[github/Chocobozzz/PeerTube.git] / server / controllers / api / users / token.ts

import * as express from 'express'
import * as RateLimit from 'express-rate-limit'
import { v4 as uuidv4 } from 'uuid'
import { logger } from '@server/helpers/logger'
import { CONFIG } from '@server/initializers/config'
import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
import { handleOAuthToken } from '@server/lib/auth/oauth'
import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
import { Hooks } from '@server/lib/plugins/hooks'
import { asyncMiddleware, authenticate } from '@server/middlewares'
import { ScopedToken } from '@shared/models/users/user-scoped-token'

const tokensRouter = express.Router()

const loginRateLimiter = RateLimit({
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
})

tokensRouter.post('/token',
  loginRateLimiter,
  asyncMiddleware(handleToken)
)

tokensRouter.post('/revoke-token',
  authenticate,
  asyncMiddleware(handleTokenRevocation)
)

tokensRouter.get('/scoped-tokens',
  authenticate,
  getScopedTokens
)

tokensRouter.post('/scoped-tokens',
  authenticate,
  asyncMiddleware(renewScopedTokens)
)

// ---------------------------------------------------------------------------

export {
  tokensRouter
}
// ---------------------------------------------------------------------------

async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  try {
    const bypassLogin = await buildByPassLogin(req, grantType)

    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const options = {
      refreshTokenAuthName,
      bypassLogin
    }

    const token = await handleOAuthToken(req, options)

    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err) {
    logger.warn('Login error', { err })

    return res.status(err.code || 400).json({
      code: err.name,
      error: err.message
    })
  }
}

async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const token = res.locals.oauth.token

  const result = await revokeToken(token, { req, explicitLogout: true })

  return res.json(result)
}

function getScopedTokens (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.user

  return res.json({
    feedToken: user.feedToken
  } as ScopedToken)
}

async function renewScopedTokens (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.user

  user.feedToken = uuidv4()
  await user.save()

  return res.json({
    feedToken: user.feedToken
  } as ScopedToken)
}

async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  if (req.body.externalAuthToken) {
    // Consistency with the getBypassFromPasswordGrant promise
    return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
  }

  return getBypassFromPasswordGrant(req.body.username, req.body.password)
}
Commit	Line	Data
f43db2f4	1	import * as express from 'express'
e1c55031	2	import * as RateLimit from 'express-rate-limit'
f43db2f4 C	3	import { v4 as uuidv4 } from 'uuid'
f43db2f4 C	4	import { logger } from '@server/helpers/logger'
e1c55031	5	import { CONFIG } from '@server/initializers/config'
f43db2f4 C	6	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
	7	import { handleOAuthToken } from '@server/lib/auth/oauth'
	8	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
e1c55031 C	9	import { Hooks } from '@server/lib/plugins/hooks'
e1c55031 C	10	import { asyncMiddleware, authenticate } from '@server/middlewares'
afff310e	11	import { ScopedToken } from '@shared/models/users/user-scoped-token'
e1c55031 C	12
	13	const tokensRouter = express.Router()
	14
	15	const loginRateLimiter = RateLimit({
	16	windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
	17	max: CONFIG.RATES_LIMIT.LOGIN.MAX
	18	})
	19
	20	tokensRouter.post('/token',
	21	loginRateLimiter,
f43db2f4	22	asyncMiddleware(handleToken)
e1c55031 C	23	)
	24
	25	tokensRouter.post('/revoke-token',
	26	authenticate,
e307e4fc	27	asyncMiddleware(handleTokenRevocation)
e1c55031 C	28	)
e1c55031 C	29
afff310e RK	30	tokensRouter.get('/scoped-tokens',
	31	authenticate,
	32	getScopedTokens
	33	)
	34
	35	tokensRouter.post('/scoped-tokens',
	36	authenticate,
	37	asyncMiddleware(renewScopedTokens)
	38	)
	39
e1c55031 C	40	// ---------------------------------------------------------------------------
	41
	42	export {
	43	tokensRouter
	44	}
	45	// ---------------------------------------------------------------------------
	46
f43db2f4 C	47	async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
	48	const grantType = req.body.grant_type
	49
	50	try {
	51	const bypassLogin = await buildByPassLogin(req, grantType)
	52
	53	const refreshTokenAuthName = grantType === 'refresh_token'
	54	? await getAuthNameFromRefreshGrant(req.body.refresh_token)
	55	: undefined
	56
	57	const options = {
	58	refreshTokenAuthName,
	59	bypassLogin
	60	}
	61
	62	const token = await handleOAuthToken(req, options)
	63
	64	res.set('Cache-Control', 'no-store')
	65	res.set('Pragma', 'no-cache')
	66
	67	Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })
	68
	69	return res.json({
	70	token_type: 'Bearer',
e1c55031	71
f43db2f4 C	72	access_token: token.accessToken,
	73	refresh_token: token.refreshToken,
	74
	75	expires_in: token.accessTokenExpiresIn,
	76	refresh_token_expires_in: token.refreshTokenExpiresIn
	77	})
	78	} catch (err) {
	79	logger.warn('Login error', { err })
	80
	81	return res.status(err.code \|\| 400).json({
	82	code: err.name,
	83	error: err.message
	84	})
	85	}
	86	}
	87
	88	async function handleTokenRevocation (req: express.Request, res: express.Response) {
	89	const token = res.locals.oauth.token
	90
97aeb3cc	91	const result = await revokeToken(token, { req, explicitLogout: true })
f43db2f4 C	92
f43db2f4 C	93	return res.json(result)
e1c55031	94	}
afff310e RK	95
	96	function getScopedTokens (req: express.Request, res: express.Response) {
	97	const user = res.locals.oauth.token.user
	98
	99	return res.json({
	100	feedToken: user.feedToken
	101	} as ScopedToken)
	102	}
	103
	104	async function renewScopedTokens (req: express.Request, res: express.Response) {
	105	const user = res.locals.oauth.token.user
	106
	107	user.feedToken = uuidv4()
	108	await user.save()
	109
	110	return res.json({
	111	feedToken: user.feedToken
	112	} as ScopedToken)
	113	}
f43db2f4 C	114
	115	async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
	116	if (grantType !== 'password') return undefined
	117
	118	if (req.body.externalAuthToken) {
	119	// Consistency with the getBypassFromPasswordGrant promise
	120	return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
	121	}
	122
	123	return getBypassFromPasswordGrant(req.body.username, req.body.password)
	124	}