-import * as express from 'express'
-import { OAUTH_LIFETIME } from '@server/initializers/constants'
-import * as OAuthServer from 'express-oauth-server'
-import { PluginManager } from '@server/lib/plugins/plugin-manager'
-import { RegisterServerAuthPassOptions } from '@shared/models/plugins/register-server-auth.model'
+import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
import { logger } from '@server/helpers/logger'
-import { UserRole } from '@shared/models'
+import { generateRandomString } from '@server/helpers/utils'
+import { OAUTH_LIFETIME, WEBSERVER } from '@server/initializers/constants'
import { revokeToken } from '@server/lib/oauth-model'
+import { PluginManager } from '@server/lib/plugins/plugin-manager'
import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
-import { isUserUsernameValid, isUserRoleValid, isUserDisplayNameValid } from '@server/helpers/custom-validators/users'
+import { UserRole } from '@shared/models'
+import {
+ RegisterServerAuthenticatedResult,
+ RegisterServerAuthPassOptions,
+ RegisterServerExternalAuthenticatedResult
+} from '@shared/models/plugins/register-server-auth.model'
+import * as express from 'express'
+import * as OAuthServer from 'express-oauth-server'
const oAuthServer = new OAuthServer({
useErrorHandler: true,
model: require('./oauth-model')
})
-function onExternalAuthPlugin (npmName: string, username: string, email: string) {
-
-}
+// Token is the key, expiration date is the value
+const authBypassTokens = new Map<string, {
+ expires: Date
+ user: {
+ username: string
+ email: string
+ displayName: string
+ role: UserRole
+ }
+ authName: string
+ npmName: string
+}>()
async function handleIdAndPassLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
const grantType = req.body.grant_type
- if (grantType === 'password') await proxifyPasswordGrant(req, res)
- else if (grantType === 'refresh_token') await proxifyRefreshGrant(req, res)
+ if (grantType === 'password') {
+ if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
+ else await proxifyPasswordGrant(req, res)
+ } else if (grantType === 'refresh_token') {
+ await proxifyRefreshGrant(req, res)
+ }
return forwardTokenReq(req, res, next)
}
return res.sendStatus(200)
}
-// ---------------------------------------------------------------------------
+async function onExternalUserAuthenticated (options: {
+ npmName: string
+ authName: string
+ authResult: RegisterServerExternalAuthenticatedResult
+}) {
+ const { npmName, authName, authResult } = options
-export {
- oAuthServer,
- handleIdAndPassLogin,
- onExternalAuthPlugin,
- handleTokenRevocation
+ if (!authResult.req || !authResult.res) {
+ logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
+ return
+ }
+
+ if (!isAuthResultValid(npmName, authName, authResult)) return
+
+ const { res } = authResult
+
+ logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
+
+ const bypassToken = await generateRandomString(32)
+ const tokenLifetime = 1000 * 60 * 5 // 5 minutes
+
+ const expires = new Date()
+ expires.setTime(expires.getTime() + tokenLifetime)
+
+ const user = buildUserResult(authResult)
+ authBypassTokens.set(bypassToken, {
+ expires,
+ user,
+ npmName,
+ authName
+ })
+
+ res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
}
// ---------------------------------------------------------------------------
-function forwardTokenReq (req: express.Request, res: express.Response, next: express.NextFunction) {
+export { oAuthServer, handleIdAndPassLogin, onExternalUserAuthenticated, handleTokenRevocation }
+
+// ---------------------------------------------------------------------------
+
+function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
return oAuthServer.token()(req, res, err => {
if (err) {
logger.warn('Login error.', { err })
return res.status(err.status)
- .json({
- error: err.message,
- code: err.name
- })
- .end()
+ .json({
+ error: err.message,
+ code: err.name
+ })
}
- return next()
+ if (next) return next()
})
}
try {
const loginResult = await authOptions.login(loginOptions)
- if (loginResult) {
- logger.info(
- 'Login success with auth method %s of plugin %s for %s.',
- authName, npmName, loginOptions.id
- )
-
- if (!isUserUsernameValid(loginResult.username)) {
- logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { loginResult })
- continue
- }
-
- if (!loginResult.email) {
- logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { loginResult })
- continue
- }
-
- // role is optional
- if (loginResult.role && !isUserRoleValid(loginResult.role)) {
- logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { loginResult })
- continue
- }
-
- // display name is optional
- if (loginResult.displayName && !isUserDisplayNameValid(loginResult.displayName)) {
- logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { loginResult })
- continue
- }
-
- res.locals.bypassLogin = {
- bypass: true,
- pluginName: pluginAuth.npmName,
- authName: authOptions.authName,
- user: {
- username: loginResult.username,
- email: loginResult.email,
- role: loginResult.role || UserRole.USER,
- displayName: loginResult.displayName || loginResult.username
- }
- }
-
- return
+
+ if (!loginResult) continue
+ if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
+
+ logger.info(
+ 'Login success with auth method %s of plugin %s for %s.',
+ authName, npmName, loginOptions.id
+ )
+
+ res.locals.bypassLogin = {
+ bypass: true,
+ pluginName: pluginAuth.npmName,
+ authName: authOptions.authName,
+ user: buildUserResult(loginResult)
}
+
+ return
} catch (err) {
logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
}
}
}
+
+function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
+ const obj = authBypassTokens.get(req.body.externalAuthToken)
+ if (!obj) {
+ logger.error('Cannot authenticate user with unknown bypass token')
+ return res.sendStatus(400)
+ }
+
+ const { expires, user, authName, npmName } = obj
+
+ const now = new Date()
+ if (now.getTime() > expires.getTime()) {
+ logger.error('Cannot authenticate user with an expired bypass token')
+ return res.sendStatus(400)
+ }
+
+ if (user.username !== req.body.username) {
+ logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
+ return res.sendStatus(400)
+ }
+
+ // Bypass oauth library validation
+ req.body.password = 'fake'
+
+ logger.info(
+ 'Auth success with external auth method %s of plugin %s for %s.',
+ authName, npmName, user.email
+ )
+
+ res.locals.bypassLogin = {
+ bypass: true,
+ pluginName: npmName,
+ authName: authName,
+ user
+ }
+}
+
+function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
+ if (!isUserUsernameValid(result.username)) {
+ logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { result })
+ return false
+ }
+
+ if (!result.email) {
+ logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { result })
+ return false
+ }
+
+ // role is optional
+ if (result.role && !isUserRoleValid(result.role)) {
+ logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { result })
+ return false
+ }
+
+ // display name is optional
+ if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
+ logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { result })
+ return false
+ }
+
+ return true
+}
+
+function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
+ return {
+ username: pluginResult.username,
+ email: pluginResult.email,
+ role: pluginResult.role || UserRole.USER,
+ displayName: pluginResult.displayName || pluginResult.username
+ }
+}