aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/lib
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2020-04-28 14:49:03 +0200
committerChocobozzz <chocobozzz@cpy.re>2020-05-04 16:21:39 +0200
commit4a8d113b9b57d97ff13ad1608798eabca99643e4 (patch)
tree7c6e1ba86bff31680ba6c8ba4bd903b997592269 /server/lib
parent98813e69bccc568eff771cfcaf907ccdd82ce3f1 (diff)
downloadPeerTube-4a8d113b9b57d97ff13ad1608798eabca99643e4.tar.gz
PeerTube-4a8d113b9b57d97ff13ad1608798eabca99643e4.tar.zst
PeerTube-4a8d113b9b57d97ff13ad1608798eabca99643e4.zip
Begin support for external auths
Diffstat (limited to 'server/lib')
-rw-r--r--server/lib/auth.ts225
-rw-r--r--server/lib/oauth-model.ts2
-rw-r--r--server/lib/plugins/register-helpers-store.ts42
3 files changed, 179 insertions, 90 deletions
diff --git a/server/lib/auth.ts b/server/lib/auth.ts
index 5a6dd9dec..eaae5fdf3 100644
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@@ -1,13 +1,18 @@
1import * as express from 'express' 1import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
2import { OAUTH_LIFETIME } from '@server/initializers/constants'
3import * as OAuthServer from 'express-oauth-server'
4import { PluginManager } from '@server/lib/plugins/plugin-manager'
5import { RegisterServerAuthPassOptions } from '@shared/models/plugins/register-server-auth.model'
6import { logger } from '@server/helpers/logger' 2import { logger } from '@server/helpers/logger'
7import { UserRole } from '@shared/models' 3import { generateRandomString } from '@server/helpers/utils'
4import { OAUTH_LIFETIME, WEBSERVER } from '@server/initializers/constants'
8import { revokeToken } from '@server/lib/oauth-model' 5import { revokeToken } from '@server/lib/oauth-model'
6import { PluginManager } from '@server/lib/plugins/plugin-manager'
9import { OAuthTokenModel } from '@server/models/oauth/oauth-token' 7import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
10import { isUserUsernameValid, isUserRoleValid, isUserDisplayNameValid } from '@server/helpers/custom-validators/users' 8import { UserRole } from '@shared/models'
9import {
10 RegisterServerAuthenticatedResult,
11 RegisterServerAuthPassOptions,
12 RegisterServerExternalAuthenticatedResult
13} from '@shared/models/plugins/register-server-auth.model'
14import * as express from 'express'
15import * as OAuthServer from 'express-oauth-server'
11 16
12const oAuthServer = new OAuthServer({ 17const oAuthServer = new OAuthServer({
13 useErrorHandler: true, 18 useErrorHandler: true,
@@ -17,15 +22,28 @@ const oAuthServer = new OAuthServer({
17 model: require('./oauth-model') 22 model: require('./oauth-model')
18}) 23})
19 24
20function onExternalAuthPlugin (npmName: string, username: string, email: string) { 25// Token is the key, expiration date is the value
21 26const authBypassTokens = new Map<string, {
22} 27 expires: Date
28 user: {
29 username: string
30 email: string
31 displayName: string
32 role: UserRole
33 }
34 authName: string
35 npmName: string
36}>()
23 37
24async function handleIdAndPassLogin (req: express.Request, res: express.Response, next: express.NextFunction) { 38async function handleIdAndPassLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
25 const grantType = req.body.grant_type 39 const grantType = req.body.grant_type
26 40
27 if (grantType === 'password') await proxifyPasswordGrant(req, res) 41 if (grantType === 'password') {
28 else if (grantType === 'refresh_token') await proxifyRefreshGrant(req, res) 42 if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
43 else await proxifyPasswordGrant(req, res)
44 } else if (grantType === 'refresh_token') {
45 await proxifyRefreshGrant(req, res)
46 }
29 47
30 return forwardTokenReq(req, res, next) 48 return forwardTokenReq(req, res, next)
31} 49}
@@ -53,31 +71,60 @@ async function handleTokenRevocation (req: express.Request, res: express.Respons
53 return res.sendStatus(200) 71 return res.sendStatus(200)
54} 72}
55 73
56// --------------------------------------------------------------------------- 74async function onExternalUserAuthenticated (options: {
75 npmName: string
76 authName: string
77 authResult: RegisterServerExternalAuthenticatedResult
78}) {
79 const { npmName, authName, authResult } = options
57 80
58export { 81 if (!authResult.req || !authResult.res) {
59 oAuthServer, 82 logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
60 handleIdAndPassLogin, 83 return
61 onExternalAuthPlugin, 84 }
62 handleTokenRevocation 85
86 if (!isAuthResultValid(npmName, authName, authResult)) return
87
88 const { res } = authResult
89
90 logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
91
92 const bypassToken = await generateRandomString(32)
93 const tokenLifetime = 1000 * 60 * 5 // 5 minutes
94
95 const expires = new Date()
96 expires.setTime(expires.getTime() + tokenLifetime)
97
98 const user = buildUserResult(authResult)
99 authBypassTokens.set(bypassToken, {
100 expires,
101 user,
102 npmName,
103 authName
104 })
105
106 res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
63} 107}
64 108
65// --------------------------------------------------------------------------- 109// ---------------------------------------------------------------------------
66 110
67function forwardTokenReq (req: express.Request, res: express.Response, next: express.NextFunction) { 111export { oAuthServer, handleIdAndPassLogin, onExternalUserAuthenticated, handleTokenRevocation }
112
113// ---------------------------------------------------------------------------
114
115function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
68 return oAuthServer.token()(req, res, err => { 116 return oAuthServer.token()(req, res, err => {
69 if (err) { 117 if (err) {
70 logger.warn('Login error.', { err }) 118 logger.warn('Login error.', { err })
71 119
72 return res.status(err.status) 120 return res.status(err.status)
73 .json({ 121 .json({
74 error: err.message, 122 error: err.message,
75 code: err.name 123 code: err.name
76 }) 124 })
77 .end()
78 } 125 }
79 126
80 return next() 127 if (next) return next()
81 }) 128 })
82} 129}
83 130
@@ -131,50 +178,96 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response
131 178
132 try { 179 try {
133 const loginResult = await authOptions.login(loginOptions) 180 const loginResult = await authOptions.login(loginOptions)
134 if (loginResult) { 181
135 logger.info( 182 if (!loginResult) continue
136 'Login success with auth method %s of plugin %s for %s.', 183 if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
137 authName, npmName, loginOptions.id 184
138 ) 185 logger.info(
139 186 'Login success with auth method %s of plugin %s for %s.',
140 if (!isUserUsernameValid(loginResult.username)) { 187 authName, npmName, loginOptions.id
141 logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { loginResult }) 188 )
142 continue 189
143 } 190 res.locals.bypassLogin = {
144 191 bypass: true,
145 if (!loginResult.email) { 192 pluginName: pluginAuth.npmName,
146 logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { loginResult }) 193 authName: authOptions.authName,
147 continue 194 user: buildUserResult(loginResult)
148 }
149
150 // role is optional
151 if (loginResult.role && !isUserRoleValid(loginResult.role)) {
152 logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { loginResult })
153 continue
154 }
155
156 // display name is optional
157 if (loginResult.displayName && !isUserDisplayNameValid(loginResult.displayName)) {
158 logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { loginResult })
159 continue
160 }
161
162 res.locals.bypassLogin = {
163 bypass: true,
164 pluginName: pluginAuth.npmName,
165 authName: authOptions.authName,
166 user: {
167 username: loginResult.username,
168 email: loginResult.email,
169 role: loginResult.role || UserRole.USER,
170 displayName: loginResult.displayName || loginResult.username
171 }
172 }
173
174 return
175 } 195 }
196
197 return
176 } catch (err) { 198 } catch (err) {
177 logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err }) 199 logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
178 } 200 }
179 } 201 }
180} 202}
203
204function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
205 const obj = authBypassTokens.get(req.body.externalAuthToken)
206 if (!obj) {
207 logger.error('Cannot authenticate user with unknown bypass token')
208 return res.sendStatus(400)
209 }
210
211 const { expires, user, authName, npmName } = obj
212
213 const now = new Date()
214 if (now.getTime() > expires.getTime()) {
215 logger.error('Cannot authenticate user with an expired bypass token')
216 return res.sendStatus(400)
217 }
218
219 if (user.username !== req.body.username) {
220 logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
221 return res.sendStatus(400)
222 }
223
224 // Bypass oauth library validation
225 req.body.password = 'fake'
226
227 logger.info(
228 'Auth success with external auth method %s of plugin %s for %s.',
229 authName, npmName, user.email
230 )
231
232 res.locals.bypassLogin = {
233 bypass: true,
234 pluginName: npmName,
235 authName: authName,
236 user
237 }
238}
239
240function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
241 if (!isUserUsernameValid(result.username)) {
242 logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { result })
243 return false
244 }
245
246 if (!result.email) {
247 logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { result })
248 return false
249 }
250
251 // role is optional
252 if (result.role && !isUserRoleValid(result.role)) {
253 logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { result })
254 return false
255 }
256
257 // display name is optional
258 if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
259 logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { result })
260 return false
261 }
262
263 return true
264}
265
266function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
267 return {
268 username: pluginResult.username,
269 email: pluginResult.email,
270 role: pluginResult.role || UserRole.USER,
271 displayName: pluginResult.displayName || pluginResult.username
272 }
273}
diff --git a/server/lib/oauth-model.ts b/server/lib/oauth-model.ts
index 6eb0e4473..8b9975bb4 100644
--- a/server/lib/oauth-model.ts
+++ b/server/lib/oauth-model.ts
@@ -98,7 +98,7 @@ async function getRefreshToken (refreshToken: string) {
98 return tokenInfo 98 return tokenInfo
99} 99}
100 100
101async function getUser (usernameOrEmail: string, password: string) { 101async function getUser (usernameOrEmail?: string, password?: string) {
102 const res: express.Response = this.request.res 102 const res: express.Response = this.request.res
103 103
104 // Special treatment coming from a plugin 104 // Special treatment coming from a plugin
diff --git a/server/lib/plugins/register-helpers-store.ts b/server/lib/plugins/register-helpers-store.ts
index 687974ccf..277f2b687 100644
--- a/server/lib/plugins/register-helpers-store.ts
+++ b/server/lib/plugins/register-helpers-store.ts
@@ -1,31 +1,21 @@
1import { PluginSettingsManager } from '@shared/models/plugins/plugin-settings-manager.model' 1import { logger } from '@server/helpers/logger'
2import { VIDEO_CATEGORIES, VIDEO_LANGUAGES, VIDEO_LICENCES, VIDEO_PLAYLIST_PRIVACIES, VIDEO_PRIVACIES } from '@server/initializers/constants'
3import { onExternalUserAuthenticated } from '@server/lib/auth'
2import { PluginModel } from '@server/models/server/plugin' 4import { PluginModel } from '@server/models/server/plugin'
5import { RegisterServerOptions } from '@server/typings/plugins'
6import { PluginPlaylistPrivacyManager } from '@shared/models/plugins/plugin-playlist-privacy-manager.model'
7import { PluginSettingsManager } from '@shared/models/plugins/plugin-settings-manager.model'
3import { PluginStorageManager } from '@shared/models/plugins/plugin-storage-manager.model' 8import { PluginStorageManager } from '@shared/models/plugins/plugin-storage-manager.model'
9import { PluginVideoCategoryManager } from '@shared/models/plugins/plugin-video-category-manager.model'
4import { PluginVideoLanguageManager } from '@shared/models/plugins/plugin-video-language-manager.model' 10import { PluginVideoLanguageManager } from '@shared/models/plugins/plugin-video-language-manager.model'
5import {
6 VIDEO_CATEGORIES,
7 VIDEO_LANGUAGES,
8 VIDEO_LICENCES,
9 VIDEO_PLAYLIST_PRIVACIES,
10 VIDEO_PRIVACIES
11} from '@server/initializers/constants'
12import { PluginVideoLicenceManager } from '@shared/models/plugins/plugin-video-licence-manager.model' 11import { PluginVideoLicenceManager } from '@shared/models/plugins/plugin-video-licence-manager.model'
13import { PluginVideoCategoryManager } from '@shared/models/plugins/plugin-video-category-manager.model' 12import { PluginVideoPrivacyManager } from '@shared/models/plugins/plugin-video-privacy-manager.model'
14import { RegisterServerOptions } from '@server/typings/plugins' 13import { RegisterServerAuthExternalOptions, RegisterServerAuthExternalResult, RegisterServerAuthPassOptions, RegisterServerExternalAuthenticatedResult } from '@shared/models/plugins/register-server-auth.model'
15import { buildPluginHelpers } from './plugin-helpers'
16import { logger } from '@server/helpers/logger'
17import { RegisterServerHookOptions } from '@shared/models/plugins/register-server-hook.model' 14import { RegisterServerHookOptions } from '@shared/models/plugins/register-server-hook.model'
18import { serverHookObject } from '@shared/models/plugins/server-hook.model'
19import { RegisterServerSettingOptions } from '@shared/models/plugins/register-server-setting.model' 15import { RegisterServerSettingOptions } from '@shared/models/plugins/register-server-setting.model'
16import { serverHookObject } from '@shared/models/plugins/server-hook.model'
20import * as express from 'express' 17import * as express from 'express'
21import { PluginVideoPrivacyManager } from '@shared/models/plugins/plugin-video-privacy-manager.model' 18import { buildPluginHelpers } from './plugin-helpers'
22import { PluginPlaylistPrivacyManager } from '@shared/models/plugins/plugin-playlist-privacy-manager.model'
23import {
24 RegisterServerAuthExternalOptions,
25 RegisterServerAuthExternalResult,
26 RegisterServerAuthPassOptions
27} from '@shared/models/plugins/register-server-auth.model'
28import { onExternalAuthPlugin } from '@server/lib/auth'
29 19
30type AlterableVideoConstant = 'language' | 'licence' | 'category' | 'privacy' | 'playlistPrivacy' 20type AlterableVideoConstant = 'language' | 'licence' | 'category' | 'privacy' | 'playlistPrivacy'
31type VideoConstant = { [key in number | string]: string } 21type VideoConstant = { [key in number | string]: string }
@@ -187,8 +177,14 @@ export class RegisterHelpersStore {
187 this.externalAuths.push(options) 177 this.externalAuths.push(options)
188 178
189 return { 179 return {
190 onAuth (options: { username: string, email: string }): void { 180 userAuthenticated (result: RegisterServerExternalAuthenticatedResult): void {
191 onExternalAuthPlugin(self.npmName, options.username, options.email) 181 onExternalUserAuthenticated({
182 npmName: self.npmName,
183 authName: options.authName,
184 authResult: result
185 }).catch(err => {
186 logger.error('Cannot execute onExternalUserAuthenticated.', { npmName: self.npmName, authName: options.authName, err })
187 })
192 } 188 }
193 } as RegisterServerAuthExternalResult 189 } as RegisterServerAuthExternalResult
194 } 190 }