|
|
|
@ -57,6 +57,7 @@ class OAuth2Service extends SiteService { |
|
|
|
registerPassport ( ) { |
|
|
|
const verifyClient = this.verifyClient.bind(this); |
|
|
|
const verifyHttpBearer = this.verifyHttpBearer.bind(this); |
|
|
|
const verifyKaleidoscopeBearer = this.verifyKaleidoscopeBearer.bind(this); |
|
|
|
|
|
|
|
const basicStrategy = new BasicStrategy(verifyClient); |
|
|
|
this.log.info('registering Basic strategy', { name: basicStrategy.name }); |
|
|
|
@ -69,6 +70,10 @@ class OAuth2Service extends SiteService { |
|
|
|
const httpBearerStrategy = new BearerStrategy(verifyHttpBearer); |
|
|
|
this.log.info('registering Bearer strategy', { name: httpBearerStrategy.name }); |
|
|
|
passport.use(httpBearerStrategy); |
|
|
|
|
|
|
|
const kaleidoscopeBearerStrategy = new BearerStrategy(verifyKaleidoscopeBearer); |
|
|
|
this.log.info('registering Kaleidoscope Bearer strategy'); |
|
|
|
passport.use(kaleidoscopeBearerStrategy); |
|
|
|
} |
|
|
|
|
|
|
|
async serializeClient (client, done) { |
|
|
|
@ -392,6 +397,7 @@ class OAuth2Service extends SiteService { |
|
|
|
async verifyHttpBearer (accessToken, done) { |
|
|
|
const token = await this.getAccessToken(accessToken); |
|
|
|
if (!token) { |
|
|
|
this.log.error('no bearer token for client', { accessToken }); |
|
|
|
return done(null, false); |
|
|
|
} |
|
|
|
return done(null, token.user, { scope: token.scope }); |
|
|
|
@ -411,6 +417,45 @@ class OAuth2Service extends SiteService { |
|
|
|
.lean(); |
|
|
|
return tokens; |
|
|
|
} |
|
|
|
|
|
|
|
async getKaleidoscopeClient (accessToken) { |
|
|
|
const client = await OAuth2Client |
|
|
|
.findOne({ 'kaleidoscope.token': accessToken }) |
|
|
|
.select('-secret -kaleidoscope -admin') // don't fetch them
|
|
|
|
.lean(); |
|
|
|
if (!client) { |
|
|
|
return; // we don't have one, be undefined
|
|
|
|
} |
|
|
|
/* |
|
|
|
* extreme paranoia also serializes the object to absolutely prevent leaking |
|
|
|
* a secret even if the underlying Mongoose library has a bug today. |
|
|
|
*/ |
|
|
|
return { |
|
|
|
_id: client._id, |
|
|
|
created: client.created, |
|
|
|
updated: client.updated, |
|
|
|
site: client.site, |
|
|
|
scopes: client.scopes, |
|
|
|
flags: client.flags, |
|
|
|
}; |
|
|
|
} |
|
|
|
|
|
|
|
async verifyKaleidoscopeBearer (accessToken, done) { |
|
|
|
const client = await this.getKaleidoscopeClient(accessToken); |
|
|
|
if (!client) { |
|
|
|
this.log.error('no Kaleidoscope token for client', { accessToken }); |
|
|
|
return done(null, false); |
|
|
|
} |
|
|
|
/* |
|
|
|
* Minor hack here. You don't get a User or CoreUser for use with |
|
|
|
* Kaleidoscope. This is machine-to-machine, there simply is no "user" in |
|
|
|
* this transaction. Instead, you get a Client - the machine. |
|
|
|
* |
|
|
|
* So, up in controller space, req.user isn't a User or CoreUser for |
|
|
|
* Kaleidoscope APIs. It is the OAuth2 Client or Service Node. |
|
|
|
*/ |
|
|
|
return done(null, client); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
module.exports = { |
|
|
|
|
