liquid_feedback_frontend
view app/main/oauth2/token.lua @ 1800:b87997219042
Updated spanish translation
| author | bsw |
|---|---|
| date | Thu Oct 21 15:22:29 2021 +0200 (2021-10-21) |
| parents | 8fde003bdeb0 |
| children |
line source
1 if not request.is_post() then
2 return execute.view { module = "index", view = "405" }
3 end
5 slot.set_layout(nil, "application/json;charset=UTF-8")
7 request.add_header("Cache-Control", "no-store")
8 request.add_header("Pragma", "no-cache")
10 local function error_result(error_code, error_description)
11 -- TODO special HTTP status codes for some errors?
12 request.set_status("400 Bad Request")
13 slot.put_into("data", json.export{
14 error = error_code,
15 error_description = error_description
16 })
17 end
19 local token
20 local grant_type = param.get("grant_type")
21 if grant_type == "authorization_code" then
22 local code = param.get("code")
23 token = Token:by_token_type_and_token("authorization", code)
24 elseif grant_type == "refresh_token" then
25 local refresh_token = param.get("refresh_token")
26 token = Token:by_token_type_and_token("refresh", refresh_token)
27 elseif grant_type == "access_token" then
28 local access_token, access_token_err = util.get_access_token()
29 if access_token_err then
30 if access_token_err == "header_and_param" then
31 return error_result("invalid_request", "Access token passed both via header and param")
32 end
33 error("Error in util.get_access_token")
34 end
35 token = Token:by_token_type_and_token("access", access_token)
36 else
37 return error_result("unsupported_grant_type", "Grant type not supported")
38 end
40 if not token then
41 return error_result("invalid_grant", "Token invalid or expired")
42 end
44 if grant_type == "authorization_code" then
45 if not token.used then
46 local expiry = db:query({"SELECT now() + (? || 'sec')::interval AS expiry", config.oauth2.authorization_code_lifetime }, "object").expiry
47 token.used = true
48 token.expiry = expiry
49 token:save()
50 else
51 token:destroy()
52 return error_result("invalid_grant", "Token invalid or expired")
53 end
54 end
56 if grant_type ~= "access_token" then
57 local cert_ca = request.get_header("X-LiquidFeedback-CA")
58 local cert_distinguished_name = request.get_header("X-SSL-DN")
59 local cert_common_name
61 if not token.system_application or token.system_application.cert_common_name then
62 if cert_distinguished_name then
63 cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
64 if not cert_common_name then
65 cert_common_name = string.match(cert_distinguished_name, "^CN=([A-Za-z0-9_.-]+)")
66 end
67 if not cert_common_name then
68 return error_result("invalid_client", "CN in X.509 certificate invalid")
69 end
70 else
71 return error_result("invalid_client", "X.509 client authorization missing")
72 end
73 end
74 if token.system_application then
75 if token.system_application.cert_common_name then
76 if cert_ca ~= "private" then
77 return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
78 end
79 if cert_common_name ~= token.system_application.cert_common_name then
80 return error_result("invalid_grant", "CN in X.509 certificate incorrect")
81 end
82 end
83 else
84 if cert_ca ~= "public" then
85 return error_result("invalid_client", "X.509 certificate not signed by publicly trusted certificate authority or wrong endpoint used")
86 end
87 if cert_common_name ~= token.domain then
88 return error_result("invalid_grant", "CN in X.509 certificate incorrect")
89 end
90 end
91 local client_id = param.get("client_id")
92 if client_id then
93 if token.system_application then
94 if client_id ~= token.system_application.client_id then
95 return error_result("invalid_grant", "Token was issued to another client")
96 end
97 else
98 if client_id ~= "dynamic:" .. token.domain then
99 return error_result ("invalid_grant", "Token was issued to another client")
100 end
101 end
102 elseif grant_type == "authorization_code" and not cert_common_name then
103 return error_result("invalid_request", "No client_id supplied for authorization_code request")
104 end
105 end
107 if grant_type == "authorization_code" then
108 local redirect_uri = param.get("redirect_uri")
109 if (token.redirect_uri_explicit or redirect_uri) and token.redirect_uri ~= redirect_uri then
110 return error_result("invalid_request", "Redirect URI missing or invalid")
111 end
112 end
114 local scopes = {
115 [0] = param.get("scope")
116 }
117 for i = 1, math.huge do
118 scopes[i] = param.get("scope" .. i)
119 if not scopes[i] then
120 break
121 end
122 end
124 if not scopes[0] and #scopes == 0 then
125 for dummy, token_scope in ipairs(token.token_scopes) do
126 scopes[token_scope.index] = token_scope.scope
127 end
128 end
130 local allowed_scopes = {}
131 local requested_detached_scopes = {}
132 for scope in string.gmatch(token.scope, "[^ ]+") do
133 allowed_scopes[scope] = true
134 end
135 for i = 0, #scopes do
136 if scopes[i] then
137 for scope in string.gmatch(scopes[i], "[^ ]+") do
138 if string.match(scope, "_detached$") then
139 requested_detached_scopes[scope] = true
140 end
141 if not allowed_scopes[scope] then
142 return error_result("invalid_scope", "Scope exceeds limits")
143 end
144 end
145 end
146 end
148 local expiry
150 if grant_type == "access_token" then
151 expiry = db:query({ "SELECT FLOOR(EXTRACT(EPOCH FROM ? - now())) AS access_time_left", token.expiry }, "object")
152 else
153 expiry = db:query({
154 "SELECT now() + (? || 'sec')::interval AS refresh, now() + (? || 'sec')::interval AS access",
155 config.oauth2.refresh_token_lifetime,
156 config.oauth2.access_token_lifetime
157 }, "object")
158 end
160 if grant_type == "refresh_token" then
161 local requested_detached_scopes_list = {}
162 for scope in pairs(requested_detached_scopes) do
163 requested_detached_scopes_list[#requested_detached_scopes_list+1] = scope
164 end
165 local tokens_to_reduce = Token:old_refresh_token_by_token(token, requested_detached_scopes_list)
166 for dummy, t in ipairs(tokens_to_reduce) do
167 local t_scopes = {}
168 for t_scope in string.gmatch(t.scope, "[^ ]+") do
169 t_scopes[t_scope] = true
170 end
171 for scope in pairs(requested_detached_scopes) do
172 local scope_without_detached = string.gmatch(scope, "(.+)_detached")
173 if t_scope[scope] then
174 t_scope[scope] = nil
175 t_scope[scope_without_detached] = true
176 end
177 end
178 local t_scope_list = {}
179 for scope in pairs(t_scopes) do
180 t_scope_list[#t_scope_list+1] = scope
181 end
182 t.scope = table.concat(t_scope_list, " ")
183 t:save()
184 end
185 end
187 local r = json.object()
189 local refresh_token
190 if
191 grant_type ~= "access_token"
192 and (grant_type == "authorization_code" or #(Token:fresh_refresh_token_by_token(token)) == 0)
193 then
194 refresh_token = Token:new()
195 refresh_token.token_type = "refresh"
196 if grant_type == "authorization_code" then
197 refresh_token.authorization_token_id = token.id
198 else
199 refresh_token.authorization_token_id = token.authorization_token_id
200 end
201 refresh_token.member_id = token.member_id
202 refresh_token.system_application_id = token.system_application_id
203 refresh_token.domain = token.domain
204 refresh_token.session_id = token.session_id
205 refresh_token.expiry = expiry.refresh
206 refresh_token.scope = token.scope
207 refresh_token:save()
208 r.refresh_token = refresh_token.token
209 end
212 r.token_type = "bearer"
213 if grant_type == "access_token" then
214 r.expires_in = expiry.access_time_left
215 else
216 r.expires_in = config.oauth2.access_token_lifetime
217 end
219 for i = 0, #scopes do
220 if scopes[i] then
221 local scope = scopes[i]
222 local access_token = Token:new()
223 access_token.token_type = "access"
224 if grant_type == "authorization_code" then
225 access_token.authorization_token_id = token.id
226 else
227 access_token.authorization_token_id = token.authorization_token_id
228 end
229 access_token.member_id = token.member_id
230 access_token.system_application_id = token.system_application_id
231 access_token.domain = token.domain
232 access_token.session_id = token.session_id
233 if grant_type == "access_token" then
234 access_token.expiry = token.expiry
235 else
236 access_token.expiry = expiry.access
237 end
238 access_token.scope = scope
239 access_token:save()
240 if refresh_token then
241 local refresh_token_scope = TokenScope:new()
242 refresh_token_scope.token_id = refresh_token.id
243 refresh_token_scope.index = i
244 refresh_token_scope.scope = scope
245 refresh_token_scope:save()
246 end
247 local index = i == 0 and "" or i
248 r["access_token" .. index] = access_token.token
249 end
250 end
252 r.member_id = token.member_id
253 if token.member.role then
254 r.member_is_role = true
255 end
256 if token.session then
257 r.real_member_id = token.real_member_id
258 end
260 if allowed_scopes.identification or allowed_scopes.authentication then
261 if param.get("include_member", atom.boolean) then
262 local member = token.member
263 r.member = json.object{
264 id = member.id,
265 name = member.name,
266 }
267 if token.session and token.session.real_member then
268 r.real_member = json.object{
269 id = token.session.real_member.id,
270 name = token.session.real_member.name,
271 }
272 end
273 if allowed_scopes.identification then
274 r.member.identification = member.identification
275 if token.session and token.session.real_member then
276 r.real_member.identification = token.session.real_member.identification
277 end
278 end
279 end
280 end
282 slot.put_into("data", json.export(r))