+
+function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
+ const obj = authBypassTokens.get(req.body.externalAuthToken)
+ if (!obj) {
+ logger.error('Cannot authenticate user with unknown bypass token')
+ return res.sendStatus(400)
+ }
+
+ const { expires, user, authName, npmName } = obj
+
+ const now = new Date()
+ if (now.getTime() > expires.getTime()) {
+ logger.error('Cannot authenticate user with an expired external auth token')
+ return res.sendStatus(400)
+ }
+
+ if (user.username !== req.body.username) {
+ logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
+ return res.sendStatus(400)
+ }
+
+ // Bypass oauth library validation
+ req.body.password = 'fake'
+
+ logger.info(
+ 'Auth success with external auth method %s of plugin %s for %s.',
+ authName, npmName, user.email
+ )
+
+ res.locals.bypassLogin = {
+ bypass: true,
+ pluginName: npmName,
+ authName: authName,
+ user
+ }
+}
+
+function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
+ if (!isUserUsernameValid(result.username)) {
+ logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
+ return false
+ }
+
+ if (!result.email) {
+ logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
+ return false
+ }
+
+ // role is optional
+ if (result.role && !isUserRoleValid(result.role)) {
+ logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
+ return false
+ }
+
+ // display name is optional
+ if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
+ logger.error(
+ 'Auth method %s of plugin %s did not provide a valid display name.',
+ authName, npmName, { displayName: result.displayName }
+ )
+ return false
+ }
+
+ return true
+}
+
+function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
+ return {
+ username: pluginResult.username,
+ email: pluginResult.email,
+ role: pluginResult.role ?? UserRole.USER,
+ displayName: pluginResult.displayName || pluginResult.username
+ }
+}