miteruzo
/
nizika_video
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
ニジカ投稿局 https://tv.nizika.tv
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
24 MiB
Tree: 3d23752d9e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3d23752d9e'
${ noResults }
nizika_video/server/core/lib/auth/oauth.ts

oauth.ts 6.8 KiB
Raw Normal View History

はじまりの大地
2 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230 
  1. import express from 'express'

  2. import OAuth2Server, {

  3.   InvalidClientError,

  4.   InvalidGrantError,

  5.   InvalidRequestError,

  6.   Request,

  7.   Response,

  8.   UnauthorizedClientError,

  9.   UnsupportedGrantTypeError

  10. } from '@node-oauth/oauth2-server'

  11. import { randomBytesPromise } from '@server/helpers/core-utils.js'

  12. import { isOTPValid } from '@server/helpers/otp.js'

  13. import { CONFIG } from '@server/initializers/config.js'

  14. import { UserRegistrationModel } from '@server/models/user/user-registration.js'

  15. import { MOAuthClient } from '@server/types/models/index.js'

  16. import { sha1 } from '@peertube/peertube-node-utils'

  17. import { HttpStatusCode, ServerErrorCode, UserRegistrationState } from '@peertube/peertube-models'

  18. import { OTP } from '../../initializers/constants.js'

  19. import { BypassLogin, getAccessToken, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model.js'

  20. 

  21. class MissingTwoFactorError extends Error {

  22.   code = HttpStatusCode.UNAUTHORIZED_401

  23.   name = ServerErrorCode.MISSING_TWO_FACTOR

  24. }

  25. 

  26. class InvalidTwoFactorError extends Error {

  27.   code = HttpStatusCode.BAD_REQUEST_400

  28.   name = ServerErrorCode.INVALID_TWO_FACTOR

  29. }

  30. 

  31. class RegistrationWaitingForApproval extends Error {

  32.   code = HttpStatusCode.BAD_REQUEST_400

  33.   name = ServerErrorCode.ACCOUNT_WAITING_FOR_APPROVAL

  34. }

  35. 

  36. class RegistrationApprovalRejected extends Error {

  37.   code = HttpStatusCode.BAD_REQUEST_400

  38.   name = ServerErrorCode.ACCOUNT_APPROVAL_REJECTED

  39. }

  40. 

  41. /**

  42.  *

  43.  * Reimplement some functions of OAuth2Server to inject external auth methods

  44.  *

  45.  */

  46. const oAuthServer = new OAuth2Server({

  47.   // Wants seconds

  48.   accessTokenLifetime: CONFIG.OAUTH2.TOKEN_LIFETIME.ACCESS_TOKEN / 1000,

  49.   refreshTokenLifetime: CONFIG.OAUTH2.TOKEN_LIFETIME.REFRESH_TOKEN / 1000,

  50. 

  51.   // See https://github.com/oauthjs/node-oauth2-server/wiki/Model-specification for the model specifications

  52.   model: {

  53.     getAccessToken,

  54.     getClient,

  55.     getRefreshToken,

  56.     getUser,

  57.     revokeToken,

  58.     saveToken

  59.   } as any // FIXME: typings

  60. })

  61. 

  62. // ---------------------------------------------------------------------------

  63. 

  64. async function handleOAuthToken (req: express.Request, options: { refreshTokenAuthName?: string, bypassLogin?: BypassLogin }) {

  65.   const request = new Request(req)

  66.   const { refreshTokenAuthName, bypassLogin } = options

  67. 

  68.   if (request.method !== 'POST') {

  69.     throw new InvalidRequestError('Invalid request: method must be POST')

  70.   }

  71. 

  72.   if (!request.is([ 'application/x-www-form-urlencoded' ])) {

  73.     throw new InvalidRequestError('Invalid request: content must be application/x-www-form-urlencoded')

  74.   }

  75. 

  76.   const clientId = request.body.client_id

  77.   const clientSecret = request.body.client_secret

  78. 

  79.   if (!clientId || !clientSecret) {

  80.     throw new InvalidClientError('Invalid client: cannot retrieve client credentials')

  81.   }

  82. 

  83.   const client = await getClient(clientId, clientSecret)

  84.   if (!client) {

  85.     throw new InvalidClientError('Invalid client: client is invalid')

  86.   }

  87. 

  88.   const grantType = request.body.grant_type

  89.   if (!grantType) {

  90.     throw new InvalidRequestError('Missing parameter: `grant_type`')

  91.   }

  92. 

  93.   if (![ 'password', 'refresh_token' ].includes(grantType)) {

  94.     throw new UnsupportedGrantTypeError('Unsupported grant type: `grant_type` is invalid')

  95.   }

  96. 

  97.   if (!client.grants.includes(grantType)) {

  98.     throw new UnauthorizedClientError('Unauthorized client: `grant_type` is invalid')

  99.   }

  100. 

  101.   if (grantType === 'password') {

  102.     return handlePasswordGrant({

  103.       request,

  104.       client,

  105.       bypassLogin

  106.     })

  107.   }

  108. 

  109.   return handleRefreshGrant({

  110.     request,

  111.     client,

  112.     refreshTokenAuthName

  113.   })

  114. }

  115. 

  116. function handleOAuthAuthenticate (

  117.   req: express.Request,

  118.   res: express.Response

  119. ) {

  120.   return oAuthServer.authenticate(new Request(req), new Response(res))

  121. }

  122. 

  123. export {

  124.   MissingTwoFactorError,

  125.   InvalidTwoFactorError,

  126. 

  127.   handleOAuthToken,

  128.   handleOAuthAuthenticate

  129. }

  130. 

  131. // ---------------------------------------------------------------------------

  132. 

  133. async function handlePasswordGrant (options: {

  134.   request: Request

  135.   client: MOAuthClient

  136.   bypassLogin?: BypassLogin

  137. }) {

  138.   const { request, client, bypassLogin } = options

  139. 

  140.   if (!request.body.username) {

  141.     throw new InvalidRequestError('Missing parameter: `username`')

  142.   }

  143. 

  144.   if (!bypassLogin && !request.body.password) {

  145.     throw new InvalidRequestError('Missing parameter: `password`')

  146.   }

  147. 

  148.   const user = await getUser(request.body.username, request.body.password, bypassLogin)

  149.   if (!user) {

  150.     const registration = await UserRegistrationModel.loadByEmailOrUsername(request.body.username)

  151. 

  152.     if (registration?.state === UserRegistrationState.REJECTED) {

  153.       throw new RegistrationApprovalRejected('Registration approval for this account has been rejected')

  154.     } else if (registration?.state === UserRegistrationState.PENDING) {

  155.       throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval')

  156.     }

  157. 

  158.     throw new InvalidGrantError('Invalid grant: user credentials are invalid')

  159.   }

  160. 

  161.   if (user.otpSecret) {

  162.     if (!request.headers[OTP.HEADER_NAME]) {

  163.       throw new MissingTwoFactorError('Missing two factor header')

  164.     }

  165. 

  166.     if (await isOTPValid({ encryptedSecret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) {

  167.       throw new InvalidTwoFactorError('Invalid two factor header')

  168.     }

  169.   }

  170. 

  171.   const token = await buildToken()

  172. 

  173.   return saveToken(token, client, user, { bypassLogin })

  174. }

  175. 

  176. async function handleRefreshGrant (options: {

  177.   request: Request

  178.   client: MOAuthClient

  179.   refreshTokenAuthName: string

  180. }) {

  181.   const { request, client, refreshTokenAuthName } = options

  182. 

  183.   if (!request.body.refresh_token) {

  184.     throw new InvalidRequestError('Missing parameter: `refresh_token`')

  185.   }

  186. 

  187.   const refreshToken = await getRefreshToken(request.body.refresh_token)

  188. 

  189.   if (!refreshToken) {

  190.     throw new InvalidGrantError('Invalid grant: refresh token is invalid')

  191.   }

  192. 

  193.   if (refreshToken.client.id !== client.id) {

  194.     throw new InvalidGrantError('Invalid grant: refresh token is invalid')

  195.   }

  196. 

  197.   if (refreshToken.refreshTokenExpiresAt && refreshToken.refreshTokenExpiresAt < new Date()) {

  198.     throw new InvalidGrantError('Invalid grant: refresh token has expired')

  199.   }

  200. 

  201.   await revokeToken({ refreshToken: refreshToken.refreshToken })

  202. 

  203.   const token = await buildToken()

  204. 

  205.   return saveToken(token, client, refreshToken.user, { refreshTokenAuthName })

  206. }

  207. 

  208. function generateRandomToken () {

  209.   return randomBytesPromise(256)

  210.     .then(buffer => sha1(buffer))

  211. }

  212. 

  213. function getTokenExpiresAt (type: 'access' | 'refresh') {

  214.   const lifetime = type === 'access'

  215.     ? CONFIG.OAUTH2.TOKEN_LIFETIME.ACCESS_TOKEN

  216.     : CONFIG.OAUTH2.TOKEN_LIFETIME.REFRESH_TOKEN

  217. 

  218.   return new Date(Date.now() + lifetime)

  219. }

  220. 

  221. async function buildToken () {

  222.   const [ accessToken, refreshToken ] = await Promise.all([ generateRandomToken(), generateRandomToken() ])

  223. 

  224.   return {

  225.     accessToken,

  226.     refreshToken,

  227.     accessTokenExpiresAt: getTokenExpiresAt('access'),

  228.     refreshTokenExpiresAt: getTokenExpiresAt('refresh')

  229.   }

  230. }