357 lines
12 KiB
JavaScript
357 lines
12 KiB
JavaScript
'use strict';
|
|
|
|
var crypto = require('crypto');
|
|
var PromiseA = require('bluebird');
|
|
var OpErr = PromiseA.OperationalError;
|
|
var makeB64UrlSafe = require('./common').makeB64UrlSafe;
|
|
|
|
function retrieveOtp(codeStore, codeId) {
|
|
return codeStore.get(codeId).then(function (code) {
|
|
if (!code) {
|
|
return null;
|
|
}
|
|
|
|
var expires = (new Date(code.expires)).valueOf();
|
|
if (!expires || Date.now() > expires) {
|
|
return codeStore.destroy(codeId).then(function () {
|
|
return null;
|
|
});
|
|
}
|
|
|
|
return code;
|
|
});
|
|
}
|
|
function validateOtp(codeStore, codeId, token) {
|
|
if (!codeId) {
|
|
return PromiseA.reject(new Error("Must provide authcode ID"));
|
|
}
|
|
if (!token) {
|
|
return PromiseA.reject(new Error("Must provide authcode code"));
|
|
}
|
|
return codeStore.get(codeId).then(function (code) {
|
|
if (!code) {
|
|
throw new OpErr('authcode specified does not exist or has expired');
|
|
}
|
|
|
|
return PromiseA.resolve().then(function () {
|
|
var attemptsLeft = 3 - (code.attempts && code.attempts.length || 0);
|
|
if (attemptsLeft <= 0) {
|
|
throw new OpErr('you have tried to authorize this code too many times');
|
|
}
|
|
if (code.code !== token) {
|
|
throw new OpErr('you have entered the code incorrectly. '+attemptsLeft+' attempts remaining');
|
|
}
|
|
// TODO: maybe impose a rate limit, although going fast doesn't help you break the
|
|
// system when you can only try 3 times total.
|
|
}).then(function () {
|
|
return codeStore.destroy(codeId).then(function () {
|
|
return code;
|
|
});
|
|
}, function (err) {
|
|
code.attempts = code.attempts || [];
|
|
code.attempts.unshift(new Date());
|
|
|
|
return codeStore.upsert(codeId, code).then(function () {
|
|
return PromiseA.reject(err);
|
|
}, function () {
|
|
return PromiseA.reject(err);
|
|
});
|
|
});
|
|
});
|
|
}
|
|
|
|
function getOrCreate(store, username) {
|
|
return store.IssuerOauth3OrgAccounts.get(username).then(function (account) {
|
|
if (account) {
|
|
return account;
|
|
}
|
|
|
|
account = {
|
|
username: username,
|
|
accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')),
|
|
};
|
|
return store.IssuerOauth3OrgAccounts.create(username, account).then(function () {
|
|
// TODO: put sort sort of email notification to the server managers?
|
|
return account;
|
|
});
|
|
});
|
|
}
|
|
function getPrivKey(store, experienceId) {
|
|
return store.IssuerOauth3OrgPrivateKeys.get(experienceId).then(function (jwk) {
|
|
if (jwk) {
|
|
return jwk;
|
|
}
|
|
|
|
var keyPair = require('elliptic').ec('p256').genKeyPair();
|
|
jwk = {
|
|
kty: 'EC',
|
|
crv: 'P-256',
|
|
alg: 'ES256',
|
|
kid: experienceId,
|
|
x: makeB64UrlSafe(keyPair.getPublic().getX().toArrayLike(Buffer).toString('base64')),
|
|
y: makeB64UrlSafe(keyPair.getPublic().getY().toArrayLike(Buffer).toString('base64')),
|
|
d: makeB64UrlSafe(keyPair.getPrivate().toArrayLike(Buffer).toString('base64')),
|
|
};
|
|
|
|
return store.IssuerOauth3OrgPrivateKeys.upsert(experienceId, jwk).then(function () {
|
|
return jwk;
|
|
});
|
|
});
|
|
}
|
|
|
|
function timespan(duration, max) {
|
|
var timestamp = Math.floor(Date.now() / 1000);
|
|
|
|
if (!duration) {
|
|
return;
|
|
}
|
|
if (typeof duration === 'string') {
|
|
duration = Math.floor(require('ms')(duration) / 1000) || 0;
|
|
}
|
|
if (typeof duration !== 'number') {
|
|
return 0;
|
|
}
|
|
// Handle the case where the user gave us a timestamp instead of duration for the expiration.
|
|
// Also make the maximum explicitly defined expiration as one year.
|
|
if (duration > 31557600) {
|
|
if (duration > timestamp) {
|
|
return duration - timestamp;
|
|
} else {
|
|
return 31557600;
|
|
}
|
|
}
|
|
|
|
if (max && timestamp+duration > max) {
|
|
return max - timestamp;
|
|
}
|
|
return duration;
|
|
}
|
|
|
|
function create(app) {
|
|
var restful = {};
|
|
|
|
restful.sendOtp = function (req, res) {
|
|
var params = req.body;
|
|
var promise = PromiseA.resolve().then(function () {
|
|
if (!params || !params.username) {
|
|
throw new OpErr("must provide the email address as 'username' in the body");
|
|
}
|
|
if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) {
|
|
throw new OpErr("only email one-time login codes are supported at this time");
|
|
}
|
|
params.username_type = 'email';
|
|
|
|
return req.getSiteStore();
|
|
}).then(function (store) {
|
|
var codeStore = store.IssuerOauth3OrgCodes;
|
|
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
|
codeId = makeB64UrlSafe(codeId);
|
|
|
|
return retrieveOtp(codeStore, codeId).then(function (code) {
|
|
if (code) {
|
|
return code;
|
|
}
|
|
|
|
var token = '';
|
|
while (!/^\d{4}-\d{4}-\d{4}$/.test(token)) {
|
|
// Most of the number we can generate this was start with 1 (and no matter what can't
|
|
// start with 0), so we don't use the very first digit. Also basically all of the
|
|
// numbers are too big to accurately store in JS floats, so we limit the trailing 0's.
|
|
token = (parseInt(crypto.randomBytes(8).toString('hex'), 16)).toString()
|
|
.replace(/0+$/, '0').replace(/\d(\d{4})(\d{4})(\d{4}).*/, '$1-$2-$3');
|
|
}
|
|
code = {
|
|
id: codeId,
|
|
code: token,
|
|
expires: new Date(Date.now() + 20*60*1000),
|
|
};
|
|
return codeStore.upsert(codeId, code).then(function (){
|
|
return code;
|
|
});
|
|
});
|
|
}).then(function (code) {
|
|
var emailParams = {
|
|
to: params.username,
|
|
from: 'login@daplie.com', // opts.mailer.defaults.system
|
|
replyTo: 'hello@daplie.com',
|
|
subject: "Use " + code.code + " as your Login Code", // message.Subject
|
|
text: code.code + " is your Login Code." // message['stripped-html']
|
|
};
|
|
emailParams['h:Reply-To'] = emailParams.replyTo;
|
|
|
|
return req.getSiteMailer().sendMailAsync(emailParams).then(function () {
|
|
return {
|
|
code_id: code.id,
|
|
expires: code.expires,
|
|
created: new Date(parseInt(code.createdAt, 10) || code.createdAt),
|
|
};
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password');
|
|
};
|
|
|
|
restful.createToken = function (req, res) {
|
|
var store;
|
|
var promise = req.getSiteStore().then(function (_store) {
|
|
store = _store;
|
|
if (!req.body || !req.body.grant_type) {
|
|
throw new OpErr("missing 'grant_type' from the body");
|
|
}
|
|
|
|
if (req.body.grant_type === 'password') {
|
|
return restful.createToken.password(req);
|
|
}
|
|
if (req.body.grant_type === 'issuer_token') {
|
|
return restful.createToken.issuerToken(req);
|
|
}
|
|
if (req.body.grant_type === 'refresh_token') {
|
|
return restful.createToken.refreshToken(req);
|
|
}
|
|
|
|
throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
|
|
}).then(function (token_info) {
|
|
token_info.iss = req.experienceId;
|
|
if (!token_info.aud) {
|
|
throw new OpErr("missing required token field 'aud'");
|
|
}
|
|
if (!token_info.azp) {
|
|
throw new OpErr("missing required token field 'azp'");
|
|
}
|
|
|
|
if (token_info.iss === token_info.azp) {
|
|
// We don't have normal grants for the issuer, so we don't need to look the
|
|
// azpSub or the grants up in the database.
|
|
token_info.azpSub = token_info.sub;
|
|
token_info.scope = '';
|
|
return token_info;
|
|
}
|
|
|
|
var search = {};
|
|
['sub', 'azp', 'azpSub'].forEach(function (key) {
|
|
if (token_info[key]) {
|
|
search[key] = token_info[key];
|
|
}
|
|
});
|
|
return store.IssuerOauth3OrgGrants.find(search).then(function (grants) {
|
|
if (!grants.length) {
|
|
throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'");
|
|
}
|
|
if (grants.length > 1) {
|
|
throw new Error("unexpected resource collision: too many relevant grants");
|
|
}
|
|
var grant = grants[0];
|
|
Object.keys(grant).forEach(function (key) {
|
|
token_info[key] = grant[key];
|
|
});
|
|
return token_info;
|
|
});
|
|
}).then(function (token_info) {
|
|
return getPrivKey(store, req.experienceId).then(function (jwk) {
|
|
var pem = require('jwk-to-pem')(jwk, { private: true });
|
|
var payload = {
|
|
// standard
|
|
iss: token_info.iss, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
|
|
aud: token_info.aud, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3
|
|
azp: token_info.azp,
|
|
sub: token_info.azpSub, // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.2
|
|
// extended
|
|
scp: token_info.scope,
|
|
};
|
|
var opts = {
|
|
algorithm: jwk.alg,
|
|
header: {
|
|
kid: jwk.kid
|
|
}
|
|
};
|
|
var accessOpts = {};
|
|
// We set `expiresIn` like this to make it possible to send `null` and `exp` to have
|
|
// no expiration while still having a default of 1 day.
|
|
if (req.body.hasOwnProperty('exp')) {
|
|
accessOpts.expiresIn = timespan(req.body.exp, token_info.exp);
|
|
} else {
|
|
accessOpts.expiresIn = timespan('1h', token_info.exp);
|
|
}
|
|
var refreshOpts = {};
|
|
refreshOpts.expiresIn = timespan(req.body.refresh_exp, token_info.exp);
|
|
|
|
var jwt = require('jsonwebtoken');
|
|
var result = {};
|
|
result.scope = token_info.scope;
|
|
result.access_token = jwt.sign(payload, pem, Object.assign(accessOpts, opts));
|
|
if (req.body.refresh_token) {
|
|
if (token_info.refresh_token) {
|
|
result.refresh_token = token_info.refresh_token;
|
|
} else {
|
|
result.refresh_token = jwt.sign(payload, pem, Object.assign(refreshOpts, opts));
|
|
}
|
|
}
|
|
return result;
|
|
});
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens');
|
|
};
|
|
restful.createToken.password = function (req) {
|
|
var params = req.body;
|
|
if (!params || !params.username) {
|
|
return PromiseA.reject(PromiseA.OperationalError("must provide the email address as 'username' in the body"));
|
|
}
|
|
if ((params.username_type && 'email' !== params.username_type) || !/@/.test(params.username)) {
|
|
return PromiseA.reject(PromiseA.OperationalError("only email one-time login codes are supported at this time"));
|
|
}
|
|
params.username_type = 'email';
|
|
if (!params.password) {
|
|
return PromiseA.reject(new OpErr("request missing 'password'"));
|
|
}
|
|
|
|
var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64');
|
|
codeId = makeB64UrlSafe(codeId);
|
|
return req.getSiteStore().then(function (store) {
|
|
return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password)
|
|
.then(function () {
|
|
return getOrCreate(store, params.username);
|
|
}).then(function (account) {
|
|
return {
|
|
sub: account.accountId,
|
|
aud: req.params.aud || req.body.aud || req.experienceId,
|
|
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId,
|
|
};
|
|
});
|
|
});
|
|
};
|
|
restful.createToken.issuerToken = function (req) {
|
|
return require('./common').checkIsserToken(req, req.params.sub || req.body.sub).then(function (sub) {
|
|
return {
|
|
sub: sub,
|
|
aud: req.params.aud || req.body.aud || req.experienceId,
|
|
azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri,
|
|
exp: req.oauth3.token.exp,
|
|
};
|
|
});
|
|
};
|
|
restful.createToken.refreshToken = function (req) {
|
|
return PromiseA.resolve().then(function () {
|
|
if (!req.body.refresh_token) {
|
|
throw new OpErr("missing refresh token");
|
|
}
|
|
|
|
return req.oauth3.verifyAsync(req.body.refresh_token).then(function (token) {
|
|
return {
|
|
sub: token.sub,
|
|
aud: token.aud,
|
|
azp: token.azp,
|
|
exp: token.exp,
|
|
refresh_token: req.body.refresh_token,
|
|
};
|
|
});
|
|
});
|
|
};
|
|
|
|
return {
|
|
restful: restful,
|
|
};
|
|
}
|
|
|
|
module.exports.create = create;
|