X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Flib%2Foauth-model.ts;h=a2c53a2c9afb6fed41f543097a9b39a13fb0b288;hb=db4b15f21fbf4e33434e930ffc7fb768cdcf9d42;hp=dbcba897a39d9fb037232251c8c9c19d3fa8abcb;hpb=610d0be13b3d01f653ef269271dd667a57c85ef2;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/lib/oauth-model.ts b/server/lib/oauth-model.ts index dbcba897a..a2c53a2c9 100644 --- a/server/lib/oauth-model.ts +++ b/server/lib/oauth-model.ts @@ -1,19 +1,20 @@ import * as express from 'express' +import * as LRUCache from 'lru-cache' import { AccessDeniedError } from 'oauth2-server' +import { Transaction } from 'sequelize' +import { PluginManager } from '@server/lib/plugins/plugin-manager' +import { ActorModel } from '@server/models/activitypub/actor' +import { MOAuthTokenUser } from '@server/types/models/oauth/oauth-token' +import { MUser } from '@server/types/models/user/user' +import { UserAdminFlag } from '@shared/models/users/user-flag.model' +import { UserRole } from '@shared/models/users/user-role' import { logger } from '../helpers/logger' +import { CONFIG } from '../initializers/config' +import { LRU_CACHE } from '../initializers/constants' import { UserModel } from '../models/account/user' import { OAuthClientModel } from '../models/oauth/oauth-client' import { OAuthTokenModel } from '../models/oauth/oauth-token' -import { LRU_CACHE } from '../initializers/constants' -import { Transaction } from 'sequelize' -import { CONFIG } from '../initializers/config' -import * as LRUCache from 'lru-cache' -import { MOAuthTokenUser } from '@server/typings/models/oauth/oauth-token' -import { MUser } from '@server/typings/models/user/user' -import { UserAdminFlag } from '@shared/models/users/user-flag.model' import { createUserAccountAndChannelAndPlaylist } from './user' -import { UserRole } from '@shared/models/users/user-role' -import { PluginManager } from '@server/lib/plugins/plugin-manager' type TokenInfo = { accessToken: string, refreshToken: string, accessTokenExpiresAt: Date, refreshTokenExpiresAt: Date } @@ -109,12 +110,17 @@ async function getUser (usernameOrEmail?: string, password?: string) { let user = await UserModel.loadByEmail(obj.user.email) if (!user) user = await createUserFromExternal(obj.pluginName, obj.user) + // Cannot create a user + if (!user) throw new AccessDeniedError('Cannot create such user: an actor with that name already exists.') + // If the user does not belongs to a plugin, it was created before its installation // Then we just go through a regular login process if (user.pluginAuth !== null) { // This user does not belong to this plugin, skip it if (user.pluginAuth !== obj.pluginName) return null + checkUserValidityOrThrow(user) + return user } } @@ -123,12 +129,12 @@ async function getUser (usernameOrEmail?: string, password?: string) { const user = await UserModel.loadByUsernameOrEmail(usernameOrEmail) // If we don't find the user, or if the user belongs to a plugin - if (!user || user.pluginAuth !== null) return null + if (!user || user.pluginAuth !== null || !password) return null const passwordMatch = await user.isPasswordMatch(password) if (passwordMatch !== true) return null - if (user.blocked) throw new AccessDeniedError('User is blocked.') + checkUserValidityOrThrow(user) if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION && user.emailVerified === false) { throw new AccessDeniedError('User email is not verified.') @@ -137,13 +143,15 @@ async function getUser (usernameOrEmail?: string, password?: string) { return user } -async function revokeToken (tokenInfo: { refreshToken: string }) { +async function revokeToken (tokenInfo: { refreshToken: string }): Promise<{ success: boolean, redirectUrl?: string }> { const res: express.Response = this.request.res const token = await OAuthTokenModel.getByRefreshTokenAndPopulateUser(tokenInfo.refreshToken) if (token) { + let redirectUrl: string + if (res.locals.explicitLogout === true && token.User.pluginAuth && token.authName) { - PluginManager.Instance.onLogout(token.User.pluginAuth, token.authName, token.User) + redirectUrl = await PluginManager.Instance.onLogout(token.User.pluginAuth, token.authName, token.User, this.request) } clearCacheByToken(token.accessToken) @@ -151,10 +159,10 @@ async function revokeToken (tokenInfo: { refreshToken: string }) { token.destroy() .catch(err => logger.error('Cannot destroy token when revoking token.', { err })) - return true + return { success: true, redirectUrl } } - return false + return { success: false } } async function saveToken (token: TokenInfo, client: OAuthClientModel, user: UserModel) { @@ -184,7 +192,15 @@ async function saveToken (token: TokenInfo, client: OAuthClientModel, user: User user.lastLoginDate = new Date() await user.save() - return Object.assign(tokenCreated, { client, user }) + return { + accessToken: tokenCreated.accessToken, + accessTokenExpiresAt: tokenCreated.accessTokenExpiresAt, + refreshToken: tokenCreated.refreshToken, + refreshTokenExpiresAt: tokenCreated.refreshTokenExpiresAt, + client, + user, + refresh_token_expires_in: Math.floor((tokenCreated.refreshTokenExpiresAt.getTime() - new Date().getTime()) / 1000) + } } // --------------------------------------------------------------------------- @@ -208,6 +224,10 @@ async function createUserFromExternal (pluginAuth: string, options: { role: UserRole displayName: string }) { + // Check an actor does not already exists with that name (removed user) + const actor = await ActorModel.loadLocalByName(options.username) + if (actor) return null + const userToCreate = new UserModel({ username: options.username, password: null, @@ -228,3 +248,7 @@ async function createUserFromExternal (pluginAuth: string, options: { return user } + +function checkUserValidityOrThrow (user: MUser) { + if (user.blocked) throw new AccessDeniedError('User is blocked.') +}