coolaj86/issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

implemented getting token using one-time-password

Browse Source
This commit is contained in:
tigerbot 2017-07-24 14:45:25 -06:00
parent 73a0c72c5a
commit 0649227fb8
2 changed files with 146 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
models.js
View File

@ -14,6 +14,11 @@ module.exports = [
idname: 'id', idname: 'id',
indices: baseFields.concat([ 'code', 'expires' ]), indices: baseFields.concat([ 'code', 'expires' ]),
}, },
{
tablename: apiname + '_accounts',
idname: 'username',
indices: baseFields.concat([ 'accountId' ]),
},
{ {
tablename: apiname + '_jwks', tablename: apiname + '_jwks',
idname: 'id', idname: 'id',

177
rest.js
View File

@ -11,7 +11,7 @@ function makeB64UrlSafe(b64) {
module.exports.create = function (bigconf, deps, app) { module.exports.create = function (bigconf, deps, app) {
var Jwks = { restful: {} }; var Jwks = { restful: {} };
var Grants = { restful: {} }; var Grants = { restful: {} };
var Tokens = { restful: {} }; var Accounts = { restful: {} };
// This tablename is based on the tablename found in the objects in model.js. // This tablename is based on the tablename found in the objects in model.js.
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3. // Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
@ -26,13 +26,11 @@ module.exports.create = function (bigconf, deps, app) {
next(); next();
} }
function checkIsserToken(req, expectedSub) {
function authorizeIssuer(req, res, next) { if (!req.oauth3 || !req.oauth3.verifyAsync) {
var promise = PromiseA.resolve().then(function () { return PromiseA.reject(new OpErr("request requires a token for authorization"));
// It might seem unnecessary to wrap a promise in another promise, but this way it will }
// catch the error thrown when a token isn't provided and verifyAsync isn't a function. return req.oauth3.verifyAsync().then(function (token) {
return req.oauth3.verifyAsync();
}).then(function (token) {
// Now that we've confirmed the token is valid we also need to make sure the issuer, audience, // Now that we've confirmed the token is valid we also need to make sure the issuer, audience,
// and authorized party are all us, because no other app should be managing user identity. // and authorized party are all us, because no other app should be managing user identity.
if (token.iss !== req.experienceId || token.aud !== token.iss || token.azp !== token.iss) { if (token.iss !== req.experienceId || token.aud !== token.iss || token.azp !== token.iss) {
@ -41,22 +39,27 @@ module.exports.create = function (bigconf, deps, app) {
var sub = token.sub || token.ppid || (token.acx && (token.acx.id || token.acx.appScopedId)); var sub = token.sub || token.ppid || (token.acx && (token.acx.id || token.acx.appScopedId));
if (!sub) { if (!sub) {
if (!Array.isArray(token.axs) || !token.axs.length) { if (!expectedSub || !Array.isArray(token.axs) || !token.axs.length) {
throw new OpErr("no account pairwise identifier"); throw new OpErr("no account pairwise identifier");
} }
var allowed = token.axs.some(function (acc) { var allowed = token.axs.some(function (acc) {
return req.params.sub === (acc.id || acc.ppid || acc.appScopedId); return expectedSub === (acc.id || acc.ppid || acc.appScopedId);
}); });
if (!allowed) { if (!allowed) {
throw new OpErr("no account pairwise identifier matching '" + req.params.sub + "'"); throw new OpErr("no account pairwise identifier matching '" + expectedSub + "'");
} }
sub = req.params.sub; sub = expectedSub;
} }
if (req.params.sub !== sub) { if (expectedSub && expectedSub !== sub) {
throw new OpErr("token does not allow access to resources for '"+req.params.sub+"'"); throw new OpErr("token does not allow access to resources for '"+expectedSub+"'");
} }
return sub;
});
}
function authorizeIssuer(req, res, next) {
var promise = checkIsserToken(req, req.params.sub).then(function () {
next(); next();
}); });
@ -213,7 +216,8 @@ module.exports.create = function (bigconf, deps, app) {
app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants'); app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants');
}; };
Tokens.retrieveOtp = function (codeStore, codeId) {
Accounts.retrieveOtp = function (codeStore, codeId) {
return codeStore.get(codeId).then(function (code) { return codeStore.get(codeId).then(function (code) {
if (!code) { if (!code) {
return null; return null;
@ -229,7 +233,7 @@ module.exports.create = function (bigconf, deps, app) {
return code; return code;
}); });
}; };
Tokens.validateOtp = function (codeStore, codeId, token) { Accounts.validateOtp = function (codeStore, codeId, token) {
if (!codeId) { if (!codeId) {
return PromiseA.reject(new Error("Must provide authcode ID")); return PromiseA.reject(new Error("Must provide authcode ID"));
} }
@ -267,7 +271,24 @@ module.exports.create = function (bigconf, deps, app) {
}); });
}); });
}; };
Tokens.getPrivKey = function (store, experienceId) {
Accounts.getOrCreate = function (store, username) {
return store.IssuerOauth3OrgAccounts.get(username).then(function (account) {
if (account) {
return account;
}
account = {
username: username,
accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')),
};
return store.IssuerOauth3OrgAccounts.create(username, account).then(function () {
// TODO: put sort sort of email notification to the server managers?
return account;
});
});
};
Accounts.getPrivKey = function (store, experienceId) {
return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) { return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) {
if (jwk) { if (jwk) {
return jwk; return jwk;
@ -290,7 +311,7 @@ module.exports.create = function (bigconf, deps, app) {
}); });
}; };
Tokens.restful.sendOtp = function (req, res) { Accounts.restful.sendOtp = function (req, res) {
var params = req.body; var params = req.body;
var promise = PromiseA.resolve().then(function () { var promise = PromiseA.resolve().then(function () {
if (!params || !params.username) { if (!params || !params.username) {
@ -307,7 +328,7 @@ module.exports.create = function (bigconf, deps, app) {
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64'); var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
codeId = makeB64UrlSafe(codeId); codeId = makeB64UrlSafe(codeId);
return Tokens.retrieveOtp(codeStore, codeId).then(function (code) { return Accounts.retrieveOtp(codeStore, codeId).then(function (code) {
if (code) { if (code) {
return code; return code;
} }
@ -341,7 +362,7 @@ module.exports.create = function (bigconf, deps, app) {
return req.getSiteMailer().sendMailAsync(emailParams).then(function () { return req.getSiteMailer().sendMailAsync(emailParams).then(function () {
return { return {
id: code.id, code_id: code.id,
expires: code.expires, expires: code.expires,
created: new Date(parseInt(code.createdAt, 10) || code.createdAt), created: new Date(parseInt(code.createdAt, 10) || code.createdAt),
}; };
@ -350,25 +371,70 @@ module.exports.create = function (bigconf, deps, app) {
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password'); app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
}; };
Tokens.restful.create = function (req, res) {
Accounts.restful.createToken = function (req, res) {
var store; var store;
var promise = req.getSiteStore().then(function (_store) { var promise = req.getSiteStore().then(function (_store) {
store = _store; store = _store;
return store.IssuerOauth3OrgGrants.get(req.params.sub+'/'+req.params.azp); if (!req.body || !req.body.grant_type) {
}).then(function (grant) { throw new OpErr("missing 'grant_type' from the body");
if (!grant) {
throw new OpErr("'"+req.params.azp+"' not given any grants from '"+req.params.sub+"'");
} }
return Tokens.getPrivKey(store, req.experienceId).then(function (jwk) {
if (req.body.grant_type === 'password') {
return Accounts.restful.createToken.password(req);
}
if (req.body.grant_type === 'issuer_token') {
return Accounts.restful.createToken.issuerToken(req);
}
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
}).then(function (token_info) {
token_info.iss = req.experienceId;
if (!token_info.aud) {
throw new OpErr("missing required token field 'aud'");
}
if (!token_info.azp) {
throw new OpErr("missing required token field 'azp'");
}
if (token_info.iss === token_info.azp) {
// We don't have normal grants for the issuer, so we don't need to look the
// azpSub or the grants up in the database.
token_info.azpSub = token_info.sub;
token_info.scope = '';
return token_info;
}
var search = {};
['sub', 'azp', 'azpSub'].forEach(function (key) {
if (token_info[key]) {
search[key] = token_info[key];
}
});
return store.IssuerOauth3OrgGrants.find(search).then(function (grants) {
if (!grants.length) {
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
}
if (grants.length > 1) {
throw new Error("unexpected resource collision: too many relevant grants");
}
var grant = grants[0];
Object.keys(grant).forEach(function (key) {
token_info[key] = grant[key];
});
return token_info;
});
}).then(function (token_info) {
return Accounts.getPrivKey(store, req.experienceId).then(function (jwk) {
var pem = require('jwk-to-pem')(jwk, { private: true }); var pem = require('jwk-to-pem')(jwk, { private: true });
var payload = { var payload = {
// standard // standard
iss: req.experienceId, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 iss: token_info.iss, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
aud: req.params.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3 aud: token_info.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3
azp: grant.azp, azp: token_info.azp,
sub: grant.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2 sub: token_info.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2
// extended // extended
scp: grant.scope, scp: token_info.scope,
}; };
var opts = { var opts = {
algorithm: jwk.alg, algorithm: jwk.alg,
@ -379,7 +445,7 @@ module.exports.create = function (bigconf, deps, app) {
var jwt = require('jsonwebtoken'); var jwt = require('jsonwebtoken');
var result = {}; var result = {};
result.scope = grant.scope; result.scope = token_info.scope;
result.access_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.exp || '1d'}, opts)); result.access_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.exp || '1d'}, opts));
if (req.body.refresh_token) { if (req.body.refresh_token) {
result.refresh_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.refresh_exp}, opts)); result.refresh_token = jwt.sign(payload, pem, Object.assign({expiresIn: req.body.refresh_exp}, opts));
@ -390,6 +456,45 @@ module.exports.create = function (bigconf, deps, app) {
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens'); app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
}; };
Accounts.restful.createToken.password = function (req) {
var params = req.body;
if (!params || !params.username) {
return PromiseA.reject(PromiseA.OperationalError("must provide the email address as 'username' in the body"));
}
if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) {
return PromiseA.reject(PromiseA.OperationalError("only email one-time login codes are supported at this time"));
}
params.username_type = 'email';
if (!params.password) {
return PromiseA.reject(new OpErr("request missing 'password'"));
}
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
codeId = makeB64UrlSafe(codeId);
return req.getSiteStore().then(function (store) {
return Accounts.validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
.then(function () {
return Accounts.getOrCreate(store, params.username);
}).then(function (account) {
return {
sub: account.accountId,
aud: req.params.aud || req.body.aud || req.experienceId,
azp: req.params.azp || req.body.azp || req.experienceId,
};
});
});
};
Accounts.restful.createToken.issuerToken = function (req) {
return checkIsserToken(req, req.params.sub || req.body.sub).then(function (sub) {
return {
sub: sub,
aud: req.params.aud || req.body.aud,
azp: req.params.azp || req.body.azp,
exp: req.oauth3.token.exp,
};
});
};
app.get( '/jwks/:sub/:kid.json', Jwks.restful.get); app.get( '/jwks/:sub/:kid.json', Jwks.restful.get);
app.get( '/jwks/:sub/:kid', Jwks.restful.get); app.get( '/jwks/:sub/:kid', Jwks.restful.get);
@ -403,9 +508,9 @@ module.exports.create = function (bigconf, deps, app) {
app.get( '/grants/:sub/:azp', Grants.restful.getOne); app.get( '/grants/:sub/:azp', Grants.restful.getOne);
app.post( '/grants/:sub/:azp', Grants.restful.saveNew); app.post( '/grants/:sub/:azp', Grants.restful.saveNew);
app.post( '/access_token/send_otp', Tokens.restful.sendOtp); app.post( '/access_token/send_otp', Accounts.restful.sendOtp);
app.use( '/access_token/:sub', authorizeIssuer); app.post( '/access_token/:sub/:aud/:azp', Accounts.restful.createToken);
app.post( '/access_token/:sub/:aud/:azp', Tokens.restful.create); app.post( '/access_token', Accounts.restful.createToken);
app.use(detachSiteStore); app.use(detachSiteStore);
}; };