walnut.js/lib/oauth3.js

339 lines
10 KiB
JavaScript
Raw Normal View History

'use strict';
var PromiseA = require('bluebird');
2017-09-12 22:32:33 +00:00
function generateRescope(req, Models, decoded, fullPpid, ppid) {
return function (/*sub*/) {
// TODO: this function is supposed to convert PPIDs of different parties to some account
// ID that allows application to keep track of permisions and what-not.
console.log('[rescope] Attempting ', fullPpid);
return Models.IssuerOauth3OrgGrants.find({ azpSub: fullPpid }).then(function (results) {
if (results[0]) {
2017-12-06 06:02:17 +00:00
console.log('[rescope] lucky duck: got it on the 1st try');
return results;
2017-09-12 22:32:33 +00:00
}
// XXX BUG XXX
// should be able to distinguish between own ids and 3rd party via @whatever.com
return Models.IssuerOauth3OrgGrants.find({ azpSub: ppid });
}).then(function (results) {
var result = results[0];
2017-12-06 06:02:17 +00:00
if (!result || !result.sub || !decoded.iss) {
console.log('[rescope] Not a 2nd party token...');
return Models.IssuerOauth3OrgProfiles.get(fullPpid);
}
return result;
}).then(function (result) {
2017-09-12 22:32:33 +00:00
if (!result || !result.sub || !decoded.iss) {
// XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
//req.oauth3.accountIdx = fullPpid;
2017-12-06 06:02:17 +00:00
console.log('[DEBUG] decoded:');
2017-12-05 22:18:03 +00:00
console.log(decoded);
2017-12-06 06:02:17 +00:00
console.log('[DEBUG] decoded.iss:', decoded.iss);
console.log('[DEBUG] fullPpid:', fullPpid);
console.log('[DEBUG] ppid:', ppid);
2017-12-06 07:46:25 +00:00
if (!req.oauth3.token.sub || !req.oauth3.token.iss) {
throw new Error(
"TODO: No profile found with that credential. Would you like to create a new profile or link to an existing profile?"
);
}
2017-09-12 22:32:33 +00:00
2017-12-06 07:46:25 +00:00
return req.oauth3.token.sub + '@' + req.oauth3.token.iss;
}
2017-12-06 06:02:17 +00:00
2017-09-12 22:32:33 +00:00
// XXX BUG XXX need to pass own url in to use as issuer for own tokens
2017-12-06 06:02:17 +00:00
req.oauth3.accountIdx = result.sub + '@' + (result.iss || decoded.iss);
2017-09-12 22:32:33 +00:00
console.log('[rescope] result:');
2017-12-06 06:02:17 +00:00
console.log(result);
console.log('[rescope] req.oauth3.accountIdx:', req.oauth3.accountIdx);
2017-09-12 22:32:33 +00:00
2017-12-06 06:02:17 +00:00
return req.oauth3.accountIdx;
2017-09-12 22:32:33 +00:00
});
};
}
function extractAccessToken(req) {
2017-08-11 23:00:18 +00:00
var token = null;
var parts;
var scheme;
var credentials;
if (req.headers && req.headers.authorization) {
// Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }}
parts = req.headers.authorization.split(' ');
if (parts.length !== 2) {
return PromiseA.reject(new Error("malformed Authorization header"));
}
scheme = parts[0];
credentials = parts[1];
if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) {
token = credentials;
}
}
if (req.body && req.body.access_token) {
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
token = req.body.access_token;
}
// TODO disallow query with req.method === 'GET'
// NOTE: the case of DDNS on routers requires a GET and access_token
// (cookies should be used for protected static assets)
if (req.query && req.query.access_token) {
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
token = req.query.access_token;
}
/*
err = new Error(challenge());
err.code = 'E_BEARER_REALM';
if (!token) { return PromiseA.reject(err); }
*/
return PromiseA.resolve(token);
}
function verifyToken(token) {
var jwt = require('jsonwebtoken');
var decoded;
if (!token) {
return PromiseA.reject({
message: 'no token provided'
, code: 'E_NO_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_NO_TOKEN'
});
}
try {
decoded = jwt.decode(token, {complete: true});
} catch (e) {}
if (!decoded) {
return PromiseA.reject({
message: 'provided token not a JSON Web Token'
, code: 'E_NOT_JWT'
, url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
});
}
var sub = decoded.payload.sub || decoded.payload.ppid || decoded.payload.appScopedId;
if (!sub) {
return PromiseA.reject({
message: 'token missing sub'
, code: 'E_MISSING_SUB'
, url: 'https://oauth3.org/docs/errors#E_MISSING_SUB'
});
}
var kid = decoded.header.kid || decoded.payload.kid;
if (!kid) {
return PromiseA.reject({
message: 'token missing kid'
, code: 'E_MISSING_KID'
, url: 'https://oauth3.org/docs/errors#E_MISSING_KID'
});
}
if (!decoded.payload.iss) {
return PromiseA.reject({
message: 'token missing iss'
, code: 'E_MISSING_ISS'
, url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
});
}
var OAUTH3 = require('oauth3.js');
OAUTH3._hooks = require('oauth3.js/oauth3.node.storage.js');
return OAUTH3.discover(decoded.payload.iss).then(function (directives) {
var args = (directives || {}).retrieve_jwk;
if (typeof args === 'string') {
args = { url: args, method: 'GET' };
}
if (typeof (args || {}).url !== 'string') {
return PromiseA.reject({
message: 'token issuer does not support retrieving JWKs'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
});
}
var params = {
sub: sub
, kid: kid
};
var url = args.url;
var body;
Object.keys(params).forEach(function (key) {
if (url.indexOf(':'+key) !== -1) {
url = url.replace(':'+key, params[key]);
delete params[key];
}
});
if (Object.keys(params).length > 0) {
if ('GET' === (args.method || 'GET').toUpperCase()) {
url += '?' + OAUTH3.query.stringify(params);
} else {
body = params;
}
}
return OAUTH3.request({
url: OAUTH3.url.resolve(directives.api, url)
, method: args.method
, data: body
2017-08-11 23:00:18 +00:00
}).catch(function (err) {
return PromiseA.reject({
message: 'failed to retrieve public key from token issuer'
, code: 'E_NO_PUB_KEY'
, url: 'https://oauth3.org/docs/errors#E_NO_PUB_KEY'
, subErr: err.toString()
});
});
}, function (err) {
return PromiseA.reject({
message: 'token issuer is not a valid OAuth3 provider'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
, subErr: err.toString()
});
}).then(function (res) {
if (res.data.error) {
return PromiseA.reject(res.data.error);
}
var opts = {};
if (Array.isArray(res.data.alg)) {
opts.algorithms = res.data.alg;
} else if (typeof res.data.alg === 'string') {
opts.algorithms = [res.data.alg];
}
try {
return jwt.verify(token, require('jwk-to-pem')(res.data), opts);
} catch (err) {
2017-12-05 22:36:46 +00:00
if ('TokenExpiredError' === err.name) {
2017-12-05 22:18:03 +00:00
return PromiseA.reject({
message: 'TokenExpiredError: jwt expired'
, code: 'E_TOKEN_EXPIRED'
, url: 'https://oauth3.org/docs/errors#E_TOKEN_EXPIRED'
});
}
return PromiseA.reject({
message: 'token verification failed'
, code: 'E_INVALID_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_INVALID_TOKEN'
, subErr: err.toString()
});
}
});
}
function deepFreeze(obj) {
Object.keys(obj).forEach(function (key) {
if (obj[key] && typeof obj[key] === 'object') {
deepFreeze(obj[key]);
}
});
Object.freeze(obj);
}
2017-09-12 22:32:33 +00:00
function cookieOauth3(Models, req, res, next) {
2017-08-30 17:47:31 +00:00
req.oauth3 = {};
2017-12-05 22:18:03 +00:00
var cookieName = 'jwt';
var token = req.cookies[cookieName];
2017-08-30 17:47:31 +00:00
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
return verifyToken(token).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
return null;
}
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
req.oauth3.ppid = ppid;
req.oauth3.accountIdx = ppid+'@'+decoded.iss;
var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
req.oauth3.accountHash = hash;
2017-09-12 22:32:33 +00:00
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
2017-08-30 17:47:31 +00:00
}).then(function () {
deepFreeze(req.oauth3);
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
if ('E_NO_TOKEN' === err.code) {
next();
return;
}
2017-12-05 22:18:03 +00:00
if ('E_TOKEN_EXPIRED' === err.code) {
res.clearCookie(cookieName);
next();
return;
}
2017-08-30 17:47:31 +00:00
console.error('[walnut] cookie lib/oauth3 error:');
console.error(err);
res.send(err);
});
}
2017-09-12 22:32:33 +00:00
function attachOauth3(Models, req, res, next) {
req.oauth3 = {};
extractAccessToken(req).then(function (token) {
2017-08-11 23:00:18 +00:00
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
if (!token) {
return null;
}
2017-08-11 23:00:18 +00:00
return verifyToken(token);
}).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
2017-08-11 23:00:18 +00:00
return null;
}
2017-08-11 23:00:18 +00:00
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
2017-09-12 22:32:33 +00:00
var fullPpid = ppid+'@'+decoded.iss;
req.oauth3.ppid = ppid;
2017-08-11 23:00:18 +00:00
2017-09-12 22:32:33 +00:00
// TODO we can anonymize the relationship between our user as the other service's user
// in our own database by hashing the remote service's ppid and using that as the lookup
var hash = require('crypto').createHash('sha256').update(fullPpid).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
2017-08-11 23:00:18 +00:00
req.oauth3.accountHash = hash;
2017-09-12 22:32:33 +00:00
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
console.log('############### assigned req.oauth3:');
console.log(req.oauth3);
}).then(function () {
2017-09-12 22:32:33 +00:00
//deepFreeze(req.oauth3);
2017-08-30 17:47:31 +00:00
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
2017-08-30 17:47:31 +00:00
console.error('[walnut] JWT lib/oauth3 error:');
2017-08-16 19:47:51 +00:00
console.error(err);
res.send(err);
});
}
module.exports.attachOauth3 = attachOauth3;
2017-08-30 17:47:31 +00:00
module.exports.cookieOauth3 = cookieOauth3;
module.exports.verifyToken = verifyToken;