1 files changed, 286 insertions, 0 deletions
diff --git a/server/lib/auth.ts b/server/lib/auth.ts
new file mode 100644
index 000000000..8579bdbb4
--- /dev/null
+++ b/server/lib/auth.ts
@@ -0,0 +1,286 @@
+import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
+import { logger } from '@server/helpers/logger'
+import { generateRandomString } from '@server/helpers/utils'
+import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
+import { revokeToken } from '@server/lib/oauth-model'
+import { PluginManager } from '@server/lib/plugins/plugin-manager'
+import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
+import { UserRole } from '@shared/models'
+import {
+  RegisterServerAuthenticatedResult,
+  RegisterServerAuthPassOptions,
+  RegisterServerExternalAuthenticatedResult
+} from '@shared/models/plugins/register-server-auth.model'
+import * as express from 'express'
+import * as OAuthServer from 'express-oauth-server'
+const oAuthServer = new OAuthServer({
+  useErrorHandler: true,
+  accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
+  refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
+  continueMiddleware: true,
+  model: require('./oauth-model')
+})
+// Token is the key, expiration date is the value
+const authBypassTokens = new Map<string, {
+  expires: Date
+  user: {
+    username: string
+    email: string
+    displayName: string
+    role: UserRole
+  }
+  authName: string
+  npmName: string
+}>()
+async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
+  const grantType = req.body.grant_type
+  if (grantType === 'password') {
+    if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
+    else await proxifyPasswordGrant(req, res)
+  } else if (grantType === 'refresh_token') {
+    await proxifyRefreshGrant(req, res)
+  }
+  return forwardTokenReq(req, res, next)
+}
+async function handleTokenRevocation (req: express.Request, res: express.Response) {
+  const token = res.locals.oauth.token
+  res.locals.explicitLogout = true
+  await revokeToken(token)
+  // FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
+  // oAuthServer.revoke(req, res, err => {
+  //   if (err) {
+  //     logger.warn('Error in revoke token handler.', { err })
+  //
+  //     return res.status(err.status)
+  //               .json({
+  //                 error: err.message,
+  //                 code: err.name
+  //               })
+  //               .end()
+  //   }
+  // })
+  return res.json()
+}
+async function onExternalUserAuthenticated (options: {
+  npmName: string
+  authName: string
+  authResult: RegisterServerExternalAuthenticatedResult
+}) {
+  const { npmName, authName, authResult } = options
+  if (!authResult.req || !authResult.res) {
+    logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
+    return
+  }
+  const { res } = authResult
+  if (!isAuthResultValid(npmName, authName, authResult)) {
+    res.redirect('/login?externalAuthError=true')
+    return
+  }
+  logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
+  const bypassToken = await generateRandomString(32)
+  const expires = new Date()
+  expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
+  const user = buildUserResult(authResult)
+  authBypassTokens.set(bypassToken, {
+    expires,
+    user,
+    npmName,
+    authName
+  })
+  // Cleanup
+  const now = new Date()
+  for (const [ key, value ] of authBypassTokens) {
+    if (value.expires.getTime() < now.getTime()) {
+      authBypassTokens.delete(key)
+    }
+  }
+  res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
+}
+// ---------------------------------------------------------------------------
+export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
+// ---------------------------------------------------------------------------
+function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
+  return oAuthServer.token()(req, res, err => {
+    if (err) {
+      logger.warn('Login error.', { err })
+      return res.status(err.status)
+        .json({
+          error: err.message,
+          code: err.name
+        })
+    }
+    if (next) return next()
+  })
+}
+async function proxifyRefreshGrant (req: express.Request, res: express.Response) {
+  const refreshToken = req.body.refresh_token
+  if (!refreshToken) return
+  const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
+  if (tokenModel?.authName) res.locals.refreshTokenAuthName = tokenModel.authName
+}
+async function proxifyPasswordGrant (req: express.Request, res: express.Response) {
+  const plugins = PluginManager.Instance.getIdAndPassAuths()
+  const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
+  for (const plugin of plugins) {
+    const auths = plugin.idAndPassAuths
+    for (const auth of auths) {
+      pluginAuths.push({
+        npmName: plugin.npmName,
+        registerAuthOptions: auth
+      })
+    }
+  }
+  pluginAuths.sort((a, b) => {
+    const aWeight = a.registerAuthOptions.getWeight()
+    const bWeight = b.registerAuthOptions.getWeight()
+    // DESC weight order
+    if (aWeight === bWeight) return 0
+    if (aWeight < bWeight) return 1
+    return -1
+  })
+  const loginOptions = {
+    id: req.body.username,
+    password: req.body.password
+  }
+  for (const pluginAuth of pluginAuths) {
+    const authOptions = pluginAuth.registerAuthOptions
+    const authName = authOptions.authName
+    const npmName = pluginAuth.npmName
+    logger.debug(
+      'Using auth method %s of plugin %s to login %s with weight %d.',
+      authName, npmName, loginOptions.id, authOptions.getWeight()
+    )
+    try {
+      const loginResult = await authOptions.login(loginOptions)
+      if (!loginResult) continue
+      if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
+      logger.info(
+        'Login success with auth method %s of plugin %s for %s.',
+        authName, npmName, loginOptions.id
+      )
+      res.locals.bypassLogin = {
+        bypass: true,
+        pluginName: pluginAuth.npmName,
+        authName: authOptions.authName,
+        user: buildUserResult(loginResult)
+      }
+      return
+    } catch (err) {
+      logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
+    }
+  }
+}
+function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
+  const obj = authBypassTokens.get(req.body.externalAuthToken)
+  if (!obj) {
+    logger.error('Cannot authenticate user with unknown bypass token')
+    return res.sendStatus(400)
+  }
+  const { expires, user, authName, npmName } = obj
+  const now = new Date()
+  if (now.getTime() > expires.getTime()) {
+    logger.error('Cannot authenticate user with an expired external auth token')
+    return res.sendStatus(400)
+  }
+  if (user.username !== req.body.username) {
+    logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
+    return res.sendStatus(400)
+  }
+  // Bypass oauth library validation
+  req.body.password = 'fake'
+  logger.info(
+    'Auth success with external auth method %s of plugin %s for %s.',
+    authName, npmName, user.email
+  )
+  res.locals.bypassLogin = {
+    bypass: true,
+    pluginName: npmName,
+    authName: authName,
+    user
+  }
+}
+function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
+  if (!isUserUsernameValid(result.username)) {
+    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
+    return false
+  }
+  if (!result.email) {
+    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
+    return false
+  }
+  // role is optional
+  if (result.role && !isUserRoleValid(result.role)) {
+    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
+    return false
+  }
+  // display name is optional
+  if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
+    logger.error(
+      'Auth method %s of plugin %s did not provide a valid display name.',
+      authName, npmName, { displayName: result.displayName }
+    )
+    return false
+  }
+  return true
+}
+function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
+  return {
+    username: pluginResult.username,
+    email: pluginResult.email,
+    role: pluginResult.role ?? UserRole.USER,
+    displayName: pluginResult.displayName || pluginResult.username
+  }
+}

diff --git a/server/lib/auth.ts b/server/lib/auth.ts new file mode 100644 index 000000000..8579bdbb4 --- /dev/null +++ b/server/lib/auth.ts
@@ -0,0 +1,286 @@
	1	import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
	2	import { logger } from '@server/helpers/logger'
	3	import { generateRandomString } from '@server/helpers/utils'
	4	import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
	5	import { revokeToken } from '@server/lib/oauth-model'
	6	import { PluginManager } from '@server/lib/plugins/plugin-manager'
	7	import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
	8	import { UserRole } from '@shared/models'
	9	import {
	10	RegisterServerAuthenticatedResult,
	11	RegisterServerAuthPassOptions,
	12	RegisterServerExternalAuthenticatedResult
	13	} from '@shared/models/plugins/register-server-auth.model'
	14	import * as express from 'express'
	15	import * as OAuthServer from 'express-oauth-server'
	16
	17	const oAuthServer = new OAuthServer({
	18	useErrorHandler: true,
	19	accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
	20	refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
	21	continueMiddleware: true,
	22	model: require('./oauth-model')
	23	})
	24
	25	// Token is the key, expiration date is the value
	26	const authBypassTokens = new Map<string, {
	27	expires: Date
	28	user: {
	29	username: string
	30	email: string
	31	displayName: string
	32	role: UserRole
	33	}
	34	authName: string
	35	npmName: string
	36	}>()
	37
	38	async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
	39	const grantType = req.body.grant_type
	40
	41	if (grantType === 'password') {
	42	if (req.body.externalAuthToken) proxifyExternalAuthBypass(req, res)
	43	else await proxifyPasswordGrant(req, res)
	44	} else if (grantType === 'refresh_token') {
	45	await proxifyRefreshGrant(req, res)
	46	}
	47
	48	return forwardTokenReq(req, res, next)
	49	}
	50
	51	async function handleTokenRevocation (req: express.Request, res: express.Response) {
	52	const token = res.locals.oauth.token
	53
	54	res.locals.explicitLogout = true
	55	await revokeToken(token)
	56
	57	// FIXME: uncomment when https://github.com/oauthjs/node-oauth2-server/pull/289 is released
	58	// oAuthServer.revoke(req, res, err => {
	59	// if (err) {
	60	// logger.warn('Error in revoke token handler.', { err })
	61	//
	62	// return res.status(err.status)
	63	// .json({
	64	// error: err.message,
	65	// code: err.name
	66	// })
	67	// .end()
	68	// }
	69	// })
	70
	71	return res.json()
	72	}
	73
	74	async function onExternalUserAuthenticated (options: {
	75	npmName: string
	76	authName: string
	77	authResult: RegisterServerExternalAuthenticatedResult
	78	}) {
	79	const { npmName, authName, authResult } = options
	80
	81	if (!authResult.req \|\| !authResult.res) {
	82	logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
	83	return
	84	}
	85
	86	const { res } = authResult
	87
	88	if (!isAuthResultValid(npmName, authName, authResult)) {
	89	res.redirect('/login?externalAuthError=true')
	90	return
	91	}
	92
	93	logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
	94
	95	const bypassToken = await generateRandomString(32)
	96
	97	const expires = new Date()
	98	expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
	99
	100	const user = buildUserResult(authResult)
	101	authBypassTokens.set(bypassToken, {
	102	expires,
	103	user,
	104	npmName,
	105	authName
	106	})
	107
	108	// Cleanup
	109	const now = new Date()
	110	for (const [ key, value ] of authBypassTokens) {
	111	if (value.expires.getTime() < now.getTime()) {
	112	authBypassTokens.delete(key)
	113	}
	114	}
	115
	116	res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
	117	}
	118
	119	// ---------------------------------------------------------------------------
	120
	121	export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
	122
	123	// ---------------------------------------------------------------------------
	124
	125	function forwardTokenReq (req: express.Request, res: express.Response, next?: express.NextFunction) {
	126	return oAuthServer.token()(req, res, err => {
	127	if (err) {
	128	logger.warn('Login error.', { err })
	129
	130	return res.status(err.status)
	131	.json({
	132	error: err.message,
	133	code: err.name
	134	})
	135	}
	136
	137	if (next) return next()
	138	})
	139	}
	140
	141	async function proxifyRefreshGrant (req: express.Request, res: express.Response) {
	142	const refreshToken = req.body.refresh_token
	143	if (!refreshToken) return
	144
	145	const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
	146	if (tokenModel?.authName) res.locals.refreshTokenAuthName = tokenModel.authName
	147	}
	148
	149	async function proxifyPasswordGrant (req: express.Request, res: express.Response) {
	150	const plugins = PluginManager.Instance.getIdAndPassAuths()
	151	const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
	152
	153	for (const plugin of plugins) {
	154	const auths = plugin.idAndPassAuths
	155
	156	for (const auth of auths) {
	157	pluginAuths.push({
	158	npmName: plugin.npmName,
	159	registerAuthOptions: auth
	160	})
	161	}
	162	}
	163
	164	pluginAuths.sort((a, b) => {
	165	const aWeight = a.registerAuthOptions.getWeight()
	166	const bWeight = b.registerAuthOptions.getWeight()
	167
	168	// DESC weight order
	169	if (aWeight === bWeight) return 0
	170	if (aWeight < bWeight) return 1
	171	return -1
	172	})
	173
	174	const loginOptions = {
	175	id: req.body.username,
	176	password: req.body.password
	177	}
	178
	179	for (const pluginAuth of pluginAuths) {
	180	const authOptions = pluginAuth.registerAuthOptions
	181	const authName = authOptions.authName
	182	const npmName = pluginAuth.npmName
	183
	184	logger.debug(
	185	'Using auth method %s of plugin %s to login %s with weight %d.',
	186	authName, npmName, loginOptions.id, authOptions.getWeight()
	187	)
	188
	189	try {
	190	const loginResult = await authOptions.login(loginOptions)
	191
	192	if (!loginResult) continue
	193	if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
	194
	195	logger.info(
	196	'Login success with auth method %s of plugin %s for %s.',
	197	authName, npmName, loginOptions.id
	198	)
	199
	200	res.locals.bypassLogin = {
	201	bypass: true,
	202	pluginName: pluginAuth.npmName,
	203	authName: authOptions.authName,
	204	user: buildUserResult(loginResult)
	205	}
	206
	207	return
	208	} catch (err) {
	209	logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
	210	}
	211	}
	212	}
	213
	214	function proxifyExternalAuthBypass (req: express.Request, res: express.Response) {
	215	const obj = authBypassTokens.get(req.body.externalAuthToken)
	216	if (!obj) {
	217	logger.error('Cannot authenticate user with unknown bypass token')
	218	return res.sendStatus(400)
	219	}
	220
	221	const { expires, user, authName, npmName } = obj
	222
	223	const now = new Date()
	224	if (now.getTime() > expires.getTime()) {
	225	logger.error('Cannot authenticate user with an expired external auth token')
	226	return res.sendStatus(400)
	227	}
	228
	229	if (user.username !== req.body.username) {
	230	logger.error('Cannot authenticate user %s with invalid username %s.', req.body.username)
	231	return res.sendStatus(400)
	232	}
	233
	234	// Bypass oauth library validation
	235	req.body.password = 'fake'
	236
	237	logger.info(
	238	'Auth success with external auth method %s of plugin %s for %s.',
	239	authName, npmName, user.email
	240	)
	241
	242	res.locals.bypassLogin = {
	243	bypass: true,
	244	pluginName: npmName,
	245	authName: authName,
	246	user
	247	}
	248	}
	249
	250	function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
	251	if (!isUserUsernameValid(result.username)) {
	252	logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
	253	return false
	254	}
	255
	256	if (!result.email) {
	257	logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
	258	return false
	259	}
	260
	261	// role is optional
	262	if (result.role && !isUserRoleValid(result.role)) {
	263	logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
	264	return false
	265	}
	266
	267	// display name is optional
	268	if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
	269	logger.error(
	270	'Auth method %s of plugin %s did not provide a valid display name.',
	271	authName, npmName, { displayName: result.displayName }
	272	)
	273	return false
	274	}
	275
	276	return true
	277	}
	278
	279	function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
	280	return {
	281	username: pluginResult.username,
	282	email: pluginResult.email,
	283	role: pluginResult.role ?? UserRole.USER,
	284	displayName: pluginResult.displayName \|\| pluginResult.username
	285	}
	286	}