X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Flib%2Fauth.ts;h=3f8e186334bef7d6b01eb79b6a015ab6cad7bfe7;hb=d573926e9b94fb19c8f51c53f71fc853182e1761;hp=eaae5fdf3d36d00564cd6af06badcc902f16e945;hpb=4a8d113b9b57d97ff13ad1608798eabca99643e4;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/lib/auth.ts b/server/lib/auth.ts
index eaae5fdf3..3f8e18633 100644
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@@ -1,7 +1,7 @@
 import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
 import { logger } from '@server/helpers/logger'
 import { generateRandomString } from '@server/helpers/utils'
-import { OAUTH_LIFETIME, WEBSERVER } from '@server/initializers/constants'
+import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
 import { revokeToken } from '@server/lib/oauth-model'
 import { PluginManager } from '@server/lib/plugins/plugin-manager'
 import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
@@ -10,7 +10,7 @@ import {
   RegisterServerAuthenticatedResult,
   RegisterServerAuthPassOptions,
   RegisterServerExternalAuthenticatedResult
-} from '@shared/models/plugins/register-server-auth.model'
+} from '@server/types/plugins/register-server-auth.model'
 import * as express from 'express'
 import * as OAuthServer from 'express-oauth-server'
 
@@ -35,7 +35,7 @@ const authBypassTokens = new Map<string, {
   npmName: string
 }>()
 
-async function handleIdAndPassLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
   const grantType = req.body.grant_type
 
   if (grantType === 'password') {
@@ -68,7 +68,7 @@ async function handleTokenRevocation (req: express.Request, res: express.Respons
   //   }
   // })
 
-  return res.sendStatus(200)
+  return res.json()
 }
 
 async function onExternalUserAuthenticated (options: {
@@ -83,17 +83,19 @@ async function onExternalUserAuthenticated (options: {
     return
   }
 
-  if (!isAuthResultValid(npmName, authName, authResult)) return
-
   const { res } = authResult
 
+  if (!isAuthResultValid(npmName, authName, authResult)) {
+    res.redirect('/login?externalAuthError=true')
+    return
+  }
+
   logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
 
   const bypassToken = await generateRandomString(32)
-  const tokenLifetime = 1000 * 60 * 5 // 5 minutes
 
   const expires = new Date()
-  expires.setTime(expires.getTime() + tokenLifetime)
+  expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
 
   const user = buildUserResult(authResult)
   authBypassTokens.set(bypassToken, {
@@ -103,12 +105,20 @@ async function onExternalUserAuthenticated (options: {
     authName
   })
 
+  // Cleanup
+  const now = new Date()
+  for (const [ key, value ] of authBypassTokens) {
+    if (value.expires.getTime() < now.getTime()) {
+      authBypassTokens.delete(key)
+    }
+  }
+
   res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
 }
 
 // ---------------------------------------------------------------------------
 
-export { oAuthServer, handleIdAndPassLogin, onExternalUserAuthenticated, handleTokenRevocation }
+export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
 
 // ---------------------------------------------------------------------------
 
@@ -212,7 +222,7 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
 
   const now = new Date()
   if (now.getTime() > expires.getTime()) {
-    logger.error('Cannot authenticate user with an expired bypass token')
+    logger.error('Cannot authenticate user with an expired external auth token')
     return res.sendStatus(400)
   }
 
@@ -239,24 +249,27 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
 
 function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
   if (!isUserUsernameValid(result.username)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
     return false
   }
 
   if (!result.email) {
-    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
     return false
   }
 
   // role is optional
   if (result.role && !isUserRoleValid(result.role)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
     return false
   }
 
   // display name is optional
   if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { result })
+    logger.error(
+      'Auth method %s of plugin %s did not provide a valid display name.',
+      authName, npmName, { displayName: result.displayName }
+    )
     return false
   }
 
@@ -267,7 +280,7 @@ function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
   return {
     username: pluginResult.username,
     email: pluginResult.email,
-    role: pluginResult.role || UserRole.USER,
+    role: pluginResult.role ?? UserRole.USER,
     displayName: pluginResult.displayName || pluginResult.username
   }
 }