Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks

2020-05-16 23:55:08 -05:00
parent 6f621f5891
commit d558f21375
51 changed files with 2808 additions and 159 deletions
--- a/app/models/oauth/Client.model.js
+++ b/app/models/oauth/Client.model.js
@@ -0,0 +1,95 @@
+const { Model } = require('flitter-orm')
+const uuid = require('uuid/v4')
+
+/*
+ * OAuth2 Client Model
+ * ---------------------------------------------------
+ * Represents a single OAuth2 client. This class contains logic
+ * to create/update/delete the associated Flitter-Auth Oauth2Client
+ * instance.
+ */
+class ClientModel extends Model {
+    static get services() {
+        return [...super.services, 'models']
+    }
+
+    static get schema() {
+        return {
+            name: String,
+            uuid: {type: String, default: uuid},
+            secret: {type: String, default: uuid},
+            active: {type: Boolean, default: true},
+            api_scopes: [String],
+            redirect_url: String,
+        }
+    }
+
+    can(scope) {
+        return this.api_scopes.includes()
+    }
+
+    async application() {
+        const Application = this.models.get('Application')
+        return Application.findOne({ active: true, oauth_client_ids: this.id })
+    }
+
+    async update_auth_client() {
+        const Oauth2Client = this.models.get('auth::Oauth2Client')
+        let client = await Oauth2Client.findOne({ clientID: this.uuid })
+
+        // There's an associated client, but we're not active, so delete the assoc
+        if ( client && !this.active ) {
+            await client.delete()
+            return
+        }
+
+        if ( !client ) {
+            client = new Oauth2Client({
+                grants: ['authorization_code'],
+            })
+        }
+
+        client.clientID = this.uuid
+        client.clientSecret = this.secret
+        client.name = this.name
+        client.redirectUris = [this.redirect_url]
+        await client.save()
+    }
+
+    async save() {
+        await super.save()
+
+        // Save the associated flitter-auth-compatible client.
+        await this.update_auth_client()
+    }
+
+    async to_api() {
+        return {
+            id: this.id,
+            name: this.name,
+            uuid: this.uuid,
+            secret: this.secret,
+            api_scopes: this.api_scopes,
+            redirect_url: this.redirect_url,
+        }
+    }
+
+    // See flitter-auth/User
+    _array_allow_permission(array_of_permissions, permission) {
+        const permission_parts = permission.split(':')
+
+        for ( let i = permission_parts.length; i > 0; i-- ) {
+            const permission_string = permission_parts.slice(0, i).join(':')
+            if ( array_of_permissions.includes(permission_string) ) return true
+        }
+
+        return false
+    }
+
+    // See flitter-auth/User
+    can(scope){
+        return this._array_allow_permission(this.api_scopes, scope)
+    }
+}
+
+module.exports = exports = ClientModel