X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Flib%2Fauth.ts;h=466c9bdd4b86461bce57f6d47d705ebe59a5cd33;hb=75dd1b641f987e1e09dbaa3329e08c6e98a858f3;hp=1fa896f6ef6ec9324f3b497c1ea1f82ed7cb3f77;hpb=dadc90bca257f2d785713a37949c3a1bf6a5243d;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/lib/auth.ts b/server/lib/auth.ts
index 1fa896f6e..466c9bdd4 100644
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@@ -10,9 +10,10 @@ import {
   RegisterServerAuthenticatedResult,
   RegisterServerAuthPassOptions,
   RegisterServerExternalAuthenticatedResult
-} from '@shared/models/plugins/register-server-auth.model'
+} from '@server/types/plugins/register-server-auth.model'
 import * as express from 'express'
 import * as OAuthServer from 'express-oauth-server'
+import { HttpStatusCode } from '@shared/core-utils/miscs/http-error-codes'
 
 const oAuthServer = new OAuthServer({
   useErrorHandler: true,
@@ -52,7 +53,7 @@ async function handleTokenRevocation (req: express.Request, res: express.Respons
   const token = res.locals.oauth.token
 
   res.locals.explicitLogout = true
-  await revokeToken(token)
+  const result = await revokeToken(token)
 
   // FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
   // oAuthServer.revoke(req, res, err => {
@@ -68,7 +69,7 @@ async function handleTokenRevocation (req: express.Request, res: express.Respons
   //   }
   // })
 
-  return res.json()
+  return res.json(result)
 }
 
 async function onExternalUserAuthenticated (options: {
@@ -83,10 +84,13 @@ async function onExternalUserAuthenticated (options: {
     return
   }
 
-  if (!isAuthResultValid(npmName, authName, authResult)) return
-
   const { res } = authResult
 
+  if (!isAuthResultValid(npmName, authName, authResult)) {
+    res.redirect('/login?externalAuthError=true')
+    return
+  }
+
   logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
 
   const bypassToken = await generateRandomString(32)
@@ -102,6 +106,14 @@ async function onExternalUserAuthenticated (options: {
     authName
   })
 
+  // Cleanup
+  const now = new Date()
+  for (const [ key, value ] of authBypassTokens) {
+    if (value.expires.getTime() < now.getTime()) {
+      authBypassTokens.delete(key)
+    }
+  }
+
   res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
 }
 
@@ -204,7 +216,7 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
   const obj = authBypassTokens.get(req.body.externalAuthToken)
   if (!obj) {
     logger.error('Cannot authenticate user with unknown bypass token')
-    return res.sendStatus(400)
+    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
   }
 
   const { expires, user, authName, npmName } = obj
@@ -212,12 +224,12 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
   const now = new Date()
   if (now.getTime() > expires.getTime()) {
     logger.error('Cannot authenticate user with an expired external auth token')
-    return res.sendStatus(400)
+    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
   }
 
   if (user.username !== req.body.username) {
     logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
-    return res.sendStatus(400)
+    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
   }
 
   // Bypass oauth library validation
@@ -238,24 +250,27 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
 
 function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
   if (!isUserUsernameValid(result.username)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
     return false
   }
 
   if (!result.email) {
-    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
     return false
   }
 
   // role is optional
   if (result.role && !isUserRoleValid(result.role)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { result })
+    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
     return false
   }
 
   // display name is optional
   if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { result })
+    logger.error(
+      'Auth method %s of plugin %s did not provide a valid display name.',
+      authName, npmName, { displayName: result.displayName }
+    )
     return false
   }