Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication.

2024-07-04 22:11:23 +12:00 · 2022-07-03 21:13:15 +01:00 · 2022-07-03 21:13:15 +01:00 · 1e6845d5cb
parent 9972ec403d
commit 1e6845d5cb
10 changed files with 233 additions and 71 deletions
--- a/packages/backend-core/src/auth.js
+++ b/packages/backend-core/src/auth.js
@ -37,53 +37,118 @@ passport.deserializeUser(async (user, done) => {
  }
 })
-//requestAccessStrategy
+async function refreshOIDCAccessToken(db, chosenConfig, refreshToken) {
-//refreshOAuthAccessToken
+  const callbackUrl = await oidc.getCallbackUrl(db, chosenConfig)
-
+  let enrichedConfig
-//configId for google and OIDC??
+  let strategy
 async function reUpToken(refreshToken, configId) {
  const db = getGlobalDB()
  console.log(refreshToken, configId)
  const config = await getScopedConfig(db, {
    type: Configs.OIDC,
    group: {}, //ctx.query.group, this was an empty object when authentication initially
  })
  const chosenConfig = config.configs[0] //.filter((c) => c.uuid === configId)[0]
  let callbackUrl = await oidc.oidcCallbackUrl(db, chosenConfig)
  //Remote Config
  const enrichedConfig = await oidc.fetchOIDCStrategyConfig(
    chosenConfig,
    callbackUrl
  )
  const strategy = await oidc.strategyFactory(enrichedConfig, () => {
    console.log("saveFn RETURN ARGS", JSON.stringify(arguments))
  })
  try {
-    refresh.use(strategy, {
+    enrichedConfig = await oidc.fetchStrategyConfig(chosenConfig, callbackUrl)
-      setRefreshOAuth2() {
+    if (!enrichedConfig) {
-        return strategy._getOAuth2Client(enrichedConfig)
+      throw new Error("OIDC Config contents invalid")
-      },
+    }
-    })
+    strategy = await oidc.strategyFactory(enrichedConfig)
-    console.log("Testing")
+  } catch (err) {
    console.error(err)
    throw new Error("Could not refresh OAuth Token")
  }
-    // By default, the strat calls itself "openidconnect"
+  refresh.use(strategy, {
    setRefreshOAuth2() {
      return strategy._getOAuth2Client(enrichedConfig)
    },
  })
-    // refresh.requestNewAccessToken(
+  return new Promise(resolve => {
-    //   'openidconnect',
+    refresh.requestNewAccessToken(
-    //   refToken,
+      Configs.OIDC,
-    //   (err, accessToken, refreshToken) => {
+      refreshToken,
-    //     console.log("REAUTH CB", err, accessToken, refreshToken);
+      (err, accessToken, refreshToken, params) => {
-    //   })
+        resolve({ err, accessToken, refreshToken, params })
      }
    )
  })
 }
 async function refreshGoogleAccessToken(db, config, refreshToken) {
  let callbackUrl = await google.getCallbackUrl(db, config)
  const googleConfig = await google.fetchStrategyConfig(config)
  let strategy
  try {
    strategy = await google.strategyFactory(googleConfig, callbackUrl)
  } catch (err) {
    console.error(err)
    throw new Error("Error constructing OIDC refresh strategy", err)
  }
-  console.log("end")
+  refresh.use(strategy)
  return new Promise(resolve => {
    refresh.requestNewAccessToken(
      Configs.GOOGLE,
      refreshToken,
      (err, accessToken, refreshToken, params) => {
        resolve({ err, accessToken, refreshToken, params })
      }
    )
  })
 }
 async function refreshOAuthToken(refreshToken, configType, configId) {
  const db = getGlobalDB()
  const config = await getScopedConfig(db, {
    type: configType,
    group: {},
  })
  let chosenConfig = {}
  let refreshResponse
  if (configType === Configs.OIDC) {
    // configId - retrieved from cookie.
    chosenConfig = config.configs.filter(c => c.uuid === configId)[0]
    if (!chosenConfig) {
      throw new Error("Invalid OIDC configuration")
    }
    refreshResponse = await refreshOIDCAccessToken(
      db,
      chosenConfig,
      refreshToken
    )
  } else {
    chosenConfig = config
    refreshResponse = await refreshGoogleAccessToken(
      db,
      chosenConfig,
      refreshToken
    )
  }
  console.log(JSON.stringify(refreshResponse))
  return refreshResponse
 }
 async function updateUserOAuth(userId, oAuthConfig) {
  const details = { ...oAuthConfig }
  try {
    const db = getGlobalDB()
    const dbUser = db.get(userId)
    //Do not overwrite the refresh token if a valid one is not provided.
    if (typeof details.refreshToken !== "string") {
      delete details.refreshToken
    }
    dbUser.oAuth2 = {
      ...dbUser.oAuth2,
      ...details,
    }
    await db.put(dbUser)
  } catch (e) {
    console.error("Could not update OAuth details for current user", e)
  }
 }
 module.exports = {
@ -98,5 +163,6 @@ module.exports = {
  authError,
  buildCsrfMiddleware: csrf,
  internalApi,
-  reUpToken,
+  refreshOAuthToken,
  updateUserOAuth,
 }
--- a/packages/backend-core/src/middleware/authenticated.js
+++ b/packages/backend-core/src/middleware/authenticated.js
@ -128,6 +128,8 @@ module.exports = (
      }
      if (!user && tenantId) {
        user = { tenantId }
      } else {
        delete user.password
      }
      // be explicit
      if (authenticated !== true) {
--- a/packages/backend-core/src/middleware/passport/google.js
+++ b/packages/backend-core/src/middleware/passport/google.js
@ -1,6 +1,8 @@
 const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
-
+const { ssoCallbackUrl } = require("./utils")
 const { authenticateThirdParty } = require("./third-party-common")
 const { Configs } = require("../../../constants")
 const environment = require("../../environment")
 const buildVerifyFn = saveUserFn => {
  return (accessToken, refreshToken, profile, done) => {
@ -57,5 +59,19 @@ exports.strategyFactory = async function (config, callbackUrl, saveUserFn) {
    )
  }
 }
 exports.fetchStrategyConfig = async function (googleConfig) {
  return (
    googleConfig || {
      clientID: environment.GOOGLE_CLIENT_ID,
      clientSecret: environment.GOOGLE_CLIENT_SECRET,
    }
  )
 }
 exports.getCallbackUrl = async function (db, config) {
  return ssoCallbackUrl(db, config, Configs.GOOGLE)
 }
 // expose for testing
 exports.buildVerifyFn = buildVerifyFn
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@ -6,7 +6,7 @@ const users = require("../../users")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
 const { createASession } = require("../../security/sessions")
-const { getTenantId } = require("../../tenancy")
+const { getTenantId, getGlobalDB } = require("../../tenancy")
 const INVALID_ERR = "Invalid credentials"
 const SSO_NO_PASSWORD = "SSO user does not have a password set"
@ -55,6 +55,20 @@ exports.authenticate = async function (ctx, email, password, done) {
  if (await compare(password, dbUser.password)) {
    const sessionId = newid()
    const tenantId = getTenantId()
    if (dbUser.provider || dbUser.providerType || dbUser.pictureUrl) {
      delete dbUser.provider
      delete dbUser.providerType
      delete dbUser.pictureUrl
      try {
        const db = getGlobalDB()
        await db.put(dbUser)
      } catch (err) {
        console.error("OAuth elements could not be purged")
      }
    }
    await createASession(dbUser._id, { sessionId, tenantId })
    dbUser.token = jwt.sign(
--- a/packages/backend-core/src/middleware/passport/oidc.js
+++ b/packages/backend-core/src/middleware/passport/oidc.js
@ -2,6 +2,7 @@ const fetch = require("node-fetch")
 const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
 const { authenticateThirdParty } = require("./third-party-common")
 const { ssoCallbackUrl } = require("./utils")
 const { Configs } = require("../../../constants")
 const buildVerifyFn = saveUserFn => {
  /**
@ -93,14 +94,16 @@ function validEmail(value) {
 exports.strategyFactory = async function (config, saveUserFn) {
  try {
    const verify = buildVerifyFn(saveUserFn)
-    return new OIDCStrategy(config, verify)
+    const strategy = new OIDCStrategy(config, verify)
    strategy.name = "oidc"
    return strategy
  } catch (err) {
    console.error(err)
    throw new Error("Error constructing OIDC authentication strategy", err)
  }
 }
-export const fetchOIDCStrategyConfig = async (config, callbackUrl) => {
+exports.fetchStrategyConfig = async function (config, callbackUrl) {
  try {
    const { clientID, clientSecret, configUrl } = config
@ -136,8 +139,8 @@ export const fetchOIDCStrategyConfig = async (config, callbackUrl) => {
  }
 }
-export const oidcCallbackUrl = async (db, config) => {
+exports.getCallbackUrl = async function (db, config) {
-  return ssoCallbackUrl(db, config, "oidc")
+  return ssoCallbackUrl(db, config, Configs.OIDC)
 }
 // expose for testing
--- a/packages/builder/cypress/integration/appPublishWorkflow.spec.js
+++ b/packages/builder/cypress/integration/appPublishWorkflow.spec.js
@ -85,12 +85,12 @@ filterTests(['all'], () => {
        cy.get(interact.APP_TABLE_APP_NAME).click({ force: true })
      })
-      cy.get(interact.DEPLOYMENT_TOP_NAV).click()
+      cy.get(interact.DEPLOYMENT_TOP_GLOBE).should("exist").click({ force: true })
-      cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true })
+      
-      cy.get(interact.UNPUBLISH_MODAL)
+      cy.get("[data-cy='publish-popover-menu']")
-        .within(() => {
+      .within(() => {
-          cy.get(interact.CONFIRM_WRAP_BUTTON).click({ force: true })
+        cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true })
-        })
+      })
      cy.get(interact.UNPUBLISH_MODAL).should("be.visible")
      .within(() => {
--- a/packages/server/src/api/controllers/query/index.ts
+++ b/packages/server/src/api/controllers/query/index.ts
@ -9,7 +9,7 @@ import { getAppDB } from "@budibase/backend-core/context"
 import { quotas } from "@budibase/pro"
 import { events } from "@budibase/backend-core"
 import { getCookie } from "@budibase/backend-core/utils"
-import { Cookies } from "@budibase/backend-core/constants"
+import { Cookies, Configs } from "@budibase/backend-core/constants"
 const Runner = new Thread(ThreadType.QUERY, {
  timeoutMs: QUERY_THREAD_TIMEOUT || 10000,
@ -112,6 +112,21 @@ export async function find(ctx: any) {
  ctx.body = query
 }
 //Required to discern between OIDC OAuth config entries
 function getOAuthConfigCookieId(ctx: any) {
  if (ctx.user.providerType === Configs.OIDC) {
    return getCookie(ctx, Cookies.OIDC_CONFIG)
  }
 }
 function getAuthConfig(ctx: any) {
  const authCookie = getCookie(ctx, Cookies.Auth)
  let authConfigCtx: any = {}
  authConfigCtx["configId"] = getOAuthConfigCookieId(ctx)
  authConfigCtx["sessionId"] = authCookie ? authCookie.sessionId : null
  return authConfigCtx
 }
 export async function preview(ctx: any) {
  const db = getAppDB()
@ -121,9 +136,7 @@ export async function preview(ctx: any) {
  // this stops dynamic variables from calling the same query
  const { fields, parameters, queryVerb, transformer, queryId } = query
-  //check for oAuth elements here?
+  const authConfigCtx: any = getAuthConfig(ctx)
  const configId = getCookie(ctx, Cookies.OIDC_CONFIG)
  console.log(configId)
  try {
    const runFn = () =>
@ -135,6 +148,10 @@ export async function preview(ctx: any) {
        parameters,
        transformer,
        queryId,
        ctx: {
          user: ctx.user,
          auth: { ...authConfigCtx },
        },
      })
    const { rows, keys, info, extra } = await quotas.addQuery(runFn)
    await events.query.previewed(datasource, query)
@ -177,6 +194,9 @@ async function execute(ctx: any, opts = { rowsOnly: false }) {
        parameters: enrichedParameters,
        transformer: query.transformer,
        queryId: ctx.params.queryId,
        ctx: {
          user: ctx.user,
        },
      })
    const { rows, pagination, extra } = await quotas.addQuery(runFn)
--- a/packages/server/src/module.d.ts
+++ b/packages/server/src/module.d.ts
@ -8,3 +8,4 @@ declare module "@budibase/backend-core/constants"
 declare module "@budibase/backend-core/auth"
 declare module "@budibase/backend-core/sessions"
 declare module "@budibase/backend-core/encryption"
 declare module "@budibase/backend-core/utils"
--- a/packages/server/src/threads/query.js
+++ b/packages/server/src/threads/query.js
@ -4,7 +4,12 @@ const ScriptRunner = require("../utilities/scriptRunner")
 const { integrations } = require("../integrations")
 const { processStringSync } = require("@budibase/string-templates")
 const { doInAppContext, getAppDB } = require("@budibase/backend-core/context")
-// const { reUpToken } = require("@budibase/backend-core/auth")
+const {
  refreshOAuthToken,
  updateUserOAuth,
 } = require("@budibase/backend-core/auth")
 const { getGlobalIDFromUserMetadataID } = require("../db/utils")
 const { isSQL } = require("../integrations/utils")
 const {
  enrichQueryFields,
@ -22,20 +27,19 @@ class QueryRunner {
    this.queryId = input.queryId
    this.noRecursiveQuery = flags.noRecursiveQuery
    this.cachedVariables = []
    // Additional context items for enrichment
    this.ctx = input.ctx
    // allows the response from a query to be stored throughout this
    // execution so that if it needs to be re-used for another variable
    // it can be
    this.queryResponse = {}
    this.hasRerun = false
    this.hasRefreshedOAuth = false
  }
  async execute() {
    let { datasource, fields, queryVerb, transformer } = this
    // if(this.ctx.user.oauth2?.refreshToken){
    //   reUpToken(this.ctx.user.oauth2?.refreshToken)
    // }
    const Integration = integrations[datasource.source]
    if (!Integration) {
      throw "Integration type does not exist."
@ -79,15 +83,24 @@ class QueryRunner {
    }
    // if the request fails we retry once, invalidating the cached value
-    if (
+    if (info && info.code >= 400 && !this.hasRerun) {
-      info &&
+      if (
-      info.code >= 400 &&
+        this.ctx.user?.provider &&
-      this.cachedVariables.length > 0 &&
+        info.code === 401 &&
-      !this.hasRerun
+        !this.hasRefreshedOAuth
-    ) {
+      ) {
-      // return { info }
+        // Attempt to refresh the access token from the provider
        this.hasRefreshedOAuth = true
        const authResponse = await this.refreshOAuth2(this.ctx)
        if (!authResponse || authResponse.err) {
          // In this event the user may have oAuth issues that
          // could require re-authenticating with their provider.
          throw new Error("OAuth2 access token could not be refreshed")
        }
      }
      this.hasRerun = true
      // invalidate the cache value
      await threadUtils.invalidateDynamicVariables(this.cachedVariables)
      return this.execute()
    }
@ -133,6 +146,31 @@ class QueryRunner {
    ).execute()
  }
  async refreshOAuth2(ctx) {
    const { oauth2, providerType, _id } = ctx.user
    const { configId } = ctx.auth
    if (!providerType || !oauth2?.refreshToken) {
      console.error("No refresh token found for authenticated user")
      return
    }
    const resp = await refreshOAuthToken(
      oauth2.refreshToken,
      providerType,
      configId
    )
    // Refresh session flow. Should be in same location as refreshOAuthToken
    // There are several other properties available in 'resp'
    if (!resp.error) {
      const globalUserId = getGlobalIDFromUserMetadataID(_id)
      await updateUserOAuth(globalUserId, resp)
    }
    return resp
  }
  async getDynamicVariable(variable) {
    let { parameters } = this
    const queryId = variable.queryId,
--- a/packages/worker/src/api/controllers/global/auth.ts
+++ b/packages/worker/src/api/controllers/global/auth.ts
@ -70,7 +70,7 @@ async function authInternal(ctx: any, user: any, err = null, info = null) {
 export const authenticate = async (ctx: any, next: any) => {
  return passport.authenticate(
    "local",
-    async (err: any, user: User, info: any) => {
+    async (err: any, user: any, info: any) => {
      await authInternal(ctx, user, err, info)
      await context.identity.doInUserContext(user, async () => {
        await events.auth.login("local")
@ -197,7 +197,9 @@ export const googlePreAuth = async (ctx: any, next: any) => {
  const strategy = await google.strategyFactory(config, callbackUrl, users.save)
  return passport.authenticate(strategy, {
-    scope: ["profile", "email"],
+    scope: ["profile", "email", "https://www.googleapis.com/auth/spreadsheets"],
    accessType: "offline",
    prompt: "consent",
  })(ctx, next)
 }
@ -235,7 +237,7 @@ export const oidcStrategyFactory = async (ctx: any, configId: any) => {
  let callbackUrl = await exports.oidcCallbackUrl(chosenConfig)
  //Remote Config
-  const enrichedConfig = await oidc.fetchOIDCStrategyConfig(
+  const enrichedConfig = await oidc.fetchStrategyConfig(
    chosenConfig,
    callbackUrl
  )