PeerTube/server/middlewares/oauth.ts

import * as express from 'express'
import * as OAuthServer from 'express-oauth-server'
import { OAUTH_LIFETIME } from '../initializers/constants'
import { logger } from '../helpers/logger'
import { Socket } from 'socket.io'
import { getAccessToken } from '../lib/oauth-model'

const oAuthServer = new OAuthServer({
  useErrorHandler: true,
  accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
  refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
  continueMiddleware: true,
  model: require('../lib/oauth-model')
})

function authenticate (req: express.Request, res: express.Response, next: express.NextFunction, authenticateInQuery = false) {
  const options = authenticateInQuery ? { allowBearerTokensInQueryString: true } : {}

  oAuthServer.authenticate(options)(req, res, err => {
    if (err) {
      logger.warn('Cannot authenticate.', { err })

      return res.status(err.status)
        .json({
          error: 'Token is invalid.',
          code: err.name
        })
        .end()
    }

    return next()
  })
}

function authenticateSocket (socket: Socket, next: (err?: any) => void) {
  const accessToken = socket.handshake.query.accessToken

  logger.debug('Checking socket access token %s.', accessToken)

  if (!accessToken) return next(new Error('No access token provided'))

  getAccessToken(accessToken)
    .then(tokenDB => {
      const now = new Date()

      if (!tokenDB || tokenDB.accessTokenExpiresAt < now || tokenDB.refreshTokenExpiresAt < now) {
        return next(new Error('Invalid access token.'))
      }

      socket.handshake.query.user = tokenDB.User

      return next()
    })
}

function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
  return new Promise(resolve => {
    // Already authenticated? (or tried to)
    if (res.locals.oauth && res.locals.oauth.token.User) return resolve()

    if (res.locals.authenticated === false) return res.sendStatus(401)

    authenticate(req, res, () => resolve(), authenticateInQuery)
  })
}

function optionalAuthenticate (req: express.Request, res: express.Response, next: express.NextFunction) {
  if (req.header('authorization')) return authenticate(req, res, next)

  res.locals.authenticated = false

  return next()
}

function token (req: express.Request, res: express.Response, next: express.NextFunction) {
  return oAuthServer.token()(req, res, err => {
    if (err) {
      return res.status(err.status)
        .json({
          error: err.message,
          code: err.name
        })
        .end()
    }

    return next()
  })
}

// ---------------------------------------------------------------------------

export {
  authenticate,
  authenticateSocket,
  authenticatePromiseIfNeeded,
  optionalAuthenticate,
  token
}
Type functions 2017-06-10 22:15:25 +02:00			`import * as express from 'express'`
require -> import 2017-06-05 21:53:49 +02:00			`import * as OAuthServer from 'express-oauth-server'`
Don't expose constants directly in initializers/ 2019-04-11 14:26:41 +02:00			`import { OAUTH_LIFETIME } from '../initializers/constants'`
Add ability to choose what policy we have for NSFW videos There is a global instance setting and a per user setting 2018-04-19 11:01:34 +02:00			`import { logger } from '../helpers/logger'`
Add user notification base code 2018-12-26 10:36:24 +01:00			`import { Socket } from 'socket.io'`
			`import { getAccessToken } from '../lib/oauth-model'`
Add authentications for routes that need it and adapts the tests 2016-04-14 22:06:11 +02:00
			`const oAuthServer = new OAuthServer({`
Improve check jobs parameters tests 2017-12-28 14:40:11 +01:00			`useErrorHandler: true,`
Type models 2017-05-22 20:58:25 +02:00			`accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,`
			`refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,`
Add action hooks to user routes 2019-12-06 15:59:12 +01:00			`continueMiddleware: true,`
OAuth/User models refractoring -> use mongoose api 2016-07-01 16:03:53 +02:00			`model: require('../lib/oauth-model')`
OAuth server: first draft 2016-03-21 11:56:33 +01:00			`})`

Fix private video download 2019-12-03 10:41:23 +01:00			`function authenticate (req: express.Request, res: express.Response, next: express.NextFunction, authenticateInQuery = false) {`
			`const options = authenticateInQuery ? { allowBearerTokensInQueryString: true } : {}`

			`oAuthServer.authenticate(options)(req, res, err => {`
Add authentications for routes that need it and adapts the tests 2016-04-14 22:06:11 +02:00			`if (err) {`
Add ability to choose what policy we have for NSFW videos There is a global instance setting and a per user setting 2018-04-19 11:01:34 +02:00			`logger.warn('Cannot authenticate.', { err })`

Improve check jobs parameters tests 2017-12-28 14:40:11 +01:00			`return res.status(err.status)`
			`.json({`
Fix user tests 2017-12-28 16:45:32 +01:00			`error: 'Token is invalid.',`
Improve check jobs parameters tests 2017-12-28 14:40:11 +01:00			`code: err.name`
			`})`
			`.end()`
Improve check follow params tests 2017-12-28 14:29:57 +01:00			`}`
Add authentications for routes that need it and adapts the tests 2016-04-14 22:06:11 +02:00
			`return next()`
			`})`
			`}`

Add user notification base code 2018-12-26 10:36:24 +01:00			`function authenticateSocket (socket: Socket, next: (err?: any) => void) {`
			`const accessToken = socket.handshake.query.accessToken`

			`logger.debug('Checking socket access token %s.', accessToken)`

Upgrade sequelize 2019-04-23 09:50:57 +02:00			`if (!accessToken) return next(new Error('No access token provided'))`

Add user notification base code 2018-12-26 10:36:24 +01:00			`getAccessToken(accessToken)`
			`.then(tokenDB => {`
			`const now = new Date()`

			`if (!tokenDB \|\| tokenDB.accessTokenExpiresAt < now \|\| tokenDB.refreshTokenExpiresAt < now) {`
			`return next(new Error('Invalid access token.'))`
			`}`

			`socket.handshake.query.user = tokenDB.User`

			`return next()`
			`})`
			`}`

Fix private video download 2019-12-03 10:41:23 +01:00			`function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {`
Check follow constraints when getting a video 2018-11-16 15:02:48 +01:00			`return new Promise(resolve => {`
			`// Already authenticated? (or tried to)`
			`if (res.locals.oauth && res.locals.oauth.token.User) return resolve()`

			`if (res.locals.authenticated === false) return res.sendStatus(401)`

Fix private video download 2019-12-03 10:41:23 +01:00			`authenticate(req, res, () => resolve(), authenticateInQuery)`
Check follow constraints when getting a video 2018-11-16 15:02:48 +01:00			`})`
			`}`

Add ability to choose what policy we have for NSFW videos There is a global instance setting and a per user setting 2018-04-19 11:01:34 +02:00			`function optionalAuthenticate (req: express.Request, res: express.Response, next: express.NextFunction) {`
			`if (req.header('authorization')) return authenticate(req, res, next)`

Check follow constraints when getting a video 2018-11-16 15:02:48 +01:00			`res.locals.authenticated = false`

Add ability to choose what policy we have for NSFW videos There is a global instance setting and a per user setting 2018-04-19 11:01:34 +02:00			`return next()`
			`}`

Type functions 2017-06-10 22:15:25 +02:00			`function token (req: express.Request, res: express.Response, next: express.NextFunction) {`
Fix user tests 2017-12-28 16:45:32 +01:00			`return oAuthServer.token()(req, res, err => {`
			`if (err) {`
			`return res.status(err.status)`
			`.json({`
Implement user blocking on server side 2018-08-08 14:58:21 +02:00			`error: err.message,`
Fix user tests 2017-12-28 16:45:32 +01:00			`code: err.name`
			`})`
			`.end()`
			`}`

			`return next()`
			`})`
Add authentications for routes that need it and adapts the tests 2016-04-14 22:06:11 +02:00			`}`

OAuth server: first draft 2016-03-21 11:56:33 +01:00			`// ---------------------------------------------------------------------------`

First typescript iteration 2017-05-15 22:22:03 +02:00			`export {`
			`authenticate,`
Add user notification base code 2018-12-26 10:36:24 +01:00			`authenticateSocket,`
Check follow constraints when getting a video 2018-11-16 15:02:48 +01:00			`authenticatePromiseIfNeeded,`
Add ability to choose what policy we have for NSFW videos There is a global instance setting and a per user setting 2018-04-19 11:01:34 +02:00			`optionalAuthenticate,`
First typescript iteration 2017-05-15 22:22:03 +02:00			`token`
			`}`