diff options
| author | Chocobozzz <me@florianbigard.com> | 2020-04-24 11:33:01 +0200 |
|---|---|---|
| committer | Chocobozzz <chocobozzz@cpy.re> | 2020-05-04 16:21:39 +0200 |
| commit | e307e4fce39853d445d086f92b8c556c363ee15d (patch) | |
| tree | 0f3faaf3c73222db0fb55b72260c787aeeeb05eb /server/lib/oauth-model.ts | |
| parent | e1c5503114deef954731904695cd40dccfcef555 (diff) | |
| download | PeerTube-e307e4fce39853d445d086f92b8c556c363ee15d.tar.gz PeerTube-e307e4fce39853d445d086f92b8c556c363ee15d.tar.zst PeerTube-e307e4fce39853d445d086f92b8c556c363ee15d.zip | |
Add ability for auth plugins to hook tokens validity
Diffstat (limited to 'server/lib/oauth-model.ts')
| -rw-r--r-- | server/lib/oauth-model.ts | 62 |
1 files changed, 44 insertions, 18 deletions
diff --git a/server/lib/oauth-model.ts b/server/lib/oauth-model.ts index 7a6ed63be..6eb0e4473 100644 --- a/server/lib/oauth-model.ts +++ b/server/lib/oauth-model.ts | |||
| @@ -1,4 +1,3 @@ | |||
| 1 | import * as Bluebird from 'bluebird' | ||
| 2 | import * as express from 'express' | 1 | import * as express from 'express' |
| 3 | import { AccessDeniedError } from 'oauth2-server' | 2 | import { AccessDeniedError } from 'oauth2-server' |
| 4 | import { logger } from '../helpers/logger' | 3 | import { logger } from '../helpers/logger' |
| @@ -47,22 +46,33 @@ function clearCacheByToken (token: string) { | |||
| 47 | } | 46 | } |
| 48 | } | 47 | } |
| 49 | 48 | ||
| 50 | function getAccessToken (bearerToken: string) { | 49 | async function getAccessToken (bearerToken: string) { |
| 51 | logger.debug('Getting access token (bearerToken: ' + bearerToken + ').') | 50 | logger.debug('Getting access token (bearerToken: ' + bearerToken + ').') |
| 52 | 51 | ||
| 53 | if (!bearerToken) return Bluebird.resolve(undefined) | 52 | if (!bearerToken) return undefined |
| 54 | 53 | ||
| 55 | if (accessTokenCache.has(bearerToken)) return Bluebird.resolve(accessTokenCache.get(bearerToken)) | 54 | let tokenModel: MOAuthTokenUser |
| 56 | 55 | ||
| 57 | return OAuthTokenModel.getByTokenAndPopulateUser(bearerToken) | 56 | if (accessTokenCache.has(bearerToken)) { |
| 58 | .then(tokenModel => { | 57 | tokenModel = accessTokenCache.get(bearerToken) |
| 59 | if (tokenModel) { | 58 | } else { |
| 60 | accessTokenCache.set(bearerToken, tokenModel) | 59 | tokenModel = await OAuthTokenModel.getByTokenAndPopulateUser(bearerToken) |
| 61 | userHavingToken.set(tokenModel.userId, tokenModel.accessToken) | ||
| 62 | } | ||
| 63 | 60 | ||
| 64 | return tokenModel | 61 | if (tokenModel) { |
| 65 | }) | 62 | accessTokenCache.set(bearerToken, tokenModel) |
| 63 | userHavingToken.set(tokenModel.userId, tokenModel.accessToken) | ||
| 64 | } | ||
| 65 | } | ||
| 66 | |||
| 67 | if (!tokenModel) return undefined | ||
| 68 | |||
| 69 | if (tokenModel.User.pluginAuth) { | ||
| 70 | const valid = await PluginManager.Instance.isTokenValid(tokenModel, 'access') | ||
| 71 | |||
| 72 | if (valid !== true) return undefined | ||
| 73 | } | ||
| 74 | |||
| 75 | return tokenModel | ||
| 66 | } | 76 | } |
| 67 | 77 | ||
| 68 | function getClient (clientId: string, clientSecret: string) { | 78 | function getClient (clientId: string, clientSecret: string) { |
| @@ -71,14 +81,27 @@ function getClient (clientId: string, clientSecret: string) { | |||
| 71 | return OAuthClientModel.getByIdAndSecret(clientId, clientSecret) | 81 | return OAuthClientModel.getByIdAndSecret(clientId, clientSecret) |
| 72 | } | 82 | } |
| 73 | 83 | ||
| 74 | function getRefreshToken (refreshToken: string) { | 84 | async function getRefreshToken (refreshToken: string) { |
| 75 | logger.debug('Getting RefreshToken (refreshToken: ' + refreshToken + ').') | 85 | logger.debug('Getting RefreshToken (refreshToken: ' + refreshToken + ').') |
| 76 | 86 | ||
| 77 | return OAuthTokenModel.getByRefreshTokenAndPopulateClient(refreshToken) | 87 | const tokenInfo = await OAuthTokenModel.getByRefreshTokenAndPopulateClient(refreshToken) |
| 88 | if (!tokenInfo) return undefined | ||
| 89 | |||
| 90 | const tokenModel = tokenInfo.token | ||
| 91 | |||
| 92 | if (tokenModel.User.pluginAuth) { | ||
| 93 | const valid = await PluginManager.Instance.isTokenValid(tokenModel, 'refresh') | ||
| 94 | |||
| 95 | if (valid !== true) return undefined | ||
| 96 | } | ||
| 97 | |||
| 98 | return tokenInfo | ||
| 78 | } | 99 | } |
| 79 | 100 | ||
| 80 | async function getUser (usernameOrEmail: string, password: string) { | 101 | async function getUser (usernameOrEmail: string, password: string) { |
| 81 | const res: express.Response = this.request.res | 102 | const res: express.Response = this.request.res |
| 103 | |||
| 104 | // Special treatment coming from a plugin | ||
| 82 | if (res.locals.bypassLogin && res.locals.bypassLogin.bypass === true) { | 105 | if (res.locals.bypassLogin && res.locals.bypassLogin.bypass === true) { |
| 83 | const obj = res.locals.bypassLogin | 106 | const obj = res.locals.bypassLogin |
| 84 | logger.info('Bypassing oauth login by plugin %s.', obj.pluginName) | 107 | logger.info('Bypassing oauth login by plugin %s.', obj.pluginName) |
| @@ -110,7 +133,7 @@ async function getUser (usernameOrEmail: string, password: string) { | |||
| 110 | return user | 133 | return user |
| 111 | } | 134 | } |
| 112 | 135 | ||
| 113 | async function revokeToken (tokenInfo: TokenInfo) { | 136 | async function revokeToken (tokenInfo: { refreshToken: string }) { |
| 114 | const res: express.Response = this.request.res | 137 | const res: express.Response = this.request.res |
| 115 | const token = await OAuthTokenModel.getByRefreshTokenAndPopulateUser(tokenInfo.refreshToken) | 138 | const token = await OAuthTokenModel.getByRefreshTokenAndPopulateUser(tokenInfo.refreshToken) |
| 116 | 139 | ||
| @@ -133,9 +156,12 @@ async function revokeToken (tokenInfo: TokenInfo) { | |||
| 133 | async function saveToken (token: TokenInfo, client: OAuthClientModel, user: UserModel) { | 156 | async function saveToken (token: TokenInfo, client: OAuthClientModel, user: UserModel) { |
| 134 | const res: express.Response = this.request.res | 157 | const res: express.Response = this.request.res |
| 135 | 158 | ||
| 136 | const authName = res.locals.bypassLogin?.bypass === true | 159 | let authName: string = null |
| 137 | ? res.locals.bypassLogin.authName | 160 | if (res.locals.bypassLogin?.bypass === true) { |
| 138 | : null | 161 | authName = res.locals.bypassLogin.authName |
| 162 | } else if (res.locals.refreshTokenAuthName) { | ||
| 163 | authName = res.locals.refreshTokenAuthName | ||
| 164 | } | ||
| 139 | 165 | ||
| 140 | logger.debug('Saving token ' + token.accessToken + ' for client ' + client.id + ' and user ' + user.id + '.') | 166 | logger.debug('Saving token ' + token.accessToken + ' for client ' + client.id + ' and user ' + user.id + '.') |
| 141 | 167 | ||