1 | import express from 'express' |
2 | import RateLimit from 'express-rate-limit' | |
f43db2f4 | 3 | import { logger } from '@server/helpers/logger' |
d4a8e7a6 | 4 | import { buildUUID } from '@server/helpers/uuid' |
e1c55031 | 5 | import { CONFIG } from '@server/initializers/config' |
6 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' |
7 | import { handleOAuthToken } from '@server/lib/auth/oauth' | |
8 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | |
e1c55031 | 9 | import { Hooks } from '@server/lib/plugins/hooks' |
1333ab1f | 10 | import { asyncMiddleware, authenticate, openapiOperationDoc } from '@server/middlewares' |
afff310e | 11 | import { ScopedToken } from '@shared/models/users/user-scoped-token' |
12 | |
const tokensRouter = express.Router()

// Brute-force throttle for the token endpoint, sized from config.
// express-rate-limit buckets on req.ip, so behind a reverse proxy the app's
// `trust proxy` setting decides whether this is per-client or per-proxy.
// NOTE(review): that setting is not visible in this file — confirm in the app bootstrap.
const loginRateLimiter = RateLimit({
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
})
19 | ||
// OAuth2 token endpoint. It is unauthenticated by design (credentials are exchanged
// for a token here), so the rate limiter is the only throttle and runs before the
// handler. It applies to every grant type, including refresh_token.
tokensRouter.post('/token',
  loginRateLimiter,
  openapiOperationDoc({ operationId: 'getOAuthToken' }),
  asyncMiddleware(handleToken)
)
25 | ||
// Revocation requires a valid access token: the token revoked is the one that
// authenticated this request (handleTokenRevocation reads res.locals.oauth.token).
tokensRouter.post('/revoke-token',
  openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
  authenticate,
  asyncMiddleware(handleTokenRevocation)
)
31 | ||
// Scoped tokens are per-user secrets (currently only feedToken), so both reading
// and rotating them require an authenticated caller; the user is taken from the
// access token, never from the request body.
tokensRouter.get('/scoped-tokens',
  authenticate,
  getScopedTokens
)

// Rotation invalidates the previous feedToken once the user row is saved.
tokensRouter.post('/scoped-tokens',
  authenticate,
  asyncMiddleware(renewScopedTokens)
)
41 | ||
42 | // --------------------------------------------------------------------------- |
43 | ||
// Mounted by the users API controller; only the router is public, handlers stay module-private.
export {
  tokensRouter
}
47 | // --------------------------------------------------------------------------- | |
48 | ||
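/**
 * POST /token — OAuth2 token endpoint handler.
 *
 * Prepares the per-grant options (external-auth / plugin "bypass login" for the
 * password grant, external auth name for refresh grants), delegates the actual
 * grant processing to handleOAuthToken, and maps a thrown error onto res.fail.
 *
 * @param req  body is read for grant_type, refresh_token, username, password, externalAuthToken
 * @param res  receives the token JSON on success, res.fail(...) on error
 * @param next unused; kept so the signature matches an express handler
 */
async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  // RFC 6749 §5.1 requires Cache-Control: no-store / Pragma: no-cache on responses
  // that carry tokens. Set them before the try so error replies are uncacheable
  // too, instead of only the success path.
  res.set('Cache-Control', 'no-store')
  res.set('Pragma', 'no-cache')

  try {
    const bypassLogin = await buildByPassLogin(req, grantType)

    // Only a refresh grant carries the name of the external auth that issued the original token
    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const token = await handleOAuthToken(req, { refreshTokenAuthName, bypassLogin })

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err) {
    logger.warn('Login error', { err })

    // NOTE(review): err.message is echoed to the client verbatim. That is fine for
    // the OAuth error types handleOAuthToken raises, but an unexpected error (DB,
    // plugin) would leak its message — consider a generic message for errors
    // without a code. TODO confirm what handleOAuthToken can throw.
    return res.fail({
      status: err.code,
      message: err.message,
      type: err.name
    })
  }
}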
90 | ||
/**
 * POST /revoke-token — revokes the access token that authenticated this request
 * (res.locals.oauth.token, populated by the authenticate middleware) and replies
 * with whatever revokeToken reports.
 */
async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const { token } = res.locals.oauth

  // explicitLogout marks this as a user-initiated logout for revokeToken
  // (its exact effect lives in lib/auth/oauth-model)
  const revocation = await revokeToken(token, { req, explicitLogout: true })

  return res.json(revocation)
}
98 | |
/**
 * GET /scoped-tokens — returns the caller's scoped tokens (currently only feedToken).
 * The user comes from the authenticated access token, so only its owner can read it.
 */
function getScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  const payload = { feedToken: user.feedToken } as ScopedToken

  return res.json(payload)
}
106 | ||
/**
 * POST /scoped-tokens — rotates the caller's feedToken.
 * The new value is persisted before it is returned, so the reply always matches the DB
 * and the previous token stops working once save() completes.
 */
async function renewScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  user.feedToken = buildUUID()
  await user.save()

  const payload = { feedToken: user.feedToken } as ScopedToken

  return res.json(payload)
}
117 | |
/**
 * Builds the "bypass login" descriptor handed to handleOAuthToken.
 *
 * Only the password grant may bypass the local password check: with an
 * externalAuthToken (see lib/auth/external-auth) or by letting a plugin answer
 * the password grant. Any other grant type resolves to undefined.
 *
 * @param req       body is read for username, password and externalAuthToken
 * @param grantType the OAuth grant_type of the request
 * @returns the bypass descriptor, or undefined when no bypass applies
 */
async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  const { username, password, externalAuthToken } = req.body

  // A present externalAuthToken wins over the password; both helpers already return
  // a promise, so the result is handed back as-is
  return externalAuthToken
    ? getBypassFromExternalAuth(username, externalAuthToken)
    : getBypassFromPasswordGrant(username, password)
}