X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fcontrollers%2Fapi%2Fusers%2Ftoken.ts;h=c6afea67c20058103c58ee375d027b0cd00a9bfd;hb=e364e31e25bd1d4b8d801c845a96d6be708f0a18;hp=41aa2676916bf0c0656d717b6fd123ce9836d8e4;hpb=9107d791e2eef9a1b24b0499dac8b9dbba8a792f;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 41aa26769..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,28 +1,44 @@
-import { handleLogin, handleTokenRevocation } from '@server/lib/auth'
-import * as RateLimit from 'express-rate-limit'
+import express from 'express'
+import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
-import * as express from 'express'
+import { OTP } from '@server/initializers/constants'
+import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
+import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
+import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
-import { asyncMiddleware, authenticate } from '@server/middlewares'
+import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
+import { buildUUID } from '@shared/extra-utils'
+import { ScopedToken } from '@shared/models/users/user-scoped-token'
 
 const tokensRouter = express.Router()
 
-const loginRateLimiter = RateLimit({
+const loginRateLimiter = buildRateLimiter({
   windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
   max: CONFIG.RATES_LIMIT.LOGIN.MAX
 })
 
 tokensRouter.post('/token',
   loginRateLimiter,
-  handleLogin,
-  tokenSuccess
+  openapiOperationDoc({ operationId: 'getOAuthToken' }),
+  asyncMiddleware(handleToken)
 )
 
 tokensRouter.post('/revoke-token',
+  openapiOperationDoc({ operationId: 'revokeOAuthToken' }),
   authenticate,
   asyncMiddleware(handleTokenRevocation)
 )
 
+tokensRouter.get('/scoped-tokens',
+  authenticate,
+  getScopedTokens
+)
+
+tokensRouter.post('/scoped-tokens',
+  authenticate,
+  asyncMiddleware(renewScopedTokens)
+)
+
 // ---------------------------------------------------------------------------
 
 export {
@@ -30,8 +46,86 @@ export {
 }
 // ---------------------------------------------------------------------------
 
-function tokenSuccess (req: express.Request) {
-  const username = req.body.username
+async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
+  const grantType = req.body.grant_type
+
+  try {
+    const bypassLogin = await buildByPassLogin(req, grantType)
+
+    const refreshTokenAuthName = grantType === 'refresh_token'
+      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
+      : undefined
+
+    const options = {
+      refreshTokenAuthName,
+      bypassLogin
+    }
+
+    const token = await handleOAuthToken(req, options)
+
+    res.set('Cache-Control', 'no-store')
+    res.set('Pragma', 'no-cache')
+
+    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip, req, res })
+
+    return res.json({
+      token_type: 'Bearer',
+
+      access_token: token.accessToken,
+      refresh_token: token.refreshToken,
+
+      expires_in: token.accessTokenExpiresIn,
+      refresh_token_expires_in: token.refreshTokenExpiresIn
+    })
+  } catch (err) {
+    logger.warn('Login error', { err })
+
+    if (err instanceof MissingTwoFactorError) {
+      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
+    }
+
+    return res.fail({
+      status: err.code,
+      message: err.message,
+      type: err.name
+    })
+  }
+}
+
+async function handleTokenRevocation (req: express.Request, res: express.Response) {
+  const token = res.locals.oauth.token
+
+  const result = await revokeToken(token, { req, explicitLogout: true })
+
+  return res.json(result)
+}
+
+function getScopedTokens (req: express.Request, res: express.Response) {
+  const user = res.locals.oauth.token.user
+
+  return res.json({
+    feedToken: user.feedToken
+  } as ScopedToken)
+}
+
+async function renewScopedTokens (req: express.Request, res: express.Response) {
+  const user = res.locals.oauth.token.user
+
+  user.feedToken = buildUUID()
+  await user.save()
+
+  return res.json({
+    feedToken: user.feedToken
+  } as ScopedToken)
+}
+
+async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
+  if (grantType !== 'password') return undefined
+
+  if (req.body.externalAuthToken) {
+    // Consistency with the getBypassFromPasswordGrant promise
+    return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
+  }
 
-  Hooks.runAction('action:api.user.oauth2-got-token', { username, ip: req.ip })
+  return getBypassFromPasswordGrant(req.body.username, req.body.password)
 }