1 import express from 'express'
2 import { logger } from '@server/helpers/logger'
3 import { CONFIG } from '@server/initializers/config'
4 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
5 import { handleOAuthToken } from '@server/lib/auth/oauth'
6 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
7 import { Hooks } from '@server/lib/plugins/hooks'
8 import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
9 import { buildUUID } from '@shared/extra-utils'
10 import { ScopedToken } from '@shared/models/users/user-scoped-token'
12 const tokensRouter = express.Router()
14 const loginRateLimiter = buildRateLimiter({
15 windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
16 max: CONFIG.RATES_LIMIT.LOGIN.MAX
19 tokensRouter.post('/token',
21 openapiOperationDoc({ operationId: 'getOAuthToken' }),
22 asyncMiddleware(handleToken)
25 tokensRouter.post('/revoke-token',
26 openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
28 asyncMiddleware(handleTokenRevocation)
31 tokensRouter.get('/scoped-tokens',
36 tokensRouter.post('/scoped-tokens',
38 asyncMiddleware(renewScopedTokens)
41 // ---------------------------------------------------------------------------
46 // ---------------------------------------------------------------------------
48 async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
49 const grantType = req.body.grant_type
52 const bypassLogin = await buildByPassLogin(req, grantType)
54 const refreshTokenAuthName = grantType === 'refresh_token'
55 ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
63 const token = await handleOAuthToken(req, options)
65 res.set('Cache-Control', 'no-store')
66 res.set('Pragma', 'no-cache')
68 Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })
73 access_token: token.accessToken,
74 refresh_token: token.refreshToken,
76 expires_in: token.accessTokenExpiresIn,
77 refresh_token_expires_in: token.refreshTokenExpiresIn
80 logger.warn('Login error', { err })
90 async function handleTokenRevocation (req: express.Request, res: express.Response) {
91 const token = res.locals.oauth.token
93 const result = await revokeToken(token, { req, explicitLogout: true })
95 return res.json(result)
98 function getScopedTokens (req: express.Request, res: express.Response) {
99 const user = res.locals.oauth.token.user
102 feedToken: user.feedToken
106 async function renewScopedTokens (req: express.Request, res: express.Response) {
107 const user = res.locals.oauth.token.user
109 user.feedToken = buildUUID()
113 feedToken: user.feedToken
117 async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
118 if (grantType !== 'password') return undefined
120 if (req.body.externalAuthToken) {
121 // Consistency with the getBypassFromPasswordGrant promise
122 return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
125 return getBypassFromPasswordGrant(req.body.username, req.body.password)