Refactor auth flow

Reimplement some node-oauth2-server methods to remove hacky code needed by our external login workflow
author: Chocobozzz <me@florianbigard.com> 2021-03-12 15:20:46 +0100
committer: Chocobozzz <me@florianbigard.com> 2021-03-24 18:18:41 +0100
commit: f43db2f46ee50bacb402a6ef42d768694c2bc9a8 (patch)
tree: bce2574e94d48e8602387615a07ee691e98e23e4 /server/controllers/api/users/token.ts
parent: cae2df6bdc3c3590df32bf7431a617177be30429 (diff)
download: PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.gz
PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.zst
PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.zip
1 files changed, 64 insertions, 8 deletions
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 821429358..3eae28b34 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,11 +1,14 @@
-import { handleLogin, handleTokenRevocation } from '@server/lib/auth'
+import * as express from 'express'
 import * as RateLimit from 'express-rate-limit'
+import { v4 as uuidv4 } from 'uuid'
+import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
-import * as express from 'express'
+import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
+import { handleOAuthToken } from '@server/lib/auth/oauth'
+import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { asyncMiddleware, authenticate } from '@server/middlewares'
 import { ScopedToken } from '@shared/models/users/user-scoped-token'
-import { v4 as uuidv4 } from 'uuid'
 const tokensRouter = express.Router()
@@ -16,8 +19,7 @@ const loginRateLimiter = RateLimit({
 tokensRouter.post('/token',
  loginRateLimiter,
-  handleLogin,
+  asyncMiddleware(handleToken)
-  tokenSuccess
 )
 tokensRouter.post('/revoke-token',
@@ -42,10 +44,53 @@ export {
 }
 // ---------------------------------------------------------------------------
-function tokenSuccess (req: express.Request) {
+async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
-  const username = req.body.username
+  const grantType = req.body.grant_type
+  try {
+    const bypassLogin = await buildByPassLogin(req, grantType)
+    const refreshTokenAuthName = grantType === 'refresh_token'
+      ? await getAuthNameFromRefreshGrant(req.body.refresh_token)
+      : undefined
+    const options = {
+      refreshTokenAuthName,
+      bypassLogin
+    }
+    const token = await handleOAuthToken(req, options)
+    res.set('Cache-Control', 'no-store')
+    res.set('Pragma', 'no-cache')
+    Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })
+    return res.json({
+      token_type: 'Bearer',
-  Hooks.runAction('action:api.user.oauth2-got-token', { username, ip: req.ip })
+      access_token: token.accessToken,
+      refresh_token: token.refreshToken,
+      expires_in: token.accessTokenExpiresIn,
+      refresh_token_expires_in: token.refreshTokenExpiresIn
+    })
+  } catch (err) {
+    logger.warn('Login error', { err })
+    return res.status(err.code || 400).json({
+      code: err.name,
+      error: err.message
+    })
+  }
+}
+async function handleTokenRevocation (req: express.Request, res: express.Response) {
+  const token = res.locals.oauth.token
+  const result = await revokeToken(token, true)
+  return res.json(result)
 }
 function getScopedTokens (req: express.Request, res: express.Response) {
@@ -66,3 +111,14 @@ async function renewScopedTokens (req: express.Request, res: express.Response) {
    feedToken: user.feedToken
  } as ScopedToken)
 }
+async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
+  if (grantType !== 'password') return undefined
+  if (req.body.externalAuthToken) {
+    // Consistency with the getBypassFromPasswordGrant promise
+    return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
+  }
+  return getBypassFromPasswordGrant(req.body.username, req.body.password)
+}
author	Chocobozzz <me@florianbigard.com>	2021-03-12 15:20:46 +0100
committer	Chocobozzz <me@florianbigard.com>	2021-03-24 18:18:41 +0100
commit	f43db2f46ee50bacb402a6ef42d768694c2bc9a8 (patch)
tree	bce2574e94d48e8602387615a07ee691e98e23e4 /server/controllers/api/users/token.ts
parent	cae2df6bdc3c3590df32bf7431a617177be30429 (diff)
download	PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.gz PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.zst PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.zip

diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 821429358..3eae28b34 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts
@@ -1,11 +1,14 @@
1	import { handleLogin, handleTokenRevocation } from '@server/lib/auth'	1	import * as express from 'express'
2	import * as RateLimit from 'express-rate-limit'	2	import * as RateLimit from 'express-rate-limit'
		3	import { v4 as uuidv4 } from 'uuid'
		4	import { logger } from '@server/helpers/logger'
3	import { CONFIG } from '@server/initializers/config'	5	import { CONFIG } from '@server/initializers/config'
4	import * as express from 'express'	6	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
		7	import { handleOAuthToken } from '@server/lib/auth/oauth'
		8	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
5	import { Hooks } from '@server/lib/plugins/hooks'	9	import { Hooks } from '@server/lib/plugins/hooks'
6	import { asyncMiddleware, authenticate } from '@server/middlewares'	10	import { asyncMiddleware, authenticate } from '@server/middlewares'
7	import { ScopedToken } from '@shared/models/users/user-scoped-token'	11	import { ScopedToken } from '@shared/models/users/user-scoped-token'
8	import { v4 as uuidv4 } from 'uuid'
9		12
10	const tokensRouter = express.Router()	13	const tokensRouter = express.Router()
11		14
@@ -16,8 +19,7 @@ const loginRateLimiter = RateLimit({
16		19
17	tokensRouter.post('/token',	20	tokensRouter.post('/token',
18	loginRateLimiter,	21	loginRateLimiter,
19	handleLogin,	22	asyncMiddleware(handleToken)
20	tokenSuccess
21	)	23	)
22		24
23	tokensRouter.post('/revoke-token',	25	tokensRouter.post('/revoke-token',
@@ -42,10 +44,53 @@ export {
42	}	44	}
43	// ---------------------------------------------------------------------------	45	// ---------------------------------------------------------------------------
44		46
45	function tokenSuccess (req: express.Request) {	47	async function handleToken (req: express.Request, res: express.Response, next: express.NextFunction) {
46	const username = req.body.username	48	const grantType = req.body.grant_type
		49
		50	try {
		51	const bypassLogin = await buildByPassLogin(req, grantType)
		52
		53	const refreshTokenAuthName = grantType === 'refresh_token'
		54	? await getAuthNameFromRefreshGrant(req.body.refresh_token)
		55	: undefined
		56
		57	const options = {
		58	refreshTokenAuthName,
		59	bypassLogin
		60	}
		61
		62	const token = await handleOAuthToken(req, options)
		63
		64	res.set('Cache-Control', 'no-store')
		65	res.set('Pragma', 'no-cache')
		66
		67	Hooks.runAction('action:api.user.oauth2-got-token', { username: token.user.username, ip: req.ip })
		68
		69	return res.json({
		70	token_type: 'Bearer',
47		71
48	Hooks.runAction('action:api.user.oauth2-got-token', { username, ip: req.ip })	72	access_token: token.accessToken,
		73	refresh_token: token.refreshToken,
		74
		75	expires_in: token.accessTokenExpiresIn,
		76	refresh_token_expires_in: token.refreshTokenExpiresIn
		77	})
		78	} catch (err) {
		79	logger.warn('Login error', { err })
		80
		81	return res.status(err.code \|\| 400).json({
		82	code: err.name,
		83	error: err.message
		84	})
		85	}
		86	}
		87
		88	async function handleTokenRevocation (req: express.Request, res: express.Response) {
		89	const token = res.locals.oauth.token
		90
		91	const result = await revokeToken(token, true)
		92
		93	return res.json(result)
49	}	94	}
50		95
51	function getScopedTokens (req: express.Request, res: express.Response) {	96	function getScopedTokens (req: express.Request, res: express.Response) {
@@ -66,3 +111,14 @@ async function renewScopedTokens (req: express.Request, res: express.Response) {
66	feedToken: user.feedToken	111	feedToken: user.feedToken
67	} as ScopedToken)	112	} as ScopedToken)
68	}	113	}
		114
		115	async function buildByPassLogin (req: express.Request, grantType: string): Promise<BypassLogin> {
		116	if (grantType !== 'password') return undefined
		117
		118	if (req.body.externalAuthToken) {
		119	// Consistency with the getBypassFromPasswordGrant promise
		120	return getBypassFromExternalAuth(req.body.username, req.body.externalAuthToken)
		121	}
		122
		123	return getBypassFromPasswordGrant(req.body.username, req.body.password)
		124	}