liquid_feedback_frontend
view app/main/oauth2/token.lua @ 1680:6f28933dbc36
Fixed layout, do not show secret when set via link
| author | bsw | 
|---|---|
| date | Mon Sep 20 09:21:21 2021 +0200 (2021-09-20) | 
| parents | 8fde003bdeb0 | 
| children | 
 line source
     1 if not request.is_post() then
     2   return execute.view { module = "index", view = "405" }
     3 end
     5 slot.set_layout(nil, "application/json;charset=UTF-8")
     7 request.add_header("Cache-Control", "no-store")
     8 request.add_header("Pragma", "no-cache")
    10 local function error_result(error_code, error_description)
    11   -- TODO special HTTP status codes for some errors?
    12   request.set_status("400 Bad Request")
    13   slot.put_into("data", json.export{ 
    14     error = error_code,
    15     error_description = error_description
    16   })
    17 end
    19 local token
    20 local grant_type = param.get("grant_type")
    21 if grant_type == "authorization_code" then
    22   local code = param.get("code")
    23   token = Token:by_token_type_and_token("authorization", code)
    24 elseif grant_type == "refresh_token" then
    25   local refresh_token = param.get("refresh_token")
    26   token = Token:by_token_type_and_token("refresh", refresh_token)
    27 elseif grant_type == "access_token" then
    28   local access_token, access_token_err = util.get_access_token()
    29   if access_token_err then
    30     if access_token_err == "header_and_param" then
    31       return error_result("invalid_request", "Access token passed both via header and param")
    32     end
    33     error("Error in util.get_access_token")
    34   end
    35   token = Token:by_token_type_and_token("access", access_token)
    36 else
    37   return error_result("unsupported_grant_type", "Grant type not supported")
    38 end
    40 if not token then
    41   return error_result("invalid_grant", "Token invalid or expired")
    42 end
    44 if grant_type == "authorization_code" then
    45   if not token.used then
    46     local expiry = db:query({"SELECT now() + (? || 'sec')::interval AS expiry", config.oauth2.authorization_code_lifetime }, "object").expiry
    47     token.used = true
    48     token.expiry = expiry
    49     token:save()
    50   else
    51     token:destroy()
    52     return error_result("invalid_grant", "Token invalid or expired")
    53   end
    54 end
    56 if grant_type ~= "access_token" then
    57   local cert_ca = request.get_header("X-LiquidFeedback-CA")
    58   local cert_distinguished_name = request.get_header("X-SSL-DN")
    59   local cert_common_name
    61   if not token.system_application or token.system_application.cert_common_name then
    62     if cert_distinguished_name then
    63       cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
    64       if not cert_common_name then
    65         cert_common_name = string.match(cert_distinguished_name, "^CN=([A-Za-z0-9_.-]+)")
    66       end
    67       if not cert_common_name then
    68         return error_result("invalid_client", "CN in X.509 certificate invalid")
    69       end
    70     else
    71       return error_result("invalid_client", "X.509 client authorization missing")
    72     end
    73   end
    74   if token.system_application then
    75     if token.system_application.cert_common_name then
    76       if cert_ca ~= "private" then
    77         return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
    78       end
    79       if cert_common_name ~= token.system_application.cert_common_name then
    80         return error_result("invalid_grant", "CN in X.509 certificate incorrect")
    81       end
    82     end
    83   else
    84     if cert_ca ~= "public" then
    85       return error_result("invalid_client", "X.509 certificate not signed by publicly trusted certificate authority or wrong endpoint used")
    86     end
    87     if cert_common_name ~= token.domain then
    88       return error_result("invalid_grant", "CN in X.509 certificate incorrect")
    89     end
    90   end
    91   local client_id = param.get("client_id")
    92   if client_id then
    93     if token.system_application then
    94       if client_id ~= token.system_application.client_id then
    95         return error_result("invalid_grant", "Token was issued to another client")
    96       end
    97     else
    98       if client_id ~= "dynamic:" .. token.domain then
    99         return error_result ("invalid_grant", "Token was issued to another client")
   100       end
   101     end
   102   elseif grant_type == "authorization_code" and not cert_common_name then
   103     return error_result("invalid_request", "No client_id supplied for authorization_code request")
   104   end
   105 end
   107 if grant_type == "authorization_code" then
   108   local redirect_uri = param.get("redirect_uri")
   109   if (token.redirect_uri_explicit or redirect_uri) and token.redirect_uri ~= redirect_uri then
   110     return error_result("invalid_request", "Redirect URI missing or invalid")
   111   end
   112 end
   114 local scopes = {
   115   [0] = param.get("scope")
   116 }
   117 for i = 1, math.huge do
   118   scopes[i] = param.get("scope" .. i)
   119   if not scopes[i] then
   120     break
   121   end
   122 end
   124 if not scopes[0] and #scopes == 0 then
   125   for dummy, token_scope in ipairs(token.token_scopes) do
   126     scopes[token_scope.index] = token_scope.scope
   127   end
   128 end
   130 local allowed_scopes = {}
   131 local requested_detached_scopes = {}
   132 for scope in string.gmatch(token.scope, "[^ ]+") do
   133   allowed_scopes[scope] = true
   134 end
   135 for i = 0, #scopes do
   136   if scopes[i] then
   137     for scope in string.gmatch(scopes[i], "[^ ]+") do
   138       if string.match(scope, "_detached$") then
   139         requested_detached_scopes[scope] = true
   140       end
   141       if not allowed_scopes[scope] then
   142         return error_result("invalid_scope", "Scope exceeds limits")
   143       end
   144     end
   145   end
   146 end
   148 local expiry 
   150 if grant_type == "access_token" then
   151   expiry = db:query({ "SELECT FLOOR(EXTRACT(EPOCH FROM ? - now())) AS access_time_left", token.expiry }, "object")
   152 else
   153   expiry = db:query({ 
   154       "SELECT now() + (? || 'sec')::interval AS refresh, now() + (? || 'sec')::interval AS access",
   155       config.oauth2.refresh_token_lifetime,
   156       config.oauth2.access_token_lifetime
   157   }, "object")
   158 end
   160 if grant_type == "refresh_token" then
   161   local requested_detached_scopes_list = {}
   162   for scope in pairs(requested_detached_scopes) do
   163     requested_detached_scopes_list[#requested_detached_scopes_list+1] = scope
   164   end
   165   local tokens_to_reduce = Token:old_refresh_token_by_token(token, requested_detached_scopes_list)
   166   for dummy, t in ipairs(tokens_to_reduce) do
   167     local t_scopes = {}
   168     for t_scope in string.gmatch(t.scope, "[^ ]+") do
   169       t_scopes[t_scope] = true
   170     end
   171     for scope in pairs(requested_detached_scopes) do
   172       local scope_without_detached = string.gmatch(scope, "(.+)_detached")
   173       if t_scope[scope] then
   174         t_scope[scope] = nil
   175         t_scope[scope_without_detached] = true
   176       end
   177     end
   178     local t_scope_list = {}
   179     for scope in pairs(t_scopes) do
   180       t_scope_list[#t_scope_list+1] = scope
   181     end
   182     t.scope = table.concat(t_scope_list, " ")
   183     t:save()
   184   end
   185 end
   187 local r = json.object()
   189 local refresh_token
   190 if 
   191   grant_type ~= "access_token"
   192   and (grant_type == "authorization_code" or #(Token:fresh_refresh_token_by_token(token)) == 0)
   193 then
   194   refresh_token = Token:new()
   195   refresh_token.token_type = "refresh"
   196   if grant_type == "authorization_code" then
   197     refresh_token.authorization_token_id = token.id
   198   else
   199     refresh_token.authorization_token_id = token.authorization_token_id
   200   end
   201   refresh_token.member_id = token.member_id
   202   refresh_token.system_application_id = token.system_application_id
   203   refresh_token.domain = token.domain
   204   refresh_token.session_id = token.session_id
   205   refresh_token.expiry = expiry.refresh
   206   refresh_token.scope = token.scope
   207   refresh_token:save()
   208   r.refresh_token = refresh_token.token
   209 end
   212 r.token_type = "bearer"
   213 if grant_type == "access_token" then
   214   r.expires_in = expiry.access_time_left
   215 else
   216   r.expires_in = config.oauth2.access_token_lifetime
   217 end
   219 for i = 0, #scopes do
   220   if scopes[i] then
   221     local scope = scopes[i]
   222     local access_token = Token:new()
   223     access_token.token_type = "access"
   224     if grant_type == "authorization_code" then
   225       access_token.authorization_token_id = token.id
   226     else
   227       access_token.authorization_token_id = token.authorization_token_id
   228     end
   229     access_token.member_id = token.member_id
   230     access_token.system_application_id = token.system_application_id
   231     access_token.domain = token.domain
   232     access_token.session_id = token.session_id
   233     if grant_type == "access_token" then
   234       access_token.expiry = token.expiry
   235     else
   236       access_token.expiry = expiry.access
   237     end
   238     access_token.scope = scope
   239     access_token:save()
   240     if refresh_token then
   241       local refresh_token_scope = TokenScope:new()
   242       refresh_token_scope.token_id = refresh_token.id
   243       refresh_token_scope.index = i
   244       refresh_token_scope.scope = scope
   245       refresh_token_scope:save()
   246     end
   247     local index = i == 0 and "" or i
   248     r["access_token" .. index] = access_token.token
   249   end
   250 end
   252 r.member_id = token.member_id
   253 if token.member.role then
   254   r.member_is_role = true
   255 end
   256 if token.session then
   257   r.real_member_id = token.real_member_id  
   258 end
   260 if allowed_scopes.identification or allowed_scopes.authentication then
   261   if param.get("include_member", atom.boolean) then
   262     local member = token.member
   263     r.member = json.object{
   264       id = member.id,
   265       name = member.name,
   266     }
   267     if token.session and token.session.real_member then
   268       r.real_member = json.object{
   269         id = token.session.real_member.id,
   270         name = token.session.real_member.name,
   271       }
   272     end
   273     if allowed_scopes.identification then
   274       r.member.identification = member.identification
   275       if token.session and token.session.real_member then
   276         r.real_member.identification = token.session.real_member.identification
   277       end
   278     end
   279   end
   280 end
   282 slot.put_into("data", json.export(r))
