liquid_feedback_frontend: 32cc544d5a5b app/main/oauth2/token.lua

liquid_feedback_frontend

view app/main/oauth2/token.lua @ 1309:32cc544d5a5b

Cumulative patch for upcoming frontend version 4

author	bsw/jbe
date	Sun Jul 15 14:07:29 2018 +0200 (2018-07-15)
parents
children	3fcae27c2709

line source

1 if not request.is_post() then

2 return execute.view { module = "index", view = "405" }

3 end

5 slot.set_layout(nil, "application/json;charset=UTF-8")

7 request.add_header("Cache-Control", "no-store")

8 request.add_header("Pragma", "no-cache")

10 local function error_result(error_code, error_description)

11 -- TODO special HTTP status codes for some errors?

12 request.set_status("400 Bad Request")

13 slot.put_into("data", json.export{

14 error = error_code,

15 error_description = error_description

16 })

17 end

19 local token

20 local grant_type = param.get("grant_type")

21 if grant_type == "authorization_code" then

22 local code = param.get("code")

23 token = Token:by_token_type_and_token("authorization", code)

24 elseif grant_type == "refresh_token" then

25 local refresh_token = param.get("refresh_token")

26 token = Token:by_token_type_and_token("refresh", refresh_token)

27 elseif grant_type == "access_token" then

28 local access_token, access_token_err = util.get_access_token()

29 if access_token_err then

30 if access_token_err == "header_and_param" then

31 return error_result("invalid_request", "Access token passed both via header and param")

32 end

33 error("Error in util.get_access_token")

34 end

35 token = Token:by_token_type_and_token("access", access_token)

36 else

37 return error_result("unsupported_grant_type", "Grant type not supported")

38 end

40 if not token then

41 return error_result("invalid_grant", "Token invalid or expired")

42 end

44 if grant_type == "authorization_code" then

45 if not token.used then

46 local expiry = db:query({"SELECT now() + (? || 'sec')::interval AS expiry", config.oauth2.authorization_code_lifetime }, "object").expiry

47 token.used = true

48 token.expiry = expiry

49 token:save()

50 else

51 token:destroy()

52 return error_result("invalid_grant", "Token invalid or expired")

53 end

54 end

56 if grant_type ~= "access_token" then

57 local cert_ca = request.get_header("X-LiquidFeedback-CA")

58 local cert_distinguished_name = request.get_header("X-SSL-DN")

59 local cert_common_name

60 if cert_distinguished_name then

61 cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")

62 if not cert_common_name then

63 return error_result("invalid_client", "CN in X.509 certificate invalid")

64 end

65 else

66 return error_result("invalid_client", "X.509 client authorization missing")

67 end

68 if token.system_application then

69 if cert_ca ~= "private" then

70 return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")

71 end

72 if cert_common_name ~= token.system_application.cert_common_name then

73 return error_result("invalid_grant", "CN in X.509 certificate incorrect")

74 end

75 else

76 if cert_ca ~= "public" then

77 return error_result("invalid_client", "X.509 certificate not signed by publicly trusted certificate authority or wrong endpoint used")

78 end

79 if cert_common_name ~= token.domain then

80 return error_result("invalid_grant", "CN in X.509 certificate incorrect")

81 end

82 end

83 local client_id = param.get("client_id")

84 if client_id then

85 if token.system_application then

86 if client_id ~= token.system_application.client_id then

87 return error_result("invalid_grant", "Token was issued to another client")

88 end

89 else

90 if client_id ~= "dynamic:" .. token.domain then

91 return error_result ("invalid_grant", "Token was issued to another client")

92 end

93 end

94 elseif grant_type == "authorization_code" and not cert_common_name then

95 return error_result("invalid_request", "No client_id supplied for authorization_code request")

96 end

97 end

99 if grant_type == "authorization_code" then

100 local redirect_uri = param.get("redirect_uri")

101 if (token.redirect_uri_explicit or redirect_uri) and token.redirect_uri ~= redirect_uri then

102 return error_result("invalid_request", "Redirect URI missing or invalid")

103 end

104 end

105

106 local scopes = {

107 [0] = param.get("scope")

108 }

109 for i = 1, math.huge do

110 scopes[i] = param.get("scope" .. i)

111 if not scopes[i] then

112 break

113 end

114 end

115

116 if not scopes[0] and #scopes == 0 then

117 for dummy, token_scope in ipairs(token.token_scopes) do

118 scopes[token_scope.index] = token_scope.scope

119 end

120 end

121

122 local allowed_scopes = {}

123 local requested_detached_scopes = {}

124 for scope in string.gmatch(token.scope, "[^ ]+") do

125 allowed_scopes[scope] = true

126 end

127 for i = 0, #scopes do

128 if scopes[i] then

129 for scope in string.gmatch(scopes[i], "[^ ]+") do

130 if string.match(scope, "_detached$") then

131 requested_detached_scopes[scope] = true

132 end

133 if not allowed_scopes[scope] then

134 return error_result("invalid_scope", "Scope exceeds limits")

135 end

136 end

137 end

138 end

139

140 local expiry

141

142 if grant_type == "access_token" then

143 expiry = db:query({ "SELECT FLOOR(EXTRACT(EPOCH FROM ? - now())) AS access_time_left", token.expiry }, "object")

144 else

145 expiry = db:query({

146 "SELECT now() + (? || 'sec')::interval AS refresh, now() + (? || 'sec')::interval AS access",

147 config.oauth2.refresh_token_lifetime,

148 config.oauth2.access_token_lifetime

149 }, "object")

150 end

151

152 if grant_type == "refresh_token" then

153 local requested_detached_scopes_list = {}

154 for scope in pairs(requested_detached_scopes) do

155 requested_detached_scopes_list[#requested_detached_scopes_list+1] = scope

156 end

157 local tokens_to_reduce = Token:old_refresh_token_by_token(token, requested_detached_scopes_list)

158 for dummy, t in ipairs(tokens_to_reduce) do

159 local t_scopes = {}

160 for t_scope in string.gmatch(t.scope, "[^ ]+") do

161 t_scopes[t_scope] = true

162 end

163 for scope in pairs(requested_detached_scopes) do

164 local scope_without_detached = string.gmatch(scope, "(.+)_detached")

165 if t_scope[scope] then

166 t_scope[scope] = nil

167 t_scope[scope_without_detached] = true

168 end

169 end

170 local t_scope_list = {}

171 for scope in pairs(t_scopes) do

172 t_scope_list[#t_scope_list+1] = scope

173 end

174 t.scope = table.concat(t_scope_list, " ")

175 t:save()

176 end

177 end

178

179 local r = json.object()

180

181 local refresh_token

182 if

183 grant_type ~= "access_token"

184 and (grant_type == "authorization_code" or #(Token:fresh_refresh_token_by_token(token)) == 0)

185 then

186 refresh_token = Token:new()

187 refresh_token.token_type = "refresh"

188 if grant_type == "authorization_code" then

189 refresh_token.authorization_token_id = token.id

190 else

191 refresh_token.authorization_token_id = token.authorization_token_id

192 end

193 refresh_token.member_id = token.member_id

194 refresh_token.system_application_id = token.system_application_id

195 refresh_token.domain = token.domain

196 refresh_token.session_id = token.session_id

197 refresh_token.expiry = expiry.refresh

198 refresh_token.scope = token.scope

199 refresh_token:save()

200 r.refresh_token = refresh_token.token

201 end

202

203

204 r.token_type = "bearer"

205 if grant_type == "access_token" then

206 r.expires_in = expiry.access_time_left

207 else

208 r.expires_in = config.oauth2.access_token_lifetime

209 end

210

211 for i = 0, #scopes do

212 if scopes[i] then

213 local scope = scopes[i]

214 local access_token = Token:new()

215 access_token.token_type = "access"

216 if grant_type == "authorization_code" then

217 access_token.authorization_token_id = token.id

218 else

219 access_token.authorization_token_id = token.authorization_token_id

220 end

221 access_token.member_id = token.member_id

222 access_token.system_application_id = token.system_application_id

223 access_token.domain = token.domain

224 access_token.session_id = token.session_id

225 if grant_type == "access_token" then

226 access_token.expiry = token.expiry

227 else

228 access_token.expiry = expiry.access

229 end

230 access_token.scope = scope

231 access_token:save()

232 if refresh_token then

233 local refresh_token_scope = TokenScope:new()

234 refresh_token_scope.token_id = refresh_token.id

235 refresh_token_scope.index = i

236 refresh_token_scope.scope = scope

237 refresh_token_scope:save()

238 end

239 local index = i == 0 and "" or i

240 r["access_token" .. index] = access_token.token

241 end

242 end

243

244 r.member_id = token.member_id

245 if token.member.role then

246 r.member_is_role = true

247 end

248 if token.session then

249 r.real_member_id = token.real_member_id

250 end

251

252 if param.get("include_member", atom.boolean) then

253 if allowed_scopes.identification or allowed_scopes.authentication then

254 local member = token.member

255 r.member = json.object{

256 id = member.id,

257 name = member.name,

258 }

259 if token.session and token.session.real_member then

260 r.real_member = json.object{

261 id = token.session.real_member.id,

262 name = token.session.real_member.name,

263 }

264 end

265 if allowed_scopes.identification then

266 r.member.identification = member.identification

267 if token.session and token.session.real_member then

268 r.real_member.identification = token.session.real_member.identification

269 end

270 end

271 end

272 end

273

274 slot.put_into("data", json.export(r))