Error response enhancements, CoreID auth client backend

2022-03-29 01:14:46 -05:00
parent a039b1ff25
commit 8f08b94f74
31 changed files with 736 additions and 52 deletions
--- a/src/auth/server/OAuth2Server.ts
+++ b/src/auth/server/OAuth2Server.ts
@@ -3,22 +3,98 @@ import {Injectable} from '../../di'
 import {ResponseObject, Route} from '../../http/routing/Route'
 import {Request} from '../../http/lifecycle/Request'
 import {Session} from '../../http/session/Session'
-import {OAuth2Client, ClientRepository, OAuth2Scope, ScopeRepository} from './types'
+import {
+    ClientRepository,
+    OAuth2Client,
+    OAuth2FlowType,
+    OAuth2Scope,
+    RedemptionCodeRepository,
+    ScopeRepository,
+} from './types'
 import {HTTPError} from '../../http/HTTPError'
 import {HTTPStatus, Maybe} from '../../util'
 import {view} from '../../http/response/ViewResponseFactory'
+import {SecurityContext} from '../context/SecurityContext'
+import {redirect} from '../../http/response/RedirectResponseFactory'
+import {AuthRequiredMiddleware} from '../middleware/AuthRequiredMiddleware'

@Injectable()
 export class OAuth2Server extends Controller {
    public static routes(): void {
        Route.get('/oauth2/authorize')
+            .alias('@oauth2:authorize')
+            .pre(AuthRequiredMiddleware)
            .passingRequest()
-            .calls<OAuth2Server>(OAuth2Server, x => x.promptForAuthorization.bind(x))
+            .calls<OAuth2Server>(OAuth2Server, x => x.promptForAuthorization)
+
+        Route.post('/oauth2/authorize')
+            .alias('@oauth2:authorize:submit')
+            .pre(AuthRequiredMiddleware)
+            .passingRequest()
+            .calls<OAuth2Server>(OAuth2Server, x => x.authorizeAndRedirect)
+
+        Route.post('/oauth2/redeem')
+            .alias('@oauth2:authorize:redeem')
+            .passingRequest()
+            .calls<OAuth2Server>(OAuth2Server, x => x.redeemToken)
+    }
+
+    async redeemToken(request: Request): Promise<ResponseObject> {
+        const authParts = String(request.getHeader('Authorization')).split(':')
+        if ( authParts.length !== 2 ) {
+            throw new HTTPError(HTTPStatus.BAD_REQUEST)
+        }
+
+        const clientRepo = <ClientRepository> request.make(ClientRepository)
+        const [clientId, clientSecret] = authParts
+        const client = await clientRepo.find(clientId)
+        if ( !client || client.secret !== clientSecret ) {
+            throw new HTTPError(HTTPStatus.UNAUTHORIZED)
+        }
+
+        const codeRepo = <RedemptionCodeRepository> request.make(RedemptionCodeRepository)
+        const codeString = request.safe('code').string()
+        const code = await codeRepo.find(codeString)
+        if ( !code ) {
+            throw new HTTPError(HTTPStatus.BAD_REQUEST)
+        }
+
+
+    }
+
+    async authorizeAndRedirect(request: Request): Promise<ResponseObject> {
+        // Look up the client in the client repo
+        const session = <Session> request.make(Session)
+        const clientId = session.safe('oauth2.authorize.clientId').string()
+        const client = await this.getClient(request, clientId)
+
+        const flowType = session.safe('oauth2.authorize.flow').in(client.allowedFlows)
+        if ( flowType === OAuth2FlowType.code ) {
+            return this.authorizeCodeFlow(request, client)
+        }
+    }
+
+    protected async authorizeCodeFlow(request: Request, client: OAuth2Client): Promise<ResponseObject> {
+        const session = <Session> request.make(Session)
+        const security = <SecurityContext> request.make(SecurityContext)
+        const codeRepository = <RedemptionCodeRepository> request.make(RedemptionCodeRepository)
+
+        const user = security.user()
+        const scope = session.get('oauth2.authorize.scope')
+        const redirectUri = session.safe('oauth2.authorize.redirectUri').in(client.allowedRedirectUris)
+
+        // FIXME store authorization
+
+        const code = await codeRepository.issue(user, client, scope)
+        const uri = new URL(redirectUri)
+        uri.searchParams.set('code', code.code)
+        return redirect(uri)
    }

    async promptForAuthorization(request: Request): Promise<ResponseObject> {
        // Look up the client in the client repo
-        const client = await this.getClient(request)
+        const clientId = request.safe('client_id').string()
+        const client = await this.getClient(request, clientId)

        // Make sure the requested flow type is valid for this client
        const session = <Session> request.make(Session)
@@ -43,12 +119,12 @@ export class OAuth2Server extends Controller {
        return view('@extollo:oauth2:authorize', {
            clientName: client.display,
            scopeDescription: scope?.description,
+            redirectDomain: (new URL(redirectUri)).host,
        })
    }

-    protected async getClient(request: Request): Promise<OAuth2Client> {
+    protected async getClient(request: Request, clientId: string): Promise<OAuth2Client> {
        const clientRepo = <ClientRepository> request.make(ClientRepository)
-        const clientId = request.safe('client_id').string()
        const client = await clientRepo.find(clientId)
        if ( !client ) {
            throw new HTTPError(HTTPStatus.BAD_REQUEST, 'Invalid client configuration', {
--- a/src/auth/server/models/OAuth2TokenModel.ts
+++ b/src/auth/server/models/OAuth2TokenModel.ts
@@ -0,0 +1,30 @@
+import {Field, FieldType, Model} from '../../../orm'
+import {OAuth2Token} from '../types'
+
+export class OAuth2TokenModel extends Model<OAuth2TokenModel> implements OAuth2Token {
+    public static table = 'oauth2_tokens'
+
+    public static key = 'oauth2_token_id'
+
+    @Field(FieldType.serial, 'oauth2_token_id')
+    protected oauth2TokenId!: number
+
+    public get id(): string {
+        return String(this.oauth2TokenId)
+    }
+
+    @Field(FieldType.varchar, 'user_id')
+    public userId!: string
+
+    @Field(FieldType.varchar, 'client_id')
+    public clientId!: string
+
+    @Field(FieldType.timestamp)
+    public issued!: Date
+
+    @Field(FieldType.timestamp)
+    public expires!: Date
+
+    @Field(FieldType.varchar)
+    public scope?: string
+}
--- a/src/auth/server/repositories/CacheRedemptionCodeRepository.ts
+++ b/src/auth/server/repositories/CacheRedemptionCodeRepository.ts
@@ -0,0 +1,33 @@
+import {isOAuth2RedemptionCode, OAuth2Client, OAuth2RedemptionCode, RedemptionCodeRepository} from '../types'
+import {Inject, Injectable} from '../../../di'
+import {Cache, Maybe, uuid4} from '../../../util'
+import {Authenticatable} from '../../types'
+
+@Injectable()
+export class CacheRedemptionCodeRepository extends RedemptionCodeRepository {
+    @Inject()
+    protected readonly cache!: Cache
+
+    async find(codeString: string): Promise<Maybe<OAuth2RedemptionCode>> {
+        const cacheKey = `@extollo:oauth2:redemption:${codeString}`
+        if ( await this.cache.has(cacheKey) ) {
+            const code = await this.cache.safe(cacheKey).then(x => x.json())
+            if ( isOAuth2RedemptionCode(code) ) {
+                return code
+            }
+        }
+    }
+
+    async issue(user: Authenticatable, client: OAuth2Client, scope?: string): Promise<OAuth2RedemptionCode> {
+        const code = {
+            scope,
+            clientId: client.id,
+            userId: user.getUniqueIdentifier(),
+            code: uuid4(),
+        }
+
+        const cacheKey = `@extollo:oauth2:redemption:${code.code}`
+        await this.cache.put(cacheKey, JSON.stringify(code))
+        return code
+    }
+}
--- a/src/auth/server/repositories/ORMTokenRepository.ts
+++ b/src/auth/server/repositories/ORMTokenRepository.ts
@@ -0,0 +1,88 @@
+import {isOAuth2Token, OAuth2Client, OAuth2Token, oauth2TokenString, OAuth2TokenString, TokenRepository} from '../types'
+import {Inject, Injectable} from '../../../di'
+import {Maybe} from '../../../util'
+import {OAuth2TokenModel} from '../models/OAuth2TokenModel'
+import {Config} from '../../../service/Config'
+import * as jwt from 'jsonwebtoken'
+import {Authenticatable} from '../../types'
+
+@Injectable()
+export class ORMTokenRepository extends TokenRepository {
+    @Inject()
+    protected readonly config!: Config
+
+    async find(id: string): Promise<Maybe<OAuth2Token>> {
+        const idNum = parseInt(id, 10)
+        if ( !isNaN(idNum) ) {
+            return OAuth2TokenModel.query<OAuth2TokenModel>()
+                .whereKey(idNum)
+                .first()
+        }
+    }
+
+    async issue(user: Authenticatable, client: OAuth2Client, scope?: string): Promise<OAuth2Token> {
+        const expiration = this.config.safe('outh2.token.lifetimeSeconds')
+            .or(60 * 60 * 6)
+            .integer() * 1000
+
+        const token = new OAuth2TokenModel()
+        token.scope = scope
+        token.userId = String(user.getUniqueIdentifier())
+        token.clientId = client.id
+        token.issued = new Date()
+        token.expires = new Date(Math.floor(Date.now() + expiration))
+        await token.save()
+
+        return token
+    }
+
+    async encode(token: OAuth2Token): Promise<OAuth2TokenString> {
+        const secret = this.config.safe('oauth2.secret').string()
+        const payload = {
+            id: token.id,
+            userId: token.userId,
+            clientId: token.clientId,
+            iat: Math.floor(token.issued.valueOf() / 1000),
+            exp: Math.floor(token.expires.valueOf() / 1000),
+            ...(token.scope ? { scope: token.scope } : {}),
+        }
+
+        const generated = await new Promise<string>((res, rej) => {
+            jwt.sign(payload, secret, {}, (err, gen) => {
+                if (err || err === null || !gen) {
+                    rej(err || new Error('Unable to encode JWT.'))
+                } else {
+                    res(gen)
+                }
+            })
+        })
+
+        return oauth2TokenString(generated)
+    }
+
+    async decode(token: OAuth2TokenString): Promise<Maybe<OAuth2Token>> {
+        const secret = this.config.safe('oauth2.secret').string()
+        const decoded = await new Promise<any>((res, rej) => {
+            jwt.verify(token, secret, {}, (err, payload) => {
+                if ( err ) {
+                    rej(err)
+                } else {
+                    res(payload)
+                }
+            })
+        })
+
+        const value = {
+            id: decoded.id,
+            userId: decoded.userId,
+            clientId: decoded.clientId,
+            issued: new Date(decoded.iat * 1000),
+            expires: new Date(decoded.exp * 1000),
+            ...(decoded.scope ? { scope: decoded.scope } : {}),
+        }
+
+        if ( isOAuth2Token(value) ) {
+            return value
+        }
+    }
+}
--- a/src/auth/server/repositories/RedemptionCodeRepositoryFactory.ts
+++ b/src/auth/server/repositories/RedemptionCodeRepositoryFactory.ts
@@ -0,0 +1,74 @@
+import {
+    AbstractFactory,
+    Container,
+    DependencyRequirement,
+    PropertyDependency,
+    isInstantiable,
+    DEPENDENCY_KEYS_METADATA_KEY,
+    DEPENDENCY_KEYS_PROPERTY_METADATA_KEY, Instantiable, FactoryProducer,
+} from '../../../di'
+import {Collection, ErrorWithContext} from '../../../util'
+import {Config} from '../../../service/Config'
+import {RedemptionCodeRepository} from '../types'
+import {CacheRedemptionCodeRepository} from './CacheRedemptionCodeRepository'
+
+/**
+ * A dependency injection factory that matches the abstract RedemptionCodeRepository class
+ * and produces an instance of the configured repository driver implementation.
+ */
+@FactoryProducer()
+export class RedemptionCodeRepositoryFactory extends AbstractFactory<RedemptionCodeRepository> {
+    protected get config(): Config {
+        return Container.getContainer().make<Config>(Config)
+    }
+
+    produce(): RedemptionCodeRepository {
+        return new (this.getRedemptionCodeRepositoryClass())()
+    }
+
+    match(something: unknown): boolean {
+        return something === RedemptionCodeRepository
+    }
+
+    getDependencyKeys(): Collection<DependencyRequirement> {
+        const meta = Reflect.getMetadata(DEPENDENCY_KEYS_METADATA_KEY, this.getRedemptionCodeRepositoryClass())
+        if ( meta ) {
+            return meta
+        }
+        return new Collection<DependencyRequirement>()
+    }
+
+    getInjectedProperties(): Collection<PropertyDependency> {
+        const meta = new Collection<PropertyDependency>()
+        let currentToken = this.getRedemptionCodeRepositoryClass()
+
+        do {
+            const loadedMeta = Reflect.getMetadata(DEPENDENCY_KEYS_PROPERTY_METADATA_KEY, currentToken)
+            if ( loadedMeta ) {
+                meta.concat(loadedMeta)
+            }
+            currentToken = Object.getPrototypeOf(currentToken)
+        } while (Object.getPrototypeOf(currentToken) !== Function.prototype && Object.getPrototypeOf(currentToken) !== Object.prototype)
+
+        return meta
+    }
+
+    /**
+     * Return the instantiable class of the configured client repository backend.
+     * @protected
+     * @return Instantiable<RedemptionCodeRepository>
+     */
+    protected getRedemptionCodeRepositoryClass(): Instantiable<RedemptionCodeRepository> {
+        const RedemptionCodeRepositoryClass = this.config.get('oauth2.repository.client', CacheRedemptionCodeRepository)
+
+        if ( !isInstantiable(RedemptionCodeRepositoryClass) || !(RedemptionCodeRepositoryClass.prototype instanceof RedemptionCodeRepository) ) {
+            const e = new ErrorWithContext('Provided client repository class does not extend from @extollo/lib.RedemptionCodeRepository')
+            e.context = {
+                configKey: 'oauth2.repository.client',
+                class: RedemptionCodeRepositoryClass.toString(),
+            }
+        }
+
+        return RedemptionCodeRepositoryClass
+    }
+}
--- a/src/auth/server/repositories/TokenRepositoryFactory.ts
+++ b/src/auth/server/repositories/TokenRepositoryFactory.ts
@@ -0,0 +1,74 @@
+import {
+    AbstractFactory,
+    Container,
+    DependencyRequirement,
+    PropertyDependency,
+    isInstantiable,
+    DEPENDENCY_KEYS_METADATA_KEY,
+    DEPENDENCY_KEYS_PROPERTY_METADATA_KEY, Instantiable, FactoryProducer,
+} from '../../../di'
+import {Collection, ErrorWithContext} from '../../../util'
+import {Config} from '../../../service/Config'
+import {TokenRepository} from '../types'
+import {ORMTokenRepository} from './ORMTokenRepository'
+
+/**
+ * A dependency injection factory that matches the abstract TokenRepository class
+ * and produces an instance of the configured repository driver implementation.
+ */
+@FactoryProducer()
+export class TokenRepositoryFactory extends AbstractFactory<TokenRepository> {
+    protected get config(): Config {
+        return Container.getContainer().make<Config>(Config)
+    }
+
+    produce(): TokenRepository {
+        return new (this.getTokenRepositoryClass())()
+    }
+
+    match(something: unknown): boolean {
+        return something === TokenRepository
+    }
+
+    getDependencyKeys(): Collection<DependencyRequirement> {
+        const meta = Reflect.getMetadata(DEPENDENCY_KEYS_METADATA_KEY, this.getTokenRepositoryClass())
+        if ( meta ) {
+            return meta
+        }
+        return new Collection<DependencyRequirement>()
+    }
+
+    getInjectedProperties(): Collection<PropertyDependency> {
+        const meta = new Collection<PropertyDependency>()
+        let currentToken = this.getTokenRepositoryClass()
+
+        do {
+            const loadedMeta = Reflect.getMetadata(DEPENDENCY_KEYS_PROPERTY_METADATA_KEY, currentToken)
+            if ( loadedMeta ) {
+                meta.concat(loadedMeta)
+            }
+            currentToken = Object.getPrototypeOf(currentToken)
+        } while (Object.getPrototypeOf(currentToken) !== Function.prototype && Object.getPrototypeOf(currentToken) !== Object.prototype)
+
+        return meta
+    }
+
+    /**
+     * Return the instantiable class of the configured token repository backend.
+     * @protected
+     * @return Instantiable<TokenRepository>
+     */
+    protected getTokenRepositoryClass(): Instantiable<TokenRepository> {
+        const TokenRepositoryClass = this.config.get('oauth2.repository.token', ORMTokenRepository)
+
+        if ( !isInstantiable(TokenRepositoryClass) || !(TokenRepositoryClass.prototype instanceof TokenRepository) ) {
+            const e = new ErrorWithContext('Provided token repository class does not extend from @extollo/lib.TokenRepository')
+            e.context = {
+                configKey: 'oauth2.repository.client',
+                class: TokenRepositoryClass.toString(),
+            }
+        }
+
+        return TokenRepositoryClass
+    }
+}
--- a/src/auth/server/types.ts
+++ b/src/auth/server/types.ts
@@ -1,4 +1,5 @@
-import {Awaitable, hasOwnProperty, Maybe} from '../../util'
+import {Awaitable, hasOwnProperty, Maybe, TypeTag} from '../../util'
+import {Authenticatable, AuthenticatableIdentifier} from '../types'

 export enum OAuth2FlowType {
    code = 'code',
@@ -81,3 +82,93 @@ export abstract class ScopeRepository {

    abstract findByName(name: string): Awaitable<Maybe<OAuth2Scope>>
 }
+
+export interface OAuth2Token {
+    id: string
+    userId: AuthenticatableIdentifier
+    clientId: string
+    issued: Date
+    expires: Date
+    scope?: string
+}
+
+export type OAuth2TokenString = TypeTag<'@extollo/lib.OAuth2TokenString'> & string
+
+export function oauth2TokenString(s: string): OAuth2TokenString {
+    return s as OAuth2TokenString
+}
+
+export function isOAuth2Token(what: unknown): what is OAuth2Token {
+    if ( typeof what !== 'object' || what === null ) {
+        return false
+    }
+
+    if (
+        !hasOwnProperty(what, 'id')
+        || !hasOwnProperty(what, 'userId')
+        || !hasOwnProperty(what, 'clientId')
+        || !hasOwnProperty(what, 'issued')
+        || !hasOwnProperty(what, 'expires')
+    ) {
+        return false
+    }
+
+    if (
+        typeof what.id !== 'string'
+        || !(typeof what.userId === 'string' || typeof what.userId === 'number')
+        || typeof what.clientId !== 'string'
+        || !(what.issued instanceof Date)
+        || !(what.expires instanceof Date)
+    ) {
+        return false
+    }
+
+    return !hasOwnProperty(what, 'scope') || typeof what.scope === 'string'
+}
+
+export abstract class TokenRepository {
+    abstract find(id: string): Awaitable<Maybe<OAuth2Token>>
+
+    abstract issue(user: Authenticatable, client: OAuth2Client, scope?: string): Awaitable<OAuth2Token>
+
+    abstract decode(token: OAuth2TokenString): Awaitable<Maybe<OAuth2Token>>
+
+    abstract encode(token: OAuth2Token): Awaitable<OAuth2TokenString>
+}
+
+export interface OAuth2RedemptionCode {
+    clientId: string
+    userId: AuthenticatableIdentifier
+    code: string
+    scope?: string
+}
+
+export function isOAuth2RedemptionCode(what: unknown): what is OAuth2RedemptionCode {
+    if ( typeof what !== 'object' || what === null ) {
+        return false
+    }
+
+    if (
+        !hasOwnProperty(what, 'clientId')
+        || !hasOwnProperty(what, 'userId')
+        || !hasOwnProperty(what, 'code')
+    ) {
+        return false
+    }
+
+    if (
+        typeof what.clientId !== 'string'
+        || !(typeof what.userId === 'number' || typeof what.userId === 'string')
+        || typeof what.code !== 'string'
+    ) {
+        return false
+    }
+
+    return !hasOwnProperty(what, 'scope') || typeof what.scope === 'string'
+}
+
+export abstract class RedemptionCodeRepository {
+    abstract find(code: string): Awaitable<Maybe<OAuth2RedemptionCode>>
+
+    abstract issue(user: Authenticatable, client: OAuth2Client, scope?: string): Awaitable<OAuth2RedemptionCode>
+}