4 files changed, 34 insertions, 16 deletions

diff --git a/server/lib/auth.ts b/server/lib/auth.ts
index eaae5fdf3..2ef77bc9c 100644
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@@ -1,7 +1,7 @@
 import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
 import { logger } from '@server/helpers/logger'
 import { generateRandomString } from '@server/helpers/utils'
-import { OAUTH_LIFETIME, WEBSERVER } from '@server/initializers/constants'
+import { OAUTH_LIFETIME, PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
 import { revokeToken } from '@server/lib/oauth-model'
 import { PluginManager } from '@server/lib/plugins/plugin-manager'
 import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
@@ -35,7 +35,7 @@ const authBypassTokens = new Map<string, {
   npmName: string
 }>()
 
-async function handleIdAndPassLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
+async function handleLogin (req: express.Request, res: express.Response, next: express.NextFunction) {
   const grantType = req.body.grant_type
 
   if (grantType === 'password') {
@@ -90,10 +90,9 @@ async function onExternalUserAuthenticated (options: {
   logger.info('Generating auth bypass token for %s in auth %s of plugin %s.', authResult.username, authName, npmName)
 
   const bypassToken = await generateRandomString(32)
-  const tokenLifetime = 1000 * 60 * 5 // 5 minutes
 
   const expires = new Date()
-  expires.setTime(expires.getTime() + tokenLifetime)
+  expires.setTime(expires.getTime() + PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME)
 
   const user = buildUserResult(authResult)
   authBypassTokens.set(bypassToken, {
@@ -108,7 +107,7 @@ async function onExternalUserAuthenticated (options: {
 
 // ---------------------------------------------------------------------------
 
-export { oAuthServer, handleIdAndPassLogin, onExternalUserAuthenticated, handleTokenRevocation }
+export { oAuthServer, handleLogin, onExternalUserAuthenticated, handleTokenRevocation }
 
 // ---------------------------------------------------------------------------
 
@@ -212,7 +211,7 @@ function proxifyExternalAuthBypass (req: express.Request, res: express.Response)
 
   const now = new Date()
   if (now.getTime() > expires.getTime()) {
-    logger.error('Cannot authenticate user with an expired bypass token')
+    logger.error('Cannot authenticate user with an expired external auth token')
     return res.sendStatus(400)
   }
 
@@ -267,7 +266,7 @@ function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
   return {
     username: pluginResult.username,
     email: pluginResult.email,
-    role: pluginResult.role || UserRole.USER,
+    role: pluginResult.role ?? UserRole.USER,
     displayName: pluginResult.displayName || pluginResult.username
   }
 }
diff --git a/server/lib/oauth-model.ts b/server/lib/oauth-model.ts
index 8b9975bb4..8d8a6d85e 100644
--- a/server/lib/oauth-model.ts
+++ b/server/lib/oauth-model.ts
@@ -139,7 +139,7 @@ async function revokeToken (tokenInfo: { refreshToken: string }) {
 
   if (token) {
     if (res.locals.explicitLogout === true && token.User.pluginAuth && token.authName) {
-      PluginManager.Instance.onLogout(token.User.pluginAuth, token.authName)
+      PluginManager.Instance.onLogout(token.User.pluginAuth, token.authName, token.User)
     }
 
     clearCacheByToken(token.accessToken)
diff --git a/server/lib/plugins/plugin-manager.ts b/server/lib/plugins/plugin-manager.ts
index c64ca60aa..38336bcc6 100644
--- a/server/lib/plugins/plugin-manager.ts
+++ b/server/lib/plugins/plugin-manager.ts
@@ -21,7 +21,8 @@ import { ClientHtml } from '../client-html'
 import { PluginTranslation } from '../../../shared/models/plugins/plugin-translation.model'
 import { RegisterHelpersStore } from './register-helpers-store'
 import { RegisterServerHookOptions } from '@shared/models/plugins/register-server-hook.model'
-import { MOAuthTokenUser } from '@server/typings/models'
+import { MOAuthTokenUser, MUser } from '@server/typings/models'
+import { RegisterServerAuthPassOptions, RegisterServerAuthExternalOptions } from '@shared/models/plugins/register-server-auth.model'
 
 export interface RegisteredPlugin {
   npmName: string
@@ -133,14 +134,14 @@ export class PluginManager implements ServerHook {
     return this.translations[locale] || {}
   }
 
-  onLogout (npmName: string, authName: string) {
+  onLogout (npmName: string, authName: string, user: MUser) {
     const auth = this.getAuth(npmName, authName)
 
     if (auth?.onLogout) {
       logger.info('Running onLogout function from auth %s of plugin %s', authName, npmName)
 
       try {
-        auth.onLogout()
+        auth.onLogout(user)
       } catch (err) {
         logger.warn('Cannot run onLogout function from auth %s of plugin %s.', authName, npmName, { err })
       }
@@ -478,8 +479,10 @@ export class PluginManager implements ServerHook {
     const plugin = this.getRegisteredPluginOrTheme(npmName)
     if (!plugin || plugin.type !== PluginType.PLUGIN) return null
 
-    return plugin.registerHelpersStore.getIdAndPassAuths()
-                 .find(a => a.authName === authName)
+    let auths: (RegisterServerAuthPassOptions | RegisterServerAuthExternalOptions)[] = plugin.registerHelpersStore.getIdAndPassAuths()
+    auths = auths.concat(plugin.registerHelpersStore.getExternalAuths())
+
+    return auths.find(a => a.authName === authName)
   }
 
   // ###################### Private getters ######################
diff --git a/server/lib/plugins/register-helpers-store.ts b/server/lib/plugins/register-helpers-store.ts
index 277f2b687..151196bf1 100644
--- a/server/lib/plugins/register-helpers-store.ts
+++ b/server/lib/plugins/register-helpers-store.ts
@@ -1,5 +1,12 @@
+import * as express from 'express'
 import { logger } from '@server/helpers/logger'
-import { VIDEO_CATEGORIES, VIDEO_LANGUAGES, VIDEO_LICENCES, VIDEO_PLAYLIST_PRIVACIES, VIDEO_PRIVACIES } from '@server/initializers/constants'
+import {
+  VIDEO_CATEGORIES,
+  VIDEO_LANGUAGES,
+  VIDEO_LICENCES,
+  VIDEO_PLAYLIST_PRIVACIES,
+  VIDEO_PRIVACIES
+} from '@server/initializers/constants'
 import { onExternalUserAuthenticated } from '@server/lib/auth'
 import { PluginModel } from '@server/models/server/plugin'
 import { RegisterServerOptions } from '@server/typings/plugins'
@@ -10,11 +17,15 @@ import { PluginVideoCategoryManager } from '@shared/models/plugins/plugin-video-
 import { PluginVideoLanguageManager } from '@shared/models/plugins/plugin-video-language-manager.model'
 import { PluginVideoLicenceManager } from '@shared/models/plugins/plugin-video-licence-manager.model'
 import { PluginVideoPrivacyManager } from '@shared/models/plugins/plugin-video-privacy-manager.model'
-import { RegisterServerAuthExternalOptions, RegisterServerAuthExternalResult, RegisterServerAuthPassOptions, RegisterServerExternalAuthenticatedResult } from '@shared/models/plugins/register-server-auth.model'
+import {
+  RegisterServerAuthExternalOptions,
+  RegisterServerAuthExternalResult,
+  RegisterServerAuthPassOptions,
+  RegisterServerExternalAuthenticatedResult
+} from '@shared/models/plugins/register-server-auth.model'
 import { RegisterServerHookOptions } from '@shared/models/plugins/register-server-hook.model'
 import { RegisterServerSettingOptions } from '@shared/models/plugins/register-server-setting.model'
 import { serverHookObject } from '@shared/models/plugins/server-hook.model'
-import * as express from 'express'
 import { buildPluginHelpers } from './plugin-helpers'
 
 type AlterableVideoConstant = 'language' | 'licence' | 'category' | 'privacy' | 'playlistPrivacy'
@@ -174,6 +185,11 @@ export class RegisterHelpersStore {
     const self = this
 
     return (options: RegisterServerAuthExternalOptions) => {
+      if (!options.authName || !options.onAuthRequest || typeof options.onAuthRequest !== 'function') {
+        logger.error('Cannot register auth plugin %s: authName of getWeight or login are not valid.', this.npmName)
+        return
+      }
+
       this.externalAuths.push(options)
 
       return {