[github/Chocobozzz/PeerTube.git] / server / controllers / api / users / token.ts

import express from 'express'
import { logger } from '@server/helpers/logger'
import { CONFIG } from '@server/initializers/config'
import { OTP } from '@server/initializers/constants'
import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
import { Hooks } from '@server/lib/plugins/hooks'
import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
import { buildUUID } from '@shared/extra-utils'
import { ScopedToken } from '@shared/models/users/user-scoped-token'

const tokensRouter = express.Router()

const loginRateLimiter = buildRateLimiter({
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
})

tokensRouter.post('/token',
  loginRateLimiter,
  openapiOperationDoc({ operationId: 'getOAuthToken' }),
  asyncMiddleware(handleToken)
)

tokensRouter.post('/revoke-token',
  openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
  authenticate,
  asyncMiddleware(handleTokenRevocation)
)

tokensRouter.get('/scoped-tokens',
  authenticate,
  getScopedTokens
)

tokensRouter.post('/scoped-tokens',
  authenticate,
  asyncMiddleware(renewScopedTokens)
)

// ---------------------------------------------------------------------------

export {
  tokensRouter
}
// ---------------------------------------------------------------------------

async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  try {
    const bypassLogin = await buildByPassLogin(req, grantType)

    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const options = {
      refreshTokenAuthName,
      bypassLogin
    }

    const token = await handleOAuthToken(req, options)

    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err) {
    logger.warn('Login error', { err })

    if (err instanceof MissingTwoFactorError) {
      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
    }

    return res.fail({
      status: err.code,
      message: err.message,
      type: err.name
    })
  }
}

async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const token = res.locals.oauth.token

  const result = await revokeToken(token, { req, explicitLogout: true })

  return res.json(result)
}

function getScopedTokens (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.user

  return res.json({
    feedToken: user.feedToken
  } as ScopedToken)
}

async function renewScopedTokens (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.user

  user.feedToken = buildUUID()
  await user.save()

  return res.json({
    feedToken: user.feedToken
  } as ScopedToken)
}

async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  if (req.body.externalAuthToken) {
    // Consistency with the getBypassFromPasswordGrant promise
    return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
  }

  return getBypassFromPasswordGrant(req.body.username, req.body.password)
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
f43db2f4	2	import { logger } from '@server/helpers/logger'
e1c55031	3	import { CONFIG } from '@server/initializers/config'
56f47830	4	import { OTP } from '@server/initializers/constants'
f43db2f4	5	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
56f47830	6	import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
f43db2f4	7	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
e1c55031	8	import { Hooks } from '@server/lib/plugins/hooks'
e5a781ec	9	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
0628157f	10	import { buildUUID } from '@shared/extra-utils'
afff310e	11	import { ScopedToken } from '@shared/models/users/user-scoped-token'
e1c55031 C	12
	13	const tokensRouter = express.Router()
	14
e5a781ec	15	const loginRateLimiter = buildRateLimiter({
e1c55031 C	16	windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
	17	max: CONFIG.RATES_LIMIT.LOGIN.MAX
	18	})
	19
	20	tokensRouter.post('/token',
	21	loginRateLimiter,
1333ab1f	22	openapiOperationDoc({ operationId: 'getOAuthToken' }),
f43db2f4	23	asyncMiddleware(handleToken)
e1c55031 C	24	)
	25
	26	tokensRouter.post('/revoke-token',
1333ab1f	27	openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
e1c55031	28	authenticate,
e307e4fc	29	asyncMiddleware(handleTokenRevocation)
e1c55031 C	30	)
e1c55031 C	31
afff310e RK	32	tokensRouter.get('/scoped-tokens',
	33	authenticate,
	34	getScopedTokens
	35	)
	36
	37	tokensRouter.post('/scoped-tokens',
	38	authenticate,
	39	asyncMiddleware(renewScopedTokens)
	40	)
	41
e1c55031 C	42	// ---------------------------------------------------------------------------
	43
	44	export {
	45	tokensRouter
	46	}
	47	// ---------------------------------------------------------------------------
	48
f43db2f4 C	49	async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
	50	const grantType = req.body.grant_type
	51
	52	try {
	53	const bypassLogin = await buildByPassLogin(req, grantType)
	54
	55	const refreshTokenAuthName = grantType === 'refresh_token'
	56	? await getAuthNameFromRefreshGrant(req.body.refresh_token)
	57	: undefined
	58
	59	const options = {
	60	refreshTokenAuthName,
	61	bypassLogin
	62	}
	63
	64	const token = await handleOAuthToken(req, options)
	65
	66	res.set('Cache-Control', 'no-store')
	67	res.set('Pragma', 'no-cache')
	68
7226e90f	69	Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })
f43db2f4 C	70
	71	return res.json({
	72	token_type: 'Bearer',
e1c55031	73
f43db2f4 C	74	access_token: token.accessToken,
	75	refresh_token: token.refreshToken,
	76
	77	expires_in: token.accessTokenExpiresIn,
	78	refresh_token_expires_in: token.refreshTokenExpiresIn
	79	})
	80	} catch (err) {
	81	logger.warn('Login error', { err })
	82
56f47830 C	83	if (err instanceof MissingTwoFactorError) {
	84	res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
	85	}
	86
76148b27 RK	87	return res.fail({
	88	status: err.code,
	89	message: err.message,
	90	type: err.name
f43db2f4 C	91	})
	92	}
	93	}
	94
	95	async function handleTokenRevocation (req: express.Request, res: express.Response) {
	96	const token = res.locals.oauth.token
	97
97aeb3cc	98	const result = await revokeToken(token, { req, explicitLogout: true })
f43db2f4 C	99
f43db2f4 C	100	return res.json(result)
e1c55031	101	}
afff310e RK	102
	103	function getScopedTokens (req: express.Request, res: express.Response) {
	104	const user = res.locals.oauth.token.user
	105
	106	return res.json({
	107	feedToken: user.feedToken
	108	} as ScopedToken)
	109	}
	110
	111	async function renewScopedTokens (req: express.Request, res: express.Response) {
	112	const user = res.locals.oauth.token.user
	113
d4a8e7a6	114	user.feedToken = buildUUID()
afff310e RK	115	await user.save()
	116
	117	return res.json({
	118	feedToken: user.feedToken
	119	} as ScopedToken)
	120	}
f43db2f4 C	121
	122	async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
	123	if (grantType !== 'password') return undefined
	124
	125	if (req.body.externalAuthToken) {
	126	// Consistency with the getBypassFromPasswordGrant promise
	127	return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
	128	}
	129
	130	return getBypassFromPasswordGrant(req.body.username, req.body.password)
	131	}