planka/server/api/controllers/access-tokens/exchange.js

const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const openidClient = require('openid-client');
const { getRemoteAddress } = require('../../../utils/remoteAddress');

const Errors = {
  INVALID_TOKEN: {
    invalidToken: 'Access Token is invalid',
  },
  MISSING_VALUES: {
    missingValues:
      'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',
  },
};

const jwks = jwksClient({
  jwksUri: sails.config.custom.oidcJwksUri,
  requestHeaders: {}, // Optional
  timeout: 30000, // Defaults to 30s
});

const getJwtVerificationOptions = () => {
  const options = {};
  if (sails.config.custom.oidcIssuer) {
    options.issuer = sails.config.custom.oidcIssuer;
  }
  if (sails.config.custom.oidcAudience) {
    options.audience = sails.config.custom.oidcAudience;
  }
  return options;
};

const validateAndDecodeToken = async (accessToken, options) => {
  const keys = await jwks.getSigningKeys();
  let validToken = {};

  const isTokenValid = keys.some((signingKey) => {
    try {
      const key = signingKey.getPublicKey();
      validToken = jwt.verify(accessToken, key, options);
      return 'true';
    } catch (error) {
      sails.log.error(error);
    }
    return false;
  });

  if (!isTokenValid) {
    const tokenForLogging = jwt.decode(accessToken);
    const remoteAddress = getRemoteAddress(this.req);

    sails.log.warn(
      `invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
    );
    throw Errors.INVALID_TOKEN;
  }
  return validToken;
};

const getUserInfo = async (accessToken, options) => {
  if (sails.config.custom.oidcSkipUserInfo) {
    return {};
  }
  const issuer = await openidClient.Issuer.discover(options.issuer);
  const oidcClient = new issuer.Client({
    client_id: 'irrelevant',
  });
  const userInfo = await oidcClient.userinfo(accessToken);
  return userInfo;
};
const mergeUserData = (validToken, userInfo) => {
  const oidcUser = { ...validToken, ...userInfo };
  return oidcUser;
};
const getOrCreateUser = async (newUser) => {
  const user = await User.findOne({
    where: {
      username: newUser.username,
    },
  });
  if (user) {
    return user;
  }
  return User.create(newUser).fetch();
};
module.exports = {
  inputs: {
    token: {
      type: 'string',
      required: true,
    },
  },

  exits: {
    invalidToken: {
      responseType: 'unauthorized',
    },
    missingValues: {
      responseType: 'unauthorized',
    },
  },

  async fn(inputs) {
    const options = getJwtVerificationOptions();
    const validToken = await validateAndDecodeToken(inputs.token, options);
    const userInfo = await getUserInfo(inputs.token, options);
    const oidcUser = mergeUserData(validToken, userInfo);

    const now = new Date();
    let isAdmin = false;
    if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;
    else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {
      const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);
      isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
    }

    const newUser = {
      email: oidcUser.email,
      isAdmin,
      name: oidcUser.name,
      username: oidcUser.preferred_username,
      subscribeToOwnCards: false,
      createdAt: now,
      updatedAt: now,
      locked: true,
    };

    if (!newUser.email || !newUser.username || !newUser.name) {
      sails.log.error(Errors.MISSING_VALUES.missingValues);
      throw Errors.MISSING_VALUES;
    }

    const identityProviderUser = await IdentityProviderUser.findOne({
      where: {
        issuer: oidcUser.iss,
        sub: oidcUser.sub,
      },
    }).populate('userId');

    let user = identityProviderUser ? identityProviderUser.userId : {};
    if (!identityProviderUser) {
      user = await getOrCreateUser(newUser);
      await IdentityProviderUser.create({
        issuer: oidcUser.iss,
        sub: oidcUser.sub,
        userId: user.id,
      });
    }

    const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];
    const updateFields = {};
    controlledFields.forEach((field) => {
      if (user[field] !== newUser[field]) {
        updateFields[field] = newUser[field];
      }
    });

    if (Object.keys(updateFields).length > 0) {
      updateFields.updatedAt = now;
      await User.updateOne({ id: user.id }).set(updateFields);
    }

    const plankaToken = sails.helpers.utils.createToken(user.id);

    const remoteAddress = getRemoteAddress(this.req);
    await Session.create({
      accessToken: plankaToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });

    return {
      item: plankaToken,
    };
  },
};
feat: OIDC with PKCE flow (#491) 2023-09-04 10:06:59 -05:00			`const jwt = require('jsonwebtoken');`
			`const jwksClient = require('jwks-rsa');`
			`const openidClient = require('openid-client');`
			`const { getRemoteAddress } = require('../../../utils/remoteAddress');`

			`const Errors = {`
			`INVALID_TOKEN: {`
			`invalidToken: 'Access Token is invalid',`
			`},`
			`MISSING_VALUES: {`
			`missingValues:`
			`'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',`
			`},`
			`};`

			`const jwks = jwksClient({`
			`jwksUri: sails.config.custom.oidcJwksUri,`
			`requestHeaders: {}, // Optional`
			`timeout: 30000, // Defaults to 30s`
			`});`

			`const getJwtVerificationOptions = () => {`
			`const options = {};`
			`if (sails.config.custom.oidcIssuer) {`
			`options.issuer = sails.config.custom.oidcIssuer;`
			`}`
			`if (sails.config.custom.oidcAudience) {`
			`options.audience = sails.config.custom.oidcAudience;`
			`}`
			`return options;`
			`};`

			`const validateAndDecodeToken = async (accessToken, options) => {`
			`const keys = await jwks.getSigningKeys();`
			`let validToken = {};`

			`const isTokenValid = keys.some((signingKey) => {`
			`try {`
			`const key = signingKey.getPublicKey();`
			`validToken = jwt.verify(accessToken, key, options);`
			`return 'true';`
			`} catch (error) {`
			`sails.log.error(error);`
			`}`
			`return false;`
			`});`

			`if (!isTokenValid) {`
			`const tokenForLogging = jwt.decode(accessToken);`
			`const remoteAddress = getRemoteAddress(this.req);`

			`sails.log.warn(`
			`invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
			`);`
			`throw Errors.INVALID_TOKEN;`
			`}`
			`return validToken;`
			`};`

			`const getUserInfo = async (accessToken, options) => {`
			`if (sails.config.custom.oidcSkipUserInfo) {`
			`return {};`
			`}`
			`const issuer = await openidClient.Issuer.discover(options.issuer);`
			`const oidcClient = new issuer.Client({`
			`client_id: 'irrelevant',`
			`});`
			`const userInfo = await oidcClient.userinfo(accessToken);`
			`return userInfo;`
			`};`
			`const mergeUserData = (validToken, userInfo) => {`
			`const oidcUser = { ...validToken, ...userInfo };`
			`return oidcUser;`
			`};`
			`const getOrCreateUser = async (newUser) => {`
			`const user = await User.findOne({`
			`where: {`
			`username: newUser.username,`
			`},`
			`});`
			`if (user) {`
			`return user;`
			`}`
			`return User.create(newUser).fetch();`
			`};`
			`module.exports = {`
			`inputs: {`
			`token: {`
			`type: 'string',`
			`required: true,`
			`},`
			`},`

			`exits: {`
			`invalidToken: {`
			`responseType: 'unauthorized',`
			`},`
			`missingValues: {`
			`responseType: 'unauthorized',`
			`},`
			`},`

			`async fn(inputs) {`
			`const options = getJwtVerificationOptions();`
			`const validToken = await validateAndDecodeToken(inputs.token, options);`
			`const userInfo = await getUserInfo(inputs.token, options);`
			`const oidcUser = mergeUserData(validToken, userInfo);`

			`const now = new Date();`
			`let isAdmin = false;`
			`if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;`
			`else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {`
			`const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);`
			`isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;`
			`}`

			`const newUser = {`
			`email: oidcUser.email,`
			`isAdmin,`
			`name: oidcUser.name,`
			`username: oidcUser.preferred_username,`
			`subscribeToOwnCards: false,`
			`createdAt: now,`
			`updatedAt: now,`
			`locked: true,`
			`};`

			`if (!newUser.email \|\| !newUser.username \|\| !newUser.name) {`
			`sails.log.error(Errors.MISSING_VALUES.missingValues);`
			`throw Errors.MISSING_VALUES;`
			`}`

			`const identityProviderUser = await IdentityProviderUser.findOne({`
			`where: {`
			`issuer: oidcUser.iss,`
			`sub: oidcUser.sub,`
			`},`
			`}).populate('userId');`

			`let user = identityProviderUser ? identityProviderUser.userId : {};`
			`if (!identityProviderUser) {`
			`user = await getOrCreateUser(newUser);`
			`await IdentityProviderUser.create({`
			`issuer: oidcUser.iss,`
			`sub: oidcUser.sub,`
			`userId: user.id,`
			`});`
			`}`

			`const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];`
			`const updateFields = {};`
			`controlledFields.forEach((field) => {`
			`if (user[field] !== newUser[field]) {`
			`updateFields[field] = newUser[field];`
			`}`
			`});`

			`if (Object.keys(updateFields).length > 0) {`
			`updateFields.updatedAt = now;`
			`await User.updateOne({ id: user.id }).set(updateFields);`
			`}`

			`const plankaToken = sails.helpers.utils.createToken(user.id);`

			`const remoteAddress = getRemoteAddress(this.req);`
			`await Session.create({`
			`accessToken: plankaToken,`
			`remoteAddress,`
			`userId: user.id,`
			`userAgent: this.req.headers['user-agent'],`
			`});`

			`return {`
			`item: plankaToken,`
			`};`
			`},`
			`};`