1 | import express from 'express' | |
2 | import { logger } from '@server/helpers/logger' | |
3 | import { CONFIG } from '@server/initializers/config' | |
4 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' | |
5 | import { handleOAuthToken } from '@server/lib/auth/oauth' | |
6 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | |
7 | import { Hooks } from '@server/lib/plugins/hooks' | |
8 | import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' | |
9 | import { buildUUID } from '@shared/extra-utils' | |
10 | import { ScopedToken } from '@shared/models/users/user-scoped-token' | |
11 | ||
// Router for the OAuth2 token endpoints: issue, revoke, and the user's scoped (feed) token.
const tokensRouter = express.Router()

// Throttles requests using the configured window/max; wired on /token only (below),
// which is the endpoint that accepts credentials, so it limits credential guessing.
const loginRateLimiter = buildRateLimiter({
  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  max: CONFIG.RATES_LIMIT.LOGIN.MAX
})

// Middleware order matters: the rate limiter is the first middleware on this route,
// so it sees every request before any grant handling in handleToken.
tokensRouter.post('/token',
  loginRateLimiter,
  openapiOperationDoc({ operationId: 'getOAuthToken' }),
  asyncMiddleware(handleToken)
)

// Revocation requires a valid access token (authenticate); no rate limiter is applied here.
tokensRouter.post('/revoke-token',
  openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
  authenticate,
  asyncMiddleware(handleTokenRevocation)
)

// Read the current feed token. The handler is synchronous, hence no asyncMiddleware wrapper.
tokensRouter.get('/scoped-tokens',
  authenticate,
  getScopedTokens
)

// Rotate the feed token; async because the handler persists the user.
tokensRouter.post('/scoped-tokens',
  authenticate,
  asyncMiddleware(renewScopedTokens)
)

// ---------------------------------------------------------------------------

export {
  tokensRouter
}
46 | // --------------------------------------------------------------------------- | |
47 | ||
/**
 * Handles POST /token: resolves an optional login bypass, builds the OAuth token
 * through handleOAuthToken and writes the token response.
 *
 * @param req - the token request; grant_type (and refresh_token for refresh grants) is read from the body
 * @param res - the response; receives the token JSON or a res.fail() on error
 * @param next - unused, kept for the express handler signature
 */
async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
  const grant = req.body.grant_type

  try {
    const bypassLogin = await buildByPassLogin(req, grant)

    // Only a refresh grant carries a refresh token whose originating auth name is looked up.
    const refreshTokenAuthName = grant !== 'refresh_token'
      ? undefined
      : await getAuthNameFromRefreshGrant(req.body.refresh_token)

    const issued = await handleOAuthToken(req, { refreshTokenAuthName, bypassLogin })

    // RFC 6749 §5.1: token responses must not be cached by clients or intermediaries.
    res.set('Cache-Control', 'no-store')
    res.set('Pragma', 'no-cache')

    Hooks.runAction('action:api.user.oauth2-got-token', { username: issued.user.username, ip: req.ip, req, res })

    const body = {
      token_type: 'Bearer',

      access_token: issued.accessToken,
      refresh_token: issued.refreshToken,

      expires_in: issued.accessTokenExpiresIn,
      refresh_token_expires_in: issued.refreshTokenExpiresIn
    }

    return res.json(body)
  } catch (err) {
    // The full error object is logged server-side; the client only receives its
    // code, name and message through res.fail().
    logger.warn('Login error', { err })

    return res.fail({ status: err.code, message: err.message, type: err.name })
  }
}
89 | ||
/**
 * Handles POST /revoke-token: revokes the access token attached to the request.
 *
 * The token revoked is the one read from res.locals.oauth (populated upstream,
 * presumably by the authenticate middleware on this route), so the caller revokes
 * the credential they presented rather than a token named in the body.
 *
 * @param req - the request, forwarded to revokeToken
 * @param res - the response; receives revokeToken's result as JSON
 */
async function handleTokenRevocation (req: express.Request, res: express.Response) {
  const { token } = res.locals.oauth

  const revocation = await revokeToken(token, { req, explicitLogout: true })

  return res.json(revocation)
}
97 | ||
/**
 * Handles GET /scoped-tokens: returns the authenticated user's current feed token.
 *
 * @param req - unused
 * @param res - the response; the user is read from res.locals.oauth.token
 */
function getScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  // Declared type rather than an `as` cast, so the compiler checks the payload shape.
  const payload: ScopedToken = { feedToken: user.feedToken }

  return res.json(payload)
}
105 | ||
/**
 * Handles POST /scoped-tokens: replaces the authenticated user's feed token with a
 * fresh UUID, persists the user and returns the new token.
 *
 * @param req - unused
 * @param res - the response; the user is read from res.locals.oauth.token
 */
async function renewScopedTokens (req: express.Request, res: express.Response) {
  const { user } = res.locals.oauth.token

  // Rotation: the old value is overwritten and saved before the reply, so
  // (presumably) anything built on the previous feed token stops working here.
  user.feedToken = buildUUID()
  await user.save()

  const payload: ScopedToken = { feedToken: user.feedToken }

  return res.json(payload)
}
116 | ||
/**
 * Resolves the login bypass for a password grant.
 *
 * Only the password grant can be short-circuited: an external auth token in the
 * body takes precedence over the plain username/password pair. Other grant types
 * yield undefined.
 *
 * @param req - the token request; username, password and externalAuthToken are read from the body
 * @param grantType - the OAuth grant_type of the request
 * @returns the bypass resolved by the external-auth helpers, or undefined for non-password grants
 */
async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
  if (grantType !== 'password') return undefined

  const body = req.body
  const externalToken = body.externalAuthToken

  // Both helpers return promises, so either branch resolves to the same value the
  // caller would get from returning the promise directly.
  return externalToken
    ? await getBypassFromExternalAuth(body.username, externalToken)
    : await getBypassFromPasswordGrant(body.username, body.password)
}