This repository has been archived by the owner on Jan 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 145
/
client-oauth2.js
705 lines (619 loc) · 18.2 KB
/
client-oauth2.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
var Buffer = require('safe-buffer').Buffer
var Querystring = require('querystring')
var defaultRequest = require('./request')
const DEFAULT_URL_BASE = 'https://example.org/'
var btoa
if (typeof Buffer === 'function') {
btoa = btoaBuffer
} else {
btoa = window.btoa.bind(window)
}
/**
* Export `ClientOAuth2` class.
*/
module.exports = ClientOAuth2
/**
* Default headers for executing OAuth 2.0 flows.
*/
var DEFAULT_HEADERS = {
Accept: 'application/json, application/x-www-form-urlencoded',
'Content-Type': 'application/x-www-form-urlencoded'
}
/**
* Format error response types to regular strings for displaying to clients.
*
* Reference: http://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
var ERROR_RESPONSES = {
invalid_request: [
'The request is missing a required parameter, includes an',
'invalid parameter value, includes a parameter more than',
'once, or is otherwise malformed.'
].join(' '),
invalid_client: [
'Client authentication failed (e.g., unknown client, no',
'client authentication included, or unsupported',
'authentication method).'
].join(' '),
invalid_grant: [
'The provided authorization grant (e.g., authorization',
'code, resource owner credentials) or refresh token is',
'invalid, expired, revoked, does not match the redirection',
'URI used in the authorization request, or was issued to',
'another client.'
].join(' '),
unauthorized_client: [
'The client is not authorized to request an authorization',
'code using this method.'
].join(' '),
unsupported_grant_type: [
'The authorization grant type is not supported by the',
'authorization server.'
].join(' '),
access_denied: [
'The resource owner or authorization server denied the request.'
].join(' '),
unsupported_response_type: [
'The authorization server does not support obtaining',
'an authorization code using this method.'
].join(' '),
invalid_scope: [
'The requested scope is invalid, unknown, or malformed.'
].join(' '),
server_error: [
'The authorization server encountered an unexpected',
'condition that prevented it from fulfilling the request.',
'(This error code is needed because a 500 Internal Server',
'Error HTTP status code cannot be returned to the client',
'via an HTTP redirect.)'
].join(' '),
temporarily_unavailable: [
'The authorization server is currently unable to handle',
'the request due to a temporary overloading or maintenance',
'of the server.'
].join(' ')
}
/**
* Support base64 in node like how it works in the browser.
*
* @param {string} string
* @return {string}
*/
function btoaBuffer (string) {
return Buffer.from(string).toString('base64')
}
/**
* Check if properties exist on an object and throw when they aren't.
*
* @throws {TypeError} If an expected property is missing.
*
* @param {Object} obj
* @param {...string} props
*/
function expects (obj) {
for (var i = 1; i < arguments.length; i++) {
var prop = arguments[i]
if (obj[prop] == null) {
throw new TypeError('Expected "' + prop + '" to exist')
}
}
}
/**
* Pull an authentication error from the response data.
*
* @param {Object} data
* @return {string}
*/
function getAuthError (body) {
var message = ERROR_RESPONSES[body.error] ||
body.error_description ||
body.error
if (message) {
var err = new Error(message)
err.body = body
err.code = 'EAUTH'
return err
}
}
/**
* Attempt to parse response body as JSON, fall back to parsing as a query string.
*
* @param {string} body
* @return {Object}
*/
function parseResponseBody (body) {
try {
return JSON.parse(body)
} catch (e) {
return Querystring.parse(body)
}
}
/**
* Sanitize the scopes option to be a string.
*
* @param {Array} scopes
* @return {string}
*/
function sanitizeScope (scopes) {
return Array.isArray(scopes) ? scopes.join(' ') : toString(scopes)
}
/**
* Create a request uri based on an options object and token type.
*
* @param {Object} options
* @param {string} tokenType
* @return {string}
*/
function createUri (options, tokenType) {
// Check the required parameters are set.
expects(options, 'clientId', 'authorizationUri')
const qs = {
client_id: options.clientId,
redirect_uri: options.redirectUri,
response_type: tokenType,
state: options.state
}
if (options.scopes !== undefined) {
qs.scope = sanitizeScope(options.scopes)
}
const sep = options.authorizationUri.includes('?') ? '&' : '?'
return options.authorizationUri + sep + Querystring.stringify(
Object.assign(qs, options.query))
}
/**
* Create basic auth header.
*
* @param {string} username
* @param {string} password
* @return {string}
*/
function auth (username, password) {
return 'Basic ' + btoa(toString(username) + ':' + toString(password))
}
/**
* Ensure a value is a string.
*
* @param {string} str
* @return {string}
*/
function toString (str) {
return str == null ? '' : String(str)
}
/**
* Merge request options from an options object.
*/
function requestOptions (requestOptions, options) {
return {
url: requestOptions.url,
method: requestOptions.method,
body: Object.assign({}, requestOptions.body, options.body),
query: Object.assign({}, requestOptions.query, options.query),
headers: Object.assign({}, requestOptions.headers, options.headers)
}
}
/**
* Construct an object that can handle the multiple OAuth 2.0 flows.
*
* @param {Object} options
*/
function ClientOAuth2 (options, request) {
this.options = options
this.request = request || defaultRequest
this.code = new CodeFlow(this)
this.token = new TokenFlow(this)
this.owner = new OwnerFlow(this)
this.credentials = new CredentialsFlow(this)
this.jwt = new JwtBearerFlow(this)
}
/**
* Alias the token constructor.
*
* @type {Function}
*/
ClientOAuth2.Token = ClientOAuth2Token
/**
* Create a new token from existing data.
*
* @param {string} access
* @param {string} [refresh]
* @param {string} [type]
* @param {Object} [data]
* @return {Object}
*/
ClientOAuth2.prototype.createToken = function (access, refresh, type, data) {
var options = Object.assign(
{},
data,
typeof access === 'string' ? { access_token: access } : access,
typeof refresh === 'string' ? { refresh_token: refresh } : refresh,
typeof type === 'string' ? { token_type: type } : type
)
return new ClientOAuth2.Token(this, options)
}
/**
* Using the built-in request method, we'll automatically attempt to parse
* the response.
*
* @param {Object} options
* @return {Promise}
*/
ClientOAuth2.prototype._request = function (options) {
var url = options.url
var body = Querystring.stringify(options.body)
var query = Querystring.stringify(options.query)
if (query) {
url += (url.indexOf('?') === -1 ? '?' : '&') + query
}
return this.request(options.method, url, body, options.headers)
.then(function (res) {
var body = parseResponseBody(res.body)
var authErr = getAuthError(body)
if (authErr) {
return Promise.reject(authErr)
}
if (res.status < 200 || res.status >= 399) {
var statusErr = new Error('HTTP status ' + res.status)
statusErr.status = res.status
statusErr.body = res.body
statusErr.code = 'ESTATUS'
return Promise.reject(statusErr)
}
return body
})
}
/**
* General purpose client token generator.
*
* @param {Object} client
* @param {Object} data
*/
function ClientOAuth2Token (client, data) {
this.client = client
this.data = data
this.tokenType = data.token_type && data.token_type.toLowerCase()
this.accessToken = data.access_token
this.refreshToken = data.refresh_token
this.expiresIn(Number(data.expires_in))
}
/**
* Expire the token after some time.
*
* @param {number|Date} duration Seconds from now to expire, or a date to expire on.
* @return {Date}
*/
ClientOAuth2Token.prototype.expiresIn = function (duration) {
if (typeof duration === 'number') {
this.expires = new Date()
this.expires.setSeconds(this.expires.getSeconds() + duration)
} else if (duration instanceof Date) {
this.expires = new Date(duration.getTime())
} else {
throw new TypeError('Unknown duration: ' + duration)
}
return this.expires
}
/**
* Sign a standardised request object with user authentication information.
*
* @param {Object} requestObject
* @return {Object}
*/
ClientOAuth2Token.prototype.sign = function (requestObject) {
if (!this.accessToken) {
throw new Error('Unable to sign without access token')
}
requestObject.headers = requestObject.headers || {}
if (this.tokenType === 'bearer') {
requestObject.headers.Authorization = 'Bearer ' + this.accessToken
} else {
var parts = requestObject.url.split('#')
var token = 'access_token=' + this.accessToken
var url = parts[0].replace(/[?&]access_token=[^&#]/, '')
var fragment = parts[1] ? '#' + parts[1] : ''
// Prepend the correct query string parameter to the url.
requestObject.url = url + (url.indexOf('?') > -1 ? '&' : '?') + token + fragment
// Attempt to avoid storing the url in proxies, since the access token
// is exposed in the query parameters.
requestObject.headers.Pragma = 'no-store'
requestObject.headers['Cache-Control'] = 'no-store'
}
return requestObject
}
/**
* Refresh a user access token with the supplied token.
*
* @param {Object} opts
* @return {Promise}
*/
ClientOAuth2Token.prototype.refresh = function (opts) {
var self = this
var options = Object.assign({}, this.client.options, opts)
if (!this.refreshToken) {
return Promise.reject(new Error('No refresh token'))
}
return this.client._request(requestOptions({
url: options.accessTokenUri,
method: 'POST',
headers: Object.assign({}, DEFAULT_HEADERS, {
Authorization: auth(options.clientId, options.clientSecret)
}),
body: {
refresh_token: this.refreshToken,
grant_type: 'refresh_token'
}
}, options))
.then(function (data) {
return self.client.createToken(Object.assign({}, self.data, data))
})
}
/**
* Check whether the token has expired.
*
* @return {boolean}
*/
ClientOAuth2Token.prototype.expired = function () {
return Date.now() > this.expires.getTime()
}
/**
* Support resource owner password credentials OAuth 2.0 grant.
*
* Reference: http://tools.ietf.org/html/rfc6749#section-4.3
*
* @param {ClientOAuth2} client
*/
function OwnerFlow (client) {
this.client = client
}
/**
* Make a request on behalf of the user credentials to get an access token.
*
* @param {string} username
* @param {string} password
* @param {Object} [opts]
* @return {Promise}
*/
OwnerFlow.prototype.getToken = function (username, password, opts) {
var self = this
var options = Object.assign({}, this.client.options, opts)
const body = {
username: username,
password: password,
grant_type: 'password'
}
if (options.scopes !== undefined) {
body.scope = sanitizeScope(options.scopes)
}
return this.client._request(requestOptions({
url: options.accessTokenUri,
method: 'POST',
headers: Object.assign({}, DEFAULT_HEADERS, {
Authorization: auth(options.clientId, options.clientSecret)
}),
body: body
}, options))
.then(function (data) {
return self.client.createToken(data)
})
}
/**
* Support implicit OAuth 2.0 grant.
*
* Reference: http://tools.ietf.org/html/rfc6749#section-4.2
*
* @param {ClientOAuth2} client
*/
function TokenFlow (client) {
this.client = client
}
/**
* Get the uri to redirect the user to for implicit authentication.
*
* @param {Object} [opts]
* @return {string}
*/
TokenFlow.prototype.getUri = function (opts) {
var options = Object.assign({}, this.client.options, opts)
return createUri(options, 'token')
}
/**
* Get the user access token from the uri.
*
* @param {string|Object} uri
* @param {Object} [opts]
* @return {Promise}
*/
TokenFlow.prototype.getToken = function (uri, opts) {
var options = Object.assign({}, this.client.options, opts)
var url = typeof uri === 'object' ? uri : new URL(uri, DEFAULT_URL_BASE)
var expectedUrl = new URL(options.redirectUri, DEFAULT_URL_BASE)
if (typeof url.pathname === 'string' && url.pathname !== expectedUrl.pathname) {
return Promise.reject(
new TypeError('Redirected path should match configured path, but got: ' + url.pathname)
)
}
// If no query string or fragment exists, we won't be able to parse
// any useful information from the uri.
if (!url.hash && !url.search) {
return Promise.reject(new TypeError('Unable to process uri: ' + uri))
}
// Extract data from both the fragment and query string. The fragment is most
// important, but the query string is also used because some OAuth 2.0
// implementations (Instagram) have a bug where state is passed via query.
var data = Object.assign(
{},
typeof url.search === 'string' ? Querystring.parse(url.search.substr(1)) : (url.search || {}),
typeof url.hash === 'string' ? Querystring.parse(url.hash.substr(1)) : (url.hash || {})
)
var err = getAuthError(data)
// Check if the query string was populated with a known error.
if (err) {
return Promise.reject(err)
}
// Check whether the state matches.
if (options.state != null && data.state !== options.state) {
return Promise.reject(new TypeError('Invalid state: ' + data.state))
}
// Initalize a new token and return.
return Promise.resolve(this.client.createToken(data))
}
/**
* Support client credentials OAuth 2.0 grant.
*
* Reference: http://tools.ietf.org/html/rfc6749#section-4.4
*
* @param {ClientOAuth2} client
*/
function CredentialsFlow (client) {
this.client = client
}
/**
* Request an access token using the client credentials.
*
* @param {Object} [opts]
* @return {Promise}
*/
CredentialsFlow.prototype.getToken = function (opts) {
var self = this
var options = Object.assign({}, this.client.options, opts)
expects(options, 'clientId', 'clientSecret', 'accessTokenUri')
const body = {
grant_type: 'client_credentials'
}
if (options.scopes !== undefined) {
body.scope = sanitizeScope(options.scopes)
}
return this.client._request(requestOptions({
url: options.accessTokenUri,
method: 'POST',
headers: Object.assign({}, DEFAULT_HEADERS, {
Authorization: auth(options.clientId, options.clientSecret)
}),
body: body
}, options))
.then(function (data) {
return self.client.createToken(data)
})
}
/**
* Support authorization code OAuth 2.0 grant.
*
* Reference: http://tools.ietf.org/html/rfc6749#section-4.1
*
* @param {ClientOAuth2} client
*/
function CodeFlow (client) {
this.client = client
}
/**
* Generate the uri for doing the first redirect.
*
* @param {Object} [opts]
* @return {string}
*/
CodeFlow.prototype.getUri = function (opts) {
var options = Object.assign({}, this.client.options, opts)
return createUri(options, 'code')
}
/**
* Get the code token from the redirected uri and make another request for
* the user access token.
*
* @param {string|Object} uri
* @param {Object} [opts]
* @return {Promise}
*/
CodeFlow.prototype.getToken = function (uri, opts) {
var self = this
var options = Object.assign({}, this.client.options, opts)
expects(options, 'clientId', 'accessTokenUri')
var url = typeof uri === 'object' ? uri : new URL(uri, DEFAULT_URL_BASE)
if (
typeof options.redirectUri === 'string' &&
typeof url.pathname === 'string' &&
url.pathname !== (new URL(options.redirectUri, DEFAULT_URL_BASE)).pathname
) {
return Promise.reject(
new TypeError('Redirected path should match configured path, but got: ' + url.pathname)
)
}
if (!url.search || !url.search.substr(1)) {
return Promise.reject(new TypeError('Unable to process uri: ' + uri))
}
var data = typeof url.search === 'string'
? Querystring.parse(url.search.substr(1))
: (url.search || {})
var err = getAuthError(data)
if (err) {
return Promise.reject(err)
}
if (options.state != null && data.state !== options.state) {
return Promise.reject(new TypeError('Invalid state: ' + data.state))
}
// Check whether the response code is set.
if (!data.code) {
return Promise.reject(new TypeError('Missing code, unable to request token'))
}
var headers = Object.assign({}, DEFAULT_HEADERS)
var body = { code: data.code, grant_type: 'authorization_code', redirect_uri: options.redirectUri }
// `client_id`: REQUIRED, if the client is not authenticating with the
// authorization server as described in Section 3.2.1.
// Reference: https://tools.ietf.org/html/rfc6749#section-3.2.1
if (options.clientSecret) {
headers.Authorization = auth(options.clientId, options.clientSecret)
} else {
body.client_id = options.clientId
}
return this.client._request(requestOptions({
url: options.accessTokenUri,
method: 'POST',
headers: headers,
body: body
}, options))
.then(function (data) {
return self.client.createToken(data)
})
}
/**
* Support JSON Web Token (JWT) Bearer Token OAuth 2.0 grant.
*
* Reference: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-2.1
*
* @param {ClientOAuth2} client
*/
function JwtBearerFlow (client) {
this.client = client
}
/**
* Request an access token using a JWT token.
*
* @param {string} token A JWT token.
* @param {Object} [opts]
* @return {Promise}
*/
JwtBearerFlow.prototype.getToken = function (token, opts) {
var self = this
var options = Object.assign({}, this.client.options, opts)
var headers = Object.assign({}, DEFAULT_HEADERS)
expects(options, 'accessTokenUri')
// Authentication of the client is optional, as described in
// Section 3.2.1 of OAuth 2.0 [RFC6749]
if (options.clientId) {
headers.Authorization = auth(options.clientId, options.clientSecret)
}
const body = {
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: token
}
if (options.scopes !== undefined) {
body.scope = sanitizeScope(options.scopes)
}
return this.client._request(requestOptions({
url: options.accessTokenUri,
method: 'POST',
headers: headers,
body: body
}, options))
.then(function (data) {
return self.client.createToken(data)
})
}