`
			`async getAccessToken (accessToken) {`
			`const oauth_token = await OAuthToken.findByPk(accessToken,`
move add/rm/edit event in eventController 2020-01-31 14:56:31 +01:00			`{ include: [{ model: User, attributes: { exclude: ['password'] } }, { model: OAuthClient, as: 'client' }] })`
big oauth improvements 2020-01-21 01:24:10 +01:00			`return oauth_token`
			`},`

			`/**`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`* Invoked to retrieve a client using a client id or a client id/client secret combination, depend on the grant type.`
big oauth improvements 2020-01-21 01:24:10 +01:00			`*/`
			`async getClient (client_id, client_secret) {`
			`const client = await OAuthClient.findByPk(client_id, { raw: true })`
			`if (client_secret && client_secret !== client.client_secret) {`
			`return false`
			`}`

use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`if (client) { client.grants = ['authorization_code', 'password'] }`
big oauth improvements 2020-01-21 01:24:10 +01:00
			`return client`
			`},`

			`async getRefreshToken (refresh_token) {`
			`const oauth_token = await OAuthToken.findOne({ where: { refresh_token }, raw: true })`
			`return oauth_token`
			`},`

			`async getAuthorizationCode (code) {`
			`const oauth_code = await OAuthCode.findByPk(code,`
fix auth/oauth 2020-01-30 23:43:58 +01:00			`{ include: [User, { model: OAuthClient, as: 'client' }] })`
big oauth improvements 2020-01-21 01:24:10 +01:00			`return oauth_code`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`},`

big oauth improvements 2020-01-21 01:24:10 +01:00			`async saveToken (token, client, user) {`
			`token.userId = user.id`
fix auth/oauth 2020-01-30 23:43:58 +01:00			`token.clientId = client.id`
big oauth improvements 2020-01-21 01:24:10 +01:00			`const oauth_token = await OAuthToken.create(token)`
			`oauth_token.client = client`
			`oauth_token.user = user`
			`return oauth_token`
			`},`

			`async revokeAuthorizationCode (code) {`
fix auth/oauth 2020-01-30 23:43:58 +01:00			`const oauth_code = await OAuthCode.findByPk(code.authorizationCode)`
big oauth improvements 2020-01-21 01:24:10 +01:00			`return oauth_code.destroy()`
			`},`

use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`async getUser (username, password) {`
			`const user = await User.findOne({ where: { email: username } })`
			`if (!user \|\| !user.is_active) {`
			`return false`
			`}`
			`// check if password matches`
			`if (await user.comparePassword(password)) {`
			`return user`
			`}`
			`return false`
			`},`

big oauth improvements 2020-01-21 01:24:10 +01:00			`async saveAuthorizationCode (code, client, user) {`
			`code.userId = user.id`
fix auth/oauth 2020-01-30 23:43:58 +01:00			`code.clientId = client.id`
refactoring logs: use winston 2021-03-05 14:17:10 +01:00			`code.expiresAt = dayjs(code.expiresAt).toDate()`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`const ret = await OAuthCode.create(code)`
big oauth improvements 2020-01-21 01:24:10 +01:00			`return ret`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`},`

fix auth/oauth 2020-01-30 23:43:58 +01:00			`// TODO`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`verifyScope (token, scope) {`
refactoring acl 2021-05-19 16:38:22 +02:00			`// const userScope = [`
			`// 'user:remove',`
			`// 'user:update',`
			`// 'event:write',`
			`// 'event:remove'`
			`// ]`
			log.debug(`VERIFY SCOPE ${scope} ${token.user.email}`)
			`if (token.user.is_admin && token.user.is_active) {`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`return true`
			`} else {`
refactoring acl 2021-05-19 16:38:22 +02:00			`return false`
use oauth2 password flow for webclient 2020-01-27 00:47:03 +01:00			`}`
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`}`
big oauth improvements 2020-01-21 01:24:10 +01:00
[oauth] start oauth auth_code server implementation 2019-12-26 11:46:21 +01:00			`}`
			`}`

			`module.exports = oauthController`