Working towards OpenID - Connect

- Adding id_token support - Adding bearer token header support for client api auth
2020-03-09 15:03:26 +01:00
parent 40b134ace7
commit 8edfaba134
8 changed files with 63 additions and 84 deletions
--- a/src/api/client/index.ts
+++ b/src/api/client/index.ts
@ -5,6 +5,7 @@ import { GetUserMiddleware } from "../middlewares/user";
 import { createJWT } from "../../keys";
 import Client from "../../models/client";
 import RequestError, { HttpStatusCode } from "../../helper/request_error";
+import config from "../../config";


 const ClientRouter = Router();
@ -33,7 +34,13 @@ ClientRouter.get("/user", Stacker(GetClientAuthMiddleware(false), GetUserMiddlew
      uid: req.user.uid,
      username: req.user.username,
      state: state
-   }, 30); //after 30 seconds this token is invalid
+   }, {
+      expiresIn: 30,
+      issuer: config.core.url,
+      algorithm: "RS256",
+      subject: req.user.uid,
+      audience: req.client.client_id
+   }); //after 30 seconds this token is invalid
   res.redirect(redirect_uri + "?jwt=" + jwt + (state ? `&state=${state}` : ""));
 }));

--- a/src/api/middlewares/client.ts
+++ b/src/api/middlewares/client.ts
@ -11,11 +11,11 @@ export function GetClientAuthMiddleware(checksecret = true, internal = false, ch
      try {
         let client_id = req.query.client_id || req.body.client_id;
         let client_secret = req.query.client_secret || req.body.client_secret;
-                                                               
-         if(!client_id && !client_secret && req.headers.authorization) {
+
+         if (!client_id && !client_secret && req.headers.authorization) {
            let header = req.headers.authorization;
            let [type, val] = header.split(" ");
-            if(val) {
+            if (val) {
               let str = Buffer.from(val, "base64").toString("utf-8");
               let [id, secret] = str.split(":");
               client_id = id;
@ -53,10 +53,13 @@ export function GetClientApiAuthMiddleware(permissions?: string[]) {
   return async (req: Request, res: Response, next: NextFunction) => {
      try {
         const invalid_err = new RequestError(req.__("You are not logged in or your login is expired"), HttpStatusCode.UNAUTHORIZED);
-         let token = req.query.access_token || req.headers.authorization;
+         let token: string = req.query.access_token || req.headers.authorization;
         if (!token)
            throw invalid_err;

+         if (token.toLowerCase().startsWith("bearer "))
+            token = token.substring(7);
+
         let data: OAuthJWT;
         try {
            data = await validateJWT(token);
--- a/src/api/oauth/jwt.ts
+++ b/src/api/oauth/jwt.ts
@ -4,7 +4,7 @@ import RequestError, { HttpStatusCode } from "../../helper/request_error";
 import RefreshToken from "../../models/refresh_token";
 import User from "../../models/user";
 import Client from "../../models/client";
-import getOAuthJWT from "../../helper/jwt";
+import { getAccessTokenJWT } from "../../helper/jwt";

 const JWTRoute = promiseMiddleware(async (req: Request, res: Response) => {
   let { refreshtoken } = req.query;
@ -22,7 +22,7 @@ const JWTRoute = promiseMiddleware(async (req: Request, res: Response) => {

   let client = await Client.findById(token.client);

-   let jwt = await getOAuthJWT({ user, permissions: token.permissions, client });
+   let jwt = await getAccessTokenJWT({ user, permissions: token.permissions, client });
   res.json({ token: jwt });
 })
 export default JWTRoute;
--- a/src/api/oauth/refresh.ts
+++ b/src/api/oauth/refresh.ts
@ -2,14 +2,14 @@ import { Request, Response } from "express";
 import RequestError, { HttpStatusCode } from "../../helper/request_error";
 import User from "../../models/user";
 import Client from "../../models/client";
-import getOAuthJWT from "../../helper/jwt";
+import { getAccessTokenJWT, getIDToken, AccessTokenJWTExp } from "../../helper/jwt";
 import Stacker from "../middlewares/stacker";
 import { GetClientAuthMiddleware } from "../middlewares/client"
 import ClientCode from "../../models/client_code";
 import Mail from "../../models/mail";
 import { randomBytes } from "crypto";
 import moment = require("moment");
-import { JWTExpDur } from "../../keys";
+// import { JWTExpDur } from "../../keys";
 import RefreshToken from "../../models/refresh_token";
 import { getEncryptionKey } from "../../helper/user_key";

@ -29,6 +29,8 @@ const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), a
   let grant_type = req.query.grant_type || req.body.grant_type;
   if (!grant_type || grant_type === "authorization_code") {
      let code = req.query.code || req.body.code;
+      let nonce = req.query.nonce || req.body.nonce;
+
      let c = await ClientCode.findOne({ code: code })
      if (!c || moment(c.validTill).isBefore()) {
         throw new RequestError(req.__("Invalid code"), HttpStatusCode.BAD_REQUEST);
@ -56,19 +58,20 @@ const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), a
      res.json({
         refresh_token: token.token,
         token: token.token,
-         access_token: await getOAuthJWT({
+         access_token: await getAccessTokenJWT({
            client: client,
            user: user,
            permissions: c.permissions
         }),
         token_type: "bearer",
-         expires_in: JWTExpDur.asSeconds(),
+         expires_in: AccessTokenJWTExp.asSeconds(),
         profile: {
            uid: user.uid,
            email: mail ? mail.mail : "",
            name: user.name,
            enc_key: getEncryptionKey(user, client)
-         }
+         },
+         id_token: getIDToken(user, client.client_id, nonce)
      });
   } else if (grant_type === "refresh_token") {
      let refresh_token = req.query.refresh_token || req.body.refresh_token;
@ -83,8 +86,8 @@ const RefreshTokenRoute = Stacker(GetClientAuthMiddleware(false, false, true), a

      let user = await User.findById(token.user);
      let client = await Client.findById(token.client)
-      let jwt = await getOAuthJWT({ user, client, permissions: token.permissions });
-      res.json({ access_token: jwt, expires_in: JWTExpDur.asSeconds() });
+      let jwt = await getAccessTokenJWT({ user, client, permissions: token.permissions });
+      res.json({ access_token: jwt, expires_in: AccessTokenJWTExp.asSeconds() });
   } else {
      throw new RequestError("invalid grant_type", HttpStatusCode.BAD_REQUEST);
   }