Compare commits
4 Commits
Author | SHA1 | Date |
---|---|---|
AJ ONeal | 81b213ec4b | |
AJ ONeal | 8397b8a38c | |
AJ ONeal | 3fedb3d8ad | |
AJ ONeal | 9627e2054e |
200
accounts.js
200
accounts.js
|
@ -62,18 +62,20 @@ function validateOtp(codeStore, codeId, token) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function getOrCreate(store, username) {
|
function getOrCreate(store, username) {
|
||||||
return store.IssuerOauth3OrgAccounts.get(username).then(function (account) {
|
// account => profile
|
||||||
if (account) {
|
return store.IssuerOauth3OrgAccounts.get(username).then(function (profile) {
|
||||||
return account;
|
if (profile) {
|
||||||
|
return profile;
|
||||||
}
|
}
|
||||||
|
|
||||||
account = {
|
// TODO profile should be ecdsa256 pub/privkeypair
|
||||||
|
profile = {
|
||||||
username: username,
|
username: username,
|
||||||
accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')),
|
accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')),
|
||||||
};
|
};
|
||||||
return store.IssuerOauth3OrgAccounts.create(username, account).then(function () {
|
return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () {
|
||||||
// TODO: put sort sort of email notification to the server managers?
|
// TODO: put sort sort of email notification to the server managers?
|
||||||
return account;
|
return profile;
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
@ -168,17 +170,18 @@ function createOtp(store, params) {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function create(app) {
|
function create(deps, app) {
|
||||||
var restful = {};
|
var restful = {};
|
||||||
|
|
||||||
restful.sendOtp = function (req, res) {
|
restful.sendOtp = function (req, res) {
|
||||||
var params = req.body;
|
var params = req.body;
|
||||||
var promise = req.getSiteStore().then(function (store) {
|
var promise = req.getSiteStore().then(function (store) {
|
||||||
|
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
||||||
return createOtp(store, params).then(function (code) {
|
return createOtp(store, params).then(function (code) {
|
||||||
var emailParams = {
|
var emailParams = {
|
||||||
to: params.username,
|
to: params.username,
|
||||||
from: 'login@daplie.com',
|
from: 'login@mg.hellabit.com',
|
||||||
replyTo: 'hello@daplie.com',
|
replyTo: 'hello@mg.hellabit.com',
|
||||||
subject: "Use " + code.code + " as your Login Code",
|
subject: "Use " + code.code + " as your Login Code",
|
||||||
text: "Your login code is:\n\n"
|
text: "Your login code is:\n\n"
|
||||||
+ code.code
|
+ code.code
|
||||||
|
@ -202,10 +205,165 @@ function create(app) {
|
||||||
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// This should exchange:
|
||||||
|
// * 3rd party PPIDs for 1st Party Profile
|
||||||
|
// * Opaque Tokens for PPID Tokens
|
||||||
|
restful.exchangeToken = function (req, res) {
|
||||||
|
var OAUTH3 = require('./oauth3.js');
|
||||||
|
var store = req.Models;
|
||||||
|
|
||||||
|
console.log('[exchangeToken] req.oauth3:');
|
||||||
|
console.log(req.oauth3); // req.oauth3.encodedToken
|
||||||
|
|
||||||
|
console.log('[exchangeToken] OAUTH3.jwk:');
|
||||||
|
console.log(OAUTH3.jwk);
|
||||||
|
|
||||||
|
var promise = OAUTH3.jwk.verifyToken(req.oauth3.encodedToken).then(function (decoded) {
|
||||||
|
console.log('[exchangeToken] verified token:');
|
||||||
|
console.log(decoded);
|
||||||
|
// TODO handle opaque tokens by exchanging at issuer -- if (!token.sub && token.jti) { ... }
|
||||||
|
return req.Models.IssuerOauth3OrgCredentialsProfiles.find({
|
||||||
|
credentialId: decoded.payload.sub + '@' + decoded.payload.iss
|
||||||
|
//, sub: decoded.payload.sub
|
||||||
|
//, iss: decoded.payload.iss
|
||||||
|
}).then(function (joins) {
|
||||||
|
console.log('[exchangeToken] credentials profiles:');
|
||||||
|
console.log(joins);
|
||||||
|
|
||||||
|
function getToken(token) {
|
||||||
|
var tokenInfo = {
|
||||||
|
iat: Math.round(Date.now() / 1000)
|
||||||
|
, sub: token.sub
|
||||||
|
, iss: token.iss
|
||||||
|
, azp: token.iss
|
||||||
|
, aud: token.iss
|
||||||
|
};
|
||||||
|
return restful.createToken._helper(req, res, tokenInfo);
|
||||||
|
}
|
||||||
|
|
||||||
|
function createProfile(credential, profile) {
|
||||||
|
var bs58 = require('bs58');
|
||||||
|
var EC = require('elliptic').ec;
|
||||||
|
var ec = new EC('secp256k1');
|
||||||
|
// TODO should be able to generate a private key without a library
|
||||||
|
// https://crypto.stackexchange.com/a/30273/53868
|
||||||
|
var key = ec.genKeyPair();
|
||||||
|
//var ec = new EC('curve25519');
|
||||||
|
var pub = bs58.encode(Buffer.from(key.derive(key.getPublic()).toString('hex'), 'hex'));
|
||||||
|
var priv = bs58.encode(Buffer.from(key.priv.toString('hex'), 'hex'));
|
||||||
|
var parts = [];
|
||||||
|
|
||||||
|
if (!credential.sub) {
|
||||||
|
return deps.Promise.reject(new Error("missing 'sub' from credential"));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (credential.sub !== profile.sub || credential.iss !== profile.iss) {
|
||||||
|
return deps.Promise.reject(new Error("credential 'sub' and 'iss' do not match information in profile"));
|
||||||
|
}
|
||||||
|
|
||||||
|
parts.push(pub);
|
||||||
|
if (req.experienceId) {
|
||||||
|
parts.push(req.experienceId);
|
||||||
|
}
|
||||||
|
|
||||||
|
var username = parts.join('@');
|
||||||
|
var profile = {
|
||||||
|
accountId: pub // profile.sub
|
||||||
|
, sub: pub // profile.sub
|
||||||
|
, iss: req.experienceId
|
||||||
|
, prv: priv
|
||||||
|
, typ: 'oauth3'
|
||||||
|
};
|
||||||
|
|
||||||
|
function getId(token) {
|
||||||
|
var id = token.sub;
|
||||||
|
if (token.iss) {
|
||||||
|
id += '@' + token.iss;
|
||||||
|
}
|
||||||
|
return id || token.accountId;
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log('[debug] username, credential, profile:');
|
||||||
|
console.log(username);
|
||||||
|
console.log(credential);
|
||||||
|
console.log(profile);
|
||||||
|
|
||||||
|
return deps.Promise.reject(new Error("blah blah grrr grrr"));
|
||||||
|
|
||||||
|
return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () {
|
||||||
|
var id = crypto.randomBytes(16).toString('hex');
|
||||||
|
return store.IssuerOauth3OrgCredentialsProfiles.create(id, {
|
||||||
|
credentialId: getId(credential)
|
||||||
|
, profileId: getId(profile)
|
||||||
|
}).then(function () {
|
||||||
|
// TODO: put sort sort of email notification to the server managers?
|
||||||
|
return getToken(profile).then(function (token) {
|
||||||
|
return {
|
||||||
|
tokens: [ token ]
|
||||||
|
//, error: { code: "E_NO_IMPL", message: "not implemented [177]" }
|
||||||
|
};
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
function getProfile() {
|
||||||
|
var query = { username: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
|
||||||
|
//var query = { accountId: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
|
||||||
|
//var query = { accountId: joins.map(function (el) { return el.profileId })[0] };
|
||||||
|
console.log('[DEBUG] query profiles:');
|
||||||
|
console.log(query);
|
||||||
|
return req.Models.IssuerOauth3OrgAccounts.find(query).then(function (profiles) {
|
||||||
|
console.log('[DEBUG] Profiles:');
|
||||||
|
console.log(profiles);
|
||||||
|
|
||||||
|
profiles = (profiles||[]).filter(function (el) {
|
||||||
|
return !el.revokedAt && !el.deletedAt;
|
||||||
|
});
|
||||||
|
|
||||||
|
if (!profiles.length) {
|
||||||
|
return { tokens: [] };
|
||||||
|
}
|
||||||
|
|
||||||
|
return deps.Promise.all(profiles.map(function (profile) {
|
||||||
|
return getToken(profile);
|
||||||
|
})).then(function (tokens) {
|
||||||
|
return {
|
||||||
|
tokens: tokens
|
||||||
|
//, error: { code: "E_NO_IMPL", message: "not implemented [172]" }
|
||||||
|
};
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
joins = (joins||[]).filter(function (el) {
|
||||||
|
return !el.revokedAt && !el.deletedAt;
|
||||||
|
});
|
||||||
|
|
||||||
|
if (joins.length) {
|
||||||
|
console.log('[DEBUG] CredentialsProfiles:');
|
||||||
|
console.log(joins);
|
||||||
|
return getProfile();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!req.body || !req.body.create) {
|
||||||
|
console.log('[DEBUG] will not create');
|
||||||
|
return { tokens: [] };
|
||||||
|
} else {
|
||||||
|
console.log('[DEBUG] will create profile');
|
||||||
|
return createProfile(req.oauth3.token, req.body);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] exchangeToken');
|
||||||
|
};
|
||||||
|
|
||||||
restful.createToken = function (req, res) {
|
restful.createToken = function (req, res) {
|
||||||
var store;
|
var store;
|
||||||
var promise = req.getSiteStore().then(function (_store) {
|
var promise = req.getSiteStore().then(function (_store) {
|
||||||
store = _store;
|
store = _store;
|
||||||
|
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
||||||
if (!req.body || !req.body.grant_type) {
|
if (!req.body || !req.body.grant_type) {
|
||||||
throw new OpErr("missing 'grant_type' from the body");
|
throw new OpErr("missing 'grant_type' from the body");
|
||||||
}
|
}
|
||||||
|
@ -219,9 +377,19 @@ function create(app) {
|
||||||
if (req.body.grant_type === 'refresh_token') {
|
if (req.body.grant_type === 'refresh_token') {
|
||||||
return restful.createToken.refreshToken(req);
|
return restful.createToken.refreshToken(req);
|
||||||
}
|
}
|
||||||
|
if (req.body.grant_type === 'exchange_token') {
|
||||||
|
return restful.exchangeToken(req);
|
||||||
|
}
|
||||||
|
|
||||||
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
|
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
|
||||||
}).then(function (token_info) {
|
}).then(function (token_info) {
|
||||||
|
return restful.createToken._helper(req, res, token_info);
|
||||||
|
});
|
||||||
|
|
||||||
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
|
||||||
|
};
|
||||||
|
restful.createToken._helper = function (req, res, token_info) {
|
||||||
|
return deps.Promise.resolve().then(function () {
|
||||||
token_info.iss = req.experienceId;
|
token_info.iss = req.experienceId;
|
||||||
if (!token_info.aud) {
|
if (!token_info.aud) {
|
||||||
throw new OpErr("missing required token field 'aud'");
|
throw new OpErr("missing required token field 'aud'");
|
||||||
|
@ -234,17 +402,18 @@ function create(app) {
|
||||||
// We don't have normal grants for the issuer, so we don't need to look the
|
// We don't have normal grants for the issuer, so we don't need to look the
|
||||||
// azpSub or the grants up in the database.
|
// azpSub or the grants up in the database.
|
||||||
token_info.azpSub = token_info.sub;
|
token_info.azpSub = token_info.sub;
|
||||||
token_info.scope = '';
|
token_info.scope = '*';
|
||||||
return token_info;
|
return token_info;
|
||||||
}
|
}
|
||||||
|
|
||||||
var search = {};
|
var search = {};
|
||||||
['sub', 'azp', 'azpSub'].forEach(function (key) {
|
[ 'sub', 'azp', 'azpSub' ].forEach(function (key) {
|
||||||
if (token_info[key]) {
|
if (token_info[key]) {
|
||||||
search[key] = token_info[key];
|
search[key] = token_info[key];
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
return store.IssuerOauth3OrgGrants.find(search).then(function (grants) {
|
|
||||||
|
return req.Models.IssuerOauth3OrgGrants.find(search).then(function (grants) {
|
||||||
if (!grants.length) {
|
if (!grants.length) {
|
||||||
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
|
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
|
||||||
}
|
}
|
||||||
|
@ -258,7 +427,7 @@ function create(app) {
|
||||||
return token_info;
|
return token_info;
|
||||||
});
|
});
|
||||||
}).then(function (token_info) {
|
}).then(function (token_info) {
|
||||||
return getPrivKey(store, req.experienceId).then(function (jwk) {
|
return getPrivKey(req.Models, req.experienceId).then(function (jwk) {
|
||||||
var pem = require('jwk-to-pem')(jwk, { private: true });
|
var pem = require('jwk-to-pem')(jwk, { private: true });
|
||||||
var payload = {
|
var payload = {
|
||||||
// standard
|
// standard
|
||||||
|
@ -300,8 +469,6 @@ function create(app) {
|
||||||
return result;
|
return result;
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
|
|
||||||
};
|
};
|
||||||
restful.createToken.password = function (req) {
|
restful.createToken.password = function (req) {
|
||||||
var params = req.body;
|
var params = req.body;
|
||||||
|
@ -319,6 +486,7 @@ function create(app) {
|
||||||
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
||||||
codeId = makeB64UrlSafe(codeId);
|
codeId = makeB64UrlSafe(codeId);
|
||||||
return req.getSiteStore().then(function (store) {
|
return req.getSiteStore().then(function (store) {
|
||||||
|
store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
||||||
return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
|
return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return getOrCreate(store, params.username);
|
return getOrCreate(store, params.username);
|
||||||
|
@ -334,7 +502,7 @@ function create(app) {
|
||||||
console.log(contactClaim);
|
console.log(contactClaim);
|
||||||
return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () {
|
return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () {
|
||||||
return {
|
return {
|
||||||
sub: account.accountId,
|
sub: account.sub || account.accountId,
|
||||||
aud: req.params.aud || req.body.aud || req.experienceId,
|
aud: req.params.aud || req.body.aud || req.experienceId,
|
||||||
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId,
|
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId,
|
||||||
};
|
};
|
||||||
|
|
19
models.js
19
models.js
|
@ -1,7 +1,7 @@
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
var apiname = 'issuer_oauth3_org';
|
var apiname = 'issuer_oauth3_org';
|
||||||
var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt' ];
|
var baseFields = [ 'createdAt', 'updatedAt', 'deletedAt', 'revokedAt', 'insertedAt' ];
|
||||||
|
|
||||||
module.exports = [
|
module.exports = [
|
||||||
{
|
{
|
||||||
|
@ -15,9 +15,22 @@ module.exports = [
|
||||||
indices: baseFields.concat([ 'code', 'expires' ]),
|
indices: baseFields.concat([ 'code', 'expires' ]),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
tablename: apiname + '_credentials',
|
||||||
|
idname: 'id',
|
||||||
|
// credentialId = ppid@iss
|
||||||
|
indices: baseFields.concat([ 'credentialId', 'sub', 'iss', 'typ' ]), // comment, recoveryCredential
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tablename: apiname + '_credentials_profiles',
|
||||||
|
idname: 'id',
|
||||||
|
// credentialId = ppid@iss
|
||||||
|
indices: baseFields.concat([ 'credentialId', 'profileId' ]),
|
||||||
|
},
|
||||||
|
{ // TODO rename to profiles
|
||||||
tablename: apiname + '_accounts',
|
tablename: apiname + '_accounts',
|
||||||
idname: 'username',
|
idname: 'username',
|
||||||
indices: baseFields.concat([ 'accountId' ]),
|
// make sub an ecdsa256 key
|
||||||
|
indices: baseFields.concat([ 'accountId', 'sub', 'iss', 'typ', 'privateKey' ]), // comment, recoveryNode
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
tablename: apiname + '_contact_nodes',
|
tablename: apiname + '_contact_nodes',
|
||||||
|
@ -33,5 +46,5 @@ module.exports = [
|
||||||
tablename: apiname + '_grants',
|
tablename: apiname + '_grants',
|
||||||
idname: 'id',
|
idname: 'id',
|
||||||
indices: baseFields.concat([ 'sub', 'azp', 'azpSub', 'scope' ]),
|
indices: baseFields.concat([ 'sub', 'azp', 'azpSub', 'scope' ]),
|
||||||
},
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"bluebird": "^3.5.0",
|
"bluebird": "^3.5.0",
|
||||||
|
"bs58": "^4.0.1",
|
||||||
"elliptic": "^6.4.0",
|
"elliptic": "^6.4.0",
|
||||||
"jsonwebtoken": "^7.4.1",
|
"jsonwebtoken": "^7.4.1",
|
||||||
"jwk-to-pem": "^1.2.6",
|
"jwk-to-pem": "^1.2.6",
|
||||||
|
|
5
rest.js
5
rest.js
|
@ -3,7 +3,7 @@
|
||||||
module.exports.create = function (bigconf, deps, app) {
|
module.exports.create = function (bigconf, deps, app) {
|
||||||
var Jwks = require('./jwks').create(app);
|
var Jwks = require('./jwks').create(app);
|
||||||
var Grants = require('./grants').create(app);
|
var Grants = require('./grants').create(app);
|
||||||
var Accounts = require('./accounts').create(app);
|
var Accounts = require('./accounts').create(deps, app);
|
||||||
|
|
||||||
// This tablename is based on the tablename found in the objects in model.js.
|
// This tablename is based on the tablename found in the objects in model.js.
|
||||||
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
|
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
|
||||||
|
@ -48,6 +48,9 @@ module.exports.create = function (bigconf, deps, app) {
|
||||||
app.post( '/access_token/:sub/:aud/:azp', Accounts.restful.createToken);
|
app.post( '/access_token/:sub/:aud/:azp', Accounts.restful.createToken);
|
||||||
app.post( '/access_token', Accounts.restful.createToken);
|
app.post( '/access_token', Accounts.restful.createToken);
|
||||||
|
|
||||||
|
app.use( '/exchange_token', attachSiteModels);
|
||||||
|
app.post( '/exchange_token', Accounts.restful.exchangeToken);
|
||||||
|
|
||||||
app.use( '/acl/profile', attachSiteModels);
|
app.use( '/acl/profile', attachSiteModels);
|
||||||
app.get( '/acl/profile', Accounts.restful.getProfile);
|
app.get( '/acl/profile', Accounts.restful.getProfile);
|
||||||
app.post( '/acl/profile', Accounts.restful.setProfile);
|
app.post( '/acl/profile', Accounts.restful.setProfile);
|
||||||
|
|
Loading…
Reference in New Issue