1 | import * as express from 'express' | |
2 | import * as RateLimit from 'express-rate-limit' | |
3 | import { v4 as uuidv4 } from 'uuid' | |
4 | import { logger } from '@server/helpers/logger' | |
5 | import { CONFIG } from '@server/initializers/config' | |
6 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' | |
7 | import { handleOAuthToken } from '@server/lib/auth/oauth' | |
8 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | |
9 | import { Hooks } from '@server/lib/plugins/hooks' | |
10 | import { asyncMiddleware, authenticate } from '@server/middlewares' | |
11 | import { ScopedToken } from '@shared/models/users/user-scoped-token' | |
12 | ||
const tokensRouter = express.Router()

// Throttle token issuance: /token is the only route in this router that does not
// require a bearer token, so it is the natural target for credential stuffing and
// password spraying. Window and quota come from the server configuration.
// NOTE(review): express-rate-limit keys on req.ip by default; behind a reverse proxy
// the app must have `trust proxy` set or every client shares one bucket — confirm app setup.
const loginRateLimiter = RateLimit({
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
})

// OAuth2 token endpoint (password / refresh_token grants) — rate limited, no prior auth
tokensRouter.post('/token', loginRateLimiter, asyncMiddleware(handleToken))

// Every route below requires a valid bearer token (authenticate middleware)
tokensRouter.post('/revoke-token', authenticate, asyncMiddleware(handleTokenRevocation))

tokensRouter.route('/scoped-tokens')
  .get(authenticate, getScopedTokens)
  .post(authenticate, asyncMiddleware(renewScopedTokens))
39 | ||
// ---------------------------------------------------------------------------

// Router exported for the parent API router to mount; the mount path is chosen by the caller.
export {
  tokensRouter
}
// ---------------------------------------------------------------------------
46 | ||
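/**
 * POST /token — OAuth2 token endpoint.
 *
 * Reads `grant_type` (and, depending on the grant, `username`/`password`,
 * `externalAuthToken` or `refresh_token`) from the request body and delegates
 * validation and token issuance to `handleOAuthToken`. On success the reply is an
 * RFC 6749 §5.1 token response; on failure the error's HTTP status (or 400) is
 * returned with the error name and message in the body.
 *
 * @param req  express request; body fields are untrusted client input and are only
 *             forwarded to the auth helpers, never interpreted here
 * @param res  express response
 * @param next unused; kept so the function matches the express middleware signature
 */
async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grantType = req.body.grant_type

  try {
    // Password-grant login bypass (external auth plugins); undefined for other grants
    const bypassLogin = await buildByPassLogin(req, grantType)

    // For refresh grants, recover which external auth (if any) issued the original token
    const refreshTokenAuthName = grantType === 'refresh_token'
      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
      : undefined

    const token = await handleOAuthToken(req, { refreshTokenAuthName, bypassLogin })

    // RFC 6749 §5.1: token responses must not be cached by clients or intermediaries
    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })

    return res.json({
      token_type: 'Bearer',

      access_token: token.accessToken,
      refresh_token: token.refreshToken,

      expires_in: token.accessTokenExpiresIn,
      refresh_token_expires_in: token.refreshTokenExpiresIn
    })
  } catch (err: unknown) {
    logger.warn('Login error', { err })

    const { code, name, message } = (err ?? {}) as { code?: unknown, name?: string, message?: string }

    // Only a numeric HTTP status carried by the error is trusted. Anything else (e.g. a
    // Node system error whose `code` is a string like 'ECONNREFUSED') would make
    // res.status() throw, so fall back to 400 instead of crashing the handler.
    const status = typeof code === 'number' && code >= 400 && code <= 599
      ? code
      : 400

    // NOTE(review): `message` is echoed to the client as-is. For OAuth errors that is the
    // intended error description, but an unexpected internal error would be exposed too —
    // consider mapping non-OAuth errors to a generic message.
    return res.status(status).json({
      code: name,
      error: message
    })
  }
}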
87 | ||
/**
 * POST /revoke-token — revoke the bearer token that authenticated this request
 * (explicit logout). The token comes from `res.locals.oauth.token`, presumably set
 * by the `authenticate` middleware on the route, so a caller can only revoke its own token.
 *
 * @returns the result of `revokeToken` as JSON
 */
async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const { token } = res.locals.oauth
  const revocation = await revokeToken(token, { req, explicitLogout: true })

  return res.json(revocation)
}
95 | ||
/**
 * GET /scoped-tokens — return the authenticated user's scoped tokens.
 * Currently the only scoped token is `feedToken`, read from the user attached to the
 * request's OAuth token (`res.locals.oauth.token.user`).
 */
function getScopedTokens (req: express.Request, res: express.Response) {
  const { feedToken } = res.locals.oauth.token.user
  const scoped = { feedToken } as ScopedToken

  return res.json(scoped)
}
103 | ||
/**
 * POST /scoped-tokens — rotate the authenticated user's scoped tokens.
 * A fresh random v4 UUID overwrites `feedToken` and is persisted with `user.save()`;
 * the previous value is no longer stored on the user after this call. The new token
 * is returned to the caller.
 */
async function renewScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  const feedToken = uuidv4()
  user.feedToken = feedToken
  await user.save()

  return res.json({ feedToken } as ScopedToken)
}
114 | ||
/**
 * Build the login bypass used by external auth plugins for a password grant.
 *
 * Returns undefined for every grant type other than `password`, so no bypass is
 * applied to refresh-token requests. For a password grant, a truthy
 * `externalAuthToken` in the body takes precedence and is checked together with
 * the username; otherwise the username/password pair is offered to the
 * password-grant bypass.
 *
 * @param req       express request; body fields are untrusted client input
 * @param grantType the `grant_type` from the request body
 * @returns a BypassLogin (or undefined) — both helpers return a promise, so the
 *          caller can await either branch uniformly
 */
async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  const { username, password, externalAuthToken } = req.body

  return externalAuthToken
    ? getBypassFromExternalAuth(username, externalAuthToken)
    : getBypassFromPasswordGrant(username, password)
}