1 files changed, 219 insertions, 0 deletions
diff --git a/server/lib/auth/external-auth.ts b/server/lib/auth/external-auth.ts
new file mode 100644
index 000000000..80f5064b6
--- /dev/null
+++ b/server/lib/auth/external-auth.ts
@@ -0,0 +1,219 @@
+import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
+import { logger } from '@server/helpers/logger'
+import { generateRandomString } from '@server/helpers/utils'
+import { PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
+import { PluginManager } from '@server/lib/plugins/plugin-manager'
+import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
+import {
+  RegisterServerAuthenticatedResult,
+  RegisterServerAuthPassOptions,
+  RegisterServerExternalAuthenticatedResult
+} from '@server/types/plugins/register-server-auth.model'
+import { UserRole } from '@shared/models'
+// Token is the key, expiration date is the value
+const authBypassTokens = new Map<string, {
+  expires: Date
+  user: {
+    username: string
+    email: string
+    displayName: string
+    role: UserRole
+  }
+  authName: string
+  npmName: string
+}>()
+async function onExternalUserAuthenticated (options: {
+  npmName: string
+  authName: string
+  authResult: RegisterServerExternalAuthenticatedResult
+}) {
+  const { npmName, authName, authResult } = options
+  if (!authResult.req || !authResult.res) {
+    logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
+    return
+  }
+  const { res } = authResult
+  if (!isAuthResultValid(npmName, authName, authResult)) {
+    res.redirect('/login?externalAuthError=true')
+    return
+  }
+  logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
+  const bypassToken = await generateRandomString(32)
+  const expires = new Date()
+  expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
+  const user = buildUserResult(authResult)
+  authBypassTokens.set(bypassToken, {
+    expires,
+    user,
+    npmName,
+    authName
+  })
+  // Cleanup expired tokens
+  const now = new Date()
+  for (const [ key, value ] of authBypassTokens) {
+    if (value.expires.getTime() < now.getTime()) {
+      authBypassTokens.delete(key)
+    }
+  }
+  res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
+}
+async function getAuthNameFromRefreshGrant (refreshToken?: string) {
+  if (!refreshToken) return undefined
+  const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
+  return tokenModel?.authName
+}
+async function getBypassFromPasswordGrant (username: string, password: string) {
+  const plugins = PluginManager.Instance.getIdAndPassAuths()
+  const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
+  for (const plugin of plugins) {
+    const auths = plugin.idAndPassAuths
+    for (const auth of auths) {
+      pluginAuths.push({
+        npmName: plugin.npmName,
+        registerAuthOptions: auth
+      })
+    }
+  }
+  pluginAuths.sort((a, b) => {
+    const aWeight = a.registerAuthOptions.getWeight()
+    const bWeight = b.registerAuthOptions.getWeight()
+    // DESC weight order
+    if (aWeight === bWeight) return 0
+    if (aWeight < bWeight) return 1
+    return -1
+  })
+  const loginOptions = {
+    id: username,
+    password
+  }
+  for (const pluginAuth of pluginAuths) {
+    const authOptions = pluginAuth.registerAuthOptions
+    const authName = authOptions.authName
+    const npmName = pluginAuth.npmName
+    logger.debug(
+      'Using auth method %s of plugin %s to login %s with weight %d.',
+      authName, npmName, loginOptions.id, authOptions.getWeight()
+    )
+    try {
+      const loginResult = await authOptions.login(loginOptions)
+      if (!loginResult) continue
+      if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
+      logger.info(
+        'Login success with auth method %s of plugin %s for %s.',
+        authName, npmName, loginOptions.id
+      )
+      return {
+        bypass: true,
+        pluginName: pluginAuth.npmName,
+        authName: authOptions.authName,
+        user: buildUserResult(loginResult)
+      }
+    } catch (err) {
+      logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
+    }
+  }
+  return undefined
+}
+function getBypassFromExternalAuth (username: string, externalAuthToken: string) {
+  const obj = authBypassTokens.get(externalAuthToken)
+  if (!obj) throw new Error('Cannot authenticate user with unknown bypass token')
+  const { expires, user, authName, npmName } = obj
+  const now = new Date()
+  if (now.getTime() > expires.getTime()) {
+    throw new Error('Cannot authenticate user with an expired external auth token')
+  }
+  if (user.username !== username) {
+    throw new Error(`Cannot authenticate user ${user.username} with invalid username ${username}`)
+  }
+  logger.info(
+    'Auth success with external auth method %s of plugin %s for %s.',
+    authName, npmName, user.email
+  )
+  return {
+    bypass: true,
+    pluginName: npmName,
+    authName: authName,
+    user
+  }
+}
+function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
+  if (!isUserUsernameValid(result.username)) {
+    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
+    return false
+  }
+  if (!result.email) {
+    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
+    return false
+  }
+  // role is optional
+  if (result.role && !isUserRoleValid(result.role)) {
+    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
+    return false
+  }
+  // display name is optional
+  if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
+    logger.error(
+      'Auth method %s of plugin %s did not provide a valid display name.',
+      authName, npmName, { displayName: result.displayName }
+    )
+    return false
+  }
+  return true
+}
+function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
+  return {
+    username: pluginResult.username,
+    email: pluginResult.email,
+    role: pluginResult.role ?? UserRole.USER,
+    displayName: pluginResult.displayName || pluginResult.username
+  }
+}
+// ---------------------------------------------------------------------------
+export {
+  onExternalUserAuthenticated,
+  getBypassFromExternalAuth,
+  getAuthNameFromRefreshGrant,
+  getBypassFromPasswordGrant
+}

diff --git a/server/lib/auth/external-auth.ts b/server/lib/auth/external-auth.ts new file mode 100644 index 000000000..80f5064b6 --- /dev/null +++ b/server/lib/auth/external-auth.ts
@@ -0,0 +1,219 @@
	1
	2	import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
	3	import { logger } from '@server/helpers/logger'
	4	import { generateRandomString } from '@server/helpers/utils'
	5	import { PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
	6	import { PluginManager } from '@server/lib/plugins/plugin-manager'
	7	import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
	8	import {
	9	RegisterServerAuthenticatedResult,
	10	RegisterServerAuthPassOptions,
	11	RegisterServerExternalAuthenticatedResult
	12	} from '@server/types/plugins/register-server-auth.model'
	13	import { UserRole } from '@shared/models'
	14
	15	// Token is the key, expiration date is the value
	16	const authBypassTokens = new Map<string, {
	17	expires: Date
	18	user: {
	19	username: string
	20	email: string
	21	displayName: string
	22	role: UserRole
	23	}
	24	authName: string
	25	npmName: string
	26	}>()
	27
	28	async function onExternalUserAuthenticated (options: {
	29	npmName: string
	30	authName: string
	31	authResult: RegisterServerExternalAuthenticatedResult
	32	}) {
	33	const { npmName, authName, authResult } = options
	34
	35	if (!authResult.req \|\| !authResult.res) {
	36	logger.error('Cannot authenticate external user for auth %s of plugin %s: no req or res are provided.', authName, npmName)
	37	return
	38	}
	39
	40	const { res } = authResult
	41
	42	if (!isAuthResultValid(npmName, authName, authResult)) {
	43	res.redirect('/login?externalAuthError=true')
	44	return
	45	}
	46
	47	logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
	48
	49	const bypassToken = await generateRandomString(32)
	50
	51	const expires = new Date()
	52	expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
	53
	54	const user = buildUserResult(authResult)
	55	authBypassTokens.set(bypassToken, {
	56	expires,
	57	user,
	58	npmName,
	59	authName
	60	})
	61
	62	// Cleanup expired tokens
	63	const now = new Date()
	64	for (const [ key, value ] of authBypassTokens) {
	65	if (value.expires.getTime() < now.getTime()) {
	66	authBypassTokens.delete(key)
	67	}
	68	}
	69
	70	res.redirect(`/login?externalAuthToken=${bypassToken}&username=${user.username}`)
	71	}
	72
	73	async function getAuthNameFromRefreshGrant (refreshToken?: string) {
	74	if (!refreshToken) return undefined
	75
	76	const tokenModel = await OAuthTokenModel.loadByRefreshToken(refreshToken)
	77
	78	return tokenModel?.authName
	79	}
	80
	81	async function getBypassFromPasswordGrant (username: string, password: string) {
	82	const plugins = PluginManager.Instance.getIdAndPassAuths()
	83	const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
	84
	85	for (const plugin of plugins) {
	86	const auths = plugin.idAndPassAuths
	87
	88	for (const auth of auths) {
	89	pluginAuths.push({
	90	npmName: plugin.npmName,
	91	registerAuthOptions: auth
	92	})
	93	}
	94	}
	95
	96	pluginAuths.sort((a, b) => {
	97	const aWeight = a.registerAuthOptions.getWeight()
	98	const bWeight = b.registerAuthOptions.getWeight()
	99
	100	// DESC weight order
	101	if (aWeight === bWeight) return 0
	102	if (aWeight < bWeight) return 1
	103	return -1
	104	})
	105
	106	const loginOptions = {
	107	id: username,
	108	password
	109	}
	110
	111	for (const pluginAuth of pluginAuths) {
	112	const authOptions = pluginAuth.registerAuthOptions
	113	const authName = authOptions.authName
	114	const npmName = pluginAuth.npmName
	115
	116	logger.debug(
	117	'Using auth method %s of plugin %s to login %s with weight %d.',
	118	authName, npmName, loginOptions.id, authOptions.getWeight()
	119	)
	120
	121	try {
	122	const loginResult = await authOptions.login(loginOptions)
	123
	124	if (!loginResult) continue
	125	if (!isAuthResultValid(pluginAuth.npmName, authOptions.authName, loginResult)) continue
	126
	127	logger.info(
	128	'Login success with auth method %s of plugin %s for %s.',
	129	authName, npmName, loginOptions.id
	130	)
	131
	132	return {
	133	bypass: true,
	134	pluginName: pluginAuth.npmName,
	135	authName: authOptions.authName,
	136	user: buildUserResult(loginResult)
	137	}
	138	} catch (err) {
	139	logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
	140	}
	141	}
	142
	143	return undefined
	144	}
	145
	146	function getBypassFromExternalAuth (username: string, externalAuthToken: string) {
	147	const obj = authBypassTokens.get(externalAuthToken)
	148	if (!obj) throw new Error('Cannot authenticate user with unknown bypass token')
	149
	150	const { expires, user, authName, npmName } = obj
	151
	152	const now = new Date()
	153	if (now.getTime() > expires.getTime()) {
	154	throw new Error('Cannot authenticate user with an expired external auth token')
	155	}
	156
	157	if (user.username !== username) {
	158	throw new Error(`Cannot authenticate user ${user.username} with invalid username ${username}`)
	159	}
	160
	161	logger.info(
	162	'Auth success with external auth method %s of plugin %s for %s.',
	163	authName, npmName, user.email
	164	)
	165
	166	return {
	167	bypass: true,
	168	pluginName: npmName,
	169	authName: authName,
	170	user
	171	}
	172	}
	173
	174	function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
	175	if (!isUserUsernameValid(result.username)) {
	176	logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
	177	return false
	178	}
	179
	180	if (!result.email) {
	181	logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
	182	return false
	183	}
	184
	185	// role is optional
	186	if (result.role && !isUserRoleValid(result.role)) {
	187	logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
	188	return false
	189	}
	190
	191	// display name is optional
	192	if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
	193	logger.error(
	194	'Auth method %s of plugin %s did not provide a valid display name.',
	195	authName, npmName, { displayName: result.displayName }
	196	)
	197	return false
	198	}
	199
	200	return true
	201	}
	202
	203	function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
	204	return {
	205	username: pluginResult.username,
	206	email: pluginResult.email,
	207	role: pluginResult.role ?? UserRole.USER,
	208	displayName: pluginResult.displayName \|\| pluginResult.username
	209	}
	210	}
	211
	212	// ---------------------------------------------------------------------------
	213
	214	export {
	215	onExternalUserAuthenticated,
	216	getBypassFromExternalAuth,
	217	getAuthNameFromRefreshGrant,
	218	getBypassFromPasswordGrant
	219	}