Compare commits
3 Commits
installer-
...
master
Author | SHA1 | Date |
---|---|---|
AJ ONeal | e2e99a5c77 | |
AJ ONeal | 712e583183 | |
AJ ONeal | bb48c635e2 |
43
README.md
43
README.md
|
@ -19,7 +19,7 @@ Security Features
|
|||
* disallows cookies, except for protected static assets
|
||||
* api.* subdomain for apis
|
||||
* assets.* subdomain for protected assets
|
||||
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js))
|
||||
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.coolaj86.com/coolaj86/goldilocks.js))
|
||||
* HTTPS-only (checks for X-Forwarded-For)
|
||||
* AES, RSA, and ECDSA encryption and signing
|
||||
* Safe against CSRF, XSS, and SQL injection
|
||||
|
@ -34,14 +34,14 @@ Application Features
|
|||
|
||||
* JSON-only expressjs APIs
|
||||
* Capability-based permissions system for (oauth3-discoverable) packages such as
|
||||
* large file access (files@daplie.com)
|
||||
* database access (data@daplie.com)
|
||||
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
|
||||
* payments (credit card) (payments@daplie.com)
|
||||
* email (email@daplie.com)
|
||||
* SMS (texting) (tel@daplie.com)
|
||||
* voice (calls and answering machine) (tel@daplie.com)
|
||||
* lamba-style functions (functions@daplie.com)
|
||||
* large file access (files@oauth3.org)
|
||||
* database access (data@oauth3.org)
|
||||
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@oauth3.org)
|
||||
* payments (credit card) (payments@oauth3.org)
|
||||
* email (email@oauth3.org)
|
||||
* SMS (texting) (tel@oauth3.org)
|
||||
* voice (calls and answering machine) (tel@oauth3.org)
|
||||
* lamba-style functions (functions@oauth3.org)
|
||||
* Per-app, per-site, and per-user configurations
|
||||
* Multi-Tentated Application Management
|
||||
* Built-in OAuth2 & OAuth3 support
|
||||
|
@ -54,7 +54,7 @@ Installation
|
|||
We're still in a stage where the installation generally requires many manual steps.
|
||||
|
||||
```bash
|
||||
curl https://git.daplie.com/Daplie/walnut.js/raw/v1.2/installer/get.sh | bash
|
||||
curl https://git.coolaj86.com/coolaj86/walnut.js/raw/v1.2/installer/get.sh | bash
|
||||
```
|
||||
|
||||
See [INSTALL.md](/INSTALL.md)
|
||||
|
@ -104,7 +104,6 @@ Understanding Walnut
|
|||
│ ├── rest
|
||||
│ └── services
|
||||
└── var
|
||||
├── <<pkgname>>/config.json
|
||||
└── sites
|
||||
```
|
||||
|
||||
|
@ -132,7 +131,7 @@ Initialization
|
|||
needs to know its primary domain
|
||||
|
||||
```
|
||||
POST https://api.<domain.tld>/api/walnut@daplie.com/init
|
||||
POST https://api.<domain.tld>/api/walnut@oauth3.org/init
|
||||
|
||||
{ "domain": "<domain.tld>" }
|
||||
```
|
||||
|
@ -154,18 +153,18 @@ api.<domain.tld>
|
|||
assets.<domain.tld>
|
||||
```
|
||||
|
||||
The domains can be setup through the Daplie Desktop App or with `daplie-tools`
|
||||
The domains can be setup through the OAuth3 Desktop App or with `oauth3-tools`
|
||||
|
||||
```bash
|
||||
# set device address and attach primary domain
|
||||
daplie devices:attach -d foodevice -n example.com -a 127.0.0.1
|
||||
oauth3 devices:attach -d foodevice -n example.com -a 127.0.0.1
|
||||
|
||||
# attach all other domains with same device/address
|
||||
daplie devices:attach -d foodevice -n www.example.com
|
||||
daplie devices:attach -d foodevice -n api.example.com
|
||||
daplie devices:attach -d foodevice -n assets.example.com
|
||||
daplie devices:attach -d foodevice -n cloud.example.com
|
||||
daplie devices:attach -d foodevice -n api.cloud.example.com
|
||||
oauth3 devices:attach -d foodevice -n www.example.com
|
||||
oauth3 devices:attach -d foodevice -n api.example.com
|
||||
oauth3 devices:attach -d foodevice -n assets.example.com
|
||||
oauth3 devices:attach -d foodevice -n cloud.example.com
|
||||
oauth3 devices:attach -d foodevice -n api.cloud.example.com
|
||||
```
|
||||
|
||||
Example `/etc/goldilocks/goldilocks.yml`:
|
||||
|
@ -195,7 +194,7 @@ Resetting the Initialization
|
|||
Once you run the app the initialization files will appear in these locations
|
||||
|
||||
```
|
||||
/srv/walnut/var/walnut+config@daplie.com.sqlite3
|
||||
/srv/walnut/var/walnut+config@oauth3.org.sqlite3
|
||||
/srv/walnut/config/<domain.tld>/config.json
|
||||
```
|
||||
|
||||
|
@ -280,7 +279,7 @@ The packages:
|
|||
The permissions:
|
||||
|
||||
```
|
||||
/srv/walnut/etc/
|
||||
/srv/walnut/packages/
|
||||
└── client-api-grants
|
||||
└── cloud.foobar.me
|
||||
'''
|
||||
|
@ -291,7 +290,7 @@ The permissions:
|
|||
```
|
||||
/srv/walnut/var/
|
||||
└── sites
|
||||
└── daplie.me
|
||||
└── example.com
|
||||
'''
|
||||
seed@example.com # refers to /srv/walnut/packages/pages/seed@example.com
|
||||
'''
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
{ "mailgun.org": {
|
||||
"apiKey": "key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
, "apiPublicKey": "pubkey-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
, "auth": {
|
||||
"user": "mailer@example.com"
|
||||
, "pass": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
, "api_key": "key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
, "domain": "example.com"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -7,7 +7,7 @@ my_ver=master
|
|||
my_tmp=$(mktemp -d)
|
||||
|
||||
mkdir -p $my_tmp/opt/$my_name/lib/node_modules/$my_name
|
||||
git clone https://git.daplie.com/Daplie/walnut.js.git $my_tmp/opt/$my_name/core
|
||||
git clone https://git.coolaj86.com/coolaj86/walnut.js.git $my_tmp/opt/$my_name/core
|
||||
|
||||
echo "Installing to $my_tmp (will be moved after install)"
|
||||
pushd $my_tmp/opt/$my_name/core
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# #
|
||||
###############################
|
||||
|
||||
# See https://git.daplie.com/Daplie/daplie-snippets/blob/master/bash/http-get.sh
|
||||
# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
|
||||
|
||||
_h_http_get=""
|
||||
_h_http_opts=""
|
||||
|
|
|
@ -6,7 +6,7 @@ set -u
|
|||
### IMPORTANT ###
|
||||
### VERSION ###
|
||||
my_name=walnut
|
||||
my_app_pkg_name=com.daplie.walnut.web
|
||||
my_app_pkg_name=org.oauth3.walnut.web
|
||||
my_app_ver="v1.2"
|
||||
my_azp_oauth3_ver="v1.2"
|
||||
# is the old version still needed in launchpad?
|
||||
|
@ -30,7 +30,7 @@ my_app_ver="v1.2"
|
|||
my_launchpad_ver="v1.2"
|
||||
my_iss_oauth3_rest_ver="v1.2.0"
|
||||
my_iss_oauth3_pages_ver="v1.2.1"
|
||||
my_www_daplie_ver=v1.0.15
|
||||
my_www_ppl_ver=v1.0.15
|
||||
export NODE_VERSION="v8.9.0"
|
||||
#################
|
||||
export NODE_PATH=$my_tmp/opt/$my_name/lib/node_modules
|
||||
|
@ -44,7 +44,7 @@ my_npm="$NPM_CONFIG_PREFIX/bin/npm"
|
|||
# TODO un-hardcode core at al
|
||||
#my_app_dist=$my_tmp/opt/$my_name/lib/node_modules/$my_name/dist
|
||||
my_app_dist=$my_tmp/opt/$my_name/core/dist
|
||||
installer_base="https://git.daplie.com/Daplie/goldilocks.js/raw/$my_app_ver"
|
||||
installer_base="https://git.coolaj86.com/coolaj86/goldilocks.js/raw/$my_app_ver"
|
||||
|
||||
# Backwards compat
|
||||
# some scripts still use the old names
|
||||
|
@ -102,8 +102,8 @@ pushd $my_tmp/opt/$my_name/core
|
|||
$my_npm install
|
||||
popd
|
||||
|
||||
git clone https://git.daplie.com/Daplie/walnut_launchpad.git $my_tmp/opt/$my_name/core/lib/walnut@daplie.com/setup
|
||||
pushd $my_tmp/opt/$my_name/core/lib/walnut@daplie.com/setup
|
||||
git clone https://git.coolaj86.com/coolaj86/walnut_launchpad.html.git $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
|
||||
pushd $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
|
||||
git pull
|
||||
git checkout $my_launchpad_ver
|
||||
|
||||
|
@ -130,9 +130,9 @@ pushd $my_tmp/opt/$my_name/packages
|
|||
popd
|
||||
popd
|
||||
|
||||
git clone https://git.daplie.com/Daplie/walnut_rest_www_daplie.com.git rest/www@daplie.com
|
||||
pushd rest/www@daplie.com
|
||||
git checkout $my_www_daplie_ver
|
||||
git clone https://git.coolaj86.com/coolaj86/walnut_rest_www_oauth3.org.js.git rest/www@oauth3.org
|
||||
pushd rest/www@oauth3.org
|
||||
git checkout $my_www_ppl_ver
|
||||
$my_npm install
|
||||
popd
|
||||
popd
|
||||
|
|
57
lib/apis.js
57
lib/apis.js
|
@ -124,7 +124,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
var tok = req.oauth3.token;
|
||||
var accountId = req.params.accountId || '__NO_ID_GIVEN__';
|
||||
var ppid;
|
||||
var iss = tok.iss;
|
||||
|
||||
if (tok.sub && tok.sub.split(/,/g).filter(function (ppid) {
|
||||
return ppid === accountId;
|
||||
|
@ -132,7 +131,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
ppid = accountId;
|
||||
}
|
||||
|
||||
// Deprecated backwards compat. To be removed.
|
||||
if (tok.axs && tok.axs.filter(function (acc) {
|
||||
return acc.id === accountId || acc.appScopedId === accountId;
|
||||
}).length) {
|
||||
|
@ -147,9 +145,10 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
return PromiseA.reject(new Error("missing accountId '" + accountId + "' in access token"));
|
||||
}
|
||||
|
||||
return req.oauth3.rescope().then(function (accountIdx) {
|
||||
return req.oauth3.rescope(ppid).then(function (accountIdx) {
|
||||
req.oauth3.accountIdx = accountIdx;
|
||||
req.oauth3.ppid = ppid;
|
||||
req.oauth3.accountHash = crypto.createHash('sha1').update(accountIdx).digest('hex');
|
||||
//console.log('[walnut@daplie.com] accountIdx:', accountIdx);
|
||||
//console.log('[walnut@daplie.com] ppid:', ppid);
|
||||
|
||||
|
@ -161,31 +160,19 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
}
|
||||
|
||||
function accountRequired(req, res, next) {
|
||||
console.log('[accountRequired] [enter]');
|
||||
|
||||
var myIss = req.experienceId;
|
||||
var isPpid;
|
||||
|
||||
// if this already has auth, great
|
||||
if (req.oauth3.ppid && req.oauth3.accountIdx) {
|
||||
// except that if it's a ppid, we have to internally exchange it for the real token
|
||||
isPpid = (myIss === req.oauth3.iss && myIss !== req.oauth3.azp);
|
||||
if (!isPpid) {
|
||||
console.log('[accountRequired] has token already');
|
||||
console.log(req.oauth3);
|
||||
console.log('');
|
||||
next();
|
||||
return;
|
||||
}
|
||||
|
||||
// being public does not disallow authentication
|
||||
if (req.isPublic && !req.oauth3.encodedToken) {
|
||||
next();
|
||||
return;
|
||||
}
|
||||
|
||||
if (!req.oauth3.encodedToken) {
|
||||
// being public does not disallow authentication
|
||||
if (req.isPublic) {
|
||||
next();
|
||||
return;
|
||||
}
|
||||
|
||||
rejectableRequest(
|
||||
req
|
||||
, res
|
||||
|
@ -200,7 +187,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
var tok = req.oauth3.token;
|
||||
var ppid;
|
||||
var err;
|
||||
var iss = tok.iss;
|
||||
|
||||
if (tok.sub) {
|
||||
if (tok.sub.split(/,/g).length > 1) {
|
||||
|
@ -209,30 +195,25 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
|
|||
}
|
||||
ppid = tok.sub;
|
||||
}
|
||||
else if (tok.axs && tok.axs.length) {
|
||||
if (tok.axs.length > 1) {
|
||||
err = new Error("more than one 'axs' specified in token (also, update to using 'sub' instead)");
|
||||
return PromiseA.reject(err);
|
||||
}
|
||||
ppid = tok.axs[0].appScopedId || tok.axs[0].id;
|
||||
}
|
||||
else if (tok.acx) {
|
||||
ppid = tok.acx.appScopedId || tok.acx.id || tok.acx;
|
||||
}
|
||||
|
||||
if (!ppid) {
|
||||
return PromiseA.reject(new Error("could not determine accountId from access token"));
|
||||
}
|
||||
|
||||
return req.oauth3.rescope().then(function (accountIdx) {
|
||||
console.log('[accountRequired] req.oauth3');
|
||||
console.log(accountIdx);
|
||||
|
||||
var sub = accountIdx.split('@')[0];
|
||||
var iss = accountIdx.split('@')[1];
|
||||
var id = sub + '@' + iss;
|
||||
|
||||
req.oauth3.profile = {
|
||||
id: id
|
||||
, sub: sub
|
||||
, iss: iss
|
||||
};
|
||||
req.oauth3.id = id;
|
||||
req.oauth3.sub = sub;
|
||||
req.oauth3.iss = iss;
|
||||
|
||||
return req.oauth3.rescope(ppid).then(function (accountIdx) {
|
||||
req.oauth3.accountIdx = accountIdx;
|
||||
req.oauth3.ppid = ppid;
|
||||
req.oauth3.accountHash = crypto.createHash('sha1').update(accountIdx).digest('hex');
|
||||
|
||||
next();
|
||||
});
|
||||
|
|
252
lib/oauth3.js
252
lib/oauth3.js
|
@ -2,17 +2,15 @@
|
|||
|
||||
var PromiseA = require('bluebird');
|
||||
|
||||
function generateRescope(req, Models, decoded) {
|
||||
var fullPpid = decoded.sub+'@'+decoded.iss;
|
||||
var ppid = decoded.sub;
|
||||
function generateRescope(req, Models, decoded, fullPpid, ppid) {
|
||||
return function (/*sub*/) {
|
||||
// TODO: this function is supposed to convert PPIDs of different parties to some account
|
||||
// ID that allows application to keep track of permisions and what-not.
|
||||
console.log('[rescope] Attempting ', fullPpid);
|
||||
return Models.IssuerOauth3OrgGrants.find({ azpSub: fullPpid }).then(function (results) {
|
||||
if (results[0]) {
|
||||
console.log('[rescope] lucky duck: got it on the 1st try');
|
||||
return results;
|
||||
console.log('[rescope] lukcy duck: got it on the 1st try');
|
||||
return PromiseA.resolve(results);
|
||||
}
|
||||
|
||||
// XXX BUG XXX
|
||||
|
@ -21,46 +19,71 @@ function generateRescope(req, Models, decoded) {
|
|||
}).then(function (results) {
|
||||
var result = results[0];
|
||||
|
||||
if (!result || !result.sub || !decoded.iss) {
|
||||
console.log('[rescope] Not a 2nd party token...');
|
||||
return Models.IssuerOauth3OrgProfiles.get(fullPpid);
|
||||
}
|
||||
|
||||
return result;
|
||||
}).then(function (result) {
|
||||
var err;
|
||||
|
||||
if (!result || !result.sub || !decoded.iss) {
|
||||
// XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
|
||||
//req.oauth3.accountIdx = fullPpid;
|
||||
console.log('[DEBUG] decoded:');
|
||||
console.log(decoded);
|
||||
console.log('[DEBUG] decoded.iss:', decoded.iss);
|
||||
console.log('[DEBUG] fullPpid:', fullPpid);
|
||||
console.log('[DEBUG] ppid:', ppid);
|
||||
|
||||
err = new Error(
|
||||
"TODO: No profile found with that credential. Would you like to create a new profile or link to an existing profile?"
|
||||
);
|
||||
err.code = "E_NO_PROFILE@oauth3.org"
|
||||
throw err;
|
||||
//return req.oauth3.token.sub + '@' + req.oauth3.token.iss;
|
||||
throw new Error("internal / external ID swapping not yet implemented. TODO: "
|
||||
+ "No profile found with that credential. Would you like to create a new profile or link to an existing profile?");
|
||||
}
|
||||
|
||||
// XXX BUG XXX need to pass own url in to use as issuer for own tokens
|
||||
req.oauth3.accountIdx = result.sub + '@' + (result.iss || decoded.iss);
|
||||
req.oauth3.accountIdx = result.sub + '@' + decoded.iss;
|
||||
|
||||
console.log('[rescope] result:');
|
||||
console.log(result);
|
||||
console.log('[rescope] req.oauth3.accountIdx:', req.oauth3.accountIdx);
|
||||
console.log(results);
|
||||
console.log(req.oauth3.accountIdx);
|
||||
|
||||
return req.oauth3.accountIdx;
|
||||
return PromiseA.resolve(req.oauth3.accountIdx);
|
||||
});
|
||||
};
|
||||
}
|
||||
|
||||
function verifyToken(token, opts) {
|
||||
opts = opts || { audiences: [], complete: false };
|
||||
function extractAccessToken(req) {
|
||||
var token = null;
|
||||
var parts;
|
||||
var scheme;
|
||||
var credentials;
|
||||
|
||||
if (req.headers && req.headers.authorization) {
|
||||
// Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }}
|
||||
parts = req.headers.authorization.split(' ');
|
||||
|
||||
if (parts.length !== 2) {
|
||||
return PromiseA.reject(new Error("malformed Authorization header"));
|
||||
}
|
||||
|
||||
scheme = parts[0];
|
||||
credentials = parts[1];
|
||||
|
||||
if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) {
|
||||
token = credentials;
|
||||
}
|
||||
}
|
||||
|
||||
if (req.body && req.body.access_token) {
|
||||
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
|
||||
token = req.body.access_token;
|
||||
}
|
||||
|
||||
// TODO disallow query with req.method === 'GET'
|
||||
// NOTE: the case of DDNS on routers requires a GET and access_token
|
||||
// (cookies should be used for protected static assets)
|
||||
if (req.query && req.query.access_token) {
|
||||
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
|
||||
token = req.query.access_token;
|
||||
}
|
||||
|
||||
/*
|
||||
err = new Error(challenge());
|
||||
err.code = 'E_BEARER_REALM';
|
||||
|
||||
if (!token) { return PromiseA.reject(err); }
|
||||
*/
|
||||
|
||||
return PromiseA.resolve(token);
|
||||
}
|
||||
|
||||
function verifyToken(token) {
|
||||
var jwt = require('jsonwebtoken');
|
||||
var decoded;
|
||||
|
||||
|
@ -75,7 +98,6 @@ function verifyToken(token, opts) {
|
|||
try {
|
||||
decoded = jwt.decode(token, {complete: true});
|
||||
} catch (e) {}
|
||||
|
||||
if (!decoded) {
|
||||
return PromiseA.reject({
|
||||
message: 'provided token not a JSON Web Token'
|
||||
|
@ -108,27 +130,6 @@ function verifyToken(token, opts) {
|
|||
});
|
||||
}
|
||||
|
||||
var audMatch = decoded.payload.aud && ('*' === decoded.payload.aud || opts.audiences.some(function (aud) { return -1 !== decoded.payload.aud.split(',').indexOf(aud); }));
|
||||
var azpMatch = decoded.payload.azp && ('*' === decoded.payload.azp || opts.audiences.some(function (aud) { return -1 !== decoded.payload.azp.split(',').indexOf(aud); }));
|
||||
|
||||
if (!audMatch) {
|
||||
console.log("[verifyToken] 'aud' '" + decoded.payload.aud + "' does not match '" + opts.audiences.join(',') + "'");
|
||||
}
|
||||
// TODO needs an option to verify that the sender of the token was, in fact, the azp (i.e. the Origin and/or Referer Headers)
|
||||
if (!azpMatch) {
|
||||
console.log("[verifyToken] 'azp' '" + decoded.payload.azp + "' does not match '" + opts.audiences.join(',') + "'");
|
||||
}
|
||||
|
||||
if (!audMatch && !azpMatch) {
|
||||
err = new Error(
|
||||
"Application '" + req.experienceId + "' refused token because '" + decoded.payload.aud + "' is not an accepted audience (aud)"
|
||||
+ " and '" + decoded.payload.azp + "' is not an authorized party (azp)"
|
||||
);
|
||||
err.code = 'E_TOKEN_AUD';
|
||||
err.url = 'https://oauth3.org/docs/errors#E_TOKEN_AUD'
|
||||
return PromiseA.reject(err);
|
||||
}
|
||||
|
||||
var OAUTH3 = require('oauth3.js');
|
||||
OAUTH3._hooks = require('oauth3.js/oauth3.node.storage.js');
|
||||
return OAUTH3.discover(decoded.payload.iss).then(function (directives) {
|
||||
|
@ -187,27 +188,16 @@ function verifyToken(token, opts) {
|
|||
if (res.data.error) {
|
||||
return PromiseA.reject(res.data.error);
|
||||
}
|
||||
var opts2 = {};
|
||||
var opts = {};
|
||||
if (Array.isArray(res.data.alg)) {
|
||||
opts2.algorithms = res.data.alg;
|
||||
opts.algorithms = res.data.alg;
|
||||
} else if (typeof res.data.alg === 'string') {
|
||||
opts2.algorithms = [res.data.alg];
|
||||
opts.algorithms = [res.data.alg];
|
||||
}
|
||||
|
||||
try {
|
||||
if (opts.complete) {
|
||||
opts2.complete = true;
|
||||
}
|
||||
return jwt.verify(token, require('jwk-to-pem')(res.data), opts2);
|
||||
return jwt.verify(token, require('jwk-to-pem')(res.data), opts);
|
||||
} catch (err) {
|
||||
if ('TokenExpiredError' === err.name) {
|
||||
return PromiseA.reject({
|
||||
message: 'TokenExpiredError: jwt expired'
|
||||
, code: 'E_TOKEN_EXPIRED'
|
||||
, url: 'https://oauth3.org/docs/errors#E_TOKEN_EXPIRED'
|
||||
});
|
||||
}
|
||||
|
||||
return PromiseA.reject({
|
||||
message: 'token verification failed'
|
||||
, code: 'E_INVALID_TOKEN'
|
||||
|
@ -227,47 +217,32 @@ function deepFreeze(obj) {
|
|||
Object.freeze(obj);
|
||||
}
|
||||
|
||||
function fiddleOauth3(Models, req) {
|
||||
var token = req.oauth3.encodedToken;
|
||||
function cookieOauth3(Models, req, res, next) {
|
||||
req.oauth3 = {};
|
||||
|
||||
req.oauth3.verifyAsync = function (jwt, opts) {
|
||||
return verifyToken(jwt || token, opts || { audiences: [ req.experienceId ] });
|
||||
var token = req.cookies.jwt;
|
||||
|
||||
req.oauth3.encodedToken = token;
|
||||
req.oauth3.verifyAsync = function (jwt) {
|
||||
return verifyToken(jwt || token);
|
||||
};
|
||||
|
||||
if (!token) {
|
||||
return PromiseA.resolve(null);
|
||||
}
|
||||
|
||||
return verifyToken(token, { complete: false, audiences: [ req.experienceId ] }).then(function (decoded) {
|
||||
var err;
|
||||
return verifyToken(token).then(function (decoded) {
|
||||
req.oauth3.token = decoded;
|
||||
|
||||
if (!decoded) {
|
||||
return null;
|
||||
}
|
||||
|
||||
req.oauth3.ppid = decoded.sub;
|
||||
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
|
||||
req.oauth3.ppid = ppid;
|
||||
req.oauth3.accountIdx = ppid+'@'+decoded.iss;
|
||||
|
||||
req.oauth3.id = decoded.sub + '@' + decoded.iss;
|
||||
req.oauth3.sub = decoded.sub;
|
||||
req.oauth3.iss = decoded.iss;
|
||||
req.oauth3.azp = decoded.azp;
|
||||
req.oauth3.aud = decoded.aud;
|
||||
var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
|
||||
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
|
||||
req.oauth3.accountHash = hash;
|
||||
|
||||
req.oauth3.accountIdx = req.oauth3.id;
|
||||
|
||||
req.oauth3.rescope = generateRescope(req, Models, decoded);
|
||||
});
|
||||
}
|
||||
|
||||
function cookieOauth3(Models, req, res, next) {
|
||||
req.oauth3 = {};
|
||||
|
||||
var cookieName = 'jwt';
|
||||
var token = req.cookies[cookieName];
|
||||
|
||||
req.oauth3.encodedToken = token;
|
||||
fiddleOauth3(Models, req).then(function () {
|
||||
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
|
||||
}).then(function () {
|
||||
deepFreeze(req.oauth3);
|
||||
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
|
||||
next();
|
||||
|
@ -276,11 +251,6 @@ function cookieOauth3(Models, req, res, next) {
|
|||
next();
|
||||
return;
|
||||
}
|
||||
if ('E_TOKEN_EXPIRED' === err.code) {
|
||||
res.clearCookie(cookieName);
|
||||
next();
|
||||
return;
|
||||
}
|
||||
console.error('[walnut] cookie lib/oauth3 error:');
|
||||
console.error(err);
|
||||
res.send(err);
|
||||
|
@ -290,49 +260,37 @@ function cookieOauth3(Models, req, res, next) {
|
|||
function attachOauth3(Models, req, res, next) {
|
||||
req.oauth3 = {};
|
||||
|
||||
var token = null;
|
||||
var parts;
|
||||
var scheme;
|
||||
var credentials;
|
||||
|
||||
if (req.headers && req.headers.authorization) {
|
||||
// Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }}
|
||||
parts = req.headers.authorization.split(' ');
|
||||
|
||||
if (parts.length !== 2) {
|
||||
return PromiseA.reject(new Error("malformed Authorization header"));
|
||||
}
|
||||
|
||||
scheme = parts[0];
|
||||
credentials = parts[1];
|
||||
|
||||
if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) {
|
||||
token = credentials;
|
||||
}
|
||||
}
|
||||
|
||||
if (req.body && req.body.access_token) {
|
||||
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
|
||||
token = req.body.access_token;
|
||||
}
|
||||
|
||||
// TODO disallow query with req.method === 'GET'
|
||||
// NOTE: the case of DDNS on routers requires a GET and access_token
|
||||
// (cookies should be used for protected static assets)
|
||||
if (req.query && req.query.access_token) {
|
||||
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
|
||||
token = req.query.access_token;
|
||||
}
|
||||
|
||||
/*
|
||||
err = new Error(challenge());
|
||||
err.code = 'E_BEARER_REALM';
|
||||
|
||||
if (!token) { return PromiseA.reject(err); }
|
||||
*/
|
||||
|
||||
extractAccessToken(req).then(function (token) {
|
||||
req.oauth3.encodedToken = token;
|
||||
fiddleOauth3(Models, req).then(function () {
|
||||
req.oauth3.verifyAsync = function (jwt) {
|
||||
return verifyToken(jwt || token);
|
||||
};
|
||||
|
||||
if (!token) {
|
||||
return null;
|
||||
}
|
||||
return verifyToken(token);
|
||||
}).then(function (decoded) {
|
||||
req.oauth3.token = decoded;
|
||||
if (!decoded) {
|
||||
return null;
|
||||
}
|
||||
|
||||
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
|
||||
var fullPpid = ppid+'@'+decoded.iss;
|
||||
req.oauth3.ppid = ppid;
|
||||
|
||||
// TODO we can anonymize the relationship between our user as the other service's user
|
||||
// in our own database by hashing the remote service's ppid and using that as the lookup
|
||||
var hash = require('crypto').createHash('sha256').update(fullPpid).digest('base64');
|
||||
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
|
||||
req.oauth3.accountHash = hash;
|
||||
|
||||
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
|
||||
|
||||
console.log('############### assigned req.oauth3:');
|
||||
console.log(req.oauth3);
|
||||
}).then(function () {
|
||||
//deepFreeze(req.oauth3);
|
||||
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
|
||||
next();
|
||||
|
|
20
package.json
20
package.json
|
@ -8,7 +8,7 @@
|
|||
},
|
||||
"repository": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/Daplie/walnut.git"
|
||||
"url": "https://git.coolaj86.com/coolaj86/walnut.js.git"
|
||||
},
|
||||
"bin": {
|
||||
"walnut": "./bin/walnut.js"
|
||||
|
@ -33,16 +33,16 @@
|
|||
"private",
|
||||
"public"
|
||||
],
|
||||
"author": "AJ ONeal <aj@daplie.com> (https://daplie.com)",
|
||||
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com)",
|
||||
"license": "(MIT or Apache2)",
|
||||
"bugs": {
|
||||
"url": "https://github.com/Daplie/walnut/issues"
|
||||
"url": "https://git.coolaj86.com/coolaj86/walnut.js/issues"
|
||||
},
|
||||
"homepage": "https://github.com/Daplie/walnut",
|
||||
"homepage": "https://git.coolaj86.com/coolaj86/walnut.js",
|
||||
"dependencies": {
|
||||
"bluebird": "3.x",
|
||||
"body-parser": "1.x",
|
||||
"cluster-store": "git+https://git.daplie.com/Daplie/cluster-store.git#v2",
|
||||
"cluster-store": "^2.0.8",
|
||||
"connect": "3.x",
|
||||
"connect-cors": "0.5.x",
|
||||
"connect-recase": "^1.0.2",
|
||||
|
@ -57,7 +57,7 @@
|
|||
"jwk-to-pem": "^1.2.6",
|
||||
"mailchimp-api-v3": "^1.7.0",
|
||||
"mandrill-api": "^1.0.45",
|
||||
"masterquest-sqlite3": "git+https://git.daplie.com/node/masterquest-sqlite3.git",
|
||||
"masterquest-sqlite3": "^1.1.1",
|
||||
"mkdirp": "^0.5.1",
|
||||
"multiparty": "^4.1.3",
|
||||
"nodemailer": "^1.4.0",
|
||||
|
@ -67,8 +67,14 @@
|
|||
"request": "^2.81.0",
|
||||
"scmp": "^2.0.0",
|
||||
"serve-static": "1.x",
|
||||
"sqlite3-cluster": "git+https://git.daplie.com/coolaj86/sqlite3-cluster.git#v2",
|
||||
"sqlite3-cluster": "^2.1.2",
|
||||
"stripe": "^4.22.0",
|
||||
"twilio": "1.x"
|
||||
},
|
||||
"gitDependencies": {
|
||||
"cluster-store": "git+https://git.coolaj86.com/coolaj86/cluster-store.git#v2",
|
||||
"masterquest-sqlite3": "git+https://git.coolaj86.com/coolaj86/masterquest-sqlite3.git",
|
||||
"oauth3.js": "git+https://git.oauth3.org/OAuth3/oauth3.js.git#v1.2",
|
||||
"sqlite3-cluster": "git+https://git.coolaj86.com/coolaj86/sqlite3-cluster.git#v2"
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue