@things-factory/auth-base 8.0.0-beta.0 → 8.0.0-beta.2

package/server/router/oauth2/oauth2-router.ts

@@ -1,165 +0,0 @@
-import jwt from 'jsonwebtoken'
-import compose from 'koa-compose'
-import passport from 'koa-passport'
-import Router from 'koa-router'
-
-import { Domain, getRepository } from '@things-factory/shell'
-
-import { jwtAuthenticateMiddleware } from '../../middlewares'
-import { Application } from '../../service/application/application'
-import { User, UserStatus } from '../../service/user/user'
-import { setAccessTokenCookie } from '../../utils/access-token-cookie'
-import { SECRET } from '../../utils/get-secret'
-import { server as oauth2orizeServer } from './oauth2-server'
-import { Strategy as ClientPasswordStrategy } from './passport-oauth2-client-password'
-
-declare global {
-  namespace NodeJS {
-    interface Process {
-      oauthDisconnect: (user: User) => Promise<void>
-    }
-  }
-}
-
-export const oauth2Router = new Router()
-
-passport.use(
-  'oauth2-client-password',
-  new ClientPasswordStrategy({}, (clientId, clientSecret, done) => {
-    getRepository(Application)
-      .findOneBy({
-        appKey: clientId
-      })
-      .then(client => {
-        if (!client || client.appSecret != clientSecret) {
-          done(null, false)
-          return
-        }
-
-        done(null, client)
-      })
-      .catch(err => done(err))
-  })
-)
-
-// user decision endpoint
-//
-// `decision` middleware processes a user's decision to allow or deny access
-// requested by a client application.  Based on the grant type requested by the
-// client, the above grant middleware configured above will be invoked to send
-// a response.
-
-oauth2Router.post(
-  '/decision',
-  jwtAuthenticateMiddleware,
-  compose(
-    oauth2orizeServer.decision(async function (context) {
-      const { request } = context
-
-      return request.body
-    })
-  )
-)
-
-// token endpoint
-//
-// `token` middleware handles client requests to exchange authorization grants
-// for access tokens.  Based on the grant type being exchanged, the above
-// exchange middleware will be invoked to handle the request.  Clients must
-// authenticate when making requests to this endpoint.
-
-oauth2Router.post(
-  '/access-token',
-  passport.authenticate('oauth2-client-password', { session: false }),
-  oauth2orizeServer.token(),
-  oauth2orizeServer.errorHandler()
-)
-
-oauth2Router.post('/refresh-token', async (context, next) => {
-  const refreshToken: string | undefined = context.request?.body?.refreshToken
-  if (!refreshToken) throw new Error('Missing refresh token')
-
-  const appUser: User | undefined = await getRepository(User).findOneBy({
-    password: refreshToken
-  })
-
-  if (!appUser) throw new Error('App user is not found')
-
-  try {
-    jwt.verify(refreshToken, SECRET)
-    const decoded = jwt.decode(refreshToken) as any
-    const subdomain: string = decoded.domain.subdomain
-    const domain: Domain | undefined = await getRepository(Domain).findOne({
-      where: { subdomain }
-    })
-    if (!domain) throw new Error('Domain is not found')
-    const appKey: string = decoded.application.appKey
-    const scopes: any[] = decoded.scope
-
-    const newAccessToken: string = Application.generateAccessToken(domain, appUser, appKey, scopes)
-    const newRefreshToken: string = Application.generateRefreshToken(domain, appUser, appKey, scopes)
-
-    appUser.password = newRefreshToken
-    await getRepository(User).save(appUser)
-
-    setAccessTokenCookie(context, newAccessToken)
-
-    context.body = {
-      accessToken: newAccessToken,
-      refreshToken: newRefreshToken
-    }
-  } catch (e) {
-    context.status = 401
-    context.body = e.message
-  }
-})
-
-oauth2Router.get('/profile', jwtAuthenticateMiddleware, async (context, next) => {
-  const { user, domain } = context.state
-
-  const { name, description, email, userType: type, locale } = user
-  const { name: domainName, subdomain, brandName, brandImage, contentImage, timezone } = domain || {}
-
-  var application = {}
-  if (type == 'application') {
-    /* user entity에 reference 필드가 추가되기 전까지, appKey취득 방법임. */
-    application['appKey'] = email.substr(0, email.lastIndexOf('@'))
-  }
-
-  context.body = {
-    profile: {
-      name,
-      description,
-      email,
-      type /* (admin|user|application|appliance) */,
-      domain: {
-        name: domainName,
-        subdomain,
-        brandName,
-        brandImage,
-        contentImage,
-        timezone
-      },
-      application
-    }
-  }
-})
-
-oauth2Router.post('/disconnect', jwtAuthenticateMiddleware, async (context, next) => {
-  try {
-    let { user } = context.state
-
-    if (typeof process.oauthDisconnect === 'function') {
-      await process.oauthDisconnect(user)
-    } else {
-      user.domains = []
-      user.roles = []
-      user.status = UserStatus.DELETED
-      await getRepository(User).save(user)
-    }
-    context.status = 200
-    context.body = 'ok'
-  } catch (e) {
-    throw e
-  }
-})

package/server/router/oauth2/oauth2-server.ts

@@ -1,262 +0,0 @@
-import oauth2orize from 'oauth2orize-koa'
-import { ILike, In } from 'typeorm'
-
-import { logger } from '@things-factory/env'
-import { Domain, getRepository } from '@things-factory/shell'
-
-import { Application } from '../../service/application/application'
-import { Role } from '../../service/role/role'
-import { User, UserStatus } from '../../service/user/user'
-
-const crypto = require('crypto')
-
-export const NOTFOUND = 'NOTFOUND'
-export const NonClient = {
-  id: NOTFOUND
-}
-
-// create OAuth 2.0 server
-export const server = oauth2orize.createServer()
-
-// Register serialialization and deserialization functions.
-//
-// When a client redirects a user to user authorization endpoint, an
-// authorization transaction is initiated.  To complete the transaction, the
-// user must authenticate and approve the authorization request.  Because this
-// may involve multiple HTTP request/response exchanges, the transaction is
-// stored in the session.
-//
-// An application must supply serialization functions, which determine how the
-// client object is serialized into the session.  Typically this will be a
-// simple matter of serializing the client's ID, and deserializing by finding
-// the client by ID from the database.
-
-server.serializeClient(async function (client) {
-  return client.id
-})
-
-server.deserializeClient(async function (id) {
-  if (id == NOTFOUND) {
-    return {}
-  }
-
-  const application = await getRepository(Application).findOneBy({ id })
-  return application
-})
-
-// Register supported grant types.
-//
-// OAuth 2.0 specifies a framework that allows users to grant client
-// applications limited access to their protected resources.  It does this
-// through a process of the user granting access, and the client exchanging
-// the grant for an access token.
-
-// Grant authorization codes.  The callback takes the `client` requesting
-// authorization, the `redirectURI` (which is used as a verifier in the
-// subsequent exchange), the authenticated `user` granting access, and
-// their response, which contains approved scope, duration, etc. as parsed by
-// the application.  The application issues a code, which is bound to these
-// values, and will be exchanged for an access token.
-
-server.grant(
-  oauth2orize.grant.code(async (client, redirectUrl, user, ares, areq) => {
-    const { email, appKey, subdomain, scopes, state } = ares
-
-    return Application.generateAuthCode(email, appKey, subdomain, scopes, state)
-  })
-)
-
-// Exchange authorization codes for access tokens.  The callback accepts the
-// `client`, which is exchanging `code` and any `redirectURI` from the
-// authorization request for verification.  If these values are validated, the
-// application issues an access token on behalf of the user who authorized the
-// code.
-
-server.exchange(
-  oauth2orize.exchange.code(async (client, code, redirectUrl) => {
-    try {
-      /* authorization code */
-      var decoded: any = Application.verifyAuthCode(code)
-    } catch (e) {
-      return false
-    }
-    let { email, appKey, subdomain, scopes } = decoded
-
-    const application: Application = await getRepository(Application).findOneBy({
-      appKey
-    })
-
-    if (!application) {
-      return false
-    }
-
-    /* DONT-FORGET uncomment after test */
-    // if (redirectUrl !== application.redirectUrl && redirectUrl.indexOf(application.redirectUrl) != 0) {
-    //   logger.error(
-    //     'oauth2 exchange error - redirectUrl should begins with the application setting',
-    //     redirectUrl,
-    //     application.redirectUrl
-    //   )
-    //   // return false
-    //   throw new TypeError(
-    //     `oauth2 exchange error - redirectUrl should begins with the application setting : '${redirectUrl}':'${application.redirectUrl}'`
-    //   )
-    // }
-
-    const domain: Domain = await getRepository(Domain).findOneBy({
-      subdomain
-    })
-
-    const creator: User = await getRepository(User).findOneBy({ email: ILike(email) })
-
-    const appuserEmail = `${crypto.randomUUID()}@${subdomain}`
-
-    var appuser: User = await getRepository(User).findOne({
-      where: {
-        email: appuserEmail,
-        reference: application.id,
-        userType: 'application'
-      },
-
-      relations: ['domains', 'creator', 'updater']
-    })
-
-    appuser = await getRepository(User).save({
-      ...(appuser || {}),
-      email: appuserEmail,
-      name: application.name,
-      userType: 'application',
-      reference: application.id,
-      domains: [domain],
-      roles: scopes,
-      status: UserStatus.ACTIVATED,
-      updater: creator,
-      creator
-    })
-
-    // appuser = await getRepository(User).findOne({
-    //   where: { email: ILike(appuserEmail) },
-    //   relations: ['domains']
-    // })
-
-    // appuser.domains = Promise.resolve([domain])
-    // await getRepository(User).save(appuser)
-    // Lazy relation 필드들(domain, domains)들에 대한 업데이트. 이상의 방법으로 업데이트 해야하는 것 같다.
-    // Lazy relation 업데이트 방법의 일관성이 부족하므로, Lazy relation 필드를 사용하지 않기를 권장함.
-
-    var accessToken = Application.generateAccessToken(domain, appuser, appKey, scopes)
-    var refreshToken = Application.generateRefreshToken(domain, appuser, appKey, scopes)
-
-    await getRepository(User).save({
-      ...(appuser as any),
-      password: refreshToken
-    })
-
-    return [
-      accessToken,
-      refreshToken,
-      {
-        expires_in: 30 * 24 * 60 * 60 /* 30d */,
-        token_type: 'bearer',
-        centerId: subdomain
-      }
-    ]
-  })
-)
-
-server.exchange(
-  oauth2orize.exchange.refreshToken(async (client, refreshToken, scope) => {
-    try {
-      /* refresh token */
-      var decoded: any = Application.verifyAuthCode(refreshToken)
-    } catch (e) {
-      logger.error(e)
-      return false
-    }
-    const {
-      id,
-      userType,
-      email,
-      application: { appKey },
-      domain: { subdomain },
-      scope: originalScope,
-      exp: expires_in
-    } = decoded
-
-    const application: Application = await getRepository(Application).findOneBy({
-      appKey
-    })
-
-    if (!application) {
-      logger.error('application is not exist')
-      return false
-    }
-
-    if (Date.now() > expires_in * 1000) {
-      logger.error('refresh token is expired')
-      return false
-    }
-
-    const domain: Domain = await getRepository(Domain).findOneBy({
-      subdomain
-    })
-
-    const creator: User = await getRepository(User).findOneBy({
-      id,
-      userType
-    })
-
-    const appuserEmail = `${appKey}@${subdomain}`
-
-    var appuser: User = await getRepository(User).findOne({
-      where: {
-        email: appuserEmail,
-        reference: application.id,
-        userType: 'application'
-      },
-      relations: ['domain', 'creator', 'updater']
-    })
-
-    if (!appuser) {
-      logger.error('application is not bound')
-      return false
-    }
-
-    /*
-     * `scope` is the scope of access requested by the client, which must not include any scope not originally granted.
-     */
-
-    scope = scope || originalScope
-
-    const scopes: string[] = scope.split(',')
-    const originalScopes = (originalScope || '').split(',')
-    const additionalScope = scopes.find(scope => originalScopes.indexOf(scope) === -1)
-    if (additionalScope) {
-      logger.error(`additional scope(${additionalScope}) required`)
-      return false
-    }
-
-    const roles = await getRepository(Role).findBy({
-      name: In(scopes),
-      domain: { id: domain.id }
-    })
-
-    var accessToken = Application.generateAccessToken(domain, appuser, appKey, scope)
-    var refreshToken: any = Application.generateRefreshToken(domain, appuser, appKey, scope)
-
-    await getRepository(User).save({
-      ...(appuser as any),
-      roles,
-      password: refreshToken
-    })
-
-    return [
-      accessToken,
-      refreshToken,
-      {
-        expires_in: 30 * 24 * 60 * 60 /* 30d */,
-        token_type: 'bearer'
-      }
-    ]
-  })
-)

package/server/router/oauth2/passport-oauth2-client-password.ts

@@ -1,87 +0,0 @@
-import passport from 'koa-passport'
-import util from 'util'
-
-/**
- * `Oauth2ClientPasswordStrategy` constructor.
- *
- * @api protected
- * Basic Authorization Header와 Body 형식을 모두 지원한다.
- */
-export function Strategy(options, verify) {
-  if (typeof options == 'function') {
-    verify = options
-    options = {}
-  }
-  if (!verify) throw new Error('OAuth 2.0 client password strategy requires a verify function')
-
-  passport.Strategy.call(this)
-  this.name = 'oauth2-client-password'
-  this._verify = verify
-  this._passReqToCallback = options.passReqToCallback
-}
-
-/**
- * Inherit from `passport.Strategy`.
- */
-util.inherits(Strategy, passport.Strategy)
-
-function fetchBasicCredential(authorization = '') {
-  var parts = authorization.split(' ')
-  if (parts.length < 2) {
-    return
-  }
-
-  var scheme = parts[0]
-  var credentials = new Buffer(parts[1], 'base64').toString().split(':')
-
-  if (!/Basic/i.test(scheme)) {
-    return
-  }
-  if (credentials.length < 2) {
-    return
-  }
-
-  var clientId = credentials[0]
-  var clientSecret = credentials[1]
-  if (!clientId || !clientSecret) {
-    return
-  }
-
-  return [clientId, clientSecret]
-}
-
-/**
- * Authenticate request based on client credentials in the request body.
- *
- * @param {Object} req
- * @api protected
- */
-Strategy.prototype.authenticate = function (req) {
-  var [clientId, clientSecret] = fetchBasicCredential(req.headers['authorization']) || []
-  if (!clientId) {
-    if (!req.body || !req.body['client_id'] || !req.body['client_secret']) {
-      return this.fail()
-    }
-
-    clientId = req.body['client_id']
-    clientSecret = req.body['client_secret']
-  }
-
-  var self = this
-
-  function verified(err, client, info) {
-    if (err) {
-      return self.error(err)
-    }
-    if (!client) {
-      return self.fail()
-    }
-    self.success(client, info)
-  }
-
-  if (self._passReqToCallback) {
-    this._verify(req, clientId, clientSecret, verified)
-  } else {
-    this._verify(clientId, clientSecret, verified)
-  }
-}

package/server/router/oauth2/passport-refresh-token.ts

@@ -1,87 +0,0 @@
-import passport from 'koa-passport'
-import util from 'util'
-
-/**
- * `PassportRefreshTokenStrategy` constructor.
- *
- * @api protected
- * Basic Authorization Header와 Body 형식을 모두 지원한다.
- */
-export function Strategy(options, verify) {
-  if (typeof options == 'function') {
-    verify = options
-    options = {}
-  }
-  if (!verify) throw new Error('OAuth 2.0 refresh-token strategy requires a verify function')
-
-  passport.Strategy.call(this)
-  this.name = 'refresh-token'
-  this._verify = verify
-  this._passReqToCallback = options.passReqToCallback
-}
-
-/**
- * Inherit from `passport.Strategy`.
- */
-util.inherits(Strategy, passport.Strategy)
-
-function fetchBasicCredential(authorization = '') {
-  var parts = authorization.split(' ')
-  if (parts.length < 2) {
-    return
-  }
-
-  var scheme = parts[0]
-  var credentials = new Buffer(parts[1], 'base64').toString().split(':')
-
-  if (!/Basic/i.test(scheme)) {
-    return
-  }
-  if (credentials.length < 2) {
-    return
-  }
-
-  var clientId = credentials[0]
-  var clientSecret = credentials[1]
-  if (!clientId || !clientSecret) {
-    return
-  }
-
-  return [clientId, clientSecret]
-}
-
-/**
- * Authenticate request based on client credentials in the request body.
- *
- * @param {Object} req
- * @api protected
- */
-Strategy.prototype.authenticate = function (req) {
-  var [clientId, clientSecret] = fetchBasicCredential(req.headers['authorization']) || []
-  if (!clientId) {
-    if (!req.body || !req.body['client_id'] || !req.body['client_secret']) {
-      return this.fail()
-    }
-
-    clientId = req.body['client_id']
-    clientSecret = req.body['client_secret']
-  }
-
-  var self = this
-
-  function verified(err, client, info) {
-    if (err) {
-      return self.error(err)
-    }
-    if (!client) {
-      return self.fail()
-    }
-    self.success(client, info)
-  }
-
-  if (self._passReqToCallback) {
-    this._verify(req, clientId, clientSecret, verified)
-  } else {
-    this._verify(clientId, clientSecret, verified)
-  }
-}

package/server/router/path-base-domain-router.ts

@@ -1,8 +0,0 @@
-import Router from 'koa-router'
-
-export const pathBaseDomainRouter = new Router()
-
-/* browser history fallback 을 위한 라우터. */
-pathBaseDomainRouter.get('/(.*)', async (context, next) => {
-  await next()
-})

package/server/router/site-root-router.ts

@@ -1,48 +0,0 @@
-import Router from 'koa-router'
-import passport from 'koa-passport'
-
-import { Domain, domainMiddleware } from '@things-factory/shell'
-import { config } from '@things-factory/env'
-
-import { User } from '../service/user/user'
-import { getUserDomains } from '../utils/get-user-domains'
-
-const PUBLIC_HOME_ROUTE = config.get('publicHomeRoute', '/public/home')
-
-export const siteRootRouter = new Router()
-
-async function findAuth(context, next) {
-  return await passport.authenticate('jwt', { session: false }, async (err, decoded, info) => {
-    if (decoded) {
-      try {
-        const user = await User.checkAuth(decoded)
-        context.state.user = user
-      } catch (e) {}
-    }
-
-    await next()
-  })(context, next)
-}
-
-siteRootRouter.get('/', findAuth, domainMiddleware, async (context, next) => {
-  const { user, domain } = context.state
-
-  const subdomain = domain?.subdomain
-
-  if (user && subdomain) {
-    const userDomains: Partial<Domain>[] = await getUserDomains(user)
-    if (userDomains.find(userDomain => userDomain.subdomain == subdomain)) {
-      return await next()
-    }
-
-    return context.redirect(`/auth/checkin/${subdomain}`)
-  }
-
-  if (user && !subdomain) {
-    context.redirect('/auth/checkin')
-
-    return
-  }
-
-  context.redirect(PUBLIC_HOME_ROUTE)
-})