rodauth-oauth 0.8.0 → 0.9.2

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_dynamic_client_registration, :OauthDynamicClientRegistration) do
+    depends :oauth_base
+
+    before "register"
+
+    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name client_uri]
+
+    PROTECTED_APPLICATION_ATTRIBUTES = %i[account_id client_id].freeze
+
+    # /register
+    route(:register) do |r|
+      next unless is_authorization_server?
+
+      before_register_route
+
+      validate_client_registration_params
+
+      r.post do
+        response_params = transaction do
+          before_register
+          do_register
+        end
+
+        response.status = 201
+        response["Content-Type"] = json_response_content_type
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+        response.write(_json_response_body(response_params))
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when register_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def registration_metadata
+      oauth_server_metadata_body
+    end
+
+    def validate_client_registration_params
+      oauth_client_registration_required_params.each do |required_param|
+        unless request.params.key?(required_param)
+          register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
+        end
+      end
+      metadata = registration_metadata
+
+      @oauth_application_params = request.params.each_with_object({}) do |(key, value), params|
+        case key
+        when "redirect_uris"
+          if value.is_a?(Array)
+            value = value.each do |uri|
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless check_valid_uri?(uri)
+            end.join(" ")
+          else
+            register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
+          end
+          key = oauth_applications_redirect_uri_column
+        when "token_endpoint_auth_method"
+          unless oauth_auth_methods_supported.include?(value)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+          end
+          # verify if in range
+          key = oauth_applications_token_endpoint_auth_method_column
+        when "grant_types"
+          if value.is_a?(Array)
+            value = value.each do |grant_type|
+              unless metadata[:grant_types_supported].include?(grant_type)
+                register_throw_json_response_error("invalid_client_metadata", register_invalid_grant_type_message(grant_type))
+              end
+            end.join(" ")
+          else
+            set_field_error(key, invalid_client_metadata_message)
+          end
+          key = oauth_applications_grant_types_column
+        when "response_types"
+          if value.is_a?(Array)
+            grant_types = request.params["grant_types"] || metadata[:grant_types_supported]
+            value = value.each do |response_type|
+              unless metadata[:response_types_supported].include?(response_type)
+                register_throw_json_response_error("invalid_client_metadata",
+                                                   register_invalid_response_type_message(response_type))
+              end
+
+              validate_client_registration_response_type(response_type, grant_types)
+            end.join(" ")
+          else
+            set_field_error(key, invalid_client_metadata_message)
+          end
+          key = oauth_applications_response_types_column
+          # verify if in range and match grant type
+        when "client_uri", "logo_uri", "tos_uri", "policy_uri", "jwks_uri"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value)) unless check_valid_uri?(value)
+          case key
+          when "client_uri"
+            key = "homepage_url"
+          when "jwks_uri"
+            if request.params.key?("jwks")
+              register_throw_json_response_error("invalid_client_metadata",
+                                                 register_invalid_jwks_param_message(key, "jwks"))
+            end
+          end
+          key = __send__(:"oauth_applications_#{key}_column")
+        when "jwks"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(Hash)
+          if request.params.key?("jwks_uri")
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_jwks_param_message(key, "jwks_uri"))
+          end
+
+          key = oauth_applications_jwks_column
+          value = JSON.dump(value)
+        when "scope"
+          scopes = value.split(" ") - oauth_application_scopes
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_scopes_message(value)) unless scopes.empty?
+          key = oauth_applications_scopes_column
+          # verify if in range
+        when "contacts"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_contacts_message(value)) unless value.is_a?(Array)
+          value = value.join(" ")
+          key = oauth_applications_contacts_column
+        when "client_name"
+          key = oauth_applications_name_column
+        else
+          if respond_to?(:"oauth_applications_#{key}_column")
+            property = :"oauth_applications_#{key}_column"
+            if PROTECTED_APPLICATION_ATTRIBUTES.include?(property)
+              register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+            end
+            key = __send__(property)
+          elsif !db[oauth_applications_table].columns.include?(key.to_sym)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+          end
+        end
+        params[key] = value
+      end
+    end
+
+    def validate_client_registration_response_type(response_type, grant_types)
+      case response_type
+      when "code"
+        unless grant_types.include?("authorization_code")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type,
+                                                                                                   "authorization_code"))
+        end
+      when "token"
+        unless grant_types.include?("implicit")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
+        end
+      when "none"
+        if grant_types.include?("implicit") || grant_types.include?("authorization_code")
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_response_type_message(response_type))
+        end
+      end
+    end
+
+    def do_register(return_params = request.params.dup)
+      # set defaults
+      create_params = @oauth_application_params
+      create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_default_scope.join(" ")
+      create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
+        return_params["token_endpoint_auth_method"] = "client_secret_basic"
+        "client_secret_basic"
+      end
+      create_params[oauth_applications_grant_types_column] ||= begin
+        return_params["grant_types"] = %w[authorization_code]
+        "authorization_code"
+      end
+      create_params[oauth_applications_response_types_column] ||= begin
+        return_params["response_types"] = %w[code]
+        "code"
+      end
+      rescue_from_uniqueness_error do
+        client_id = oauth_unique_id_generator
+        create_params[oauth_applications_client_id_column] = client_id
+        return_params["client_id"] = client_id
+        return_params["client_id_issued_at"] = Time.now.utc.iso8601
+        if create_params.key?(oauth_applications_client_secret_column)
+          create_params[oauth_applications_client_secret_column] = secret_hash(create_params[oauth_applications_client_secret_column])
+          return_params.delete("client_secret")
+        else
+          client_secret = oauth_unique_id_generator
+          create_params[oauth_applications_client_secret_column] = secret_hash(client_secret)
+          return_params["client_secret"] = client_secret
+          return_params["client_secret_expires_at"] = 0
+        end
+        db[oauth_applications_table].insert(create_params)
+      end
+
+      return_params
+    end
+
+    def register_throw_json_response_error(code, message)
+      throw_json_response_error(invalid_oauth_response_status, code, message)
+    end
+
+    def register_required_param_message(key)
+      "The param '#{key}' is required by this server."
+    end
+
+    def register_invalid_param_message(key)
+      "The param '#{key}' is not supported by this server."
+    end
+
+    def register_invalid_contacts_message(contacts)
+      "The contacts '#{contacts}' are not allowed by this server."
+    end
+
+    def register_invalid_uri_message(uri)
+      "The '#{uri}' URL is not allowed by this server."
+    end
+
+    def register_invalid_jwks_param_message(key1, key2)
+      "The param '#{key1}' cannot be accepted together with param '#{key2}'."
+    end
+
+    def register_invalid_scopes_message(scopes)
+      "The given scopes (#{scopes}) are not allowed by this server."
+    end
+
+    def register_invalid_grant_type_message(grant_type)
+      "The grant type #{grant_type} is not allowed by this server."
+    end
+
+    def register_invalid_response_type_message(response_type)
+      "The response type #{response_type} is not allowed by this server."
+    end
+
+    def register_invalid_response_type_for_grant_type_message(response_type, grant_type)
+      "The grant type '#{grant_type}' must be registered for the response " \
+        "type '#{response_type}' to be allowed."
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:registration_endpoint] = register_url
+      end
+    end
+  end
+end