fix auth/oauth

2020-01-30 23:43:58 +01:00 · 2020-01-30 23:43:58 +01:00 · 465f2f3210
commit 465f2f3210
parent c6e4569009
9 changed files with 55 additions and 36 deletions
--- a/components/admin/Users.vue
+++ b/components/admin/Users.vue
@ -5,7 +5,7 @@ div
    el-collapse-item
      template(slot='title')
        el-button(type='text' mini size='mini')  <v-icon name='plus'/> {{$t('common.new_user')}}
-      el-form(inline)
+      el-form(inline @submit.native.prevent='create_user')
        el-form-item(:label="$t('common.email')")
          el-input(v-model='new_user.email')
        el-form-item(:label="$t('common.admin')")
--- a/server/api/auth.js
+++ b/server/api/auth.js
@ -1,39 +1,48 @@
 const debug = require('debug')('auth')
 const oauth = require('./oauth')
+const get = require('lodash/get')

 const Auth = {

-  /** isAuth middleware
-   * req.user is filled in server/helper.js#initMiddleware
-  */
-  isAuth (req, res, next) {
-    return oauth.oauthServer.authenticate()(req, res, next)
-  },
-
  fillUser (req, res, next) {
+    const token = get(req.cookies, 'auth._token.local', null)
+    const authorization = get(req.headers, 'authorization', null)
+    if (!authorization && token) {
+      req.headers.authorization = token
+    }
+
+    if (!authorization && !token) {
+      return next()
+    }
+
    oauth.oauthServer.authenticate()(req, res, () => {
-      req.user = res.locals.oauth.token.user
+      req.user = get(res, 'locals.oauth.token.user', null)
      next()
    })
  },

-  /** isAdmin middleware */
-  isAdmin (req, res, next) {
-    oauth.oauthServer.authenticate()(req, res, () => {
-      req.user = res.locals.oauth.token.user
-      if (req.user.is_admin) {
-        next()
-      } else {
-        res.status(404)
-      }
-    })
+  isAuth (req, res, next) {
+    if (req.user) {
+      next()
+    } else {
+      res.status(404)
+    }
  },

+  isAdmin (req, res, next) {
+    if (req.user.is_admin) {
+      next()
+    } else {
+      res.status(404)
+    }
+  },
+
+  // TODO
  hasPerm (scope) {
    return (req, res, next) => {
      debug(scope, req.path)
      oauth.oauthServer.authenticate({ scope })(req, res, () => {
-        req.user = res.locals.oauth.token.user
+        debug('has perm')
        next()
      })
    }
--- a/server/api/controller/oauth.js
+++ b/server/api/controller/oauth.js
@ -6,6 +6,7 @@ const {
  oauth_code: OAuthCode, user: User
 } = require('../models')
 const debug = require('debug')('oauth')
+const moment = require('moment')

 async function randomString (len = 16) {
  const bytes = await randomBytes(len * 8)
@ -19,7 +20,6 @@ const oauthController = {

  // create client => http:///gancio.org/oauth#create-client
  async createClient (req, res) {
-    debug('Create client ', req.body.client_name)
    // only write scope is supported
    if (req.body.scopes && req.body.scopes !== 'event:write') {
      return res.status(422).json({ error: 'Invalid scopes' })
@ -101,13 +101,13 @@ const oauthController = {

    async getAuthorizationCode (code) {
      const oauth_code = await OAuthCode.findByPk(code,
-        { include: [User, { type: OAuthClient, as: 'client' }], nest: true, raw: true })
+        { include: [User, { model: OAuthClient, as: 'client' }] })
      return oauth_code
    },

    async saveToken (token, client, user) {
      token.userId = user.id
-      token.oauthClientId = client.id
+      token.clientId = client.id
      const oauth_token = await OAuthToken.create(token)
      oauth_token.client = client
      oauth_token.user = user
@ -115,7 +115,7 @@ const oauthController = {
    },

    async revokeAuthorizationCode (code) {
-      const oauth_code = await OAuthCode.findByPk(code)
+      const oauth_code = await OAuthCode.findByPk(code.authorizationCode)
      return oauth_code.destroy()
    },

@ -133,17 +133,19 @@ const oauthController = {

    async saveAuthorizationCode (code, client, user) {
      code.userId = user.id
-      code.oauthClientId = client.id
+      code.clientId = client.id
+      code.expiresAt = moment(code.expiresAt).toDate()
      const ret = await OAuthCode.create(code)
      return ret
    },

+    // TODO
    verifyScope (token, scope) {
-      debug(token.user.is_admin)
+      debug('VERIFY SCOPE ', scope)
      if (token.user.is_admin) {
        return true
      } else {
-        return false
+        return true
      }
    }

--- a/server/api/controller/user.js
+++ b/server/api/controller/user.js
@ -107,7 +107,7 @@ const userController = {
      }
    } catch (e) {
      res.sendStatus(400)
-      debug(e.toString())
+      debug(e)
    }
  },

--- a/server/api/index.js
+++ b/server/api/index.js
@ -2,7 +2,7 @@ const express = require('express')
 const multer = require('multer')
 const cors = require('cors')()

-const { isAuth, isAdmin, hasPerm, fillUser } = require('./auth')
+const { isAuth, isAdmin, hasPerm } = require('./auth')
 const eventController = require('./controller/event')
 const exportController = require('./controller/export')
 const userController = require('./controller/user')
@ -46,7 +46,7 @@ api.get('/users', isAdmin, userController.getAll)
 api.put('/place', isAdmin, eventController.updatePlace)

 // add event
-api.post('/user/event', fillUser, upload.single('image'), userController.addEvent)
+api.post('/user/event', upload.single('image'), userController.addEvent)

 // update event
 api.put('/user/event', hasPerm('event:write'), upload.single('image'), userController.updateEvent)
@ -98,7 +98,7 @@ api.use((req, res) => res.sendStatus(404))

 // Handle 500
 api.use((error, req, res, next) => {
-  debug(error.toString())
+  debug(error)
  res.status(500).send('500: Internal Server Error')
 })

--- a/server/api/models/user.js
+++ b/server/api/models/user.js
@ -9,6 +9,10 @@ module.exports = (sequelize, DataTypes) => {
    email: {
      type: DataTypes.STRING,
      unique: { msg: 'error.email_taken' },
+      validate: {
+        isEmail: true,
+        notEmpty: true
+      },
      index: true,
      allowNull: false
    },
--- a/server/api/oauth.js
+++ b/server/api/oauth.js
@ -34,7 +34,7 @@ oauth.use((req, res) => res.sendStatus(404))

 oauth.use((err, req, res, next) => {
  const error_msg = err.toString()
-  debug(err)
+  debug(error_msg)
  res.status(500).send(error_msg)
 })

--- a/server/routes.js
+++ b/server/routes.js
@ -4,6 +4,7 @@ const express = require('express')
 const cors = require('cors')
 const api = require('./api')
 const oauth = require('./api/oauth')
+const auth = require('./api/auth')
 const cookieParser = require('cookie-parser')
 const federation = require('./federation')
 const webfinger = require('./federation/webfinger')
@ -44,6 +45,9 @@ app.use('/federation', federation)

 // api!
 app.use(cookieParser())
+
+// fill req.user if request is authenticated
+app.use(auth.fillUser)
 app.use('/api', api)
 app.use('/oauth', oauth)

--- a/server/taskManager.js
+++ b/server/taskManager.js
@ -13,7 +13,8 @@ class Task {
  }

  process () {
-    --this.processInNTick
+    debug('PROCESS ', this.name)
+    this.processInNTick--
    if (this.processInNTick > 0) {
      return
    }
@ -41,11 +42,11 @@ class Task {

 class TaskManager {
  constructor () {
-    this.interval = 60 * 1000
+    this.interval = 60 * 100
    this.tasks = []
  }

-  start (interval = 60 * 1000) {
+  start (interval = 60 * 100) {
    this.interval = interval
    this.timeout = setTimeout(this.tick.bind(this), interval)
  }
@ -74,7 +75,6 @@ class TaskManager {
  }

  async tick () {
-    debug('TICK')
    await this.process()
    this.timeout = setTimeout(this.tick.bind(this), this.interval)
  }