+// Token is the key, expiration date is the value
+const authBypassTokens = new Map<string, {
+ expires: Date
+ user: {
+ username: string
+ email: string
+ displayName: string
+ role: UserRole
+ }
+ authName: string
+ npmName: string
+}>()
+
+async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
+ const grantType = req.body.grant_type
+
+ if (grantType === 'password') {
+ if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
+ else await proxifyPasswordGrant(req, res)
+ } else if (grantType === 'refresh_token') {
+ await proxifyRefreshGrant(req, res)
+ }
+
+ return forwardTokenReq(req, res, next)
+}
+
+async function handleTokenRevocation (req: express.Request, res: express.Response) {
+ const token = res.locals.oauth.token
+
+ res.locals.explicitLogout = true
+ const result = await revokeToken(token)
+
+ // FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
+ // oAuthServer.revoke(req, res, err => {
+ // if (err) {
+ // logger.warn('Error in revoke token handler.', { err })
+ //
+ // return res.status(err.status)
+ // .json({
+ // error: err.message,
+ // code: err.name
+ // })
+ // .end()
+ // }
+ // })
+
+ return res.json(result)
+}
+
+async function onExternalUserAuthenticated (options: {
+ npmName: string
+ authName: string
+ authResult: RegisterServerExternalAuthenticatedResult
+}) {
+ const { npmName, authName, authResult } = options
+
+ if (!authResult.req || !authResult.res) {
+ logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
+ return
+ }
+
+ const { res } = authResult
+
+ if (!isAuthResultValid(npmName, authName, authResult)) {
+ res.redirect('/login?externalAuthError=true')
+ return
+ }
+
+ logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
+
+ const bypassToken = await generateRandomString(32)
+
+ const expires = new Date()
+ expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
+
+ const user = buildUserResult(authResult)
+ authBypassTokens.set(bypassToken, {
+ expires,
+ user,
+ npmName,
+ authName
+ })
+
+ // Cleanup
+ const now = new Date()
+ for (const [ key, value ] of authBypassTokens) {
+ if (value.expires.getTime() < now.getTime()) {
+ authBypassTokens.delete(key)
+ }
+ }
+
+ res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
+}
+
+// ---------------------------------------------------------------------------
+
+export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
+
+// ---------------------------------------------------------------------------
+
+function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
+ return oAuthServer.token()(req, res, err => {
+ if (err) {
+ logger.warn('Login error.', { err })
+
+ return res.status(err.status)
+ .json({
+ error: err.message,
+ code: err.name
+ })
+ }