kuzzle 2.50.3 → 2.51.0

package/dist/lib/api/controllers/authController.js

@@ -46,7 +46,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-const http_1 = require("http");
+const node_http_1 = require("node:http");
 const Cookie = __importStar(require("cookie"));
 const bluebird_1 = __importDefault(require("bluebird"));
 const lodash_1 = require("lodash");
@@ -59,6 +59,7 @@ const formatProcessing_1 = __importDefault(require("../../core/auth/formatProces
 const user_1 = require("../../model/security/user");
 const apiKey_1 = __importDefault(require("../../model/storage/apiKey"));
 const securityController_1 = __importDefault(require("./securityController"));
+const securityError = kerror.wrap("security", "token");
 class AuthController extends baseController_1.NativeController {
     /**
      * @param {Kuzzle} kuzzle
@@ -87,7 +88,7 @@ class AuthController extends baseController_1.NativeController {
             "validateMyCredentials",
         ]);
         this.anonymousId = null;
-        this.logger = global.kuzzle.log.child("api:controllers:auth");
+        this.logger = globalThis.kuzzle.log.child("api:controllers:auth");
     }
     /**
      * Controller initialization: we need the anonymous user identifier for the
@@ -96,7 +97,7 @@ class AuthController extends baseController_1.NativeController {
      * @returns {Promise}
      */
     async init() {
-        const anonymous = await global.kuzzle.ask("core:security:user:anonymous:get");
+        const anonymous = await globalThis.kuzzle.ask("core:security:user:anonymous:get");
         this.anonymousId = anonymous._id;
     }
     async createToken(request) {
@@ -191,24 +192,24 @@ class AuthController extends baseController_1.NativeController {
      * @returns {Promise<object>}
      */
     async logout(request) {
-        if (!global.kuzzle.config.http.cookieAuthentication ||
+        if (!globalThis.kuzzle.config.http.cookieAuthentication ||
             !request.getBoolean("cookieAuth")) {
             this.assertIsAuthenticated(request);
         }
-        if (global.kuzzle.config.internal.notifiableProtocols.includes(request.context.connection.protocol)) {
+        if (globalThis.kuzzle.config.internal.notifiableProtocols.includes(request.context.connection.protocol)) {
             // Unlink connection so the connection will not be notified when the token expires.
-            global.kuzzle.tokenManager.unlink(request.context.token, request.context.connection.id);
+            globalThis.kuzzle.tokenManager.unlink(request.context.token, request.context.connection.id);
         }
         if (request.context.user._id !== this.anonymousId) {
             if (request.getBoolean("global")) {
-                await global.kuzzle.ask("core:security:token:deleteByKuid", request.getKuid(), { keepApiKeys: true });
+                await globalThis.kuzzle.ask("core:security:token:deleteByKuid", request.getKuid(), { keepApiKeys: true });
             }
             else if (request.context.token &&
                 request.context.token.type !== "apiKey") {
-                await global.kuzzle.ask("core:security:token:delete", request.context.token);
+                await globalThis.kuzzle.ask("core:security:token:delete", request.context.token);
             }
         }
-        if (global.kuzzle.config.http.cookieAuthentication &&
+        if (globalThis.kuzzle.config.http.cookieAuthentication &&
             request.getBoolean("cookieAuth")) {
             request.response.configure({
                 headers: {
@@ -234,7 +235,7 @@ class AuthController extends baseController_1.NativeController {
         // otherwise we should send a normal response because
         // even if the SDK / Browser can handle the cookie,
         // Kuzzle would not be capable of doing anything with it
-        if (global.kuzzle.config.http.cookieAuthentication &&
+        if (globalThis.kuzzle.config.http.cookieAuthentication &&
             request.getBoolean("cookieAuth")) {
             // Here we are not sending auth token when cookieAuth is set to true
             // This allow us to detect if kuzzle does support cookie as auth token directly from the SDK
@@ -262,7 +263,7 @@ class AuthController extends baseController_1.NativeController {
      */
     async login(request) {
         const strategy = request.getString("strategy");
-        const passportRequest = new http_1.IncomingMessage(null);
+        const passportRequest = new node_http_1.IncomingMessage(null);
         // Even in http, the url and the method are not pushed back to the request object
         // set some arbitrary values to get a pseudo-valid object.
         passportRequest.url = `/login?strategy=${strategy}`;
@@ -278,10 +279,10 @@ class AuthController extends baseController_1.NativeController {
             passportRequest.rawHeaders.push(passportRequest.headers[h]);
         }
         passportRequest.original = request;
-        if (!(0, safeObject_1.has)(global.kuzzle.pluginsManager.strategies, strategy)) {
+        if (!(0, safeObject_1.has)(globalThis.kuzzle.pluginsManager.strategies, strategy)) {
             throw kerror.get("security", "credentials", "unknown_strategy", strategy);
         }
-        const content = await global.kuzzle.passport.authenticate(passportRequest, strategy);
+        const content = await globalThis.kuzzle.passport.authenticate(passportRequest, strategy);
         // do not trigger the "auth:strategyAutenticated" pipe if the result is
         // not a User object, i.e. if we are a intermediate step of a multi-step
         // authentication strategy
@@ -300,7 +301,7 @@ class AuthController extends baseController_1.NativeController {
         if (request.input.args.expiresIn) {
             options.expiresIn = request.input.args.expiresIn;
         }
-        const existingToken = global.kuzzle.tokenManager.getConnectedUserToken(authResponse.content._id, request.context.connection.id);
+        const existingToken = globalThis.kuzzle.tokenManager.getConnectedUserToken(authResponse.content._id, request.context.connection.id);
         /**
          * If a previous token from the same User is linked to this connection
          * and the token is either an API Key or an infinite duration token
@@ -313,11 +314,11 @@ class AuthController extends baseController_1.NativeController {
         }
         const token = await this.ask("core:security:token:create", authResponse.content, options);
         if (existingToken) {
-            global.kuzzle.tokenManager.refresh(existingToken, token);
+            globalThis.kuzzle.tokenManager.refresh(existingToken, token);
         }
-        if (global.kuzzle.config.internal.notifiableProtocols.includes(request.context.connection.protocol)) {
+        if (globalThis.kuzzle.config.internal.notifiableProtocols.includes(request.context.connection.protocol)) {
             // Link the connection with the token, this way the connection can be notified when the token has expired.
-            global.kuzzle.tokenManager.link(token, request.context.connection.id);
+            globalThis.kuzzle.tokenManager.link(token, request.context.connection.id);
         }
         return this._sendToken(token, request);
     }
@@ -338,8 +339,8 @@ class AuthController extends baseController_1.NativeController {
             promises.push(bluebird_1.default.resolve([]));
         }
         else {
-            for (const strategy of global.kuzzle.pluginsManager.listStrategies()) {
-                const existsMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "exists");
+            for (const strategy of globalThis.kuzzle.pluginsManager.listStrategies()) {
+                const existsMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "exists");
                 promises.push(existsMethod(request, userId, strategy)
                     .then((exists) => (exists ? strategy : null))
                     .catch((err) => wrapPluginError(err)));
@@ -371,7 +372,7 @@ class AuthController extends baseController_1.NativeController {
      */
     async checkToken(request) {
         let token = "";
-        if (global.kuzzle.config.http.cookieAuthentication &&
+        if (globalThis.kuzzle.config.http.cookieAuthentication &&
             request.getBoolean("cookieAuth")) {
             token = request.input.jwt;
         }
@@ -414,7 +415,7 @@ class AuthController extends baseController_1.NativeController {
      * @returns {Promise.<string[]>}
      */
     getStrategies() {
-        return bluebird_1.default.resolve(global.kuzzle.pluginsManager.listStrategies());
+        return bluebird_1.default.resolve(globalThis.kuzzle.pluginsManager.listStrategies());
     }
     /**
      * @param {KuzzleRequest} request
@@ -424,7 +425,7 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy"), credentials = request.getBody();
         this.assertIsStrategyRegistered(strategy);
-        const createMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "create"), validateMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "validate");
+        const createMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "create"), validateMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "validate");
         return validateMethod(request, credentials, userId, strategy, false)
             .then(() => createMethod(request, credentials, userId, strategy))
             .catch((err) => wrapPluginError(err));
@@ -437,7 +438,7 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy"), credentials = request.getBody();
         this.assertIsStrategyRegistered(strategy);
-        const updateMethod = global.kuzzle.pluginsManager.getStrategyMethod(request.input.args.strategy, "update"), validateMethod = global.kuzzle.pluginsManager.getStrategyMethod(request.input.args.strategy, "validate");
+        const updateMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(request.input.args.strategy, "update"), validateMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(request.input.args.strategy, "validate");
         return validateMethod(request, credentials, userId, strategy, true)
             .then(() => updateMethod(request, credentials, userId, strategy))
             .catch((err) => wrapPluginError(err));
@@ -450,7 +451,7 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy");
         this.assertIsStrategyRegistered(strategy);
-        const existsMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "exists");
+        const existsMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "exists");
         return existsMethod(request, userId, strategy).catch((err) => wrapPluginError(err));
     }
     /**
@@ -461,7 +462,7 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy"), credentials = request.getBody();
         this.assertIsStrategyRegistered(strategy);
-        const validateMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "validate");
+        const validateMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "validate");
         return validateMethod(request, credentials, userId, strategy, false).catch((err) => wrapPluginError(err));
     }
     /**
@@ -472,7 +473,7 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy");
         this.assertIsStrategyRegistered(strategy);
-        const deleteMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "delete");
+        const deleteMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "delete");
         return deleteMethod(request, userId, strategy)
             .then(() => ({ acknowledged: true }))
             .catch((err) => wrapPluginError(err));
@@ -485,10 +486,10 @@ class AuthController extends baseController_1.NativeController {
         this.assertIsAuthenticated(request);
         const userId = request.getKuid(), strategy = request.getString("strategy");
         this.assertIsStrategyRegistered(strategy);
-        if (!global.kuzzle.pluginsManager.hasStrategyMethod(strategy, "getInfo")) {
+        if (!globalThis.kuzzle.pluginsManager.hasStrategyMethod(strategy, "getInfo")) {
             return bluebird_1.default.resolve({});
         }
-        const getInfoMethod = global.kuzzle.pluginsManager.getStrategyMethod(strategy, "getInfo");
+        const getInfoMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "getInfo");
         return getInfoMethod(request, userId, strategy).catch((err) => wrapPluginError(err));
     }
     /**
@@ -496,6 +497,25 @@ class AuthController extends baseController_1.NativeController {
      */
     async refreshToken(request) {
         this.assertIsAuthenticated(request);
+        const strategy = request.input.args?.strategy;
+        if (request.input.args?.strategy) {
+            try {
+                const refreshTokenMethod = globalThis.kuzzle.pluginsManager.getStrategyMethod(strategy, "refreshToken");
+                await refreshTokenMethod(request);
+            }
+            catch (err) {
+                /**
+                 * Every strategies does not implement a standard way of returning errors.
+                 * Which mean we cannot properly catch any errors in the catch block.
+                 * Meaning if we arrive here, the refresh token did not work as planned
+                 * We can safely ensure that the user refresh token is not active anymore
+                 */
+                this.logger.error(`Error while refreshing the token with the strategy ${strategy} with ERROR: ${err}`);
+                // Adding some debug information to better known our target here.
+                this.logger.debug(`Error when refreshing token with request: ${JSON.stringify(request)}`);
+                throw securityError.get("refresh_forbidden", request.context.token.jwt);
+            }
+        }
         const token = await this.ask("core:security:token:refresh", request.context.user, request.context.token, request.input.args.expiresIn);
         return this._sendToken(token, request);
     }

package/dist/lib/types/StrategyDefinition.d.ts

@@ -30,6 +30,7 @@ export type StrategyDefinition = {
             getById?: string;
             getInfo?: string;
             search?: string;
+            refreshToken?: string;
             update: string;
             validate: string;
             verify: string;

package/dist/package.json

@@ -1,7 +1,7 @@
 {
     "name": "kuzzle",
     "author": "The Kuzzle Team <support@kuzzle.io>",
-    "version": "2.50.3",
+    "version": "2.51.0",
     "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
     "scripts": {
         "build": "rm -Rf ./dist && tsc && node ./bin/copy-protobuf.js",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kuzzle",
   "author": "The Kuzzle Team <support@kuzzle.io>",
-  "version": "2.50.3",
+  "version": "2.51.0",
   "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
   "scripts": {
     "build": "rm -Rf ./dist && tsc && node ./bin/copy-protobuf.js",