WIP exchange credential for profile
This commit is contained in:
		
							parent
							
								
									8397b8a38c
								
							
						
					
					
						commit
						81b213ec4b
					
				
							
								
								
									
										182
									
								
								accounts.js
									
									
									
									
									
								
							
							
						
						
									
										182
									
								
								accounts.js
									
									
									
									
									
								
							| @ -62,18 +62,20 @@ function validateOtp(codeStore, codeId, token) { | ||||
| } | ||||
| 
 | ||||
| function getOrCreate(store, username) { | ||||
|   return store.IssuerOauth3OrgAccounts.get(username).then(function (account) { | ||||
|     if (account) { | ||||
|       return account; | ||||
|   // account => profile
 | ||||
|   return store.IssuerOauth3OrgAccounts.get(username).then(function (profile) { | ||||
|     if (profile) { | ||||
|       return profile; | ||||
|     } | ||||
| 
 | ||||
|     account = { | ||||
|     // TODO profile should be ecdsa256 pub/privkeypair
 | ||||
|     profile = { | ||||
|       username:  username, | ||||
|       accountId: makeB64UrlSafe(crypto.randomBytes(32).toString('base64')), | ||||
|     }; | ||||
|     return store.IssuerOauth3OrgAccounts.create(username, account).then(function () { | ||||
|     return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () { | ||||
|       // TODO: put sort sort of email notification to the server managers?
 | ||||
|       return account; | ||||
|       return profile; | ||||
|     }); | ||||
|   }); | ||||
| } | ||||
| @ -168,12 +170,13 @@ function createOtp(store, params) { | ||||
|   }); | ||||
| } | ||||
| 
 | ||||
| function create(app) { | ||||
| function create(deps, app) { | ||||
|   var restful = {}; | ||||
| 
 | ||||
|   restful.sendOtp = function (req, res) { | ||||
|     var params = req.body; | ||||
|     var promise = req.getSiteStore().then(function (store) { | ||||
|       store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts; | ||||
|       return createOtp(store, params).then(function (code) { | ||||
|         var emailParams = { | ||||
|           to:      params.username, | ||||
| @ -202,8 +205,13 @@ function create(app) { | ||||
|     app.handlePromise(req, res, promise, '[issuer@oauth3.org] send one-time-password'); | ||||
|   }; | ||||
| 
 | ||||
|   // This should exchange:
 | ||||
|   //    * 3rd party PPIDs for 1st Party Profile
 | ||||
|   //    * Opaque Tokens for PPID Tokens
 | ||||
|   restful.exchangeToken = function (req, res) { | ||||
|     var OAUTH3 = require('./oauth3.js'); | ||||
|     var store = req.Models; | ||||
| 
 | ||||
|     console.log('[exchangeToken] req.oauth3:'); | ||||
|     console.log(req.oauth3); // req.oauth3.encodedToken
 | ||||
| 
 | ||||
| @ -218,47 +226,133 @@ function create(app) { | ||||
|         credentialId: decoded.payload.sub + '@' + decoded.payload.iss | ||||
|       //, sub: decoded.payload.sub
 | ||||
|       //, iss: decoded.payload.iss
 | ||||
|       }).then(function (results) { | ||||
|       }).then(function (joins) { | ||||
|         console.log('[exchangeToken] credentials profiles:'); | ||||
|         console.log(results); | ||||
|         console.log(joins); | ||||
| 
 | ||||
|         if (!results) { | ||||
|           return { tokens: [] }; | ||||
|         function getToken(token) { | ||||
|           var tokenInfo = { | ||||
|             iat: Math.round(Date.now() / 1000) | ||||
|           , sub: token.sub | ||||
|           , iss: token.iss | ||||
|           , azp: token.iss | ||||
|           , aud: token.iss | ||||
|           }; | ||||
|           return restful.createToken._helper(req, res, tokenInfo); | ||||
|         } | ||||
| 
 | ||||
|         results = results.filter(function (el) { | ||||
|         function createProfile(credential, profile) { | ||||
|           var bs58 = require('bs58'); | ||||
|           var EC = require('elliptic').ec; | ||||
|           var ec = new EC('secp256k1'); | ||||
|           // TODO should be able to generate a private key without a library
 | ||||
|           // https://crypto.stackexchange.com/a/30273/53868
 | ||||
|           var key = ec.genKeyPair(); | ||||
|           //var ec = new EC('curve25519');
 | ||||
|           var pub = bs58.encode(Buffer.from(key.derive(key.getPublic()).toString('hex'), 'hex')); | ||||
|           var priv = bs58.encode(Buffer.from(key.priv.toString('hex'), 'hex')); | ||||
|           var parts = []; | ||||
| 
 | ||||
|           if (!credential.sub) { | ||||
|             return deps.Promise.reject(new Error("missing 'sub' from credential")); | ||||
|           } | ||||
| 
 | ||||
|           if (credential.sub !== profile.sub || credential.iss !== profile.iss) { | ||||
|             return deps.Promise.reject(new Error("credential 'sub' and 'iss' do not match information in profile")); | ||||
|           } | ||||
| 
 | ||||
|           parts.push(pub); | ||||
|           if (req.experienceId) { | ||||
|             parts.push(req.experienceId); | ||||
|           } | ||||
| 
 | ||||
|           var username = parts.join('@'); | ||||
|           var profile = { | ||||
|             accountId: pub // profile.sub
 | ||||
|           , sub: pub // profile.sub
 | ||||
|           , iss: req.experienceId | ||||
|           , prv: priv | ||||
|           , typ: 'oauth3' | ||||
|           }; | ||||
| 
 | ||||
|           function getId(token) { | ||||
|             var id = token.sub; | ||||
|             if (token.iss) { | ||||
|               id += '@' + token.iss; | ||||
|             } | ||||
|             return id || token.accountId; | ||||
|           } | ||||
| 
 | ||||
|           console.log('[debug] username, credential, profile:'); | ||||
|           console.log(username); | ||||
|           console.log(credential); | ||||
|           console.log(profile); | ||||
| 
 | ||||
|           return deps.Promise.reject(new Error("blah blah grrr grrr")); | ||||
| 
 | ||||
|           return store.IssuerOauth3OrgAccounts.create(username, profile).then(function () { | ||||
|             var id = crypto.randomBytes(16).toString('hex'); | ||||
|             return store.IssuerOauth3OrgCredentialsProfiles.create(id, { | ||||
|               credentialId: getId(credential) | ||||
|             , profileId: getId(profile) | ||||
|             }).then(function () { | ||||
|               // TODO: put sort sort of email notification to the server managers?
 | ||||
|               return getToken(profile).then(function (token) { | ||||
|                 return { | ||||
|                   tokens: [ token ] | ||||
|                 //, error: { code: "E_NO_IMPL", message: "not implemented [177]" }
 | ||||
|                 }; | ||||
|               }); | ||||
|             }); | ||||
|           }); | ||||
|         } | ||||
| 
 | ||||
|         function getProfile() { | ||||
|           var query = { username: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') }; | ||||
|           //var query = { accountId: 'IN ' + joins.map(function (el) { return el.profileId }).join(',') };
 | ||||
|           //var query = { accountId: joins.map(function (el) { return el.profileId })[0] };
 | ||||
|           console.log('[DEBUG] query profiles:'); | ||||
|           console.log(query); | ||||
|           return req.Models.IssuerOauth3OrgAccounts.find(query).then(function (profiles) { | ||||
|             console.log('[DEBUG] Profiles:'); | ||||
|             console.log(profiles); | ||||
| 
 | ||||
|             profiles = (profiles||[]).filter(function (el) { | ||||
|               return !el.revokedAt && !el.deletedAt; | ||||
|             }); | ||||
| 
 | ||||
|             if (!profiles.length) { | ||||
|               return { tokens: [] }; | ||||
|             } | ||||
| 
 | ||||
|             return deps.Promise.all(profiles.map(function (profile) { | ||||
|               return getToken(profile); | ||||
|             })).then(function (tokens) { | ||||
|               return { | ||||
|                 tokens: tokens | ||||
|               //, error: { code: "E_NO_IMPL", message: "not implemented [172]" }
 | ||||
|               }; | ||||
|             }); | ||||
|           }); | ||||
|         } | ||||
| 
 | ||||
|         joins = (joins||[]).filter(function (el) { | ||||
|           return !el.revokedAt && !el.deletedAt; | ||||
|         }); | ||||
| 
 | ||||
|         if (!results.length) { | ||||
|           return { tokens: [] }; | ||||
|         if (joins.length) { | ||||
|           console.log('[DEBUG] CredentialsProfiles:'); | ||||
|           console.log(joins); | ||||
|           return getProfile(); | ||||
|         } | ||||
| 
 | ||||
|         return req.Models.IssuerOauth3OrgAccounts.find({ | ||||
|           accountId: 'IN ' + results.map(function (el) { return el.credentialId }).join(',') | ||||
|         }).then(function (profiles) { | ||||
|           if (!results) { | ||||
|             return { tokens: [] }; | ||||
|           } | ||||
| 
 | ||||
|           profiles = profiles.filter(function (el) { | ||||
|             return !el.revokedAt && !el.deletedAt; | ||||
|           }); | ||||
| 
 | ||||
|           if (!results.length) { | ||||
|             return { tokens: [] }; | ||||
|           } | ||||
| 
 | ||||
|           return req.deps.Promise.all(profiles.map(function (profile) { | ||||
|             var tokenInfo = { sub: profile.sub, iss: profile.iss, azp: profile.iss, aud: profile.iss }; | ||||
|             return restful.createToken._helper(req, res, tokenInfo); | ||||
|           })).then(function (tokens) { | ||||
|             return { | ||||
|               error: { code: "E_NO_IMPL", message: "not implemented [172]" } | ||||
|             , tokens: tokens | ||||
|             }; | ||||
|           }); | ||||
|         }); | ||||
|         if (!req.body || !req.body.create) { | ||||
|           console.log('[DEBUG] will not create'); | ||||
|           return { tokens: [] }; | ||||
|         } else { | ||||
|           console.log('[DEBUG] will create profile'); | ||||
|           return createProfile(req.oauth3.token, req.body); | ||||
|         } | ||||
|       }); | ||||
|     }); | ||||
| 
 | ||||
| @ -269,6 +363,7 @@ function create(app) { | ||||
|     var store; | ||||
|     var promise = req.getSiteStore().then(function (_store) { | ||||
|       store = _store; | ||||
|       store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts; | ||||
|       if (!req.body || !req.body.grant_type) { | ||||
|         throw new OpErr("missing 'grant_type' from the body"); | ||||
|       } | ||||
| @ -294,7 +389,7 @@ function create(app) { | ||||
|     app.handlePromise(req, res, promise, '[issuer@oauth3.org] create tokens'); | ||||
|   }; | ||||
|   restful.createToken._helper = function (req, res, token_info) { | ||||
|     return req.deps.Promise.resolve().then(function () { | ||||
|     return deps.Promise.resolve().then(function () { | ||||
|       token_info.iss = req.experienceId; | ||||
|       if (!token_info.aud) { | ||||
|         throw new OpErr("missing required token field 'aud'"); | ||||
| @ -318,7 +413,7 @@ function create(app) { | ||||
|         } | ||||
|       }); | ||||
| 
 | ||||
|       return store.IssuerOauth3OrgGrants.find(search).then(function (grants) { | ||||
|       return req.Models.IssuerOauth3OrgGrants.find(search).then(function (grants) { | ||||
|         if (!grants.length) { | ||||
|           throw new OpErr("'"+token_info.azp+"' not given any grants from '"+(token_info.sub || token_info.azpSub)+"'"); | ||||
|         } | ||||
| @ -332,7 +427,7 @@ function create(app) { | ||||
|         return token_info; | ||||
|       }); | ||||
|     }).then(function (token_info) { | ||||
|       return getPrivKey(store, req.experienceId).then(function (jwk) { | ||||
|       return getPrivKey(req.Models, req.experienceId).then(function (jwk) { | ||||
|         var pem = require('jwk-to-pem')(jwk, { private: true }); | ||||
|         var payload =  { | ||||
|           // standard
 | ||||
| @ -391,6 +486,7 @@ function create(app) { | ||||
|     var codeId = crypto.createHash('sha256').update(params.username_type+':'+params.username).digest('base64'); | ||||
|     codeId = makeB64UrlSafe(codeId); | ||||
|     return req.getSiteStore().then(function (store) { | ||||
|       store.IssuerOauth3OrgProfiles = store.IssuerOauth3OrgProfiles || store.IssuerOauth3OrgAccounts; | ||||
|       return validateOtp(store.IssuerOauth3OrgCodes, codeId, params.password) | ||||
|       .then(function () { | ||||
|         return getOrCreate(store, params.username); | ||||
| @ -406,7 +502,7 @@ function create(app) { | ||||
|           console.log(contactClaim); | ||||
|           return req.Models.IssuerOauth3OrgContactNodes.upsert(contactClaim).then(function () { | ||||
|             return { | ||||
|               sub: account.accountId, | ||||
|               sub: account.sub || account.accountId, | ||||
|               aud: req.params.aud || req.body.aud || req.experienceId, | ||||
|               azp: req.params.azp || req.body.azp || req.body.client_id || req.body.client_uri || req.experienceId, | ||||
|             }; | ||||
|  | ||||
| @ -29,7 +29,8 @@ module.exports = [ | ||||
|   { // TODO rename to profiles
 | ||||
|     tablename: apiname + '_accounts', | ||||
|     idname: 'username', | ||||
|     indices: baseFields.concat([ 'accountId' ]), | ||||
|     // make sub an ecdsa256 key
 | ||||
|     indices: baseFields.concat([ 'accountId', 'sub', 'iss', 'typ', 'privateKey' ]), // comment, recoveryNode
 | ||||
|   }, | ||||
|   { | ||||
|     tablename: apiname + '_contact_nodes', | ||||
|  | ||||
| @ -12,6 +12,7 @@ | ||||
|   }, | ||||
|   "dependencies": { | ||||
|     "bluebird": "^3.5.0", | ||||
|     "bs58": "^4.0.1", | ||||
|     "elliptic": "^6.4.0", | ||||
|     "jsonwebtoken": "^7.4.1", | ||||
|     "jwk-to-pem": "^1.2.6", | ||||
|  | ||||
							
								
								
									
										2
									
								
								rest.js
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								rest.js
									
									
									
									
									
								
							| @ -3,7 +3,7 @@ | ||||
| module.exports.create = function (bigconf, deps, app) { | ||||
|   var Jwks = require('./jwks').create(app); | ||||
|   var Grants = require('./grants').create(app); | ||||
|   var Accounts = require('./accounts').create(app); | ||||
|   var Accounts = require('./accounts').create(deps, app); | ||||
| 
 | ||||
|   // This tablename is based on the tablename found in the objects in model.js.
 | ||||
|   // Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user