diff options
| author | Chocobozzz <me@florianbigard.com> | 2023-01-09 09:44:00 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2023-01-09 09:44:00 +0100 |
| commit | 0a8a79552cf59c800011c9f63eaa8658230acddc (patch) | |
| tree | e797870a2660ca342722eaea426ed8a588a640b9 /server/lib/auth/external-auth.ts | |
| parent | cde3d90ded5debb24281a444eabb720b721e5600 (diff) | |
| parent | 2570fd9c1c879d1a543fb0dff1e7cfb036234d11 (diff) | |
| download | PeerTube-0a8a79552cf59c800011c9f63eaa8658230acddc.tar.gz PeerTube-0a8a79552cf59c800011c9f63eaa8658230acddc.tar.zst PeerTube-0a8a79552cf59c800011c9f63eaa8658230acddc.zip | |
Merge branch 'feature/SO035' into develop
Diffstat (limited to 'server/lib/auth/external-auth.ts')
| -rw-r--r-- | server/lib/auth/external-auth.ts | 72 |
1 files changed, 42 insertions, 30 deletions
diff --git a/server/lib/auth/external-auth.ts b/server/lib/auth/external-auth.ts index 053112801..bc5b74257 100644 --- a/server/lib/auth/external-auth.ts +++ b/server/lib/auth/external-auth.ts | |||
| @@ -1,26 +1,35 @@ | |||
| 1 | 1 | ||
| 2 | import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users' | 2 | import { |
| 3 | isUserAdminFlagsValid, | ||
| 4 | isUserDisplayNameValid, | ||
| 5 | isUserRoleValid, | ||
| 6 | isUserUsernameValid, | ||
| 7 | isUserVideoQuotaDailyValid, | ||
| 8 | isUserVideoQuotaValid | ||
| 9 | } from '@server/helpers/custom-validators/users' | ||
| 3 | import { logger } from '@server/helpers/logger' | 10 | import { logger } from '@server/helpers/logger' |
| 4 | import { generateRandomString } from '@server/helpers/utils' | 11 | import { generateRandomString } from '@server/helpers/utils' |
| 5 | import { PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants' | 12 | import { PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants' |
| 6 | import { PluginManager } from '@server/lib/plugins/plugin-manager' | 13 | import { PluginManager } from '@server/lib/plugins/plugin-manager' |
| 7 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' | 14 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' |
| 15 | import { MUser } from '@server/types/models' | ||
| 8 | import { | 16 | import { |
| 9 | RegisterServerAuthenticatedResult, | 17 | RegisterServerAuthenticatedResult, |
| 10 | RegisterServerAuthPassOptions, | 18 | RegisterServerAuthPassOptions, |
| 11 | RegisterServerExternalAuthenticatedResult | 19 | RegisterServerExternalAuthenticatedResult |
| 12 | } from '@server/types/plugins/register-server-auth.model' | 20 | } from '@server/types/plugins/register-server-auth.model' |
| 13 | import { UserRole } from '@shared/models' | 21 | import { UserAdminFlag, UserRole } from '@shared/models' |
| 22 | import { BypassLogin } from './oauth-model' | ||
| 23 | |||
| 24 | export type ExternalUser = | ||
| 25 | Pick<MUser, 'username' | 'email' | 'role' | 'adminFlags' | 'videoQuotaDaily' | 'videoQuota'> & | ||
| 26 | { displayName: string } | ||
| 14 | 27 | ||
| 15 | // Token is the key, expiration date is the value | 28 | // Token is the key, expiration date is the value |
| 16 | const authBypassTokens = new Map<string, { | 29 | const authBypassTokens = new Map<string, { |
| 17 | expires: Date | 30 | expires: Date |
| 18 | user: { | 31 | user: ExternalUser |
| 19 | username: string | 32 | userUpdater: RegisterServerAuthenticatedResult['userUpdater'] |
| 20 | email: string | ||
| 21 | displayName: string | ||
| 22 | role: UserRole | ||
| 23 | } | ||
| 24 | authName: string | 33 | authName: string |
| 25 | npmName: string | 34 | npmName: string |
| 26 | }>() | 35 | }>() |
| @@ -56,7 +65,8 @@ async function onExternalUserAuthenticated (options: { | |||
| 56 | expires, | 65 | expires, |
| 57 | user, | 66 | user, |
| 58 | npmName, | 67 | npmName, |
| 59 | authName | 68 | authName, |
| 69 | userUpdater: authResult.userUpdater | ||
| 60 | }) | 70 | }) |
| 61 | 71 | ||
| 62 | // Cleanup expired tokens | 72 | // Cleanup expired tokens |
| @@ -78,7 +88,7 @@ async function getAuthNameFromRefreshGrant (refreshToken?: string) { | |||
| 78 | return tokenModel?.authName | 88 | return tokenModel?.authName |
| 79 | } | 89 | } |
| 80 | 90 | ||
| 81 | async function getBypassFromPasswordGrant (username: string, password: string) { | 91 | async function getBypassFromPasswordGrant (username: string, password: string): Promise<BypassLogin> { |
| 82 | const plugins = PluginManager.Instance.getIdAndPassAuths() | 92 | const plugins = PluginManager.Instance.getIdAndPassAuths() |
| 83 | const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = [] | 93 | const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = [] |
| 84 | 94 | ||
| @@ -133,7 +143,8 @@ async function getBypassFromPasswordGrant (username: string, password: string) { | |||
| 133 | bypass: true, | 143 | bypass: true, |
| 134 | pluginName: pluginAuth.npmName, | 144 | pluginName: pluginAuth.npmName, |
| 135 | authName: authOptions.authName, | 145 | authName: authOptions.authName, |
| 136 | user: buildUserResult(loginResult) | 146 | user: buildUserResult(loginResult), |
| 147 | userUpdater: loginResult.userUpdater | ||
| 137 | } | 148 | } |
| 138 | } catch (err) { | 149 | } catch (err) { |
| 139 | logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err }) | 150 | logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err }) |
| @@ -143,7 +154,7 @@ async function getBypassFromPasswordGrant (username: string, password: string) { | |||
| 143 | return undefined | 154 | return undefined |
| 144 | } | 155 | } |
| 145 | 156 | ||
| 146 | function getBypassFromExternalAuth (username: string, externalAuthToken: string) { | 157 | function getBypassFromExternalAuth (username: string, externalAuthToken: string): BypassLogin { |
| 147 | const obj = authBypassTokens.get(externalAuthToken) | 158 | const obj = authBypassTokens.get(externalAuthToken) |
| 148 | if (!obj) throw new Error('Cannot authenticate user with unknown bypass token') | 159 | if (!obj) throw new Error('Cannot authenticate user with unknown bypass token') |
| 149 | 160 | ||
| @@ -167,33 +178,29 @@ function getBypassFromExternalAuth (username: string, externalAuthToken: string) | |||
| 167 | bypass: true, | 178 | bypass: true, |
| 168 | pluginName: npmName, | 179 | pluginName: npmName, |
| 169 | authName, | 180 | authName, |
| 181 | userUpdater: obj.userUpdater, | ||
| 170 | user | 182 | user |
| 171 | } | 183 | } |
| 172 | } | 184 | } |
| 173 | 185 | ||
| 174 | function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) { | 186 | function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) { |
| 175 | if (!isUserUsernameValid(result.username)) { | 187 | const returnError = (field: string) => { |
| 176 | logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username }) | 188 | logger.error('Auth method %s of plugin %s did not provide a valid %s.', authName, npmName, field, { [field]: result[field] }) |
| 177 | return false | 189 | return false |
| 178 | } | 190 | } |
| 179 | 191 | ||
| 180 | if (!result.email) { | 192 | if (!isUserUsernameValid(result.username)) return returnError('username') |
| 181 | logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email }) | 193 | if (!result.email) return returnError('email') |
| 182 | return false | ||
| 183 | } | ||
| 184 | 194 | ||
| 185 | // role is optional | 195 | // Following fields are optional |
| 186 | if (result.role && !isUserRoleValid(result.role)) { | 196 | if (result.role && !isUserRoleValid(result.role)) return returnError('role') |
| 187 | logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role }) | 197 | if (result.displayName && !isUserDisplayNameValid(result.displayName)) return returnError('displayName') |
| 188 | return false | 198 | if (result.adminFlags && !isUserAdminFlagsValid(result.adminFlags)) return returnError('adminFlags') |
| 189 | } | 199 | if (result.videoQuota && !isUserVideoQuotaValid(result.videoQuota + '')) return returnError('videoQuota') |
| 200 | if (result.videoQuotaDaily && !isUserVideoQuotaDailyValid(result.videoQuotaDaily + '')) return returnError('videoQuotaDaily') | ||
| 190 | 201 | ||
| 191 | // display name is optional | 202 | if (result.userUpdater && typeof result.userUpdater !== 'function') { |
| 192 | if (result.displayName && !isUserDisplayNameValid(result.displayName)) { | 203 | logger.error('Auth method %s of plugin %s did not provide a valid user updater function.', authName, npmName) |
| 193 | logger.error( | ||
| 194 | 'Auth method %s of plugin %s did not provide a valid display name.', | ||
| 195 | authName, npmName, { displayName: result.displayName } | ||
| 196 | ) | ||
| 197 | return false | 204 | return false |
| 198 | } | 205 | } |
| 199 | 206 | ||
| @@ -205,7 +212,12 @@ function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) { | |||
| 205 | username: pluginResult.username, | 212 | username: pluginResult.username, |
| 206 | email: pluginResult.email, | 213 | email: pluginResult.email, |
| 207 | role: pluginResult.role ?? UserRole.USER, | 214 | role: pluginResult.role ?? UserRole.USER, |
| 208 | displayName: pluginResult.displayName || pluginResult.username | 215 | displayName: pluginResult.displayName || pluginResult.username, |
| 216 | |||
| 217 | adminFlags: pluginResult.adminFlags ?? UserAdminFlag.NONE, | ||
| 218 | |||
| 219 | videoQuota: pluginResult.videoQuota, | ||
| 220 | videoQuotaDaily: pluginResult.videoQuotaDaily | ||
| 209 | } | 221 | } |
| 210 | } | 222 | } |
| 211 | 223 | ||