summaryrefslogtreecommitdiffstats
path: root/.sandstorm-meteor-1.8/oidc_server.js
blob: 91b0e8a4a0633c16e06266fa6c8daf48e59020d9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
Oidc = {};

OAuth.registerService('oidc', 2, null, function(query) {
  var debug = process.env.DEBUG || false;
  var token = getToken(query);
  if (debug) console.log('XXX: register token:', token);

  var accessToken = token.access_token || token.id_token;
  var expiresAt = +new Date() + 1000 * parseInt(token.expires_in, 10);

  var userinfo = getUserInfo(accessToken);
  if (debug) console.log('XXX: userinfo:', userinfo);

  var serviceData = {};
  serviceData.id = userinfo[process.env.OAUTH2_ID_MAP]; // || userinfo["id"];
  serviceData.username = userinfo[process.env.OAUTH2_USERNAME_MAP]; // || userinfo["uid"];
  serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
  serviceData.accessToken = accessToken;
  serviceData.expiresAt = expiresAt;
  serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];

  if (accessToken) {
    var tokenContent = getTokenContent(accessToken);
    var fields = _.pick(
      tokenContent,
      getConfiguration().idTokenWhitelistFields,
    );
    _.extend(serviceData, fields);
  }

  if (token.refresh_token) serviceData.refreshToken = token.refresh_token;
  if (debug) console.log('XXX: serviceData:', serviceData);

  var profile = {};
  profile.name = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
  profile.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
  if (debug) console.log('XXX: profile:', profile);

  return {
    serviceData: serviceData,
    options: { profile: profile },
  };
});

var userAgent = 'Meteor';
if (Meteor.release) {
  userAgent += '/' + Meteor.release;
}

var getToken = function(query) {
  var debug = process.env.DEBUG || false;
  var config = getConfiguration();
  if (config.tokenEndpoint.includes('https://')) {
    var serverTokenEndpoint = config.tokenEndpoint;
  } else {
    var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
  }
  var requestPermissions = config.requestPermissions;
  var response;

  try {
    response = HTTP.post(serverTokenEndpoint, {
      headers: {
        Accept: 'application/json',
        'User-Agent': userAgent,
      },
      params: {
        code: query.code,
        client_id: config.clientId,
        client_secret: OAuth.openSecret(config.secret),
        redirect_uri: OAuth._redirectUri('oidc', config),
        grant_type: 'authorization_code',
        scope: requestPermissions,
        state: query.state,
      },
    });
  } catch (err) {
    throw _.extend(
      new Error(
        'Failed to get token from OIDC ' +
          serverTokenEndpoint +
          ': ' +
          err.message,
      ),
      { response: err.response },
    );
  }
  if (response.data.error) {
    // if the http response was a json object with an error attribute
    throw new Error(
      'Failed to complete handshake with OIDC ' +
        serverTokenEndpoint +
        ': ' +
        response.data.error,
    );
  } else {
    if (debug) console.log('XXX: getToken response: ', response.data);
    return response.data;
  }
};

var getUserInfo = function(accessToken) {
  var debug = process.env.DEBUG || false;
  var config = getConfiguration();
  // Some userinfo endpoints use a different base URL than the authorization or token endpoints.
  // This logic allows the end user to override the setting by providing the full URL to userinfo in their config.
  if (config.userinfoEndpoint.includes('https://')) {
    var serverUserinfoEndpoint = config.userinfoEndpoint;
  } else {
    var serverUserinfoEndpoint = config.serverUrl + config.userinfoEndpoint;
  }
  var response;
  try {
    response = HTTP.get(serverUserinfoEndpoint, {
      headers: {
        'User-Agent': userAgent,
        Authorization: 'Bearer ' + accessToken,
      },
    });
  } catch (err) {
    throw _.extend(
      new Error(
        'Failed to fetch userinfo from OIDC ' +
          serverUserinfoEndpoint +
          ': ' +
          err.message,
      ),
      { response: err.response },
    );
  }
  if (debug) console.log('XXX: getUserInfo response: ', response.data);
  return response.data;
};

var getConfiguration = function() {
  var config = ServiceConfiguration.configurations.findOne({ service: 'oidc' });
  if (!config) {
    throw new ServiceConfiguration.ConfigError('Service oidc not configured.');
  }
  return config;
};

var getTokenContent = function(token) {
  var content = null;
  if (token) {
    try {
      var parts = token.split('.');
      var header = JSON.parse(new Buffer(parts[0], 'base64').toString());
      content = JSON.parse(new Buffer(parts[1], 'base64').toString());
      var signature = new Buffer(parts[2], 'base64');
      var signed = parts[0] + '.' + parts[1];
    } catch (err) {
      this.content = {
        exp: 0,
      };
    }
  }
  return content;
};

Oidc.retrieveCredential = function(credentialToken, credentialSecret) {
  return OAuth.retrieveCredential(credentialToken, credentialSecret);
};