Refactor auth flow

Reimplement some node-oauth2-server methods to remove hacky code needed by our external login workflow
author: Chocobozzz <me@florianbigard.com> 2021-03-12 15:20:46 +0100
committer: Chocobozzz <me@florianbigard.com> 2021-03-24 18:18:41 +0100
commit: f43db2f46ee50bacb402a6ef42d768694c2bc9a8 (patch)
tree: bce2574e94d48e8602387615a07ee691e98e23e4 /server/lib/auth.ts
parent: cae2df6bdc3c3590df32bf7431a617177be30429 (diff)
download: PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.gz
PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.zst
PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.zip
1 files changed, 0 insertions, 288 deletions
diff --git a/server/lib/auth.ts b/server/lib/auth.ts
deleted file mode 100644
index dbd421a7b..000000000
--- a/server/lib/auth.ts
+++ /dev/null
@@ -1,288 +0,0 @@
-import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
-import { logger } from '@server/helpers/logger'
-import { generateRandomString } from '@server/helpers/utils'
-import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
-import { revokeToken } from '@server/lib/oauth-model'
-import { PluginManager } from '@server/lib/plugins/plugin-manager'
-import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
-import { UserRole } from '@shared/models'
-import {
-  RegisterServerAuthenticatedResult,
-  RegisterServerAuthPassOptions,
-  RegisterServerExternalAuthenticatedResult
-} from '@server/types/plugins/register-server-auth.model'
-import * as express from 'express'
-import * as OAuthServer from 'express-oauth-server'
-import { HttpStatusCode } from '@shared/core-utils/miscs/http-error-codes'
-const oAuthServer = new OAuthServer({
-  useErrorHandler: true,
-  accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
-  refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
-  allowExtendedTokenAttributes: true,
-  continueMiddleware: true,
-  model: require('./oauth-model')
-})
-// Token is the key, expiration date is the value
-const authBypassTokens = new Map<string, {
-  expires: Date
-  user: {
-    username: string
-    email: string
-    displayName: string
-    role: UserRole
-  }
-  authName: string
-  npmName: string
-}>()
-async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
-  const grantType = req.body.grant_type
-  if (grantType === 'password') {
-    if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
-    else await proxifyPasswordGrant(req, res)
-  } else if (grantType === 'refresh_token') {
-    await proxifyRefreshGrant(req, res)
-  }
-  return forwardTokenReq(req, res, next)
-}
-async function handleTokenRevocation (req: express.Request, res: express.Response) {
-  const token = res.locals.oauth.token
-  res.locals.explicitLogout = true
-  const result = await revokeToken(token)
-  // FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
-  // oAuthServer.revoke(req, res, err => {
-  //   if (err) {
-  //     logger.warn('Error in revoke token handler.', { err })
-  //
-  //     return res.status(err.status)
-  //               .json({
-  //                 error: err.message,
-  //                 code: err.name
-  //               })
-  //               .end()
-  //   }
-  // })
-  return res.json(result)
-}
-async function onExternalUserAuthenticated (options: {
-  npmName: string
-  authName: string
-  authResult: RegisterServerExternalAuthenticatedResult
-}) {
-  const { npmName, authName, authResult } = options
-  if (!authResult.req || !authResult.res) {
-    logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
-    return
-  }
-  const { res } = authResult
-  if (!isAuthResultValid(npmName, authName, authResult)) {
-    res.redirect('/login?externalAuthError=true')
-    return
-  }
-  logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
-  const bypassToken = await generateRandomString(32)
-  const expires = new Date()
-  expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
-  const user = buildUserResult(authResult)
-  authBypassTokens.set(bypassToken, {
-    expires,
-    user,
-    npmName,
-    authName
-  })
-  // Cleanup
-  const now = new Date()
-  for (const [ key, value ] of authBypassTokens) {
-    if (value.expires.getTime() < now.getTime()) {
-      authBypassTokens.delete(key)
-    }
-  }
-  res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
-}
-// ---------------------------------------------------------------------------
-export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
-// ---------------------------------------------------------------------------
-function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
-  return oAuthServer.token()(req, res, err => {
-    if (err) {
-      logger.warn('Login error.', { err })
-      return res.status(err.status)
-        .json({
-          error: err.message,
-          code: err.name
-        })
-    }
-    if (next) return next()
-  })
-}
-async function proxifyRefreshGrant (req: express.Request, res: express.Response) {
-  const refreshToken = req.body.refresh_token
-  if (!refreshToken) return
-  const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
-  if (tokenModel?.authName) res.locals.refreshTokenAuthName = tokenModel.authName
-}
-async function proxifyPasswordGrant (req: express.Request, res: express.Response) {
-  const plugins = PluginManager.Instance.getIdAndPassAuths()
-  const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
-  for (const plugin of plugins) {
-    const auths = plugin.idAndPassAuths
-    for (const auth of auths) {
-      pluginAuths.push({
-        npmName: plugin.npmName,
-        registerAuthOptions: auth
-      })
-    }
-  }
-  pluginAuths.sort((a, b) => {
-    const aWeight = a.registerAuthOptions.getWeight()
-    const bWeight = b.registerAuthOptions.getWeight()
-    // DESC weight order
-    if (aWeight === bWeight) return 0
-    if (aWeight < bWeight) return 1
-    return -1
-  })
-  const loginOptions = {
-    id: req.body.username,
-    password: req.body.password
-  }
-  for (const pluginAuth of pluginAuths) {
-    const authOptions = pluginAuth.registerAuthOptions
-    const authName = authOptions.authName
-    const npmName = pluginAuth.npmName
-    logger.debug(
-      'Using auth method %s of plugin %s to login %s with weight %d.',
-      authName, npmName, loginOptions.id, authOptions.getWeight()
-    )
-    try {
-      const loginResult = await authOptions.login(loginOptions)
-      if (!loginResult) continue
-      if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
-      logger.info(
-        'Login success with auth method %s of plugin %s for %s.',
-        authName, npmName, loginOptions.id
-      )
-      res.locals.bypassLogin = {
-        bypass: true,
-        pluginName: pluginAuth.npmName,
-        authName: authOptions.authName,
-        user: buildUserResult(loginResult)
-      }
-      return
-    } catch (err) {
-      logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
-    }
-  }
-}
-function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
-  const obj = authBypassTokens.get(req.body.externalAuthToken)
-  if (!obj) {
-    logger.error('Cannot authenticate user with unknown bypass token')
-    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
-  }
-  const { expires, user, authName, npmName } = obj
-  const now = new Date()
-  if (now.getTime() > expires.getTime()) {
-    logger.error('Cannot authenticate user with an expired external auth token')
-    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
-  }
-  if (user.username !== req.body.username) {
-    logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
-    return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
-  }
-  // Bypass oauth library validation
-  req.body.password = 'fake'
-  logger.info(
-    'Auth success with external auth method %s of plugin %s for %s.',
-    authName, npmName, user.email
-  )
-  res.locals.bypassLogin = {
-    bypass: true,
-    pluginName: npmName,
-    authName: authName,
-    user
-  }
-}
-function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
-  if (!isUserUsernameValid(result.username)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
-    return false
-  }
-  if (!result.email) {
-    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
-    return false
-  }
-  // role is optional
-  if (result.role && !isUserRoleValid(result.role)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
-    return false
-  }
-  // display name is optional
-  if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
-    logger.error(
-      'Auth method %s of plugin %s did not provide a valid display name.',
-      authName, npmName, { displayName: result.displayName }
-    )
-    return false
-  }
-  return true
-}
-function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
-  return {
-    username: pluginResult.username,
-    email: pluginResult.email,
-    role: pluginResult.role ?? UserRole.USER,
-    displayName: pluginResult.displayName || pluginResult.username
-  }
-}
author	Chocobozzz <me@florianbigard.com>	2021-03-12 15:20:46 +0100
committer	Chocobozzz <me@florianbigard.com>	2021-03-24 18:18:41 +0100
commit	f43db2f46ee50bacb402a6ef42d768694c2bc9a8 (patch)
tree	bce2574e94d48e8602387615a07ee691e98e23e4 /server/lib/auth.ts
parent	cae2df6bdc3c3590df32bf7431a617177be30429 (diff)
download	PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.gz PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.tar.zst PeerTube-f43db2f46ee50bacb402a6ef42d768694c2bc9a8.zip

diff --git a/server/lib/auth.ts b/server/lib/auth.ts deleted file mode 100644 index dbd421a7b..000000000 --- a/server/lib/auth.ts +++ /dev/null
@@ -1,288 +0,0 @@
1	import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
2	import { logger } from '@server/helpers/logger'
3	import { generateRandomString } from '@server/helpers/utils'
4	import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
5	import { revokeToken } from '@server/lib/oauth-model'
6	import { PluginManager } from '@server/lib/plugins/plugin-manager'
7	import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
8	import { UserRole } from '@shared/models'
9	import {
10	RegisterServerAuthenticatedResult,
11	RegisterServerAuthPassOptions,
12	RegisterServerExternalAuthenticatedResult
13	} from '@server/types/plugins/register-server-auth.model'
14	import * as express from 'express'
15	import * as OAuthServer from 'express-oauth-server'
16	import { HttpStatusCode } from '@shared/core-utils/miscs/http-error-codes'
17
18	const oAuthServer = new OAuthServer({
19	useErrorHandler: true,
20	accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
21	refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
22	allowExtendedTokenAttributes: true,
23	continueMiddleware: true,
24	model: require('./oauth-model')
25	})
26
27	// Token is the key, expiration date is the value
28	const authBypassTokens = new Map<string, {
29	expires: Date
30	user: {
31	username: string
32	email: string
33	displayName: string
34	role: UserRole
35	}
36	authName: string
37	npmName: string
38	}>()
39
40	async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
41	const grantType = req.body.grant_type
42
43	if (grantType === 'password') {
44	if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
45	else await proxifyPasswordGrant(req, res)
46	} else if (grantType === 'refresh_token') {
47	await proxifyRefreshGrant(req, res)
48	}
49
50	return forwardTokenReq(req, res, next)
51	}
52
53	async function handleTokenRevocation (req: express.Request, res: express.Response) {
54	const token = res.locals.oauth.token
55
56	res.locals.explicitLogout = true
57	const result = await revokeToken(token)
58
59	// FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
60	// oAuthServer.revoke(req, res, err => {
61	// if (err) {
62	// logger.warn('Error in revoke token handler.', { err })
63	//
64	// return res.status(err.status)
65	// .json({
66	// error: err.message,
67	// code: err.name
68	// })
69	// .end()
70	// }
71	// })
72
73	return res.json(result)
74	}
75
76	async function onExternalUserAuthenticated (options: {
77	npmName: string
78	authName: string
79	authResult: RegisterServerExternalAuthenticatedResult
80	}) {
81	const { npmName, authName, authResult } = options
82
83	if (!authResult.req \|\| !authResult.res) {
84	logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
85	return
86	}
87
88	const { res } = authResult
89
90	if (!isAuthResultValid(npmName, authName, authResult)) {
91	res.redirect('/login?externalAuthError=true')
92	return
93	}
94
95	logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
96
97	const bypassToken = await generateRandomString(32)
98
99	const expires = new Date()
100	expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
101
102	const user = buildUserResult(authResult)
103	authBypassTokens.set(bypassToken, {
104	expires,
105	user,
106	npmName,
107	authName
108	})
109
110	// Cleanup
111	const now = new Date()
112	for (const [ key, value ] of authBypassTokens) {
113	if (value.expires.getTime() < now.getTime()) {
114	authBypassTokens.delete(key)
115	}
116	}
117
118	res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
119	}
120
121	// ---------------------------------------------------------------------------
122
123	export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
124
125	// ---------------------------------------------------------------------------
126
127	function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
128	return oAuthServer.token()(req, res, err => {
129	if (err) {
130	logger.warn('Login error.', { err })
131
132	return res.status(err.status)
133	.json({
134	error: err.message,
135	code: err.name
136	})
137	}
138
139	if (next) return next()
140	})
141	}
142
143	async function proxifyRefreshGrant (req: express.Request, res: express.Response) {
144	const refreshToken = req.body.refresh_token
145	if (!refreshToken) return
146
147	const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
148	if (tokenModel?.authName) res.locals.refreshTokenAuthName = tokenModel.authName
149	}
150
151	async function proxifyPasswordGrant (req: express.Request, res: express.Response) {
152	const plugins = PluginManager.Instance.getIdAndPassAuths()
153	const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
154
155	for (const plugin of plugins) {
156	const auths = plugin.idAndPassAuths
157
158	for (const auth of auths) {
159	pluginAuths.push({
160	npmName: plugin.npmName,
161	registerAuthOptions: auth
162	})
163	}
164	}
165
166	pluginAuths.sort((a, b) => {
167	const aWeight = a.registerAuthOptions.getWeight()
168	const bWeight = b.registerAuthOptions.getWeight()
169
170	// DESC weight order
171	if (aWeight === bWeight) return 0
172	if (aWeight < bWeight) return 1
173	return -1
174	})
175
176	const loginOptions = {
177	id: req.body.username,
178	password: req.body.password
179	}
180
181	for (const pluginAuth of pluginAuths) {
182	const authOptions = pluginAuth.registerAuthOptions
183	const authName = authOptions.authName
184	const npmName = pluginAuth.npmName
185
186	logger.debug(
187	'Using auth method %s of plugin %s to login %s with weight %d.',
188	authName, npmName, loginOptions.id, authOptions.getWeight()
189	)
190
191	try {
192	const loginResult = await authOptions.login(loginOptions)
193
194	if (!loginResult) continue
195	if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
196
197	logger.info(
198	'Login success with auth method %s of plugin %s for %s.',
199	authName, npmName, loginOptions.id
200	)
201
202	res.locals.bypassLogin = {
203	bypass: true,
204	pluginName: pluginAuth.npmName,
205	authName: authOptions.authName,
206	user: buildUserResult(loginResult)
207	}
208
209	return
210	} catch (err) {
211	logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
212	}
213	}
214	}
215
216	function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
217	const obj = authBypassTokens.get(req.body.externalAuthToken)
218	if (!obj) {
219	logger.error('Cannot authenticate user with unknown bypass token')
220	return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
221	}
222
223	const { expires, user, authName, npmName } = obj
224
225	const now = new Date()
226	if (now.getTime() > expires.getTime()) {
227	logger.error('Cannot authenticate user with an expired external auth token')
228	return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
229	}
230
231	if (user.username !== req.body.username) {
232	logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
233	return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)
234	}
235
236	// Bypass oauth library validation
237	req.body.password = 'fake'
238
239	logger.info(
240	'Auth success with external auth method %s of plugin %s for %s.',
241	authName, npmName, user.email
242	)
243
244	res.locals.bypassLogin = {
245	bypass: true,
246	pluginName: npmName,
247	authName: authName,
248	user
249	}
250	}
251
252	function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
253	if (!isUserUsernameValid(result.username)) {
254	logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
255	return false
256	}
257
258	if (!result.email) {
259	logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
260	return false
261	}
262
263	// role is optional
264	if (result.role && !isUserRoleValid(result.role)) {
265	logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
266	return false
267	}
268
269	// display name is optional
270	if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
271	logger.error(
272	'Auth method %s of plugin %s did not provide a valid display name.',
273	authName, npmName, { displayName: result.displayName }
274	)
275	return false
276	}
277
278	return true
279	}
280
281	function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
282	return {
283	username: pluginResult.username,
284	email: pluginResult.email,
285	role: pluginResult.role ?? UserRole.USER,
286	displayName: pluginResult.displayName \|\| pluginResult.username
287	}
288	}