Add support for OAuth 2.0 authentication

2022-09-12 11:38:43 +02:00 · 2022-09-12 11:38:43 +02:00 · e815295503
commit e815295503
parent bbc94c88c0
5 changed files with 228 additions and 4 deletions
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@ -0,0 +1,109 @@
+function formatQueryString(params) {
+	let l = [];
+	for (let k in params) {
+		l.push(encodeURIComponent(k) + "=" + encodeURIComponent(params[k]));
+	}
+	return l.join("&");
+}
+
+export async function fetchServerMetadata(url) {
+	// TODO: handle path in config.oauth2.url
+	let resp;
+	try {
+		resp = await fetch(url + "/.well-known/oauth-authorization-server");
+		if (!resp.ok) {
+			throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+		}
+	} catch (err) {
+		console.warn("OAuth 2.0 server doesn't support Authorization Server Metadata (retrying with OpenID Connect Discovery): ", err);
+		resp = await fetch(url + "/.well-known/openid-configuration");
+		if (!resp.ok) {
+			throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+		}
+	}
+
+	let data = await resp.json();
+	if (!data.issuer) {
+		throw new Error("Missing issuer in response");
+	}
+	if (!data.authorization_endpoint) {
+		throw new Error("Missing authorization_endpoint in response");
+	}
+	if (!data.token_endpoint) {
+		throw new Error("Missing authorization_endpoint in response");
+	}
+	if (!data.response_types_supported.includes("code")) {
+		throw new Error("Server doesn't support authorization code response type");
+	}
+	return data;
+}
+
+export function redirectAuthorize({ serverMetadata, clientId, redirectUri, scope }) {
+	// TODO: move fragment to query string in redirect_uri
+	// TODO: use the state param to prevent cross-site request
+	// forgery
+	let params = {
+		response_type: "code",
+		client_id: clientId,
+		redirect_uri: redirectUri,
+	};
+	if (scope) {
+		params.scope = scope;
+	}
+	window.location.assign(serverMetadata.authorization_endpoint + "?" + formatQueryString(params));
+}
+
+function buildPostHeaders(clientId, clientSecret) {
+	let headers = {
+		"Content-Type": "application/x-www-form-urlencoded",
+		"Accept": "application/json",
+	};
+	if (clientSecret) {
+		headers["Authorization"] = "Basic " + btoa(encodeURIComponent(clientId) + ":" + encodeURIComponent(clientSecret));
+	}
+	return headers;
+}
+
+export async function exchangeCode({ serverMetadata, redirectUri, code, clientId, clientSecret }) {
+	let data = {
+		grant_type: "authorization_code",
+		code,
+		redirect_uri: redirectUri,
+	};
+	if (!clientSecret) {
+		data.client_id = clientId;
+	}
+
+	let resp = await fetch(serverMetadata.token_endpoint, {
+		method: "POST",
+		headers: buildPostHeaders(clientId, clientSecret),
+		body: formatQueryString(data),
+	});
+
+	if (!resp.ok) {
+		throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+	}
+	data = await resp.json();
+
+	if (data.error) {
+		throw new Error("Authentication failed: " + (data.error_description || data.error));
+	}
+
+	return data;
+}
+
+export async function introspectToken({ serverMetadata, token, clientId, clientSecret }) {
+	let resp = await fetch(serverMetadata.introspection_endpoint, {
+		method: "POST",
+		headers: buildPostHeaders(clientId, clientSecret),
+		body: formatQueryString({ token }),
+	});
+	if (!resp.ok) {
+		throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+	}
+	let data = await resp.json();
+	if (!data.active) {
+		throw new Error("Expired token");
+	}
+	return data;
+}