1 import express from 'express'
2 import RateLimit from 'express-rate-limit'
3 import { logger } from '@server/helpers/logger'
4 import { CONFIG } from '@server/initializers/config'
5 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
6 import { handleOAuthToken } from '@server/lib/auth/oauth'
7 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
8 import { Hooks } from '@server/lib/plugins/hooks'
9 import { asyncMiddleware, authenticate, openapiOperationDoc } from '@server/middlewares'
10 import { buildUUID } from '@shared/extra-utils'
11 import { ScopedToken } from '@shared/models/users/user-scoped-token'
13 const tokensRouter = express.Router()
15 const loginRateLimiter = RateLimit({
16 windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
17 max: CONFIG.RATES_LIMIT.LOGIN.MAX
20 tokensRouter.post('/token',
22 openapiOperationDoc({ operationId: 'getOAuthToken' }),
23 asyncMiddleware(handleToken)
26 tokensRouter.post('/revoke-token',
27 openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
29 asyncMiddleware(handleTokenRevocation)
32 tokensRouter.get('/scoped-tokens',
37 tokensRouter.post('/scoped-tokens',
39 asyncMiddleware(renewScopedTokens)
42 // ---------------------------------------------------------------------------
47 // ---------------------------------------------------------------------------
49 async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
50 const grantType = req.body.grant_type
53 const bypassLogin = await buildByPassLogin(req, grantType)
55 const refreshTokenAuthName = grantType === 'refresh_token'
56 ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
64 const token = await handleOAuthToken(req, options)
66 res.set('Cache-Control', 'no-store')
67 res.set('Pragma', 'no-cache')
69 Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })
74 access_token: token.accessToken,
75 refresh_token: token.refreshToken,
77 expires_in: token.accessTokenExpiresIn,
78 refresh_token_expires_in: token.refreshTokenExpiresIn
81 logger.warn('Login error', { err })
91 async function handleTokenRevocation (req: express.Request, res: express.Response) {
92 const token = res.locals.oauth.token
94 const result = await revokeToken(token, { req, explicitLogout: true })
96 return res.json(result)
99 function getScopedTokens (req: express.Request, res: express.Response) {
100 const user = res.locals.oauth.token.user
103 feedToken: user.feedToken
107 async function renewScopedTokens (req: express.Request, res: express.Response) {
108 const user = res.locals.oauth.token.user
110 user.feedToken = buildUUID()
114 feedToken: user.feedToken
118 async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
119 if (grantType !== 'password') return undefined
121 if (req.body.externalAuthToken) {
122 // Consistency with the getBypassFromPasswordGrant promise
123 return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
126 return getBypassFromPasswordGrant(req.body.username, req.body.password)