npm - @things-factory/auth-base - Versions diffs - 8.0.0-beta.8 → 8.0.0 - Mend

@things-factory/auth-base 8.0.0-beta.8 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/client/actions/auth.ts +24 -0
package/client/auth.ts +272 -0
package/client/bootstrap.ts +47 -0
package/client/directive/privileged.ts +28 -0
package/client/index.ts +3 -0
package/client/profiled.ts +83 -0
package/client/reducers/auth.ts +31 -0
package/dist-client/index.d.ts +0 -1
package/dist-client/index.js +0 -1
package/dist-client/index.js.map +1 -1
package/dist-client/tsconfig.tsbuildinfo +1 -1
package/dist-server/constants/error-code.d.ts +0 -2
package/dist-server/constants/error-code.js +1 -3
package/dist-server/constants/error-code.js.map +1 -1
package/dist-server/controllers/change-pwd.js +2 -2
package/dist-server/controllers/change-pwd.js.map +1 -1
package/dist-server/controllers/delete-user.js +12 -13
package/dist-server/controllers/delete-user.js.map +1 -1
package/dist-server/controllers/invitation.d.ts +1 -2
package/dist-server/controllers/invitation.js +5 -30
package/dist-server/controllers/invitation.js.map +1 -1
package/dist-server/controllers/profile.d.ts +3 -4
package/dist-server/controllers/profile.js +2 -20
package/dist-server/controllers/profile.js.map +1 -1
package/dist-server/controllers/signin.d.ts +1 -4
package/dist-server/controllers/signin.js +1 -17
package/dist-server/controllers/signin.js.map +1 -1
package/dist-server/controllers/signup.js +4 -13
package/dist-server/controllers/signup.js.map +1 -1
package/dist-server/controllers/unlock-user.js +0 -1
package/dist-server/controllers/unlock-user.js.map +1 -1
package/dist-server/controllers/verification.js +0 -1
package/dist-server/controllers/verification.js.map +1 -1
package/dist-server/middlewares/signin-middleware.js +4 -9
package/dist-server/middlewares/signin-middleware.js.map +1 -1
package/dist-server/middlewares/webauthn-middleware.js.map +1 -1
package/dist-server/migrations/1548206416130-SeedUser.js +1 -2
package/dist-server/migrations/1548206416130-SeedUser.js.map +1 -1
package/dist-server/router/auth-checkin-router.js +2 -8
package/dist-server/router/auth-checkin-router.js.map +1 -1
package/dist-server/router/auth-private-process-router.js +7 -12
package/dist-server/router/auth-private-process-router.js.map +1 -1
package/dist-server/router/auth-public-process-router.js +9 -20
package/dist-server/router/auth-public-process-router.js.map +1 -1
package/dist-server/router/auth-signin-router.js +3 -3
package/dist-server/router/auth-signin-router.js.map +1 -1
package/dist-server/router/webauthn-router.js +1 -51
package/dist-server/router/webauthn-router.js.map +1 -1
package/dist-server/service/invitation/invitation-mutation.d.ts +2 -3
package/dist-server/service/invitation/invitation-mutation.js +8 -20
package/dist-server/service/invitation/invitation-mutation.js.map +1 -1
package/dist-server/service/user/user-mutation.d.ts +9 -10
package/dist-server/service/user/user-mutation.js +54 -112
package/dist-server/service/user/user-mutation.js.map +1 -1
package/dist-server/service/user/user-types.d.ts +0 -1
package/dist-server/service/user/user-types.js +0 -4
package/dist-server/service/user/user-types.js.map +1 -1
package/dist-server/service/user/user.d.ts +0 -1
package/dist-server/service/user/user.js +14 -40
package/dist-server/service/user/user.js.map +1 -1
package/dist-server/templates/account-unlock-email.d.ts +1 -2
package/dist-server/templates/account-unlock-email.js +1 -1
package/dist-server/templates/account-unlock-email.js.map +1 -1
package/dist-server/templates/invitation-email.d.ts +1 -2
package/dist-server/templates/invitation-email.js +1 -1
package/dist-server/templates/invitation-email.js.map +1 -1
package/dist-server/templates/verification-email.d.ts +1 -2
package/dist-server/templates/verification-email.js +1 -1
package/dist-server/templates/verification-email.js.map +1 -1
package/dist-server/tsconfig.tsbuildinfo +1 -1
package/package.json +6 -6
package/server/constants/error-code.ts +20 -0
package/server/constants/error-message.ts +0 -0
package/server/constants/max-age.ts +1 -0
package/server/controllers/auth.ts +5 -0
package/server/controllers/change-pwd.ts +99 -0
package/server/controllers/checkin.ts +21 -0
package/server/controllers/delete-user.ts +68 -0
package/server/controllers/invitation.ts +132 -0
package/server/controllers/profile.ts +28 -0
package/server/controllers/reset-password.ts +126 -0
package/server/controllers/signin.ts +79 -0
package/server/controllers/signup.ts +60 -0
package/server/controllers/unlock-user.ts +61 -0
package/server/controllers/utils/make-invitation-token.ts +5 -0
package/server/controllers/utils/make-verification-token.ts +4 -0
package/server/controllers/utils/password-rule.ts +120 -0
package/server/controllers/utils/save-invitation-token.ts +10 -0
package/server/controllers/utils/save-verification-token.ts +12 -0
package/server/controllers/verification.ts +83 -0
package/server/errors/auth-error.ts +24 -0
package/server/errors/index.ts +2 -0
package/server/errors/user-domain-not-match-error.ts +29 -0
package/server/index.ts +37 -0
package/server/middlewares/authenticate-401-middleware.ts +114 -0
package/server/middlewares/domain-authenticate-middleware.ts +78 -0
package/server/middlewares/graphql-authenticate-middleware.ts +13 -0
package/server/middlewares/index.ts +67 -0
package/server/middlewares/jwt-authenticate-middleware.ts +84 -0
package/server/middlewares/signin-middleware.ts +55 -0
package/server/middlewares/webauthn-middleware.ts +127 -0
package/server/migrations/1548206416130-SeedUser.ts +59 -0
package/server/migrations/1566805283882-SeedPrivilege.ts +28 -0
package/server/migrations/index.ts +9 -0
package/server/router/auth-checkin-router.ts +107 -0
package/server/router/auth-private-process-router.ts +107 -0
package/server/router/auth-public-process-router.ts +302 -0
package/server/router/auth-signin-router.ts +55 -0
package/server/router/auth-signup-router.ts +95 -0
package/server/router/index.ts +9 -0
package/server/router/oauth2/index.ts +2 -0
package/server/router/oauth2/oauth2-authorize-router.ts +81 -0
package/server/router/oauth2/oauth2-router.ts +165 -0
package/server/router/oauth2/oauth2-server.ts +262 -0
package/server/router/oauth2/passport-oauth2-client-password.ts +87 -0
package/server/router/oauth2/passport-refresh-token.ts +87 -0
package/server/router/path-base-domain-router.ts +8 -0
package/server/router/site-root-router.ts +48 -0
package/server/router/webauthn-router.ts +87 -0
package/server/routes.ts +80 -0
package/server/service/app-binding/app-binding-mutation.ts +22 -0
package/server/service/app-binding/app-binding-query.ts +92 -0
package/server/service/app-binding/app-binding-types.ts +11 -0
package/server/service/app-binding/app-binding.ts +17 -0
package/server/service/app-binding/index.ts +4 -0
package/server/service/appliance/appliance-mutation.ts +113 -0
package/server/service/appliance/appliance-query.ts +76 -0
package/server/service/appliance/appliance-types.ts +56 -0
package/server/service/appliance/appliance.ts +133 -0
package/server/service/appliance/index.ts +6 -0
package/server/service/application/application-mutation.ts +104 -0
package/server/service/application/application-query.ts +98 -0
package/server/service/application/application-types.ts +76 -0
package/server/service/application/application.ts +216 -0
package/server/service/application/index.ts +6 -0
package/server/service/auth-provider/auth-provider-mutation.ts +159 -0
package/server/service/auth-provider/auth-provider-parameter-spec.ts +24 -0
package/server/service/auth-provider/auth-provider-query.ts +88 -0
package/server/service/auth-provider/auth-provider-type.ts +67 -0
package/server/service/auth-provider/auth-provider.ts +155 -0
package/server/service/auth-provider/index.ts +7 -0
package/server/service/domain-generator/domain-generator-mutation.ts +117 -0
package/server/service/domain-generator/domain-generator-types.ts +46 -0
package/server/service/domain-generator/index.ts +3 -0
package/server/service/granted-role/granted-role-mutation.ts +156 -0
package/server/service/granted-role/granted-role-query.ts +60 -0
package/server/service/granted-role/granted-role.ts +27 -0
package/server/service/granted-role/index.ts +6 -0
package/server/service/index.ts +90 -0
package/server/service/invitation/index.ts +6 -0
package/server/service/invitation/invitation-mutation.ts +63 -0
package/server/service/invitation/invitation-query.ts +33 -0
package/server/service/invitation/invitation-types.ts +11 -0
package/server/service/invitation/invitation.ts +63 -0
package/server/service/login-history/index.ts +5 -0
package/server/service/login-history/login-history-query.ts +51 -0
package/server/service/login-history/login-history-type.ts +12 -0
package/server/service/login-history/login-history.ts +45 -0
package/server/service/partner/index.ts +6 -0
package/server/service/partner/partner-mutation.ts +61 -0
package/server/service/partner/partner-query.ts +102 -0
package/server/service/partner/partner-types.ts +11 -0
package/server/service/partner/partner.ts +57 -0
package/server/service/password-history/index.ts +3 -0
package/server/service/password-history/password-history.ts +16 -0
package/server/service/privilege/index.ts +6 -0
package/server/service/privilege/privilege-directive.ts +77 -0
package/server/service/privilege/privilege-mutation.ts +92 -0
package/server/service/privilege/privilege-query.ts +94 -0
package/server/service/privilege/privilege-types.ts +60 -0
package/server/service/privilege/privilege.ts +102 -0
package/server/service/role/index.ts +6 -0
package/server/service/role/role-mutation.ts +109 -0
package/server/service/role/role-query.ts +155 -0
package/server/service/role/role-types.ts +81 -0
package/server/service/role/role.ts +72 -0
package/server/service/user/domain-query.ts +24 -0
package/server/service/user/index.ts +7 -0
package/server/service/user/user-mutation.ts +413 -0
package/server/service/user/user-query.ts +145 -0
package/server/service/user/user-types.ts +97 -0
package/server/service/user/user.ts +354 -0
package/server/service/users-auth-providers/index.ts +5 -0
package/server/service/users-auth-providers/users-auth-providers.ts +71 -0
package/server/service/verification-token/index.ts +3 -0
package/server/service/verification-token/verification-token.ts +60 -0
package/server/service/web-auth-credential/index.ts +3 -0
package/server/service/web-auth-credential/web-auth-credential.ts +67 -0
package/server/templates/account-unlock-email.ts +65 -0
package/server/templates/invitation-email.ts +66 -0
package/server/templates/reset-password-email.ts +65 -0
package/server/templates/verification-email.ts +66 -0
package/server/types.ts +21 -0
package/server/utils/accepts.ts +11 -0
package/server/utils/access-token-cookie.ts +61 -0
package/server/utils/check-permission.ts +52 -0
package/server/utils/check-user-belongs-domain.ts +19 -0
package/server/utils/check-user-has-role.ts +29 -0
package/server/utils/encrypt-state.ts +22 -0
package/server/utils/get-aes-256-key.ts +13 -0
package/server/utils/get-domain-from-hostname.ts +7 -0
package/server/utils/get-domain-users.ts +38 -0
package/server/utils/get-secret.ts +13 -0
package/server/utils/get-user-domains.ts +112 -0
package/translations/en.json +1 -5
package/translations/ja.json +1 -5
package/translations/ko.json +3 -6
package/translations/ms.json +1 -5
package/translations/zh.json +1 -5
package/dist-client/verify-webauthn.d.ts +0 -13
package/dist-client/verify-webauthn.js +0 -72
package/dist-client/verify-webauthn.js.map +0 -1

package/server/router/auth-public-process-router.ts ADDED Viewed

@@ -0,0 +1,302 @@
+import Router from 'koa-router'
+import { config } from '@things-factory/env'
+import { getRepository, getSiteRootPath } from '@things-factory/shell'
+import { resendInvitationEmail } from '../controllers/invitation'
+import { resetPassword, sendPasswordResetEmail } from '../controllers/reset-password'
+import { unlockUser } from '../controllers/unlock-user'
+import { resendVerificationEmail, verify } from '../controllers/verification'
+import { User } from '../service/user/user'
+import { accepts } from '../utils/accepts'
+import { clearAccessTokenCookie } from '../utils/access-token-cookie'
+const disableUserSignupProcess = config.get('disableUserSignupProcess', false)
+const disableUserFavoredLanguage = config.get('i18n/disableUserFavoredLanguage', false)
+const languages = config.get('i18n/languages', false)
+const passwordRule = config.get('password') || {
+  lowerCase: true,
+  upperCase: true,
+  digit: true,
+  specialCharacter: true,
+  allowRepeat: false,
+  useTightPattern: true,
+  useLoosePattern: false,
+  tightCharacterLength: 8,
+  looseCharacterLength: 15
+}
+export const authPublicProcessRouter = new Router({
+  prefix: '/auth'
+})
+authPublicProcessRouter.post('/join', async (context, next) => {
+  const { email } = context.request.body || {}
+  const user: User = await getRepository(User).findOneBy({
+    email
+  })
+  if (user) {
+    context.redirect(`/auth/signin?email=${email}`)
+  } else {
+    context.redirect(`/auth/signup?email=${email}`)
+  }
+})
+authPublicProcessRouter.all('/signout', async (context, next) => {
+  const { header, t } = context
+  clearAccessTokenCookie(context)
+  context.body = t('text.signout successfully')
+  if (accepts(header.accept, ['text/html', '*/*'])) {
+    context.redirect(getSiteRootPath(context))
+  }
+})
+authPublicProcessRouter.get('/forgot-password', async (context, next) => {
+  const { email } = context.request.query
+  await context.render('auth-page', {
+    pageElement: 'forgot-password',
+    elementScript: '/auth/forgot-password.js',
+    data: {
+      email,
+      disableUserSignupProcess,
+      disableUserFavoredLanguage,
+      languages
+    }
+  })
+})
+authPublicProcessRouter.get('/reset-password', async (context, next) => {
+  const { token } = context.request.query
+  await context.render('auth-page', {
+    pageElement: 'reset-password',
+    elementScript: '/auth/reset-password.js',
+    data: {
+      token,
+      passwordRule,
+      disableUserSignupProcess,
+      disableUserFavoredLanguage,
+      languages
+    }
+  })
+})
+authPublicProcessRouter.get('/unlock-user', async (context, next) => {
+  const { token } = context.request.query
+  await context.render('auth-page', {
+    pageElement: 'unlock-user',
+    elementScript: '/auth/unlock-user.js',
+    data: {
+      token,
+      disableUserSignupProcess,
+      disableUserFavoredLanguage,
+      languages
+    }
+  })
+})
+authPublicProcessRouter.get('/activate/:email', async (context, next) => {
+  const { email } = context.params
+  await context.render('auth-page', {
+    pageElement: 'auth-activate',
+    elementScript: '/auth/activate.js',
+    data: {
+      email,
+      disableUserSignupProcess,
+      disableUserFavoredLanguage,
+      languages
+    }
+  })
+})
+authPublicProcessRouter.get('/verify/:token', async (context, next) => {
+  const { header, t } = context
+  var token = context.params.token
+  await verify(token)
+  var message = t('text.user activated successfully')
+  context.body = message
+  if (accepts(header.accept, ['text/html', '*/*'])) {
+    await context.render('auth-page', {
+      pageElement: 'auth-result',
+      elementScript: '/auth/result.js',
+      data: {
+        message,
+        disableUserSignupProcess,
+        disableUserFavoredLanguage,
+        languages
+      }
+    })
+  }
+})
+authPublicProcessRouter.post('/resend-verification-email', async (context, next) => {
+  const { t } = context
+  const { email } = context.request.body
+  var succeed = await resendVerificationEmail(email, context)
+  var message = t('text.verification email sent')
+  if (succeed) {
+    context.status = 200
+    context.body = message
+  }
+})
+authPublicProcessRouter.post('/resend-invitation-email', async (context, next) => {
+  const { t } = context
+  const { email, reference, type } = context.request.body
+  var succeed = await resendInvitationEmail(
+    {
+      email,
+      reference,
+      type
+    },
+    context
+  )
+  var message = t('text.invitation email sent')
+  if (succeed) {
+    context.status = 200
+    context.body = message
+  }
+})
+authPublicProcessRouter.post('/forgot-password', async (context, next) => {
+  const { t } = context
+  const { email } = context.request.body
+  if (!email) return next()
+  const userRepo = getRepository(User)
+  const user = await userRepo.findOne({
+    where: {
+      email
+    }
+  })
+  const succeed = await sendPasswordResetEmail({
+    user,
+    context
+  })
+  if (succeed) {
+    context.status = 200
+    context.body = t('text.password reset email sent')
+  }
+})
+authPublicProcessRouter.post('/reset-password', async (context, next) => {
+  const { header, t } = context
+  try {
+    const { password, token } = context.request.body
+    if (!(token && password)) {
+      let message = t('error.token or password is invalid')
+      context.status = 404
+      context.body = {
+        message
+      }
+      if (accepts(header.accept, ['text/html', '*/*'])) {
+        await context.render('auth-page', {
+          pageElement: 'reset-password',
+          elementScript: '/auth/reset-password.js',
+          data: {
+            token,
+            message,
+            passwordRule,
+            disableUserSignupProcess,
+            disableUserFavoredLanguage,
+            languages
+          }
+        })
+      }
+      return
+    }
+    await resetPassword(token, password, context)
+    var message = t('text.password reset succeed')
+    context.body = message
+    clearAccessTokenCookie(context)
+    if (accepts(header.accept, ['text/html', '*/*'])) {
+      await context.render('auth-page', {
+        pageElement: 'auth-result',
+        elementScript: '/auth/result.js',
+        data: {
+          message,
+          disableUserSignupProcess,
+          disableUserFavoredLanguage,
+          languages
+        }
+      })
+    }
+  } catch (e) {
+    context.status = 404
+    context.body = e.message
+    if (accepts(header.accept, ['text/html', '*/*'])) {
+      await context.render('auth-page', {
+        pageElement: 'auth-result',
+        elementScript: '/auth/result.js',
+        data: {
+          message: e.message,
+          disableUserSignupProcess,
+          disableUserFavoredLanguage,
+          languages
+        }
+      })
+    }
+  }
+})
+authPublicProcessRouter.post('/unlock-user', async (context, next) => {
+  const { header, t } = context
+  const { password, token } = context.request.body
+  if (!(token || password)) {
+    context.status = 404
+    context.body = t('error.token or password is invalid')
+    return
+  }
+  var succeed = await unlockUser(token, password)
+  if (succeed) {
+    context.body = t('text.password reset succeed')
+    clearAccessTokenCookie(context)
+  }
+  if (accepts(header.accept, ['text/html', '*/*'])) {
+    await context.render('auth-page', {
+      pageElement: 'auth-result',
+      elementScript: '/auth/result.js',
+      data: {
+        message: t('text.account is reactivated'),
+        disableUserSignupProcess,
+        disableUserFavoredLanguage,
+        languages
+      }
+    })
+  }
+})

package/server/router/auth-signin-router.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import Router from 'koa-router'
+import { config } from '@things-factory/env'
+import { signinMiddleware } from '../middlewares'
+import { accepts } from '../utils/accepts'
+import { setAccessTokenCookie } from '../utils/access-token-cookie'
+const disableUserSignupProcess = config.get('disableUserSignupProcess', false)
+const disableUserFavoredLanguage = config.get('i18n/disableUserFavoredLanguage', false)
+const languages = config.get('i18n/languages', false)
+const SSOConfig = config.get('sso', {} as any)
+const SSOLinks = Object.values(SSOConfig)
+  .filter(({ link, title }) => link && title)
+  .map(({ link, title }) => {
+    return { link, title }
+  })
+export const authSigninRouter = new Router()
+authSigninRouter.get('/auth/signin', async (context, next) => {
+  const { redirect_to, email } = context.query
+  await context.render('auth-page', {
+    pageElement: 'auth-signin',
+    elementScript: '/auth/signin.js',
+    data: {
+      email,
+      redirectTo: redirect_to,
+      ssoLinks: SSOLinks,
+      disableUserSignupProcess,
+      disableUserFavoredLanguage,
+      languages
+    }
+  })
+})
+authSigninRouter.post('/auth/signin', signinMiddleware, async (context, next) => {
+  const { request, t } = context
+  const { token, user, domain } = context.state
+  const { body: reqBody, header } = request
+  if (!accepts(header.accept, ['text/html', '*/*'])) {
+    context.body = token
+    return
+  }
+  var redirectTo = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(
+    reqBody.redirectTo || '/'
+  )}`
+  setAccessTokenCookie(context, token)
+  context.redirect(redirectTo)
+})

package/server/router/auth-signup-router.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import Router from 'koa-router'
+import { config } from '@things-factory/env'
+import { signup } from '../controllers/signup'
+import { accepts } from '../utils/accepts'
+import { setAccessTokenCookie } from '../utils/access-token-cookie'
+const disableUserSignupProcess = config.get('disableUserSignupProcess', false)
+const disableUserFavoredLanguage = config.get('i18n/disableUserFavoredLanguage', false)
+const languages = config.get('i18n/languages', false)
+const passwordRule = config.get('password') || {
+  lowerCase: true,
+  upperCase: true,
+  digit: true,
+  specialCharacter: true,
+  allowRepeat: false,
+  useTightPattern: true,
+  useLoosePattern: false,
+  tightCharacterLength: 8,
+  looseCharacterLength: 15
+}
+export const authSignupRouter = new Router()
+if (!disableUserSignupProcess) {
+  authSignupRouter.get('/auth/signup', async (context, next) => {
+    const { email } = context.query
+    await context.render('auth-page', {
+      pageElement: 'auth-signup',
+      elementScript: '/auth/signup.js',
+      data: {
+        email,
+        passwordRule,
+        disableUserSignupProcess,
+        disableUserFavoredLanguage,
+        languages
+      }
+    })
+  })
+  authSignupRouter.post('/auth/signup', async (context, next) => {
+    const { header, t } = context
+    const { domain } = context.state
+    const user = context.request.body
+    // try {
+    const { token } = await signup(
+      {
+        ...user,
+        context,
+        domain
+      },
+      true
+    )
+    const message = t('text.user registered successfully')
+    context.body = {
+      message,
+      token
+    }
+    setAccessTokenCookie(context, token)
+    if (accepts(header.accept, ['text/html', '*/*'])) {
+      await context.render('auth-page', {
+        pageElement: 'auth-result',
+        elementScript: '/auth/result.js',
+        data: {
+          message,
+          disableUserSignupProcess,
+          disableUserFavoredLanguage,
+          languages
+        }
+      })
+    }
+    // } catch (e) {
+    //   context.status = 401
+    //   context.body = e.message
+    //   if (accepts(header.accept, ['text/html', '*/*'])) {
+    //     await context.render('auth-page', {
+    //       pageElement: 'auth-signup',
+    //       elementScript: '/auth/signup.js',
+    //       data: {
+    //         message: e instanceof AuthError ? t(`error.${e.message}`) : e.message,
+    //         passwordRule
+    //       }
+    //     })
+    //   }
+    // }
+  })
+}

package/server/router/index.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export * from './auth-private-process-router'
+export * from './auth-public-process-router'
+export * from './path-base-domain-router'
+export * from './site-root-router'
+export * from './oauth2'
+export * from './auth-checkin-router'
+export * from './auth-signin-router'
+export * from './auth-signup-router'
+export * from './webauthn-router'

package/server/router/oauth2/index.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export * from './oauth2-authorize-router'
2	+ export * from './oauth2-router'

package/server/router/oauth2/oauth2-authorize-router.ts ADDED Viewed

@@ -0,0 +1,81 @@
+import Router from 'koa-router'
+import { getRepository } from '@things-factory/shell'
+import { config } from '@things-factory/env'
+import { Application } from '../../service/application/application'
+import { NonClient, server as oauth2orizeServer } from './oauth2-server'
+export const oauth2AuthorizeRouter = new Router()
+const disableUserFavoredLanguage = config.get('i18n/disableUserFavoredLanguage', false)
+const languages = config.get('i18n/languages', false)
+// user authorization endpoint
+//
+// `authorization` middleware accepts a `validate` callback which is
+// responsible for validating the client making the authorization request.  In
+// doing so, is recommended that the `redirectURI` be checked against a
+// registered value, although security requirements may vary accross
+// implementations.  Once validated, the `done` callback must be invoked with
+// a `client` instance, as well as the `redirectURI` to which the user will be
+// redirected after an authorization decision is obtained.
+//
+// This middleware simply initializes a new authorization transaction.  It is
+// the application's responsibility to authenticate the user and render a dialog
+// to obtain their approval (displaying details about the client requesting
+// authorization).  We accomplish that here by routing through `ensureLoggedIn()`
+// first, and rendering the `dialog` view.
+oauth2AuthorizeRouter.get(
+  '/authorize',
+  oauth2orizeServer.authorize(async function (clientID, redirectURI) {
+    const client = await getRepository(Application).findOneBy({
+      appKey: clientID
+    })
+    // CONFIRM-ME redirectUrl 의 허용 범위는 ?
+    // if (!client.redirectUrl != redirectURI) {
+    //   return false
+    // }
+    return [client || NonClient, redirectURI]
+  }),
+  async function (context, next) {
+    const { oauth2, user, domain } = context.state
+    let pageElement: string = 'oauth2-decision'
+    let elementScript: string = '/oauth2/oauth2-decision-page.js'
+    if (oauth2.client.id === NonClient.id) {
+      pageElement = 'oauth2-decision-error'
+      elementScript = '/oauth2/oauth2-decision-error-page.js'
+    }
+    try {
+      await context.render('oauth2-page', {
+        pageElement,
+        elementScript,
+        data: {
+          domain,
+          oauth2: {
+            ...oauth2,
+            user: {
+              id: oauth2.user.id,
+              name: oauth2.user.name,
+              email: oauth2.user.email
+            }
+          },
+          disableUserFavoredLanguage,
+          languages
+        }
+      })
+      // await context.render(decisionPage, {
+      //   domain: domain,
+      //   ...oauth2, // client, redirectURI, req { type, clientID, redirectURI, scope, state}, user, transactionID, info, locals
+      //   availableScopes
+      // })
+    } catch (e) {
+      throw e
+    }
+  }
+)