1 import * as Bluebird from 'bluebird'
2 import * as express from 'express'
3 import { AccessDeniedError } from 'oauth2-server'
4 import { logger } from '../helpers/logger'
5 import { UserModel } from '../models/account/user'
6 import { OAuthClientModel } from '../models/oauth/oauth-client'
7 import { OAuthTokenModel } from '../models/oauth/oauth-token'
8 import { LRU_CACHE } from '../initializers/constants'
9 import { Transaction } from 'sequelize'
10 import { CONFIG } from '../initializers/config'
11 import * as LRUCache from 'lru-cache'
12 import { MOAuthTokenUser } from '@server/typings/models/oauth/oauth-token'
13 import { MUser } from '@server/typings/models/user/user'
14 import { UserAdminFlag } from '@shared/models/users/user-flag.model'
15 import { createUserAccountAndChannelAndPlaylist } from './user'
16 import { UserRole } from '@shared/models/users/user-role'
18 type TokenInfo = { accessToken: string, refreshToken: string, accessTokenExpiresAt: Date, refreshTokenExpiresAt: Date }
20 const accessTokenCache = new LRUCache<string, MOAuthTokenUser>({ max: LRU_CACHE.USER_TOKENS.MAX_SIZE })
21 const userHavingToken = new LRUCache<number, string>({ max: LRU_CACHE.USER_TOKENS.MAX_SIZE })
23 // ---------------------------------------------------------------------------
25 function deleteUserToken (userId: number, t?: Transaction) {
26 clearCacheByUserId(userId)
28 return OAuthTokenModel.deleteUserToken(userId, t)
31 function clearCacheByUserId (userId: number) {
32 const token = userHavingToken.get(userId)
34 if (token !== undefined) {
35 accessTokenCache.del(token)
36 userHavingToken.del(userId)
40 function clearCacheByToken (token: string) {
41 const tokenModel = accessTokenCache.get(token)
43 if (tokenModel !== undefined) {
44 userHavingToken.del(tokenModel.userId)
45 accessTokenCache.del(token)
49 function getAccessToken (bearerToken: string) {
50 logger.debug('Getting access token (bearerToken: ' + bearerToken + ').')
52 if (!bearerToken) return Bluebird.resolve(undefined)
54 if (accessTokenCache.has(bearerToken)) return Bluebird.resolve(accessTokenCache.get(bearerToken))
56 return OAuthTokenModel.getByTokenAndPopulateUser(bearerToken)
59 accessTokenCache.set(bearerToken, tokenModel)
60 userHavingToken.set(tokenModel.userId, tokenModel.accessToken)
67 function getClient (clientId: string, clientSecret: string) {
68 logger.debug('Getting Client (clientId: ' + clientId + ', clientSecret: ' + clientSecret + ').')
70 return OAuthClientModel.getByIdAndSecret(clientId, clientSecret)
73 function getRefreshToken (refreshToken: string) {
74 logger.debug('Getting RefreshToken (refreshToken: ' + refreshToken + ').')
76 return OAuthTokenModel.getByRefreshTokenAndPopulateClient(refreshToken)
79 async function getUser (usernameOrEmail: string, password: string) {
80 const res: express.Response = this.request.res
81 if (res.locals.bypassLogin && res.locals.bypassLogin.bypass === true) {
82 const obj = res.locals.bypassLogin
83 logger.info('Bypassing oauth login by plugin %s.', obj.pluginName)
85 let user = await UserModel.loadByEmail(obj.user.username)
86 if (!user) user = await createUserFromExternal(obj.pluginName, obj.user)
88 // This user does not belong to this plugin, skip it
89 if (user.pluginAuth !== obj.pluginName) return null
94 logger.debug('Getting User (username/email: ' + usernameOrEmail + ', password: ******).')
96 const user = await UserModel.loadByUsernameOrEmail(usernameOrEmail)
97 if (!user) return null
99 const passwordMatch = await user.isPasswordMatch(password)
100 if (passwordMatch === false) return null
102 if (user.blocked) throw new AccessDeniedError('User is blocked.')
104 if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION && user.emailVerified === false) {
105 throw new AccessDeniedError('User email is not verified.')
111 async function revokeToken (tokenInfo: TokenInfo) {
112 const token = await OAuthTokenModel.getByRefreshTokenAndPopulateUser(tokenInfo.refreshToken)
114 clearCacheByToken(token.accessToken)
117 .catch(err => logger.error('Cannot destroy token when revoking token.', { err }))
125 async function saveToken (token: TokenInfo, client: OAuthClientModel, user: UserModel) {
126 logger.debug('Saving token ' + token.accessToken + ' for client ' + client.id + ' and user ' + user.id + '.')
128 const tokenToCreate = {
129 accessToken: token.accessToken,
130 accessTokenExpiresAt: token.accessTokenExpiresAt,
131 refreshToken: token.refreshToken,
132 refreshTokenExpiresAt: token.refreshTokenExpiresAt,
133 oAuthClientId: client.id,
137 const tokenCreated = await OAuthTokenModel.create(tokenToCreate)
138 return Object.assign(tokenCreated, { client, user })
141 // ---------------------------------------------------------------------------
143 // See https://github.com/oauthjs/node-oauth2-server/wiki/Model-specification for the model specifications
156 async function createUserFromExternal (pluginAuth: string, options: {
162 const userToCreate = new UserModel({
163 username: options.username,
165 email: options.email,
166 nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
169 videoQuota: CONFIG.USER.VIDEO_QUOTA,
170 videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
171 adminFlags: UserAdminFlag.NONE,
175 const { user } = await createUserAccountAndChannelAndPlaylist({
177 userDisplayName: options.displayName