783 lines
27 KiB
JavaScript
783 lines
27 KiB
JavaScript
'use strict';
|
|
|
|
var crypto = require('crypto');
|
|
var PromiseA = require('bluebird');
|
|
var OpErr = PromiseA.OperationalError;
|
|
var makeB64UrlSafe = require('./common').makeB64UrlSafe;
|
|
|
|
function retrieveOtp(codeStore, codeId) {
|
|
return codeStore.get(codeId).then(function (code) {
|
|
if (!code) {
|
|
return null;
|
|
}
|
|
|
|
var expires = (new Date(code.expires)).valueOf();
|
|
if (!expires || Date.now() > expires) {
|
|
return codeStore.destroy(codeId).then(function () {
|
|
return null;
|
|
});
|
|
}
|
|
|
|
return code;
|
|
});
|
|
}
|
|
|
|
function validateOtp(codeStore, codeId, token) {
|
|
if (!codeId) {
|
|
return PromiseA.reject(new Error("Must provide authcode ID"));
|
|
}
|
|
if (!token) {
|
|
return PromiseA.reject(new Error("Must provide authcode code"));
|
|
}
|
|
return codeStore.get(codeId).then(function (code) {
|
|
if (!code) {
|
|
throw new OpErr('authcode specified does not exist or has expired');
|
|
}
|
|
|
|
return PromiseA.resolve().then(function () {
|
|
var attemptsLeft = 3 - (code.attempts && code.attempts.length || 0);
|
|
if (attemptsLeft <= 0) {
|
|
throw new OpErr('you have tried to authorize this code too many times');
|
|
}
|
|
if (code.code !== token) {
|
|
throw new OpErr('you have entered the code incorrectly. '+attemptsLeft+' attempts remaining');
|
|
}
|
|
// TODO: maybe impose a rate limit, although going fast doesn't help you break the
|
|
// system when you can only try 3 times total.
|
|
}).then(function () {
|
|
return codeStore.destroy(codeId).then(function () {
|
|
return code;
|
|
});
|
|
}, function (err) {
|
|
code.attempts = code.attempts || [];
|
|
code.attempts.unshift(new Date());
|
|
|
|
return codeStore.upsert(codeId, code).then(function () {
|
|
return PromiseA.reject(err);
|
|
}, function () {
|
|
return PromiseA.reject(err);
|
|
});
|
|
});
|
|
});
|
|
}
|
|
|
|
function getOrCreate(store, iss, username) {
|
|
// account => profile
|
|
return store.IssuerOauth3OrgProfiles.find({ username: username }).then(filterRejectable).then(function (profile) {
|
|
profile = profile && profile[0];
|
|
if (profile) {
|
|
return profile;
|
|
}
|
|
|
|
// TODO profile should be ecdsa256 pub/privkeypair
|
|
var sub = makeB64UrlSafe(crypto.randomBytes(32).toString('base64'));
|
|
profile = {
|
|
id: sub + (iss && ('@' + iss) || '')
|
|
, username: username
|
|
, sub: sub
|
|
, iss: iss
|
|
, typ: username ? 'username' : 'profile'
|
|
};
|
|
return store.IssuerOauth3OrgProfiles.create(profile.id, profile).then(function () {
|
|
// TODO: put sort sort of email notification to the server managers?
|
|
return profile;
|
|
});
|
|
});
|
|
}
|
|
function getPrivKey(store, experienceId) {
|
|
return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) {
|
|
if (jwk) {
|
|
return jwk;
|
|
}
|
|
|
|
var keyPair = require('elliptic').ec('p256').genKeyPair();
|
|
jwk = {
|
|
kty: 'EC',
|
|
crv: 'P-256',
|
|
alg: 'ES256',
|
|
kid: experienceId,
|
|
x: makeB64UrlSafe(keyPair.getPublic().getX().toArrayLike(Buffer).toString('base64')),
|
|
y: makeB64UrlSafe(keyPair.getPublic().getY().toArrayLike(Buffer).toString('base64')),
|
|
d: makeB64UrlSafe(keyPair.getPrivate().toArrayLike(Buffer).toString('base64')),
|
|
};
|
|
|
|
return store.IssuerOauth3OrgPrivateKeys.upsert(experienceId, jwk).then(function () {
|
|
return jwk;
|
|
});
|
|
});
|
|
}
|
|
|
|
function timespan(duration, max) {
|
|
var timestamp = Math.floor(Date.now() / 1000);
|
|
|
|
if (!duration) {
|
|
return;
|
|
}
|
|
if (typeof duration === 'string') {
|
|
duration = Math.floor(require('ms')(duration) / 1000) || 0;
|
|
}
|
|
if (typeof duration !== 'number') {
|
|
return 0;
|
|
}
|
|
// Handle the case where the user gave us a timestamp instead of duration for the expiration.
|
|
// Also make the maximum explicitly defined expiration as one year.
|
|
if (duration > 31557600) {
|
|
if (duration > timestamp) {
|
|
return duration - timestamp;
|
|
} else {
|
|
return 31557600;
|
|
}
|
|
}
|
|
|
|
if (max && timestamp+duration > max) {
|
|
return max - timestamp;
|
|
}
|
|
return duration;
|
|
}
|
|
|
|
function createOtp(store, params) {
|
|
return PromiseA.resolve().then(function () {
|
|
if (!params || !params.username) {
|
|
throw new OpErr("must provide the email address as 'username' in the body");
|
|
}
|
|
if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) {
|
|
throw new OpErr("only email one-time login codes are supported at this time");
|
|
}
|
|
params.username_type = 'email';
|
|
|
|
var codeStore = store.IssuerOauth3OrgCodes;
|
|
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
|
codeId = makeB64UrlSafe(codeId);
|
|
|
|
return retrieveOtp(codeStore, codeId).then(function (code) {
|
|
if (code) {
|
|
return code;
|
|
}
|
|
|
|
var token = '';
|
|
while (!/^\d{4}-\d{4}-\d{4}$/.test(token)) {
|
|
// Most of the number we can generate this was start with 1 (and no matter what can't
|
|
// start with 0), so we don't use the very first digit. Also basically all of the
|
|
// numbers are too big to accurately store in JS floats, so we limit the trailing 0's.
|
|
token = (parseInt(crypto.randomBytes(8).toString('hex'), 16)).toString()
|
|
.replace(/0+$/, '0').replace(/\d(\d{4})(\d{4})(\d{4}).*/, '$1-$2-$3');
|
|
}
|
|
code = {
|
|
id: codeId,
|
|
code: token,
|
|
expires: new Date(Date.now() + 20*60*1000),
|
|
node: { type: params.username_type, node: params.username }
|
|
};
|
|
return codeStore.upsert(codeId, code).then(function (){
|
|
return code;
|
|
});
|
|
});
|
|
});
|
|
}
|
|
function rejectDeleted(el) {
|
|
if (el && (!el.revokedAt && !el.deletedAt)) {
|
|
return el;
|
|
}
|
|
return null;
|
|
}
|
|
function filterRejectable(arr) {
|
|
return arr.filter(rejectDeleted);
|
|
}
|
|
|
|
function create(deps, app) {
|
|
var restful = {};
|
|
|
|
restful.sendOtp = function (req, res) {
|
|
var params = req.body;
|
|
var promise = req.getSiteStore().then(function (store) {
|
|
//store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
|
return createOtp(store, params).then(function (code) {
|
|
var emailParams = {
|
|
to: params.username,
|
|
from: 'login@mg.hellabit.com',
|
|
replyTo: 'hello@mg.hellabit.com',
|
|
subject: "Use " + code.code + " as your Login Code",
|
|
text: "Your login code is:\n\n"
|
|
+ code.code
|
|
+ "\n\nThis email address was used to request to add your Hello ID to a device."
|
|
+ "\nIf you did not make the request you can safely ignore this message."
|
|
};
|
|
emailParams['h:Reply-To'] = emailParams.replyTo;
|
|
|
|
return req.getSiteCapability('email@daplie.com').then(function (mailer) {
|
|
return mailer.sendMailAsync(emailParams).then(function () {
|
|
return {
|
|
code_id: code.id,
|
|
expires: code.expires,
|
|
created: new Date(parseInt(code.createdAt, 10) || code.createdAt),
|
|
};
|
|
});
|
|
});
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
|
|
};
|
|
|
|
restful.createToken = function (req, res) {
|
|
var store;
|
|
var promise = req.getSiteStore().then(function (_store) {
|
|
store = _store;
|
|
//store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
|
if (!req.body || !req.body.grant_type) {
|
|
throw new OpErr("missing 'grant_type' from the body");
|
|
}
|
|
|
|
if (req.body.grant_type === 'password') {
|
|
return restful.createToken.password(req);
|
|
}
|
|
if (req.body.grant_type === 'issuer_token') {
|
|
return restful.createToken.issuerToken(req);
|
|
}
|
|
if (req.body.grant_type === 'refresh_token') {
|
|
return restful.createToken.refreshToken(req);
|
|
}
|
|
if (req.body.grant_type === 'exchange_token') {
|
|
return restful.createToken.exchangeToken(req);
|
|
}
|
|
|
|
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
|
|
}).then(function (token_info) {
|
|
return restful.createToken._helper(req, res, token_info);
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
|
|
};
|
|
|
|
restful.createToken._helper = function (req, res, token_info) {
|
|
return deps.Promise.resolve().then(function () {
|
|
token_info.iss = req.experienceId;
|
|
if (!token_info.aud) {
|
|
throw new OpErr("missing required token field 'aud'");
|
|
}
|
|
if (!token_info.azp) {
|
|
throw new OpErr("missing required token field 'azp'");
|
|
}
|
|
|
|
if (token_info.iss === token_info.azp) {
|
|
// We don't have normal grants for the issuer, so we don't need to look the
|
|
// azpSub or the grants up in the database.
|
|
token_info.azpSub = token_info.sub;
|
|
token_info.scope = '*';
|
|
return token_info;
|
|
}
|
|
|
|
var search = {};
|
|
[ 'sub', 'azp', 'azpSub' ].forEach(function (key) {
|
|
if (token_info[key]) {
|
|
search[key] = token_info[key];
|
|
}
|
|
});
|
|
|
|
return req.Models.IssuerOauth3OrgGrants.find(search).then(filterRejectable).then(function (grants) {
|
|
if (!grants.length) {
|
|
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
|
|
}
|
|
if (grants.length > 1) {
|
|
throw new Error("unexpected resource collision: too many relevant grants");
|
|
}
|
|
var grant = grants[0];
|
|
Object.keys(grant).forEach(function (key) {
|
|
token_info[key] = grant[key];
|
|
});
|
|
return token_info;
|
|
});
|
|
}).then(function (token_info) {
|
|
return getPrivKey(req.Models, req.experienceId).then(function (jwk) {
|
|
var pem = require('jwk-to-pem')(jwk, { private: true });
|
|
var payload = {
|
|
// standard
|
|
iss: token_info.iss, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
|
|
aud: token_info.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3
|
|
azp: token_info.azp,
|
|
sub: token_info.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2
|
|
// extended
|
|
scp: token_info.scope,
|
|
};
|
|
var opts = {
|
|
algorithm: jwk.alg,
|
|
header: {
|
|
kid: jwk.kid
|
|
}
|
|
};
|
|
var accessOpts = {};
|
|
// We set `expiresIn` like this to make it possible to send `null` and `exp` to have
|
|
// no expiration while still having a default of 1 day.
|
|
if (req.body.hasOwnProperty('exp')) {
|
|
accessOpts.expiresIn = timespan(req.body.exp, token_info.exp);
|
|
} else {
|
|
accessOpts.expiresIn = timespan('1h', token_info.exp);
|
|
}
|
|
var refreshOpts = {};
|
|
refreshOpts.expiresIn = timespan(req.body.refresh_exp, token_info.exp);
|
|
|
|
var jwt = require('jsonwebtoken');
|
|
var result = {};
|
|
result.scope = token_info.scope;
|
|
result.access_token = jwt.sign(payload, pem, Object.assign(accessOpts, opts));
|
|
if (req.body.refresh_token) {
|
|
if (token_info.refresh_token) {
|
|
result.refresh_token = token_info.refresh_token;
|
|
} else {
|
|
result.refresh_token = jwt.sign(payload, pem, Object.assign(refreshOpts, opts));
|
|
}
|
|
}
|
|
return result;
|
|
});
|
|
});
|
|
};
|
|
|
|
// This should exchange:
|
|
// * 3rd party PPIDs for 1st Party Profile
|
|
// * Opaque Tokens for PPID Tokens
|
|
restful.createToken.exchangeToken = function (req, res) {
|
|
var OAUTH3 = require('./oauth3.js');
|
|
var store = req.Models;
|
|
|
|
console.log('[exchangeToken] req.oauth3:');
|
|
console.log(req.oauth3); // req.oauth3.encodedToken
|
|
|
|
console.log('[exchangeToken] OAUTH3.jwk:');
|
|
console.log(OAUTH3.jwk);
|
|
|
|
var promise = OAUTH3.jwk.verifyToken(req.oauth3.encodedToken).then(function (completeDecoded) {
|
|
var p;
|
|
|
|
console.log('[exchangeToken] verified token:');
|
|
console.log(completeDecoded);
|
|
// TODO handle opaque tokens by exchanging at issuer -- if (!token.sub && token.jti) { ... }
|
|
|
|
if (!req.body || !req.body.create) {
|
|
return Profiles.get(req, res, completeDecoded.payload).then(function (profiles) {
|
|
return deps.Promise.all(profiles.map(function (profile) {
|
|
return Profiles._getToken(req, res, profile);
|
|
}));
|
|
}).then(function (tokens) {
|
|
return { tokens: tokens };
|
|
});
|
|
}
|
|
|
|
return Profiles.getOrCreate(req, res, completeDecoded.payload).then(function () {
|
|
return Profiles._getToken(req, res, profile).then(function (token) {
|
|
return { tokens: [ token ] };
|
|
});
|
|
});
|
|
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] exchangeToken');
|
|
};
|
|
|
|
restful.createToken.password = function (req) {
|
|
var params = req.body;
|
|
if (!params || !params.username) {
|
|
return PromiseA.reject(PromiseA.OperationalError("must provide the email address as 'username' in the body"));
|
|
}
|
|
if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) {
|
|
return PromiseA.reject(PromiseA.OperationalError("only email one-time login codes are supported at this time"));
|
|
}
|
|
params.username_type = 'email';
|
|
if (!params.password) {
|
|
return PromiseA.reject(new OpErr("request missing 'password'"));
|
|
}
|
|
|
|
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
|
codeId = makeB64UrlSafe(codeId);
|
|
return req.getSiteStore().then(function (store) {
|
|
//store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts;
|
|
return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
|
|
.then(function () {
|
|
return getOrCreate(store, req.experienceId, params.username);
|
|
}).then(function (account) {
|
|
var contactClaimId = crypto.createHash('sha256').update(account.sub+':'+params.username_type+':'+params.username).digest('base64');
|
|
//var contactClaimId = crypto.createHash('sha256').update(account.accountId+':'+params.username_type+':'+params.username).digest('base64');
|
|
return req.Models.IssuerOauth3OrgContactNodes.get(contactClaimId).then(function (contactClaim) {
|
|
var now = Date.now();
|
|
if (!contactClaim) { contactClaim = { id: contactClaimId, accountId: (req.oauth3._IDX_ || req.oauth3.accountIdx) }; }
|
|
if (!contactClaim.verifiedAt) { contactClaim.verifiedAt = now; }
|
|
contactClaim.lastVerifiedAt = now;
|
|
|
|
console.log('[DEBUG] contactClaim');
|
|
console.log(contactClaim);
|
|
return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () {
|
|
return {
|
|
sub: account.sub || account.accountId,
|
|
aud: req.params.aud || req.body.aud || req.experienceId,
|
|
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId,
|
|
};
|
|
});
|
|
});
|
|
});
|
|
});
|
|
};
|
|
restful.createToken.issuerToken = function (req) {
|
|
return require('./common').checkIssuerToken(req, req.params.sub || req.body.sub).then(function (sub) {
|
|
return {
|
|
sub: sub,
|
|
aud: req.params.aud || req.body.aud || req.experienceId,
|
|
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri,
|
|
exp: req.oauth3.token.exp,
|
|
};
|
|
});
|
|
};
|
|
restful.createToken.refreshToken = function (req) {
|
|
return PromiseA.resolve().then(function () {
|
|
if (!req.body.refresh_token) {
|
|
throw new OpErr("missing refresh token");
|
|
}
|
|
|
|
return req.oauth3.verifyAsync(req.body.refresh_token).then(function (token) {
|
|
return {
|
|
sub: token.sub,
|
|
aud: token.aud,
|
|
azp: token.azp,
|
|
exp: token.exp,
|
|
refresh_token: req.body.refresh_token,
|
|
};
|
|
});
|
|
});
|
|
};
|
|
|
|
|
|
var Credentials = {};
|
|
Credentials.getOrCreate = function (credential) {
|
|
var query = {};
|
|
var id;
|
|
var result;
|
|
|
|
if (credential.username) {
|
|
query.username = credential.username;
|
|
id = credential.username;
|
|
} else if (credential.iss) {
|
|
query.sub = credential.sub;
|
|
query.iss = credential.iss;
|
|
id = query.sub + '@' + query.iss;
|
|
}
|
|
|
|
return req.Models.IssuerOauth3OrgCredentials.find(query).then(filterRejectable).then(function (_credentials) {
|
|
if (_credentials.length) {
|
|
return _credentials[0];
|
|
}
|
|
|
|
result = {
|
|
username: credential.username
|
|
, sub: credential.sub
|
|
, iss: credential.iss
|
|
, typ: username ? 'username' : 'profile'
|
|
};
|
|
|
|
return req.Models.IssuerOauth3OrgCredentials.create(id, result).then(function () {
|
|
result.id = id;
|
|
return result;
|
|
});
|
|
});
|
|
|
|
};
|
|
|
|
var Profiles = {};
|
|
Profiles.id = function (token) {
|
|
var id = token.sub || '';
|
|
if (token.iss) {
|
|
id += '@' + token.iss;
|
|
}
|
|
return id || token.id || token.accountIdx || token.accountId;
|
|
};
|
|
Profiles.create = function (req, res, credential, meta) {
|
|
meta = meta || {};
|
|
var pub = meta.sub;
|
|
var store = req.Models;
|
|
var iss;
|
|
|
|
if (!meta.sub) {
|
|
var bs58 = require('bs58');
|
|
var EC = require('elliptic').ec;
|
|
var ec = new EC('secp256k1');
|
|
// TODO should be able to generate a private key without a library
|
|
// https://crypto.stackexchange.com/a/30273/53868
|
|
var key = ec.genKeyPair();
|
|
//var ec = new EC('curve25519');
|
|
pub = bs58.encode(Buffer.from(key.derive(key.getPublic()).toString('hex'), 'hex'));
|
|
var priv = bs58.encode(Buffer.from(key.priv.toString('hex'), 'hex'));
|
|
iss = req.experienceId;
|
|
} else {
|
|
iss = credential.iss;
|
|
}
|
|
|
|
var id = pub + '@' + iss;
|
|
|
|
if (!credential.sub) {
|
|
return deps.Promise.reject(new Error("missing 'sub' from credential"));
|
|
}
|
|
|
|
var profile = {
|
|
id: id
|
|
// accountId: pub // profile.sub
|
|
, sub: pub // profile.sub
|
|
, iss: iss
|
|
, prv: priv
|
|
, typ: 'profile'
|
|
, username: id
|
|
};
|
|
|
|
console.log('[debug] id, credential, profile:');
|
|
console.log(id);
|
|
console.log(credential);
|
|
console.log(profile);
|
|
|
|
console.log('[Profiles.create] profile:');
|
|
console.log(profile);
|
|
return store.IssuerOauth3OrgProfiles.create(profile.id/*username*/, profile).then(function () {
|
|
console.log('[Profiles.create] created!');
|
|
var id = crypto.randomBytes(16).toString('hex');
|
|
return store.IssuerOauth3OrgCredentialsProfiles.create(id, {
|
|
credentialId: Profiles.id(credential)
|
|
, profileId: Profiles.id(profile)
|
|
}).then(function () {
|
|
// TODO: put sort sort of email notification to the server managers?
|
|
return profile;
|
|
});
|
|
});
|
|
};
|
|
Profiles._getToken = function (req, res, token) {
|
|
var tokenInfo = {
|
|
iat: Math.round(Date.now() / 1000)
|
|
, sub: token.sub
|
|
, iss: token.iss
|
|
, azp: token.iss
|
|
, aud: token.iss
|
|
};
|
|
return restful.createToken._helper(req, res, tokenInfo);
|
|
};
|
|
Profiles.ids = function (req, res, decoded) {
|
|
return req.Models.IssuerOauth3OrgCredentialsProfiles.find({
|
|
credentialId: decoded.sub + '@' + decoded.iss
|
|
//, sub: decoded.payload.sub
|
|
//, iss: decoded.payload.iss
|
|
}).then(filterRejectable).then(function (joins) {
|
|
console.log('[exchangeToken] credentials profiles:');
|
|
console.log(joins);
|
|
|
|
return joins;
|
|
});
|
|
};
|
|
Profiles.get = function (req, res, decoded) {
|
|
return Profiles.ids(decoded).then(function (joins) {
|
|
return Profiles.getFromIds(req, res, joins);
|
|
});
|
|
};
|
|
Profiles.getFromIds = function (req, res, joins) {
|
|
var query = { id: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
|
|
//var query = { username: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
|
|
//var query = { accountId: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
|
|
//var query = { accountId: joins.map(function (el) { return el.profileId })[0] };
|
|
console.log('[DEBUG] query profiles:');
|
|
console.log(query);
|
|
|
|
return Profiles._get(req, res, query).then(function (profiles) {
|
|
console.log('[DEBUG] Profiles:');
|
|
console.log(profiles);
|
|
|
|
return profiles;
|
|
});
|
|
};
|
|
Profiles._get = function (req, res, query) {
|
|
return req.Models.IssuerOauth3OrgProfiles.find(query).then(filterRejectable);
|
|
};
|
|
Profiles._one = function (req, res, id) {
|
|
console.log('[Profiles._one] id:', id);
|
|
return req.Models.IssuerOauth3OrgProfiles.get(id).then(function (p) {
|
|
console.log('[Profiles._one] p:', p);
|
|
return p;
|
|
}).then(rejectDeleted);
|
|
};
|
|
Profiles.oneOrCreate = function (req, res, cred) {
|
|
var sub;
|
|
var iss;
|
|
var tok;
|
|
if (cred.accountIdx) {
|
|
sub = cred.accountIdx.split('@')[0];
|
|
iss = cred.accountIdx.split('@')[1];
|
|
}
|
|
tok = { sub: sub || cred.sub, iss: iss || cred.iss };
|
|
|
|
var id = Profiles.id(cred);
|
|
console.log('[oneOrCreate] id:', id);
|
|
return Profiles._one(req, res, id).then(function (profile) {
|
|
console.log('[oneOrCreate] profile:', profile);
|
|
if (profile) { return profile; }
|
|
|
|
return Profiles.create(req, res, tok, tok);
|
|
});
|
|
};
|
|
Profiles.getOrCreate = function (req, res, cred) {
|
|
var sub;
|
|
var iss;
|
|
var tok;
|
|
if (cred.accountIdx) {
|
|
sub = cred.accountIdx.split('@')[0];
|
|
iss = cred.accountIdx.split('@')[1];
|
|
}
|
|
tok = { sub: sub || cred.sub, iss: iss || cred.iss };
|
|
|
|
return Profiles.ids(req, res, cred).then(function (joins) {
|
|
if (joins.length) {
|
|
console.log('[DEBUG] CredentialsProfiles:');
|
|
console.log(joins);
|
|
console.log('[DEBUG] will not create profile');
|
|
return Profiles.getFromIds(req, res, joins);
|
|
}
|
|
|
|
console.log('[DEBUG] will create profile');
|
|
req.body.sub = req.body.sub || cred.sub;
|
|
req.body.iss = req.body.iss || cred.iss;
|
|
return Profiles.create(req, res, req.oauth3.token, req.body).then(function (profile) {
|
|
return [ profile ];
|
|
});
|
|
});
|
|
};
|
|
restful.getProfile = function (req, res) {
|
|
// return Profiles.getOrCreate();
|
|
console.log('[getProfile] req.oauth3.accountIdx:', req.oauth3.accountIdx);
|
|
var promise = req.Models.IssuerOauth3OrgProfiles.get(req.oauth3.accountIdx).then(function (result) {
|
|
var err;
|
|
if (!result) {
|
|
err = new Error(
|
|
"No profile exists for '" + req.oauth3.accountIdx + "'. Please create a profile or perform dual-login to link this credential to an existing one."
|
|
);
|
|
err.code = 'E_NO_PROFILE@oauth3.org';
|
|
return PromiseA.reject({ message: err.message, code: err.code });
|
|
//return { id: undefined, sub: req.oauth3.accountIdx.split('@')[0], iss: req.oauth3.accountIdx.split('@')[1] };
|
|
}
|
|
|
|
result.id = undefined;
|
|
//result.prv = undefined;
|
|
|
|
return req.Models.IssuerOauth3OrgContactNodes.find({ accountId: req.oauth3.accountIdx }).then(filterRejectable).then(function (nodes) {
|
|
result.nodes = nodes;
|
|
return result;
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] get profile');
|
|
};
|
|
restful.setProfile = function (req, res) {
|
|
console.log('[setProfile] req.oauth3:');
|
|
console.log(req.oauth3);
|
|
|
|
var body = req.body;
|
|
var query = { accountIdx: req.oauth3.accountIdx, sub: req.oauth3.accountIdx.split('@')[0], iss: req.oauth3.accountIdx.split('@')[1] };
|
|
// was previously accountIdx, which should have been sub@iss anyway...
|
|
var promise = Profiles.oneOrCreate(req, res, query).then(function (result) {
|
|
var changed = false;
|
|
|
|
console.log('[setProfile] get gotten:');
|
|
console.log(result);
|
|
|
|
if (!result) { throw new OpErr("profile could not be found"); /*result = { accountId: req.oauth3.accountIdx, displayName: '', firstName: '', lastName: '', avatarUrl: '' };*/ }
|
|
|
|
// TODO schema for validation
|
|
[ 'firstName', 'lastName', 'avatarUrl', 'displayName' ].forEach(function (key) {
|
|
if ('string' === typeof body[key] && -1 === [ 'null', 'undefined' ].indexOf(body[key])) {
|
|
if (result[key] !== body[key]) {
|
|
result[key] = body[key];
|
|
changed = true;
|
|
}
|
|
}
|
|
});
|
|
|
|
if (body.email && (result.email !== body.email)) {
|
|
if (result.unverifiedEmail !== body.email) {
|
|
changed = true;
|
|
result.unverifiedEmail = body.email;
|
|
}
|
|
}
|
|
|
|
if (changed) {
|
|
return req.Models.IssuerOauth3OrgProfiles.upsert(result).then(function () { console.log('[setProfile] update updated'); return result; });
|
|
}
|
|
|
|
return result;
|
|
}).then(function (result) {
|
|
result.id = undefined;
|
|
//result.prv = undefined;
|
|
return result;
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] set profile');
|
|
};
|
|
restful.listContactNodes = function (req, res) {
|
|
/*
|
|
var contactClaimId = crypto.createHash('sha256').update((req.oauth3._IDX_ || req.oauth3.accountIdx)+':'+code.node.type+':'+code.node.node).digest('base64');
|
|
return req.Models.IssuerOauth3OrgContactNodes.get(contactClaimId).then(function (contactClaim) {
|
|
return;
|
|
});
|
|
*/
|
|
};
|
|
restful.claimContact = function (req, res) {
|
|
var type = req.body.type;
|
|
var node = req.body.node;
|
|
var promise = createOtp(req.Models, { username_type: type, username: node }).then(function (code) {
|
|
var emailParams = {
|
|
to: node,
|
|
from: 'login@daplie.com',
|
|
replyTo: 'hello@daplie.com',
|
|
subject: "Verify your email address: " + code.code,
|
|
text: "Your verification code is:\n\n"
|
|
+ code.code
|
|
+ "\n\nThis email address was requested to be used with Hello ID."
|
|
+ "\nIf you did not make the request you can safely ignore this message."
|
|
};
|
|
emailParams['h:Reply-To'] = emailParams.replyTo;
|
|
|
|
return req.getSiteCapability('email@daplie.com').then(function (mailer) {
|
|
return mailer.sendMailAsync(emailParams).then(function () {
|
|
return {
|
|
code_id: code.id,
|
|
expires: code.expires,
|
|
created: new Date(parseInt(code.createdAt, 10) || code.createdAt),
|
|
};
|
|
});
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] claim contact');
|
|
};
|
|
restful.verifyContact = function (req, res) {
|
|
var codeId = req.params.id;
|
|
var challenge = req.body.challenge || req.body.token || req.body.code;
|
|
var store = req.Models;
|
|
|
|
var promise = validateOtp(store.IssuerOauth3OrgCodes, codeId, challenge).then(function (code) {
|
|
if (!code.node || !code.node.type || !code.node.node) {
|
|
throw new OpErr("code didn't have contact node and type information");
|
|
}
|
|
|
|
// TODO this token may represent a 3rd-party credential or 1st-party profile. What should the ID be?
|
|
var contactClaimId = crypto.createHash('sha256').update((req.oauth3._IDX_ || req.oauth3.accountIdx)+':'+code.node.type+':'+code.node.node).digest('base64');
|
|
return req.Models.IssuerOauth3OrgContactNodes.get(contactClaimId).then(function (contactClaim) {
|
|
var now = Date.now();
|
|
if (!contactClaim) { contactClaim = { id: contactClaimId }; }
|
|
if (!contactClaim.verifiedAt) { contactClaim.verifiedAt = now; }
|
|
contactClaim.lastVerifiedAt = now;
|
|
|
|
return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () {
|
|
return { success: true };
|
|
});
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] verify contact');
|
|
};
|
|
|
|
return {
|
|
restful: restful,
|
|
};
|
|
}
|
|
|
|
module.exports.create = create;
|