'use strict'; var PromiseA = require('bluebird'); var crypto = require('crypto'); function makeB64UrlSafe(b64) { return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, ''); } module.exports.create = function (bigconf, deps, app) { var Jwks = { restful: {} }; var Grants = { restful: {} }; var Tokens = { restful: {} }; // This tablename is based on the tablename found in the objects in model.js. // Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3. function attachSiteStore(tablename, req, res, next) { return req.getSiteStore().then(function (store) { req.Store = store[tablename]; next(); }); } function detachSiteStore(req, res, next) { delete req.Store; next(); } function authorizeIssuer(req, res, next) { var promise = PromiseA.resolve().then(function () { // It might seem unnecessary to wrap a promise in another promise, but this way it will // catch the error thrown when a token isn't provided and verifyAsync isn't a function. return req.oauth3.verifyAsync(); }).then(function (token) { // Now that we've confirmed the token is valid we also need to make sure the issuer, audience, // and authorized party are all us, because no other app should be managing user identity. if (token.iss !== req.experienceId || token.aud !== token.iss || token.azp !== token.iss) { throw new Error("token does not allow access to requested resource"); } var sub = token.sub || token.ppid || (token.acx && (token.acx.id || token.acx.appScopedId)); if (!sub) { if (!Array.isArray(token.axs) || !token.axs.length) { throw new Error("no account pairwise identifier"); } var allowed = token.axs.some(function (acc) { return req.params.sub === (acc.id || acc.ppid || acc.appScopedId); }); if (!allowed) { throw new Error("no account pairwise identifier matching '" + req.params.sub + "'"); } sub = req.params.sub; } if (req.params.sub !== sub) { throw new Error("token does not allow access to resources for '"+req.params.sub+"'"); } next(); }); app.handleRejection(req, res, promise, '[issuer@oauth3.org] authorize req as issuer'); } Jwks.thumbprint = function (jwk) { // To produce a thumbprint we need to create a JSON string with only the required keys for // the key type, with the keys sorted lexicographically and no white space. We then need // run it through a SHA-256 and encode the result in url safe base64. // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk var keys; if (jwk.kty === 'EC') { keys = ['crv', 'x', 'y']; } else if (jwk.kty === 'RSA') { keys = ['e', 'n']; } else { return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty)); } keys.push('kty'); keys.sort(); var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); }); if (missing.length > 0) { return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing)); } // I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array // as the replacer argument the keys are always in the order they appeared in the array. var jwkStr = JSON.stringify(jwk, keys); var hash = crypto.createHash('sha256').update(jwkStr).digest('base64'); return PromiseA.resolve(makeB64UrlSafe(hash)); }; Jwks.restful.get = function (req, res) { var store; // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so // we need to look up the issuer PPID using the 3rd party PPID. var promise = req.getSiteStore().then(function (_store) { store = _store; return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }); }).then(function (results) { if (!results.length) { throw new Error("unknown PPID '"+req.params.sub+"'"); } if (results.length > 1) { // This should not ever happen since there is a check for PPID collisions when saving // grants, but it's probably better to have this check anyway just incase something // happens that isn't currently accounted for. throw new Error('PPID collision - unable to safely retrieve keys'); } return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid); }).then(function (jwk) { if (!jwk) { throw new Error("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub); } // We need to sanitize the key to make sure we don't deliver any private keys fields if // we were given a key we could use to sign tokens on behalf of the user. We also don't // want to deliver the sub or any other PPIDs. var whitelist = [ 'kty', 'alg', 'kid', 'use' ]; if (jwk.kty === 'EC') { whitelist = whitelist.concat([ 'crv', 'x', 'y' ]); } else if (jwk.kty === 'RSA') { whitelist = whitelist.concat([ 'e', 'n' ]); } var result = {}; whitelist.forEach(function (key) { result[key] = jwk[key]; }); return result; }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK"); }; Jwks.restful.saveNew = function (req, res) { var jwk = req.body; var promise = Jwks.thumbprint(jwk).then(function (kid) { if (jwk.kid && jwk.kid !== kid) { throw new Error('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"'); } jwk.kid = kid; jwk.sub = req.params.sub; return req.Store.upsert(jwk.sub+'/'+jwk.kid, jwk); }).then(function () { return { success: true }; }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] save JWK"); }; Grants.trim = function (grant) { return { sub: grant.sub, azp: grant.azp, // azpSub: grant.azpSub, scope: grant.scope, updatedAt: parseInt(grant.updatedAt, 10), }; }; Grants.restful.getOne = function (req, res) { var promise = req.Store.get(req.params.sub+'/'+req.params.azp).then(function (grant) { if (!grant) { throw new Error('no grants found'); } return Grants.trim(grant); }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve grants"); }; Grants.restful.getAll = function (req, res) { var promise = req.Store.find({ sub: req.params.sub }).then(function (results) { return results.map(Grants.trim).sort(function (grantA, grantB) { return (grantA.azp < grantB.azp) ? -1 : 1; }); }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve grants"); }; Grants.restful.saveNew = function (req, res) { var promise = PromiseA.resolve().then(function () { if (typeof req.body.scope !== 'string' || typeof req.body.sub !== 'string') { throw new Error("malformed request: 'sub' and 'scope' must be strings"); } return req.Store.find({ azpSub: req.body.sub }); }).then(function (existing) { if (existing.length) { if (existing.length > 1) { throw new Error("pre-existing PPID collision detected"); } else if (existing[0].sub !== req.params.sub || existing[0].azp !== req.params.azp) { throw new Error("PPID collision detected, cannot save authorized party's sub"); } } var grant = { sub: req.params.sub, azp: req.params.azp, azpSub: req.body.sub, scope: req.body.scope.split(/[+ ,]+/g).join(','), }; return req.Store.upsert(grant.sub+'/'+grant.azp, grant); }).then(function () { return {success: true}; }); app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants'); }; Tokens.getPrivKey = function (store, experienceId) { return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) { if (jwk) { return jwk; } var keyPair = require('elliptic').ec('p256').genKeyPair(); jwk = { kty: 'EC', crv: 'P-256', alg: 'ES256', kid: experienceId, x: makeB64UrlSafe(keyPair.getPublic().getX().toArrayLike(Buffer).toString('base64')), y: makeB64UrlSafe(keyPair.getPublic().getY().toArrayLike(Buffer).toString('base64')), d: makeB64UrlSafe(keyPair.getPrivate().toArrayLike(Buffer).toString('base64')), }; return store.IssuerOauth3OrgPrivateKeys.upsert(experienceId, jwk).then(function () { return jwk; }); }); }; Tokens.restful.create = function (req, res) { var store; var promise = req.getSiteStore().then(function (_store) { store = _store; return store.IssuerOauth3OrgGrants.get(req.params.sub+'/'+req.params.azp); }).then(function (grant) { if (!grant) { throw new Error("'"+req.params.azp+"' not given any grants from '"+req.params.sub+"'"); } return Tokens.getPrivKey(store, req.experienceId).then(function (jwk) { var pem = require('jwk-to-pem')(jwk, { private: true }); var payload = { // standard iss: req.experienceId, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 aud: req.params.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3 azp: grant.azp, sub: grant.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2 // extended scp: grant.scope, }; var opts = { algorithm: jwk.alg, header: { kid: jwk.kid } }; return { access_token: require('jsonwebtoken').sign(payload, pem, Object.assign({expiresIn: '1d'}, opts)), refresh_token: require('jsonwebtoken').sign(payload, pem, opts), scope: grant.scope, }; }); }); app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens'); }; app.get( '/jwks/:sub/:kid.json', Jwks.restful.get); // Everything but getting keys is only for the issuer app.use( '/jwks/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgJwks')); app.post( '/jwks/:sub', Jwks.restful.saveNew); // Everything regarding grants is only for the issuer app.use( '/grants/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgGrants')); app.get( '/grants/:sub', Grants.restful.getAll); app.get( '/grants/:sub/:azp', Grants.restful.getOne); app.post( '/grants/:sub/:azp', Grants.restful.saveNew); app.use( '/access_token/:sub', authorizeIssuer); app.post( '/access_token/:sub/:aud/:azp', Tokens.restful.create); app.use(detachSiteStore); };