coolaj86
/
issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:v1.2-profiles
coolaj86:v1.2
coolaj86:v1
coolaj86:v1.2.1
coolaj86:v1.2.0
...
pull from: coolaj86:v1.2
Branches Tags
coolaj86:v1.2-profiles
coolaj86:master
coolaj86:v1.2
coolaj86:v1
coolaj86:v1.2.1
coolaj86:v1.2.0

4 Commits
master ... v1.2

Author SHA1 Message Date
AJ ONeal 81b213ec4b WIP exchange credential for profile 2017-12-05 11:02:09 +00:00
AJ ONeal 8397b8a38c WIP token exchange 2017-12-02 08:43:45 +00:00
AJ ONeal 3fedb3d8ad Merge branch 'v1.2' of ssh://git.oauth3.org/OAuth3/issuer.rest.walnut.js into v1.2 2017-12-02 07:27:12 +00:00
AJ ONeal 9627e2054e WIP token exchange 2017-12-02 07:25:46 +00:00
4 changed files with 205 additions and 20 deletions
Show Stats Expand all files Collapse all files

200
accounts.js
View File

@ -62,18 +62,20 @@ function validateOtp(codeStore, codeId, token) {
}
function getOrCreate(store, username) {
return store.IssuerOauth3OrgAccounts.get(username).then(function (account) {
if (account) {
return account;
// account => profile
return store.IssuerOauth3OrgAccounts.get(username).then(function (profile) {
if (profile) {
return profile;
}
account = {
// TODO profile should be ecdsa256 pub/privkeypair
profile = {
username: username,
accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')),
};
return store.IssuerOauth3OrgAccounts.create(username, account).then(function () {
return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () {
// TODO: put sort sort of email notification to the server managers?
return account;
return profile;
});
});
}
@ -168,17 +170,18 @@ function createOtp(store, params) {
});
}
function create(app) {
function create(deps, app) {
var restful = {};
restful.sendOtp = function (req, res) {
var params = req.body;
var promise = req.getSiteStore().then(function (store) {
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
return createOtp(store, params).then(function (code) {
var emailParams = {
to: params.username,
from: 'login@daplie.com',
replyTo: 'hello@daplie.com',
from: 'login@mg.hellabit.com',
replyTo: 'hello@mg.hellabit.com',
subject: "Use " + code.code + " as your Login Code",
text: "Your login code is:\n\n"
+ code.code
@ -202,10 +205,165 @@ function create(app) {
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
};
// This should exchange:
// * 3rd party PPIDs for 1st Party Profile
// * Opaque Tokens for PPID Tokens
restful.exchangeToken = function (req, res) {
var OAUTH3 = require('./oauth3.js');
var store = req.Models;
console.log('[exchangeToken] req.oauth3:');
console.log(req.oauth3); // req.oauth3.encodedToken
console.log('[exchangeToken] OAUTH3.jwk:');
console.log(OAUTH3.jwk);
var promise = OAUTH3.jwk.verifyToken(req.oauth3.encodedToken).then(function (decoded) {
console.log('[exchangeToken] verified token:');
console.log(decoded);
// TODO handle opaque tokens by exchanging at issuer -- if (!token.sub && token.jti) { ... }
return req.Models.IssuerOauth3OrgCredentialsProfiles.find({
credentialId: decoded.payload.sub + '@' + decoded.payload.iss
//, sub: decoded.payload.sub
//, iss: decoded.payload.iss
}).then(function (joins) {
console.log('[exchangeToken] credentials profiles:');
console.log(joins);
function getToken(token) {
var tokenInfo = {
iat: Math.round(Date.now() / 1000)
, sub: token.sub
, iss: token.iss
, azp: token.iss
, aud: token.iss
};
return restful.createToken._helper(req, res, tokenInfo);
}
function createProfile(credential, profile) {
var bs58 = require('bs58');
var EC = require('elliptic').ec;
var ec = new EC('secp256k1');
// TODO should be able to generate a private key without a library
// https://crypto.stackexchange.com/a/30273/53868
var key = ec.genKeyPair();
//var ec = new EC('curve25519');
var pub = bs58.encode(Buffer.from(key.derive(key.getPublic()).toString('hex'), 'hex'));
var priv = bs58.encode(Buffer.from(key.priv.toString('hex'), 'hex'));
var parts = [];
if (!credential.sub) {
return deps.Promise.reject(new Error("missing 'sub' from credential"));
}
if (credential.sub !== profile.sub || credential.iss !== profile.iss) {
return deps.Promise.reject(new Error("credential 'sub' and 'iss' do not match information in profile"));
}
parts.push(pub);
if (req.experienceId) {
parts.push(req.experienceId);
}
var username = parts.join('@');
var profile = {
accountId: pub // profile.sub
, sub: pub // profile.sub
, iss: req.experienceId
, prv: priv
, typ: 'oauth3'
};
function getId(token) {
var id = token.sub;
if (token.iss) {
id += '@' + token.iss;
}
return id || token.accountId;
}
console.log('[debug] username, credential, profile:');
console.log(username);
console.log(credential);
console.log(profile);
return deps.Promise.reject(new Error("blah blah grrr grrr"));
return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () {
var id = crypto.randomBytes(16).toString('hex');
return store.IssuerOauth3OrgCredentialsProfiles.create(id, {
credentialId: getId(credential)
, profileId: getId(profile)
}).then(function () {
// TODO: put sort sort of email notification to the server managers?
return getToken(profile).then(function (token) {
return {
tokens: [ token ]
//, error: { code: "E_NO_IMPL", message: "not implemented [177]" }
};
});
});
});
}
function getProfile() {
var query = { username: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
//var query = { accountId: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
//var query = { accountId: joins.map(function (el) { return el.profileId })[0] };
console.log('[DEBUG] query profiles:');
console.log(query);
return req.Models.IssuerOauth3OrgAccounts.find(query).then(function (profiles) {
console.log('[DEBUG] Profiles:');
console.log(profiles);
profiles = (profiles||[]).filter(function (el) {
return !el.revokedAt && !el.deletedAt;
});
if (!profiles.length) {
return { tokens: [] };
}
return deps.Promise.all(profiles.map(function (profile) {
return getToken(profile);
})).then(function (tokens) {
return {
tokens: tokens
//, error: { code: "E_NO_IMPL", message: "not implemented [172]" }
};
});
});
}
joins = (joins||[]).filter(function (el) {
return !el.revokedAt && !el.deletedAt;
});
if (joins.length) {
console.log('[DEBUG] CredentialsProfiles:');
console.log(joins);
return getProfile();
}
if (!req.body || !req.body.create) {
console.log('[DEBUG] will not create');
return { tokens: [] };
} else {
console.log('[DEBUG] will create profile');
return createProfile(req.oauth3.token, req.body);
}
});
});
app.handlePromise(req, res, promise, '[issuer@oauth3.org] exchangeToken');
};
restful.createToken = function (req, res) {
var store;
var promise = req.getSiteStore().then(function (_store) {
store = _store;
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
if (!req.body || !req.body.grant_type) {
throw new OpErr("missing 'grant_type' from the body");
}
@ -219,9 +377,19 @@ function create(app) {
if (req.body.grant_type === 'refresh_token') {
return restful.createToken.refreshToken(req);
}
if (req.body.grant_type === 'exchange_token') {
return restful.exchangeToken(req);
}
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
}).then(function (token_info) {
return restful.createToken._helper(req, res, token_info);
});
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
};
restful.createToken._helper = function (req, res, token_info) {
return deps.Promise.resolve().then(function () {
token_info.iss = req.experienceId;
if (!token_info.aud) {
throw new OpErr("missing required token field 'aud'");
@ -234,17 +402,18 @@ function create(app) {
// We don't have normal grants for the issuer, so we don't need to look the
// azpSub or the grants up in the database.
token_info.azpSub = token_info.sub;
token_info.scope = '';
token_info.scope = '*';
return token_info;
}
var search = {};
['sub', 'azp', 'azpSub'].forEach(function (key) {
[ 'sub', 'azp', 'azpSub' ].forEach(function (key) {
if (token_info[key]) {
search[key] = token_info[key];
}
});
return store.IssuerOauth3OrgGrants.find(search).then(function (grants) {
return req.Models.IssuerOauth3OrgGrants.find(search).then(function (grants) {
if (!grants.length) {
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
}
@ -258,7 +427,7 @@ function create(app) {
return token_info;
});
}).then(function (token_info) {
return getPrivKey(store, req.experienceId).then(function (jwk) {
return getPrivKey(req.Models, req.experienceId).then(function (jwk) {
var pem = require('jwk-to-pem')(jwk, { private: true });
var payload = {
// standard
@ -300,8 +469,6 @@ function create(app) {
return result;
});
});
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
};
restful.createToken.password = function (req) {
var params = req.body;
@ -319,6 +486,7 @@ function create(app) {
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
codeId = makeB64UrlSafe(codeId);
return req.getSiteStore().then(function (store) {
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
.then(function () {
return getOrCreate(store, params.username);
@ -334,7 +502,7 @@ function create(app) {
console.log(contactClaim);
return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () {
return {
sub: account.accountId,
sub: account.sub || account.accountId,
aud: req.params.aud || req.body.aud || req.experienceId,
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId,
};

19
models.js
View File

@ -1,7 +1,7 @@
'use strict';
var apiname = 'issuer_oauth3_org';
var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt' ];
var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt', 'revokedAt', 'insertedAt' ];
module.exports = [
{
@ -15,9 +15,22 @@ module.exports = [
indices: baseFields.concat([ 'code', 'expires' ]),
},
{
tablename: apiname + '_credentials',
idname: 'id',
// credentialId = ppid@iss
indices: baseFields.concat([ 'credentialId', 'sub', 'iss', 'typ' ]), // comment, recoveryCredential
},
{
tablename: apiname + '_credentials_profiles',
idname: 'id',
// credentialId = ppid@iss
indices: baseFields.concat([ 'credentialId', 'profileId' ]),
},
{ // TODO rename to profiles
tablename: apiname + '_accounts',
idname: 'username',
indices: baseFields.concat([ 'accountId' ]),
// make sub an ecdsa256 key
indices: baseFields.concat([ 'accountId', 'sub', 'iss', 'typ', 'privateKey' ]), // comment, recoveryNode
},
{
tablename: apiname + '_contact_nodes',
@ -33,5 +46,5 @@ module.exports = [
tablename: apiname + '_grants',
idname: 'id',
indices: baseFields.concat([ 'sub', 'azp', 'azpSub', 'scope' ]),
},
}
];

1
package.json
View File

@ -12,6 +12,7 @@
},
"dependencies": {
"bluebird": "^3.5.0",
"bs58": "^4.0.1",
"elliptic": "^6.4.0",
"jsonwebtoken": "^7.4.1",
"jwk-to-pem": "^1.2.6",

5
rest.js
View File

@ -3,7 +3,7 @@
module.exports.create = function (bigconf, deps, app) {
var Jwks = require('./jwks').create(app);
var Grants = require('./grants').create(app);
var Accounts = require('./accounts').create(app);
var Accounts = require('./accounts').create(deps, app);
// This tablename is based on the tablename found in the objects in model.js.
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
@ -48,6 +48,9 @@ module.exports.create = function (bigconf, deps, app) {
app.post( '/access_token/:sub/:aud/:azp', Accounts.restful.createToken);
app.post( '/access_token', Accounts.restful.createToken);
app.use( '/exchange_token', attachSiteModels);
app.post( '/exchange_token', Accounts.restful.exchangeToken);
app.use( '/acl/profile', attachSiteModels);
app.get( '/acl/profile', Accounts.restful.getProfile);
app.post( '/acl/profile', Accounts.restful.setProfile);