f43db2f4 | 1 | import * as express from 'express' |
e1c55031 | 2 | import * as RateLimit from 'express-rate-limit' |
3 | import { v4 as uuidv4 } from 'uuid' |
4 | import { logger } from '@server/helpers/logger' | |
e1c55031 | 5 | import { CONFIG } from '@server/initializers/config' |
6 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' |
7 | import { handleOAuthToken } from '@server/lib/auth/oauth' | |
8 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | |
9 | import { Hooks } from '@server/lib/plugins/hooks' |
10 | import { asyncMiddleware, authenticate } from '@server/middlewares' | |
afff310e | 11 | import { ScopedToken } from '@shared/models/users/user-scoped-token' |
12 | |
const tokensRouter = express.Router()

// Per-IP throttle for the credential-bearing /token endpoint; both bounds come from configuration.
const loginRateLimiterOptions = {
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
}
const loginRateLimiter = RateLimit(loginRateLimiterOptions)

// Token issuance: rate limited and deliberately unauthenticated (the grant credentials are in the body).
tokensRouter.post('/token', [ loginRateLimiter, asyncMiddleware(handleToken) ])

// Revocation only makes sense for a caller that already holds a valid token.
tokensRouter.post('/revoke-token', [ authenticate, asyncMiddleware(handleTokenRevocation) ])

// Scoped (feed) tokens: read the current one, or rotate it; both behind authentication.
tokensRouter.route('/scoped-tokens')
  .get(authenticate, getScopedTokens)
  .post(authenticate, asyncMiddleware(renewScopedTokens))

// ---------------------------------------------------------------------------

export {
  tokensRouter
}
// ---------------------------------------------------------------------------

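/**
 * POST /token — OAuth2 token endpoint.
 *
 * Resolves an optional login bypass (password grant only), looks up the auth
 * name behind a refresh token when the grant is `refresh_token`, then hands
 * the request to handleOAuthToken. On success the token pair is returned as
 * JSON with client-side caching disabled; on failure the error is logged and
 * reported to the client.
 *
 * @param req - Express request; reads grant_type and refresh_token from the body
 * @param res - Express response
 * @param next - Unused, kept so the function matches the express handler signature
 */
async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  try {
    const bypassLogin = await buildByPassLogin(req, grantType)

    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const token = await handleOAuthToken(req, { refreshTokenAuthName, bypassLogin })

    // RFC 6749 §5.1: token responses must not be cached by clients or intermediaries
    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err) {
    logger.warn('Login error', { err })

    // NOTE(review): name and message of *any* error thrown above are echoed to the client;
    // confirm that failures outside the OAuth layer cannot surface internal details here.
    return res.status(errorStatusCode(err)).json({
      code: err.name,
      error: err.message
    })
  }
}

/**
 * Picks the HTTP status for a failed token request.
 *
 * OAuth errors carry a numeric `code`, which is used as-is. Anything else —
 * no code at all, or a non-numeric one such as a system errno string — maps
 * to 400 instead of being handed to res.status(), which would reject a
 * non-integer status while writing the response.
 *
 * @param err - whatever was caught by the token handler
 * @returns an integer HTTP status in the 100–599 range
 */
function errorStatusCode (err: unknown): number {
  const code = (err as { code?: unknown } | null)?.code

  return typeof code === 'number' && Number.isInteger(code) && code >= 100 && code <= 599
    ? code
    : 400
}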
/**
 * POST /revoke-token — invalidates the access token that authenticated this request.
 *
 * The token is read from res.locals.oauth (presumably set by the authenticate
 * middleware in front of this route); the revocation outcome is returned as JSON.
 *
 * @param req - Express request, forwarded to revokeToken
 * @param res - Express response
 */
async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const { token } = res.locals.oauth

  const revocation = await revokeToken(token, { req, explicitLogout: true })

  return res.json(revocation)
}

/**
 * GET /scoped-tokens — returns the authenticated user's current feed token.
 *
 * Only the feedToken field is exposed; nothing else from the user record leaves this handler.
 *
 * @param req - Express request (unused)
 * @param res - Express response; the user comes from res.locals.oauth.token
 */
function getScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  const payload = { feedToken: user.feedToken } as ScopedToken

  return res.json(payload)
}

/**
 * POST /scoped-tokens — rotates the authenticated user's feed token.
 *
 * A fresh UUID v4 replaces the stored feedToken, the user record is saved,
 * and the new value is returned to the caller.
 *
 * @param req - Express request (unused)
 * @param res - Express response; the user comes from res.locals.oauth.token
 */
async function renewScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  const feedToken = uuidv4()
  user.feedToken = feedToken
  await user.save()

  return res.json({ feedToken } as ScopedToken)
}

/**
 * Builds the login bypass for a token request.
 *
 * Only the password grant can be bypassed: when the body carries an
 * externalAuthToken it is handed to getBypassFromExternalAuth, otherwise the
 * username/password pair goes to getBypassFromPasswordGrant. Every other
 * grant type resolves to undefined without touching the body.
 *
 * @param req - Express request; reads username, password and externalAuthToken from the body
 * @param grantType - OAuth2 grant_type taken from the request body
 * @returns the bypass produced by the matching helper, or undefined
 */
async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  const { username, password, externalAuthToken } = req.body

  // Both helpers yield a promise, so either branch is awaited identically by the caller
  return externalAuthToken
    ? getBypassFromExternalAuth(username, externalAuthToken)
    : getBypassFromPasswordGrant(username, password)
}