budibase/packages/backend-core/src/auth.js

const passport = require("koa-passport")
const LocalStrategy = require("passport-local").Strategy
const JwtStrategy = require("passport-jwt").Strategy
const { getGlobalDB } = require("./tenancy")
const refresh = require("passport-oauth2-refresh")
const { Configs } = require("./constants")
const { getScopedConfig } = require("./db/utils")
const {
  jwt,
  local,
  authenticated,
  google,
  oidc,
  auditLog,
  tenancy,
  appTenancy,
  authError,
  ssoCallbackUrl,
  csrf,
  internalApi,
} = require("./middleware")

const { invalidateUser } = require("./cache/user")

// Strategies
passport.use(new LocalStrategy(local.options, local.authenticate))
passport.use(new JwtStrategy(jwt.options, jwt.authenticate))

passport.serializeUser((user, done) => done(null, user))

passport.deserializeUser(async (user, done) => {
  const db = getGlobalDB()

  try {
    const user = await db.get(user._id)
    return done(null, user)
  } catch (err) {
    console.error(`User not found`, err)
    return done(null, false, { message: "User not found" })
  }
})

async function refreshOIDCAccessToken(db, chosenConfig, refreshToken) {
  const callbackUrl = await oidc.getCallbackUrl(db, chosenConfig)
  let enrichedConfig
  let strategy

  try {
    enrichedConfig = await oidc.fetchStrategyConfig(chosenConfig, callbackUrl)
    if (!enrichedConfig) {
      throw new Error("OIDC Config contents invalid")
    }
    strategy = await oidc.strategyFactory(enrichedConfig)
  } catch (err) {
    console.error(err)
    throw new Error("Could not refresh OAuth Token")
  }

  refresh.use(strategy, {
    setRefreshOAuth2() {
      return strategy._getOAuth2Client(enrichedConfig)
    },
  })

  return new Promise(resolve => {
    refresh.requestNewAccessToken(
      Configs.OIDC,
      refreshToken,
      (err, accessToken, refreshToken, params) => {
        resolve({ err, accessToken, refreshToken, params })
      }
    )
  })
}

async function refreshGoogleAccessToken(db, config, refreshToken) {
  let callbackUrl = await google.getCallbackUrl(db, config)

  let strategy
  try {
    strategy = await google.strategyFactory(config, callbackUrl)
  } catch (err) {
    console.error(err)
    throw new Error("Error constructing OIDC refresh strategy", err)
  }

  refresh.use(strategy)

  return new Promise(resolve => {
    refresh.requestNewAccessToken(
      Configs.GOOGLE,
      refreshToken,
      (err, accessToken, refreshToken, params) => {
        resolve({ err, accessToken, refreshToken, params })
      }
    )
  })
}

async function refreshOAuthToken(refreshToken, configType, configId) {
  const db = getGlobalDB()

  const config = await getScopedConfig(db, {
    type: configType,
    group: {},
  })

  let chosenConfig = {}
  let refreshResponse
  if (configType === Configs.OIDC) {
    // configId - retrieved from cookie.
    chosenConfig = config.configs.filter(c => c.uuid === configId)[0]
    if (!chosenConfig) {
      throw new Error("Invalid OIDC configuration")
    }
    refreshResponse = await refreshOIDCAccessToken(
      db,
      chosenConfig,
      refreshToken
    )
  } else {
    chosenConfig = config
    refreshResponse = await refreshGoogleAccessToken(
      db,
      chosenConfig,
      refreshToken
    )
  }

  return refreshResponse
}

async function updateUserOAuth(userId, oAuthConfig) {
  const details = {
    accessToken: oAuthConfig.accessToken,
    refreshToken: oAuthConfig.refreshToken,
  }

  try {
    const db = getGlobalDB()
    const dbUser = await db.get(userId)

    //Do not overwrite the refresh token if a valid one is not provided.
    if (typeof details.refreshToken !== "string") {
      delete details.refreshToken
    }

    dbUser.oauth2 = {
      ...dbUser.oauth2,
      ...details,
    }

    await db.put(dbUser)

    await invalidateUser(userId)
  } catch (e) {
    console.error("Could not update OAuth details for current user", e)
  }
}

module.exports = {
  buildAuthMiddleware: authenticated,
  passport,
  google,
  oidc,
  jwt: require("jsonwebtoken"),
  buildTenancyMiddleware: tenancy,
  buildAppTenancyMiddleware: appTenancy,
  auditLog,
  authError,
  buildCsrfMiddleware: csrf,
  internalApi,
  refreshOAuthToken,
  updateUserOAuth,
  ssoCallbackUrl,
}
Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`const passport = require("koa-passport")`
			`const LocalStrategy = require("passport-local").Strategy`
			`const JwtStrategy = require("passport-jwt").Strategy`
			`const { getGlobalDB } = require("./tenancy")`
Merge commit 2022-06-24 01:29:19 +12:00			`const refresh = require("passport-oauth2-refresh")`
			`const { Configs } = require("./constants")`
			`const { getScopedConfig } = require("./db/utils")`
Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`const {`
			`jwt,`
			`local,`
			`authenticated,`
			`google,`
			`oidc,`
			`auditLog,`
			`tenancy,`
			`appTenancy,`
			`authError,`
Code review updates 2022-07-04 23:54:26 +12:00			`ssoCallbackUrl,`
Add CSRF Token 2022-01-26 11:54:50 +13:00			`csrf,`
Migrations 2.0 2022-01-24 23:48:59 +13:00			`internalApi,`
Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`} = require("./middleware")`

Properly invalidate the cached user ensuring up-to-date credentials are always used 2022-07-06 22:51:48 +12:00			`const { invalidateUser } = require("./cache/user")`

Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`// Strategies`
			`passport.use(new LocalStrategy(local.options, local.authenticate))`
			`passport.use(new JwtStrategy(jwt.options, jwt.authenticate))`

			`passport.serializeUser((user, done) => done(null, user))`

			`passport.deserializeUser(async (user, done) => {`
			`const db = getGlobalDB()`

			`try {`
			`const user = await db.get(user._id)`
			`return done(null, user)`
			`} catch (err) {`
enable clustering on server and worker services, better log output on user not found errors 2022-05-24 03:24:29 +12:00			console.error(`User not found`, err)
Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`return done(null, false, { message: "User not found" })`
			`}`
			`})`

Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`async function refreshOIDCAccessToken(db, chosenConfig, refreshToken) {`
			`const callbackUrl = await oidc.getCallbackUrl(db, chosenConfig)`
			`let enrichedConfig`
			`let strategy`
Merge commit 2022-06-24 01:29:19 +12:00
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`try {`
			`enrichedConfig = await oidc.fetchStrategyConfig(chosenConfig, callbackUrl)`
			`if (!enrichedConfig) {`
			`throw new Error("OIDC Config contents invalid")`
			`}`
			`strategy = await oidc.strategyFactory(enrichedConfig)`
			`} catch (err) {`
			`console.error(err)`
			`throw new Error("Could not refresh OAuth Token")`
			`}`
Merge commit 2022-06-24 01:29:19 +12:00
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`refresh.use(strategy, {`
			`setRefreshOAuth2() {`
			`return strategy._getOAuth2Client(enrichedConfig)`
			`},`
			`})`
Merge commit 2022-06-24 01:29:19 +12:00
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`return new Promise(resolve => {`
			`refresh.requestNewAccessToken(`
			`Configs.OIDC,`
			`refreshToken,`
			`(err, accessToken, refreshToken, params) => {`
			`resolve({ err, accessToken, refreshToken, params })`
			`}`
			`)`
Merge commit 2022-06-24 01:29:19 +12:00			`})`
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`}`
Merge commit 2022-06-24 01:29:19 +12:00
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`async function refreshGoogleAccessToken(db, config, refreshToken) {`
			`let callbackUrl = await google.getCallbackUrl(db, config)`

			`let strategy`
Merge commit 2022-06-24 01:29:19 +12:00			`try {`
Code review updates 2022-07-04 23:54:26 +12:00			`strategy = await google.strategyFactory(config, callbackUrl)`
Merge commit 2022-06-24 01:29:19 +12:00			`} catch (err) {`
			`console.error(err)`
			`throw new Error("Error constructing OIDC refresh strategy", err)`
			`}`

Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`refresh.use(strategy)`

			`return new Promise(resolve => {`
			`refresh.requestNewAccessToken(`
			`Configs.GOOGLE,`
			`refreshToken,`
			`(err, accessToken, refreshToken, params) => {`
			`resolve({ err, accessToken, refreshToken, params })`
			`}`
			`)`
			`})`
			`}`

			`async function refreshOAuthToken(refreshToken, configType, configId) {`
			`const db = getGlobalDB()`

			`const config = await getScopedConfig(db, {`
			`type: configType,`
			`group: {},`
			`})`

			`let chosenConfig = {}`
			`let refreshResponse`
			`if (configType === Configs.OIDC) {`
			`// configId - retrieved from cookie.`
			`chosenConfig = config.configs.filter(c => c.uuid === configId)[0]`
			`if (!chosenConfig) {`
			`throw new Error("Invalid OIDC configuration")`
			`}`
			`refreshResponse = await refreshOIDCAccessToken(`
			`db,`
			`chosenConfig,`
			`refreshToken`
			`)`
			`} else {`
			`chosenConfig = config`
			`refreshResponse = await refreshGoogleAccessToken(`
			`db,`
			`chosenConfig,`
			`refreshToken`
			`)`
			`}`

			`return refreshResponse`
			`}`

			`async function updateUserOAuth(userId, oAuthConfig) {`
Fix for oauth user db update 2022-07-04 09:14:18 +12:00			`const details = {`
			`accessToken: oAuthConfig.accessToken,`
			`refreshToken: oAuthConfig.refreshToken,`
			`}`

Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`try {`
			`const db = getGlobalDB()`
Fix for oauth user db update 2022-07-04 09:14:18 +12:00			`const dbUser = await db.get(userId)`
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00
			`//Do not overwrite the refresh token if a valid one is not provided.`
			`if (typeof details.refreshToken !== "string") {`
			`delete details.refreshToken`
			`}`

Fix for oauth user db update 2022-07-04 09:14:18 +12:00			`dbUser.oauth2 = {`
			`...dbUser.oauth2,`
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`...details,`
			`}`

			`await db.put(dbUser)`
Properly invalidate the cached user ensuring up-to-date credentials are always used 2022-07-06 22:51:48 +12:00
			`await invalidateUser(userId)`
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`} catch (e) {`
			`console.error("Could not update OAuth details for current user", e)`
			`}`
Merge commit 2022-06-24 01:29:19 +12:00			`}`

Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`module.exports = {`
			`buildAuthMiddleware: authenticated,`
			`passport,`
			`google,`
			`oidc,`
			`jwt: require("jsonwebtoken"),`
			`buildTenancyMiddleware: tenancy,`
			`buildAppTenancyMiddleware: appTenancy,`
			`auditLog,`
			`authError,`
Add CSRF Token 2022-01-26 11:54:50 +13:00			`buildCsrfMiddleware: csrf,`
Migrations 2.0 2022-01-24 23:48:59 +13:00			`internalApi,`
Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. 2022-07-04 08:13:15 +12:00			`refreshOAuthToken,`
			`updateUserOAuth,`
Code review updates 2022-07-04 23:54:26 +12:00			`ssoCallbackUrl,`
Refactoring core library usage in monorepo, make it a bit cleaner/easier to search/more standardised. 2022-01-13 00:32:14 +13:00			`}`