From 0649227fb80072b0d306411e5195c64a783255af Mon Sep 17 00:00:00 2001 From: tigerbot Date: Mon, 24 Jul 2017 14:45:25 -0600 Subject: [PATCH] implemented getting token using one-time-password --- models.js | 5 ++ rest.js | 177 +++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 146 insertions(+), 36 deletions(-) diff --git a/models.js b/models.js index 6f5b59e..2cdfee3 100644 --- a/models.js +++ b/models.js @@ -14,6 +14,11 @@ module.exports = [ idname: 'id', indices: baseFields.concat([ 'code', 'expires' ]), }, + { + tablename: apiname + '_accounts', + idname: 'username', + indices: baseFields.concat([ 'accountId' ]), + }, { tablename: apiname + '_jwks', idname: 'id', diff --git a/rest.js b/rest.js index 79bb634..fca54f4 100644 --- a/rest.js +++ b/rest.js @@ -11,7 +11,7 @@ function makeB64UrlSafe(b64) { module.exports.create = function (bigconf, deps, app) { var Jwks = { restful: {} }; var Grants = { restful: {} }; - var Tokens = { restful: {} }; + var Accounts = { restful: {} }; // This tablename is based on the tablename found in the objects in model.js. // Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3. @@ -26,13 +26,11 @@ module.exports.create = function (bigconf, deps, app) { next(); } - - function authorizeIssuer(req, res, next) { - var promise = PromiseA.resolve().then(function () { - // It might seem unnecessary to wrap a promise in another promise, but this way it will - // catch the error thrown when a token isn't provided and verifyAsync isn't a function. - return req.oauth3.verifyAsync(); - }).then(function (token) { + function checkIsserToken(req, expectedSub) { + if (!req.oauth3 || !req.oauth3.verifyAsync) { + return PromiseA.reject(new OpErr("request requires a token for authorization")); + } + return req.oauth3.verifyAsync().then(function (token) { // Now that we've confirmed the token is valid we also need to make sure the issuer, audience, // and authorized party are all us, because no other app should be managing user identity. if (token.iss !== req.experienceId || token.aud !== token.iss || token.azp !== token.iss) { @@ -41,22 +39,27 @@ module.exports.create = function (bigconf, deps, app) { var sub = token.sub || token.ppid || (token.acx && (token.acx.id || token.acx.appScopedId)); if (!sub) { - if (!Array.isArray(token.axs) || !token.axs.length) { + if (!expectedSub || !Array.isArray(token.axs) || !token.axs.length) { throw new OpErr("no account pairwise identifier"); } var allowed = token.axs.some(function (acc) { - return req.params.sub === (acc.id || acc.ppid || acc.appScopedId); + return expectedSub === (acc.id || acc.ppid || acc.appScopedId); }); if (!allowed) { - throw new OpErr("no account pairwise identifier matching '" + req.params.sub + "'"); + throw new OpErr("no account pairwise identifier matching '" + expectedSub + "'"); } - sub = req.params.sub; + sub = expectedSub; } - if (req.params.sub !== sub) { - throw new OpErr("token does not allow access to resources for '"+req.params.sub+"'"); + if (expectedSub && expectedSub !== sub) { + throw new OpErr("token does not allow access to resources for '"+expectedSub+"'"); } + return sub; + }); + } + function authorizeIssuer(req, res, next) { + var promise = checkIsserToken(req, req.params.sub).then(function () { next(); }); @@ -213,7 +216,8 @@ module.exports.create = function (bigconf, deps, app) { app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants'); }; - Tokens.retrieveOtp = function (codeStore, codeId) { + + Accounts.retrieveOtp = function (codeStore, codeId) { return codeStore.get(codeId).then(function (code) { if (!code) { return null; @@ -229,7 +233,7 @@ module.exports.create = function (bigconf, deps, app) { return code; }); }; - Tokens.validateOtp = function (codeStore, codeId, token) { + Accounts.validateOtp = function (codeStore, codeId, token) { if (!codeId) { return PromiseA.reject(new Error("Must provide authcode ID")); } @@ -267,7 +271,24 @@ module.exports.create = function (bigconf, deps, app) { }); }); }; - Tokens.getPrivKey = function (store, experienceId) { + + Accounts.getOrCreate = function (store, username) { + return store.IssuerOauth3OrgAccounts.get(username).then(function (account) { + if (account) { + return account; + } + + account = { + username: username, + accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')), + }; + return store.IssuerOauth3OrgAccounts.create(username, account).then(function () { + // TODO: put sort sort of email notification to the server managers? + return account; + }); + }); + }; + Accounts.getPrivKey = function (store, experienceId) { return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) { if (jwk) { return jwk; @@ -290,7 +311,7 @@ module.exports.create = function (bigconf, deps, app) { }); }; - Tokens.restful.sendOtp = function (req, res) { + Accounts.restful.sendOtp = function (req, res) { var params = req.body; var promise = PromiseA.resolve().then(function () { if (!params || !params.username) { @@ -307,7 +328,7 @@ module.exports.create = function (bigconf, deps, app) { var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64'); codeId = makeB64UrlSafe(codeId); - return Tokens.retrieveOtp(codeStore, codeId).then(function (code) { + return Accounts.retrieveOtp(codeStore, codeId).then(function (code) { if (code) { return code; } @@ -341,7 +362,7 @@ module.exports.create = function (bigconf, deps, app) { return req.getSiteMailer().sendMailAsync(emailParams).then(function () { return { - id: code.id, + code_id: code.id, expires: code.expires, created: new Date(parseInt(code.createdAt, 10) || code.createdAt), }; @@ -350,25 +371,70 @@ module.exports.create = function (bigconf, deps, app) { app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password'); }; - Tokens.restful.create = function (req, res) { + + Accounts.restful.createToken = function (req, res) { var store; var promise = req.getSiteStore().then(function (_store) { store = _store; - return store.IssuerOauth3OrgGrants.get(req.params.sub+'/'+req.params.azp); - }).then(function (grant) { - if (!grant) { - throw new OpErr("'"+req.params.azp+"' not given any grants from '"+req.params.sub+"'"); + if (!req.body || !req.body.grant_type) { + throw new OpErr("missing 'grant_type' from the body"); } - return Tokens.getPrivKey(store, req.experienceId).then(function (jwk) { + + if (req.body.grant_type === 'password') { + return Accounts.restful.createToken.password(req); + } + if (req.body.grant_type === 'issuer_token') { + return Accounts.restful.createToken.issuerToken(req); + } + + throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'"); + }).then(function (token_info) { + token_info.iss = req.experienceId; + if (!token_info.aud) { + throw new OpErr("missing required token field 'aud'"); + } + if (!token_info.azp) { + throw new OpErr("missing required token field 'azp'"); + } + + if (token_info.iss === token_info.azp) { + // We don't have normal grants for the issuer, so we don't need to look the + // azpSub or the grants up in the database. + token_info.azpSub = token_info.sub; + token_info.scope = ''; + return token_info; + } + + var search = {}; + ['sub', 'azp', 'azpSub'].forEach(function (key) { + if (token_info[key]) { + search[key] = token_info[key]; + } + }); + return store.IssuerOauth3OrgGrants.find(search).then(function (grants) { + if (!grants.length) { + throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'"); + } + if (grants.length > 1) { + throw new Error("unexpected resource collision: too many relevant grants"); + } + var grant = grants[0]; + Object.keys(grant).forEach(function (key) { + token_info[key] = grant[key]; + }); + return token_info; + }); + }).then(function (token_info) { + return Accounts.getPrivKey(store, req.experienceId).then(function (jwk) { var pem = require('jwk-to-pem')(jwk, { private: true }); - var payload = { + var payload = { // standard - iss: req.experienceId, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 - aud: req.params.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3 - azp: grant.azp, - sub: grant.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2 + iss: token_info.iss, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 + aud: token_info.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3 + azp: token_info.azp, + sub: token_info.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2 // extended - scp: grant.scope, + scp: token_info.scope, }; var opts = { algorithm: jwk.alg, @@ -379,7 +445,7 @@ module.exports.create = function (bigconf, deps, app) { var jwt = require('jsonwebtoken'); var result = {}; - result.scope = grant.scope; + result.scope = token_info.scope; result.access_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.exp || '1d'}, opts)); if (req.body.refresh_token) { result.refresh_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.refresh_exp}, opts)); @@ -390,6 +456,45 @@ module.exports.create = function (bigconf, deps, app) { app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens'); }; + Accounts.restful.createToken.password = function (req) { + var params = req.body; + if (!params || !params.username) { + return PromiseA.reject(PromiseA.OperationalError("must provide the email address as 'username' in the body")); + } + if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) { + return PromiseA.reject(PromiseA.OperationalError("only email one-time login codes are supported at this time")); + } + params.username_type = 'email'; + if (!params.password) { + return PromiseA.reject(new OpErr("request missing 'password'")); + } + + var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64'); + codeId = makeB64UrlSafe(codeId); + return req.getSiteStore().then(function (store) { + return Accounts.validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password) + .then(function () { + return Accounts.getOrCreate(store, params.username); + }).then(function (account) { + return { + sub: account.accountId, + aud: req.params.aud || req.body.aud || req.experienceId, + azp: req.params.azp || req.body.azp || req.experienceId, + }; + }); + }); + }; + Accounts.restful.createToken.issuerToken = function (req) { + return checkIsserToken(req, req.params.sub || req.body.sub).then(function (sub) { + return { + sub: sub, + aud: req.params.aud || req.body.aud, + azp: req.params.azp || req.body.azp, + exp: req.oauth3.token.exp, + }; + }); + }; + app.get( '/jwks/:sub/:kid.json', Jwks.restful.get); app.get( '/jwks/:sub/:kid', Jwks.restful.get); @@ -403,9 +508,9 @@ module.exports.create = function (bigconf, deps, app) { app.get( '/grants/:sub/:azp', Grants.restful.getOne); app.post( '/grants/:sub/:azp', Grants.restful.saveNew); - app.post( '/access_token/send_otp', Tokens.restful.sendOtp); - app.use( '/access_token/:sub', authorizeIssuer); - app.post( '/access_token/:sub/:aud/:azp', Tokens.restful.create); + app.post( '/access_token/send_otp', Accounts.restful.sendOtp); + app.post( '/access_token/:sub/:aud/:azp', Accounts.restful.createToken); + app.post( '/access_token', Accounts.restful.createToken); app.use(detachSiteStore); };