liquid_feedback_frontend: app/main/oauth2/token.lua annotate

liquid_feedback_frontend

annotate app/main/oauth2/token.lua @ 1663:05d2f46c60c5

Fixed cancel link in preview

author	bsw
date	Mon Feb 15 14:20:07 2021 +0100 (2021-02-15)
parents	2874a199c727
children	8fde003bdeb0

rev	line source
bsw/jbe@1309	1 if not request.is_post() then
bsw/jbe@1309	2 return execute.view { module = "index", view = "405" }
bsw/jbe@1309	3 end
bsw/jbe@1309	4
bsw/jbe@1309	5 slot.set_layout(nil, "application/json;charset=UTF-8")
bsw/jbe@1309	6
bsw/jbe@1309	7 request.add_header("Cache-Control", "no-store")
bsw/jbe@1309	8 request.add_header("Pragma", "no-cache")
bsw/jbe@1309	9
bsw/jbe@1309	10 local function error_result(error_code, error_description)
bsw/jbe@1309	11 -- TODO special HTTP status codes for some errors?
bsw/jbe@1309	12 request.set_status("400 Bad Request")
bsw/jbe@1309	13 slot.put_into("data", json.export{
bsw/jbe@1309	14 error = error_code,
bsw/jbe@1309	15 error_description = error_description
bsw/jbe@1309	16 })
bsw/jbe@1309	17 end
bsw/jbe@1309	18
bsw/jbe@1309	19 local token
bsw/jbe@1309	20 local grant_type = param.get("grant_type")
bsw/jbe@1309	21 if grant_type == "authorization_code" then
bsw/jbe@1309	22 local code = param.get("code")
bsw/jbe@1309	23 token = Token:by_token_type_and_token("authorization", code)
bsw/jbe@1309	24 elseif grant_type == "refresh_token" then
bsw/jbe@1309	25 local refresh_token = param.get("refresh_token")
bsw/jbe@1309	26 token = Token:by_token_type_and_token("refresh", refresh_token)
bsw/jbe@1309	27 elseif grant_type == "access_token" then
bsw/jbe@1309	28 local access_token, access_token_err = util.get_access_token()
bsw/jbe@1309	29 if access_token_err then
bsw/jbe@1309	30 if access_token_err == "header_and_param" then
bsw/jbe@1309	31 return error_result("invalid_request", "Access token passed both via header and param")
bsw/jbe@1309	32 end
bsw/jbe@1309	33 error("Error in util.get_access_token")
bsw/jbe@1309	34 end
bsw/jbe@1309	35 token = Token:by_token_type_and_token("access", access_token)
bsw/jbe@1309	36 else
bsw/jbe@1309	37 return error_result("unsupported_grant_type", "Grant type not supported")
bsw/jbe@1309	38 end
bsw/jbe@1309	39
bsw/jbe@1309	40 if not token then
bsw/jbe@1309	41 return error_result("invalid_grant", "Token invalid or expired")
bsw/jbe@1309	42 end
bsw/jbe@1309	43
bsw/jbe@1309	44 if grant_type == "authorization_code" then
bsw/jbe@1309	45 if not token.used then
bsw/jbe@1309	46 local expiry = db:query({"SELECT now() + (? \|\| 'sec')::interval AS expiry", config.oauth2.authorization_code_lifetime }, "object").expiry
bsw/jbe@1309	47 token.used = true
bsw/jbe@1309	48 token.expiry = expiry
bsw/jbe@1309	49 token:save()
bsw/jbe@1309	50 else
bsw/jbe@1309	51 token:destroy()
bsw/jbe@1309	52 return error_result("invalid_grant", "Token invalid or expired")
bsw/jbe@1309	53 end
bsw/jbe@1309	54 end
bsw/jbe@1309	55
bsw/jbe@1309	56 if grant_type ~= "access_token" then
bsw/jbe@1309	57 local cert_ca = request.get_header("X-LiquidFeedback-CA")
bsw/jbe@1309	58 local cert_distinguished_name = request.get_header("X-SSL-DN")
bsw/jbe@1309	59 local cert_common_name
bsw@1514	60
bsw@1514	61 if not token.system_application or token.system_application.cert_common_name then
bsw@1514	62 if cert_distinguished_name then
bsw@1514	63 cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
bsw@1514	64 if not cert_common_name then
bsw@1514	65 return error_result("invalid_client", "CN in X.509 certificate invalid")
bsw@1514	66 end
bsw@1514	67 else
bsw@1514	68 return error_result("invalid_client", "X.509 client authorization missing")
bsw/jbe@1309	69 end
bsw/jbe@1309	70 end
bsw/jbe@1309	71 if token.system_application then
bsw@1514	72 if token.system_application.cert_common_name then
bsw@1514	73 if cert_ca ~= "private" then
bsw@1514	74 return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
bsw@1514	75 end
bsw@1514	76 if cert_common_name ~= token.system_application.cert_common_name then
bsw@1514	77 return error_result("invalid_grant", "CN in X.509 certificate incorrect")
bsw@1514	78 end
bsw/jbe@1309	79 end
bsw/jbe@1309	80 else
bsw/jbe@1309	81 if cert_ca ~= "public" then
bsw/jbe@1309	82 return error_result("invalid_client", "X.509 certificate not signed by publicly trusted certificate authority or wrong endpoint used")
bsw/jbe@1309	83 end
bsw/jbe@1309	84 if cert_common_name ~= token.domain then
bsw/jbe@1309	85 return error_result("invalid_grant", "CN in X.509 certificate incorrect")
bsw/jbe@1309	86 end
bsw/jbe@1309	87 end
bsw/jbe@1309	88 local client_id = param.get("client_id")
bsw/jbe@1309	89 if client_id then
bsw/jbe@1309	90 if token.system_application then
bsw/jbe@1309	91 if client_id ~= token.system_application.client_id then
bsw/jbe@1309	92 return error_result("invalid_grant", "Token was issued to another client")
bsw/jbe@1309	93 end
bsw/jbe@1309	94 else
bsw/jbe@1309	95 if client_id ~= "dynamic:" .. token.domain then
bsw/jbe@1309	96 return error_result ("invalid_grant", "Token was issued to another client")
bsw/jbe@1309	97 end
bsw/jbe@1309	98 end
bsw/jbe@1309	99 elseif grant_type == "authorization_code" and not cert_common_name then
bsw/jbe@1309	100 return error_result("invalid_request", "No client_id supplied for authorization_code request")
bsw/jbe@1309	101 end
bsw/jbe@1309	102 end
bsw/jbe@1309	103
bsw/jbe@1309	104 if grant_type == "authorization_code" then
bsw/jbe@1309	105 local redirect_uri = param.get("redirect_uri")
bsw/jbe@1309	106 if (token.redirect_uri_explicit or redirect_uri) and token.redirect_uri ~= redirect_uri then
bsw/jbe@1309	107 return error_result("invalid_request", "Redirect URI missing or invalid")
bsw/jbe@1309	108 end
bsw/jbe@1309	109 end
bsw/jbe@1309	110
bsw/jbe@1309	111 local scopes = {
bsw/jbe@1309	112 [0] = param.get("scope")
bsw/jbe@1309	113 }
bsw/jbe@1309	114 for i = 1, math.huge do
bsw/jbe@1309	115 scopes[i] = param.get("scope" .. i)
bsw/jbe@1309	116 if not scopes[i] then
bsw/jbe@1309	117 break
bsw/jbe@1309	118 end
bsw/jbe@1309	119 end
bsw/jbe@1309	120
bsw/jbe@1309	121 if not scopes[0] and #scopes == 0 then
bsw/jbe@1309	122 for dummy, token_scope in ipairs(token.token_scopes) do
bsw/jbe@1309	123 scopes[token_scope.index] = token_scope.scope
bsw/jbe@1309	124 end
bsw/jbe@1309	125 end
bsw/jbe@1309	126
bsw/jbe@1309	127 local allowed_scopes = {}
bsw/jbe@1309	128 local requested_detached_scopes = {}
bsw/jbe@1309	129 for scope in string.gmatch(token.scope, "[^ ]+") do
bsw/jbe@1309	130 allowed_scopes[scope] = true
bsw/jbe@1309	131 end
bsw/jbe@1309	132 for i = 0, #scopes do
bsw/jbe@1309	133 if scopes[i] then
bsw/jbe@1309	134 for scope in string.gmatch(scopes[i], "[^ ]+") do
bsw/jbe@1309	135 if string.match(scope, "_detached$") then
bsw/jbe@1309	136 requested_detached_scopes[scope] = true
bsw/jbe@1309	137 end
bsw/jbe@1309	138 if not allowed_scopes[scope] then
bsw/jbe@1309	139 return error_result("invalid_scope", "Scope exceeds limits")
bsw/jbe@1309	140 end
bsw/jbe@1309	141 end
bsw/jbe@1309	142 end
bsw/jbe@1309	143 end
bsw/jbe@1309	144
bsw/jbe@1309	145 local expiry
bsw/jbe@1309	146
bsw/jbe@1309	147 if grant_type == "access_token" then
bsw/jbe@1309	148 expiry = db:query({ "SELECT FLOOR(EXTRACT(EPOCH FROM ? - now())) AS access_time_left", token.expiry }, "object")
bsw/jbe@1309	149 else
bsw/jbe@1309	150 expiry = db:query({
bsw/jbe@1309	151 "SELECT now() + (? \|\| 'sec')::interval AS refresh, now() + (? \|\| 'sec')::interval AS access",
bsw/jbe@1309	152 config.oauth2.refresh_token_lifetime,
bsw/jbe@1309	153 config.oauth2.access_token_lifetime
bsw/jbe@1309	154 }, "object")
bsw/jbe@1309	155 end
bsw/jbe@1309	156
bsw/jbe@1309	157 if grant_type == "refresh_token" then
bsw/jbe@1309	158 local requested_detached_scopes_list = {}
bsw/jbe@1309	159 for scope in pairs(requested_detached_scopes) do
bsw/jbe@1309	160 requested_detached_scopes_list[#requested_detached_scopes_list+1] = scope
bsw/jbe@1309	161 end
bsw/jbe@1309	162 local tokens_to_reduce = Token:old_refresh_token_by_token(token, requested_detached_scopes_list)
bsw/jbe@1309	163 for dummy, t in ipairs(tokens_to_reduce) do
bsw/jbe@1309	164 local t_scopes = {}
bsw/jbe@1309	165 for t_scope in string.gmatch(t.scope, "[^ ]+") do
bsw/jbe@1309	166 t_scopes[t_scope] = true
bsw/jbe@1309	167 end
bsw/jbe@1309	168 for scope in pairs(requested_detached_scopes) do
bsw/jbe@1309	169 local scope_without_detached = string.gmatch(scope, "(.+)_detached")
bsw/jbe@1309	170 if t_scope[scope] then
bsw/jbe@1309	171 t_scope[scope] = nil
bsw/jbe@1309	172 t_scope[scope_without_detached] = true
bsw/jbe@1309	173 end
bsw/jbe@1309	174 end
bsw/jbe@1309	175 local t_scope_list = {}
bsw/jbe@1309	176 for scope in pairs(t_scopes) do
bsw/jbe@1309	177 t_scope_list[#t_scope_list+1] = scope
bsw/jbe@1309	178 end
bsw/jbe@1309	179 t.scope = table.concat(t_scope_list, " ")
bsw/jbe@1309	180 t:save()
bsw/jbe@1309	181 end
bsw/jbe@1309	182 end
bsw/jbe@1309	183
bsw/jbe@1309	184 local r = json.object()
bsw/jbe@1309	185
bsw/jbe@1309	186 local refresh_token
bsw/jbe@1309	187 if
bsw/jbe@1309	188 grant_type ~= "access_token"
bsw/jbe@1309	189 and (grant_type == "authorization_code" or #(Token:fresh_refresh_token_by_token(token)) == 0)
bsw/jbe@1309	190 then
bsw/jbe@1309	191 refresh_token = Token:new()
bsw/jbe@1309	192 refresh_token.token_type = "refresh"
bsw/jbe@1309	193 if grant_type == "authorization_code" then
bsw/jbe@1309	194 refresh_token.authorization_token_id = token.id
bsw/jbe@1309	195 else
bsw/jbe@1309	196 refresh_token.authorization_token_id = token.authorization_token_id
bsw/jbe@1309	197 end
bsw/jbe@1309	198 refresh_token.member_id = token.member_id
bsw/jbe@1309	199 refresh_token.system_application_id = token.system_application_id
bsw/jbe@1309	200 refresh_token.domain = token.domain
bsw/jbe@1309	201 refresh_token.session_id = token.session_id
bsw/jbe@1309	202 refresh_token.expiry = expiry.refresh
bsw/jbe@1309	203 refresh_token.scope = token.scope
bsw/jbe@1309	204 refresh_token:save()
bsw/jbe@1309	205 r.refresh_token = refresh_token.token
bsw/jbe@1309	206 end
bsw/jbe@1309	207
bsw/jbe@1309	208
bsw/jbe@1309	209 r.token_type = "bearer"
bsw/jbe@1309	210 if grant_type == "access_token" then
bsw/jbe@1309	211 r.expires_in = expiry.access_time_left
bsw/jbe@1309	212 else
bsw/jbe@1309	213 r.expires_in = config.oauth2.access_token_lifetime
bsw/jbe@1309	214 end
bsw/jbe@1309	215
bsw/jbe@1309	216 for i = 0, #scopes do
bsw/jbe@1309	217 if scopes[i] then
bsw/jbe@1309	218 local scope = scopes[i]
bsw/jbe@1309	219 local access_token = Token:new()
bsw/jbe@1309	220 access_token.token_type = "access"
bsw/jbe@1309	221 if grant_type == "authorization_code" then
bsw/jbe@1309	222 access_token.authorization_token_id = token.id
bsw/jbe@1309	223 else
bsw/jbe@1309	224 access_token.authorization_token_id = token.authorization_token_id
bsw/jbe@1309	225 end
bsw/jbe@1309	226 access_token.member_id = token.member_id
bsw/jbe@1309	227 access_token.system_application_id = token.system_application_id
bsw/jbe@1309	228 access_token.domain = token.domain
bsw/jbe@1309	229 access_token.session_id = token.session_id
bsw/jbe@1309	230 if grant_type == "access_token" then
bsw/jbe@1309	231 access_token.expiry = token.expiry
bsw/jbe@1309	232 else
bsw/jbe@1309	233 access_token.expiry = expiry.access
bsw/jbe@1309	234 end
bsw/jbe@1309	235 access_token.scope = scope
bsw/jbe@1309	236 access_token:save()
bsw/jbe@1309	237 if refresh_token then
bsw/jbe@1309	238 local refresh_token_scope = TokenScope:new()
bsw/jbe@1309	239 refresh_token_scope.token_id = refresh_token.id
bsw/jbe@1309	240 refresh_token_scope.index = i
bsw/jbe@1309	241 refresh_token_scope.scope = scope
bsw/jbe@1309	242 refresh_token_scope:save()
bsw/jbe@1309	243 end
bsw/jbe@1309	244 local index = i == 0 and "" or i
bsw/jbe@1309	245 r["access_token" .. index] = access_token.token
bsw/jbe@1309	246 end
bsw/jbe@1309	247 end
bsw/jbe@1309	248
bsw/jbe@1309	249 r.member_id = token.member_id
bsw/jbe@1309	250 if token.member.role then
bsw/jbe@1309	251 r.member_is_role = true
bsw/jbe@1309	252 end
bsw/jbe@1309	253 if token.session then
bsw/jbe@1309	254 r.real_member_id = token.real_member_id
bsw/jbe@1309	255 end
bsw/jbe@1309	256
bsw@1582	257 if allowed_scopes.identification or allowed_scopes.authentication then
bsw@1582	258 if param.get("include_member", atom.boolean) then
bsw/jbe@1309	259 local member = token.member
bsw/jbe@1309	260 r.member = json.object{
bsw/jbe@1309	261 id = member.id,
bsw/jbe@1309	262 name = member.name,
bsw/jbe@1309	263 }
bsw/jbe@1309	264 if token.session and token.session.real_member then
bsw/jbe@1309	265 r.real_member = json.object{
bsw/jbe@1309	266 id = token.session.real_member.id,
bsw/jbe@1309	267 name = token.session.real_member.name,
bsw/jbe@1309	268 }
bsw/jbe@1309	269 end
bsw/jbe@1309	270 if allowed_scopes.identification then
bsw/jbe@1309	271 r.member.identification = member.identification
bsw/jbe@1309	272 if token.session and token.session.real_member then
bsw/jbe@1309	273 r.real_member.identification = token.session.real_member.identification
bsw/jbe@1309	274 end
bsw/jbe@1309	275 end
bsw/jbe@1309	276 end
bsw/jbe@1309	277 end
bsw/jbe@1309	278
bsw/jbe@1309	279 slot.put_into("data", json.export(r))