From 1e6845d5cb82d74ae86c44a68723914f0650571e Mon Sep 17 00:00:00 2001 From: Dean Date: Sun, 3 Jul 2022 21:13:15 +0100 Subject: [PATCH] Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication. --- packages/backend-core/src/auth.js | 144 +++++++++++++----- .../src/middleware/authenticated.js | 2 + .../src/middleware/passport/google.js | 18 ++- .../src/middleware/passport/local.js | 16 +- .../src/middleware/passport/oidc.js | 11 +- .../integration/appPublishWorkflow.spec.js | 12 +- .../server/src/api/controllers/query/index.ts | 28 +++- packages/server/src/module.d.ts | 1 + packages/server/src/threads/query.js | 64 ++++++-- .../worker/src/api/controllers/global/auth.ts | 8 +- 10 files changed, 233 insertions(+), 71 deletions(-) diff --git a/packages/backend-core/src/auth.js b/packages/backend-core/src/auth.js index 58c00c92c3..9566a646f1 100644 --- a/packages/backend-core/src/auth.js +++ b/packages/backend-core/src/auth.js @@ -37,53 +37,118 @@ passport.deserializeUser(async (user, done) => { } }) -//requestAccessStrategy -//refreshOAuthAccessToken - -//configId for google and OIDC?? -async function reUpToken(refreshToken, configId) { - const db = getGlobalDB() - console.log(refreshToken, configId) - const config = await getScopedConfig(db, { - type: Configs.OIDC, - group: {}, //ctx.query.group, this was an empty object when authentication initially - }) - - const chosenConfig = config.configs[0] //.filter((c) => c.uuid === configId)[0] - let callbackUrl = await oidc.oidcCallbackUrl(db, chosenConfig) - - //Remote Config - const enrichedConfig = await oidc.fetchOIDCStrategyConfig( - chosenConfig, - callbackUrl - ) - - const strategy = await oidc.strategyFactory(enrichedConfig, () => { - console.log("saveFn RETURN ARGS", JSON.stringify(arguments)) - }) +async function refreshOIDCAccessToken(db, chosenConfig, refreshToken) { + const callbackUrl = await oidc.getCallbackUrl(db, chosenConfig) + let enrichedConfig + let strategy try { - refresh.use(strategy, { - setRefreshOAuth2() { - return strategy._getOAuth2Client(enrichedConfig) - }, - }) - console.log("Testing") + enrichedConfig = await oidc.fetchStrategyConfig(chosenConfig, callbackUrl) + if (!enrichedConfig) { + throw new Error("OIDC Config contents invalid") + } + strategy = await oidc.strategyFactory(enrichedConfig) + } catch (err) { + console.error(err) + throw new Error("Could not refresh OAuth Token") + } - // By default, the strat calls itself "openidconnect" + refresh.use(strategy, { + setRefreshOAuth2() { + return strategy._getOAuth2Client(enrichedConfig) + }, + }) - // refresh.requestNewAccessToken( - // 'openidconnect', - // refToken, - // (err, accessToken, refreshToken) => { - // console.log("REAUTH CB", err, accessToken, refreshToken); - // }) + return new Promise(resolve => { + refresh.requestNewAccessToken( + Configs.OIDC, + refreshToken, + (err, accessToken, refreshToken, params) => { + resolve({ err, accessToken, refreshToken, params }) + } + ) + }) +} + +async function refreshGoogleAccessToken(db, config, refreshToken) { + let callbackUrl = await google.getCallbackUrl(db, config) + const googleConfig = await google.fetchStrategyConfig(config) + + let strategy + try { + strategy = await google.strategyFactory(googleConfig, callbackUrl) } catch (err) { console.error(err) throw new Error("Error constructing OIDC refresh strategy", err) } - console.log("end") + refresh.use(strategy) + + return new Promise(resolve => { + refresh.requestNewAccessToken( + Configs.GOOGLE, + refreshToken, + (err, accessToken, refreshToken, params) => { + resolve({ err, accessToken, refreshToken, params }) + } + ) + }) +} + +async function refreshOAuthToken(refreshToken, configType, configId) { + const db = getGlobalDB() + + const config = await getScopedConfig(db, { + type: configType, + group: {}, + }) + + let chosenConfig = {} + let refreshResponse + if (configType === Configs.OIDC) { + // configId - retrieved from cookie. + chosenConfig = config.configs.filter(c => c.uuid === configId)[0] + if (!chosenConfig) { + throw new Error("Invalid OIDC configuration") + } + refreshResponse = await refreshOIDCAccessToken( + db, + chosenConfig, + refreshToken + ) + } else { + chosenConfig = config + refreshResponse = await refreshGoogleAccessToken( + db, + chosenConfig, + refreshToken + ) + } + + console.log(JSON.stringify(refreshResponse)) + return refreshResponse +} + +async function updateUserOAuth(userId, oAuthConfig) { + const details = { ...oAuthConfig } + try { + const db = getGlobalDB() + const dbUser = db.get(userId) + + //Do not overwrite the refresh token if a valid one is not provided. + if (typeof details.refreshToken !== "string") { + delete details.refreshToken + } + + dbUser.oAuth2 = { + ...dbUser.oAuth2, + ...details, + } + + await db.put(dbUser) + } catch (e) { + console.error("Could not update OAuth details for current user", e) + } } module.exports = { @@ -98,5 +163,6 @@ module.exports = { authError, buildCsrfMiddleware: csrf, internalApi, - reUpToken, + refreshOAuthToken, + updateUserOAuth, } diff --git a/packages/backend-core/src/middleware/authenticated.js b/packages/backend-core/src/middleware/authenticated.js index 9c35336dda..cca80cc511 100644 --- a/packages/backend-core/src/middleware/authenticated.js +++ b/packages/backend-core/src/middleware/authenticated.js @@ -128,6 +128,8 @@ module.exports = ( } if (!user && tenantId) { user = { tenantId } + } else { + delete user.password } // be explicit if (authenticated !== true) { diff --git a/packages/backend-core/src/middleware/passport/google.js b/packages/backend-core/src/middleware/passport/google.js index 858029ca80..167e719203 100644 --- a/packages/backend-core/src/middleware/passport/google.js +++ b/packages/backend-core/src/middleware/passport/google.js @@ -1,6 +1,8 @@ const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy - +const { ssoCallbackUrl } = require("./utils") const { authenticateThirdParty } = require("./third-party-common") +const { Configs } = require("../../../constants") +const environment = require("../../environment") const buildVerifyFn = saveUserFn => { return (accessToken, refreshToken, profile, done) => { @@ -57,5 +59,19 @@ exports.strategyFactory = async function (config, callbackUrl, saveUserFn) { ) } } + +exports.fetchStrategyConfig = async function (googleConfig) { + return ( + googleConfig || { + clientID: environment.GOOGLE_CLIENT_ID, + clientSecret: environment.GOOGLE_CLIENT_SECRET, + } + ) +} + +exports.getCallbackUrl = async function (db, config) { + return ssoCallbackUrl(db, config, Configs.GOOGLE) +} + // expose for testing exports.buildVerifyFn = buildVerifyFn diff --git a/packages/backend-core/src/middleware/passport/local.js b/packages/backend-core/src/middleware/passport/local.js index 445893b1df..3f224e7abd 100644 --- a/packages/backend-core/src/middleware/passport/local.js +++ b/packages/backend-core/src/middleware/passport/local.js @@ -6,7 +6,7 @@ const users = require("../../users") const { authError } = require("./utils") const { newid } = require("../../hashing") const { createASession } = require("../../security/sessions") -const { getTenantId } = require("../../tenancy") +const { getTenantId, getGlobalDB } = require("../../tenancy") const INVALID_ERR = "Invalid credentials" const SSO_NO_PASSWORD = "SSO user does not have a password set" @@ -55,6 +55,20 @@ exports.authenticate = async function (ctx, email, password, done) { if (await compare(password, dbUser.password)) { const sessionId = newid() const tenantId = getTenantId() + + if (dbUser.provider || dbUser.providerType || dbUser.pictureUrl) { + delete dbUser.provider + delete dbUser.providerType + delete dbUser.pictureUrl + + try { + const db = getGlobalDB() + await db.put(dbUser) + } catch (err) { + console.error("OAuth elements could not be purged") + } + } + await createASession(dbUser._id, { sessionId, tenantId }) dbUser.token = jwt.sign( diff --git a/packages/backend-core/src/middleware/passport/oidc.js b/packages/backend-core/src/middleware/passport/oidc.js index ef785f8aeb..570ce641cf 100644 --- a/packages/backend-core/src/middleware/passport/oidc.js +++ b/packages/backend-core/src/middleware/passport/oidc.js @@ -2,6 +2,7 @@ const fetch = require("node-fetch") const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy const { authenticateThirdParty } = require("./third-party-common") const { ssoCallbackUrl } = require("./utils") +const { Configs } = require("../../../constants") const buildVerifyFn = saveUserFn => { /** @@ -93,14 +94,16 @@ function validEmail(value) { exports.strategyFactory = async function (config, saveUserFn) { try { const verify = buildVerifyFn(saveUserFn) - return new OIDCStrategy(config, verify) + const strategy = new OIDCStrategy(config, verify) + strategy.name = "oidc" + return strategy } catch (err) { console.error(err) throw new Error("Error constructing OIDC authentication strategy", err) } } -export const fetchOIDCStrategyConfig = async (config, callbackUrl) => { +exports.fetchStrategyConfig = async function (config, callbackUrl) { try { const { clientID, clientSecret, configUrl } = config @@ -136,8 +139,8 @@ export const fetchOIDCStrategyConfig = async (config, callbackUrl) => { } } -export const oidcCallbackUrl = async (db, config) => { - return ssoCallbackUrl(db, config, "oidc") +exports.getCallbackUrl = async function (db, config) { + return ssoCallbackUrl(db, config, Configs.OIDC) } // expose for testing diff --git a/packages/builder/cypress/integration/appPublishWorkflow.spec.js b/packages/builder/cypress/integration/appPublishWorkflow.spec.js index a431051075..e65c01c1b6 100644 --- a/packages/builder/cypress/integration/appPublishWorkflow.spec.js +++ b/packages/builder/cypress/integration/appPublishWorkflow.spec.js @@ -85,12 +85,12 @@ filterTests(['all'], () => { cy.get(interact.APP_TABLE_APP_NAME).click({ force: true }) }) - cy.get(interact.DEPLOYMENT_TOP_NAV).click() - cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true }) - cy.get(interact.UNPUBLISH_MODAL) - .within(() => { - cy.get(interact.CONFIRM_WRAP_BUTTON).click({ force: true }) - }) + cy.get(interact.DEPLOYMENT_TOP_GLOBE).should("exist").click({ force: true }) + + cy.get("[data-cy='publish-popover-menu']") + .within(() => { + cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true }) + }) cy.get(interact.UNPUBLISH_MODAL).should("be.visible") .within(() => { diff --git a/packages/server/src/api/controllers/query/index.ts b/packages/server/src/api/controllers/query/index.ts index 73b508f028..528079be83 100644 --- a/packages/server/src/api/controllers/query/index.ts +++ b/packages/server/src/api/controllers/query/index.ts @@ -9,7 +9,7 @@ import { getAppDB } from "@budibase/backend-core/context" import { quotas } from "@budibase/pro" import { events } from "@budibase/backend-core" import { getCookie } from "@budibase/backend-core/utils" -import { Cookies } from "@budibase/backend-core/constants" +import { Cookies, Configs } from "@budibase/backend-core/constants" const Runner = new Thread(ThreadType.QUERY, { timeoutMs: QUERY_THREAD_TIMEOUT || 10000, @@ -112,6 +112,21 @@ export async function find(ctx: any) { ctx.body = query } +//Required to discern between OIDC OAuth config entries +function getOAuthConfigCookieId(ctx: any) { + if (ctx.user.providerType === Configs.OIDC) { + return getCookie(ctx, Cookies.OIDC_CONFIG) + } +} + +function getAuthConfig(ctx: any) { + const authCookie = getCookie(ctx, Cookies.Auth) + let authConfigCtx: any = {} + authConfigCtx["configId"] = getOAuthConfigCookieId(ctx) + authConfigCtx["sessionId"] = authCookie ? authCookie.sessionId : null + return authConfigCtx +} + export async function preview(ctx: any) { const db = getAppDB() @@ -121,9 +136,7 @@ export async function preview(ctx: any) { // this stops dynamic variables from calling the same query const { fields, parameters, queryVerb, transformer, queryId } = query - //check for oAuth elements here? - const configId = getCookie(ctx, Cookies.OIDC_CONFIG) - console.log(configId) + const authConfigCtx: any = getAuthConfig(ctx) try { const runFn = () => @@ -135,6 +148,10 @@ export async function preview(ctx: any) { parameters, transformer, queryId, + ctx: { + user: ctx.user, + auth: { ...authConfigCtx }, + }, }) const { rows, keys, info, extra } = await quotas.addQuery(runFn) await events.query.previewed(datasource, query) @@ -177,6 +194,9 @@ async function execute(ctx: any, opts = { rowsOnly: false }) { parameters: enrichedParameters, transformer: query.transformer, queryId: ctx.params.queryId, + ctx: { + user: ctx.user, + }, }) const { rows, pagination, extra } = await quotas.addQuery(runFn) diff --git a/packages/server/src/module.d.ts b/packages/server/src/module.d.ts index 466bea6576..fb523cf90d 100644 --- a/packages/server/src/module.d.ts +++ b/packages/server/src/module.d.ts @@ -8,3 +8,4 @@ declare module "@budibase/backend-core/constants" declare module "@budibase/backend-core/auth" declare module "@budibase/backend-core/sessions" declare module "@budibase/backend-core/encryption" +declare module "@budibase/backend-core/utils" diff --git a/packages/server/src/threads/query.js b/packages/server/src/threads/query.js index 6e6822d6f5..7808297f89 100644 --- a/packages/server/src/threads/query.js +++ b/packages/server/src/threads/query.js @@ -4,7 +4,12 @@ const ScriptRunner = require("../utilities/scriptRunner") const { integrations } = require("../integrations") const { processStringSync } = require("@budibase/string-templates") const { doInAppContext, getAppDB } = require("@budibase/backend-core/context") -// const { reUpToken } = require("@budibase/backend-core/auth") +const { + refreshOAuthToken, + updateUserOAuth, +} = require("@budibase/backend-core/auth") +const { getGlobalIDFromUserMetadataID } = require("../db/utils") + const { isSQL } = require("../integrations/utils") const { enrichQueryFields, @@ -22,20 +27,19 @@ class QueryRunner { this.queryId = input.queryId this.noRecursiveQuery = flags.noRecursiveQuery this.cachedVariables = [] + // Additional context items for enrichment + this.ctx = input.ctx // allows the response from a query to be stored throughout this // execution so that if it needs to be re-used for another variable // it can be this.queryResponse = {} this.hasRerun = false + this.hasRefreshedOAuth = false } async execute() { let { datasource, fields, queryVerb, transformer } = this - // if(this.ctx.user.oauth2?.refreshToken){ - // reUpToken(this.ctx.user.oauth2?.refreshToken) - // } - const Integration = integrations[datasource.source] if (!Integration) { throw "Integration type does not exist." @@ -79,15 +83,24 @@ class QueryRunner { } // if the request fails we retry once, invalidating the cached value - if ( - info && - info.code >= 400 && - this.cachedVariables.length > 0 && - !this.hasRerun - ) { - // return { info } + if (info && info.code >= 400 && !this.hasRerun) { + if ( + this.ctx.user?.provider && + info.code === 401 && + !this.hasRefreshedOAuth + ) { + // Attempt to refresh the access token from the provider + this.hasRefreshedOAuth = true + const authResponse = await this.refreshOAuth2(this.ctx) + + if (!authResponse || authResponse.err) { + // In this event the user may have oAuth issues that + // could require re-authenticating with their provider. + throw new Error("OAuth2 access token could not be refreshed") + } + } + this.hasRerun = true - // invalidate the cache value await threadUtils.invalidateDynamicVariables(this.cachedVariables) return this.execute() } @@ -133,6 +146,31 @@ class QueryRunner { ).execute() } + async refreshOAuth2(ctx) { + const { oauth2, providerType, _id } = ctx.user + const { configId } = ctx.auth + + if (!providerType || !oauth2?.refreshToken) { + console.error("No refresh token found for authenticated user") + return + } + + const resp = await refreshOAuthToken( + oauth2.refreshToken, + providerType, + configId + ) + + // Refresh session flow. Should be in same location as refreshOAuthToken + // There are several other properties available in 'resp' + if (!resp.error) { + const globalUserId = getGlobalIDFromUserMetadataID(_id) + await updateUserOAuth(globalUserId, resp) + } + + return resp + } + async getDynamicVariable(variable) { let { parameters } = this const queryId = variable.queryId, diff --git a/packages/worker/src/api/controllers/global/auth.ts b/packages/worker/src/api/controllers/global/auth.ts index bd399a29fc..2b738b4900 100644 --- a/packages/worker/src/api/controllers/global/auth.ts +++ b/packages/worker/src/api/controllers/global/auth.ts @@ -70,7 +70,7 @@ async function authInternal(ctx: any, user: any, err = null, info = null) { export const authenticate = async (ctx: any, next: any) => { return passport.authenticate( "local", - async (err: any, user: User, info: any) => { + async (err: any, user: any, info: any) => { await authInternal(ctx, user, err, info) await context.identity.doInUserContext(user, async () => { await events.auth.login("local") @@ -197,7 +197,9 @@ export const googlePreAuth = async (ctx: any, next: any) => { const strategy = await google.strategyFactory(config, callbackUrl, users.save) return passport.authenticate(strategy, { - scope: ["profile", "email"], + scope: ["profile", "email", "https://www.googleapis.com/auth/spreadsheets"], + accessType: "offline", + prompt: "consent", })(ctx, next) } @@ -235,7 +237,7 @@ export const oidcStrategyFactory = async (ctx: any, configId: any) => { let callbackUrl = await exports.oidcCallbackUrl(chosenConfig) //Remote Config - const enrichedConfig = await oidc.fetchOIDCStrategyConfig( + const enrichedConfig = await oidc.fetchStrategyConfig( chosenConfig, callbackUrl )