41fb13c3 | 1 | import express from 'express' |
f43db2f4 | 2 | import { logger } from '@server/helpers/logger' |
e1c55031 | 3 | import { CONFIG } from '@server/initializers/config' |
4 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' |
5 | import { handleOAuthToken } from '@server/lib/auth/oauth' | |
6 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | |
e1c55031 | 7 | import { Hooks } from '@server/lib/plugins/hooks' |
e5a781ec | 8 | import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' |
0628157f | 9 | import { buildUUID } from '@shared/extra-utils' |
afff310e | 10 | import { ScopedToken } from '@shared/models/users/user-scoped-token' |
11 | |
const tokensRouter = express.Router()

// Throttle for the login endpoint. Window and ceiling are instance
// configuration (RATES_LIMIT.LOGIN), not hard-coded here.
const { WINDOW_MS: loginWindowMs, MAX: loginMax } = CONFIG.RATES_LIMIT.LOGIN

const loginRateLimiter = buildRateLimiter({
  windowMs: loginWindowMs,
  max: loginMax
})
18 | ||
// Route registration. Middleware order matters: the rate limiter runs before
// anything else on /token, and `authenticate` guards every other route.

// Token issue / refresh. Unauthenticated by nature (it is the login), so the
// only gate in front of it is the configured rate limiter (presumably meant
// to slow down credential brute-forcing).
tokensRouter.post('/token',
  loginRateLimiter,
  openapiOperationDoc({ operationId: 'getOAuthToken' }),
  asyncMiddleware(handleToken)
)

// Explicit logout: the caller must present the very token it revokes.
tokensRouter.post('/revoke-token',
  openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
  authenticate,
  asyncMiddleware(handleTokenRevocation)
)

// Per-user feed token: read it, or rotate it. Both require an authenticated
// session; neither is rate limited.
tokensRouter.get('/scoped-tokens', authenticate, getScopedTokens)
tokensRouter.post('/scoped-tokens', authenticate, asyncMiddleware(renewScopedTokens))
40 | ||
41 | // --------------------------------------------------------------------------- |
42 | ||
// Only the router leaves this module; the handlers below stay private.
export { tokensRouter }
46 | // --------------------------------------------------------------------------- | |
47 | ||
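/**
 * OAuth token endpoint handler (POST /token).
 *
 * Reads `grant_type` from the request body, lets a plugin short-circuit the
 * password grant via `buildByPassLogin`, resolves the auth name behind a
 * refresh grant, then delegates the actual grant processing to
 * `handleOAuthToken`. On success it answers with the bearer token payload.
 *
 * Errors are logged server-side. Only errors carrying an HTTP status code
 * (the OAuth errors raised by the token flow) are echoed to the client with
 * their message and name; anything else (database, plugin or programming
 * errors) is reported as a generic 500 so internal details are not disclosed
 * to an unauthenticated caller.
 *
 * @param req  Express request; `req.body` is untrusted client JSON
 * @param res  Express response; `res.fail` is the project's error helper
 * @param next Unused, kept for the Express handler signature
 */
async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  try {
    const bypassLogin = await buildByPassLogin(req, grantType)

    // Refresh grants need to know which external auth issued the original token
    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const token = await handleOAuthToken(req, { refreshTokenAuthName, bypassLogin })

    // Token responses must never be cached (RFC 6749 §5.1)
    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err) {
    logger.warn('Login error', { err })

    const status = errorHttpStatus(err)

    // Not an OAuth-style error (no usable HTTP status): treat as internal.
    // The full error is already in the log above; do not leak its message.
    if (status === undefined) {
      return res.fail({
        status: 500,
        message: 'Internal error while processing the token request'
      })
    }

    return res.fail({
      status,
      message: err.message,
      type: err.name
    })
  }
}

/**
 * Return `err.code` when it is a plausible client/server HTTP status
 * (integer in 400..599), otherwise `undefined`.
 * Guards against non-numeric codes (e.g. driver/library error codes) being
 * forwarded as a response status.
 */
function errorHttpStatus (err: unknown): number | undefined {
  const code = (err as { code?: unknown } | null)?.code

  if (typeof code !== 'number' || !Number.isInteger(code)) return undefined
  if (code < 400 || code >= 600) return undefined

  return code
}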
89 | ||
/**
 * Revoke the access token the caller authenticated with (explicit logout).
 * `res.locals.oauth.token` is populated by the `authenticate` middleware
 * that runs before this handler. The revocation result is returned as-is.
 */
async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const { token } = res.locals.oauth

  const revocation = await revokeToken(token, { req, explicitLogout: true })

  return res.json(revocation)
}
97 | |
/**
 * Return the authenticated user's scoped tokens.
 * Currently only the feed token is exposed; the user comes from the OAuth
 * token that `authenticate` stored in `res.locals`.
 */
function getScopedTokens (req: express.Request, res: express.Response) {
  const { feedToken } = res.locals.oauth.token.user

  const payload: ScopedToken = { feedToken }

  return res.json(payload)
}
105 | ||
/**
 * Rotate the authenticated user's feed token.
 * A fresh UUID replaces the stored value, the user row is saved, and the new
 * token is returned. Callers holding the previous token lose access to the
 * feed once the save completes.
 */
async function renewScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  const freshToken = buildUUID()
  user.feedToken = freshToken
  await user.save()

  const payload: ScopedToken = { feedToken: freshToken }

  return res.json(payload)
}
116 | |
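/**
 * Build the plugin "bypass login" descriptor for a password-grant request.
 *
 * Only the `password` grant can be short-circuited by a plugin. When the body
 * carries `externalAuthToken` the external-auth path is used, otherwise the
 * password-grant path. Any other grant type yields `undefined`.
 *
 * `req.body` is attacker-controlled JSON, so `username`, `password` and
 * `externalAuthToken` may arrive as objects or arrays even though the helpers
 * are typed for strings. Non-string values are not forwarded: the function
 * returns `undefined` (no bypass) and leaves the request to the regular OAuth
 * validation, which is expected to reject it. Missing fields are passed
 * through unchanged, as before.
 *
 * @param req       Express request with the token-endpoint body
 * @param grantType Value of `grant_type` from the request body
 */
async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  const { username, password, externalAuthToken } = req.body

  // Refuse type-confused credentials before they reach string-typed helpers
  if (!isStringOrAbsent(username) || !isStringOrAbsent(password)) return undefined

  if (externalAuthToken) {
    if (typeof externalAuthToken !== 'string') return undefined

    // Consistency with the getBypassFromPasswordGrant promise
    return getBypassFromExternalAuth(username, externalAuthToken)
  }

  return getBypassFromPasswordGrant(username, password)
}

// A body field is acceptable when it is a string or simply not provided
function isStringOrAbsent (value: unknown): value is string | undefined {
  return value === undefined || typeof value === 'string'
}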