Documentation

Source

authenticators/oauth2-password-grant.ts

  1. import { makeArray } from '@ember/array';
  2. import { warn } from '@ember/debug';
  3. import { getOwner } from '@ember/application';
  4. import BaseAuthenticator from './base';
  5. import isFastBoot from '../utils/is-fastboot';
  6. import { waitFor } from '@ember/test-waiters';
  7. import { isTesting } from '@embroider/macros';
  8. import type { Timer } from '@ember/runloop';
  9. import { run, later, cancel } from '@ember/runloop';
  11. export type OAuthResponseSuccess = {
  12.   access_token: string;
  13.   token_type: string;
  14.   expires_in?: number;
  15.   expires_at?: number;
  16.   refresh_token?: string;
  17.   scope?: string;
  18. };
  20. export type OAuthPasswordRequestData = {
  21.   grant_type: string;
  22.   username: string;
  23.   password: string;
  24.   client_id?: string;
  25.   scope?: string;
  26. };
  28. export type OAuthInvalidateRequestData = {
  29.   token_type_hint: 'access_token' | 'refresh_token';
  30.   token: string;
  31.   client_id?: string;
  32.   scope?: string;
  33. };
  35. export type OAuthRefreshRequestData = {
  36.   grant_type: 'refresh_token';
  37.   refresh_token: string;
  38.   scope?: string;
  39.   client_id?: string;
  40. };
  42. export type MakeRequestData =
  43.   | OAuthPasswordRequestData
  44.   | OAuthInvalidateRequestData
  45.   | OAuthRefreshRequestData;
  47. export interface OAuth2Response extends Response {
  48.   /**
  49.    * @deprecated 'responseText' is deprecated. This is a legacy AJAX API.
  50.    */
  51.   responseText: string;
  52.   /**
  53.    * @deprecated 'responseJSON' is deprecated. This is a legacy AJAX API.
  54.    */
  55.   responseJSON: string;
  56. }
  58. /**
  59.   Authenticator that conforms to OAuth 2
  60.   ([RFC 6749](http://tools.ietf.org/html/rfc6749)), specifically the _"Resource
  61.   Owner Password Credentials Grant Type"_.
  63.   This authenticator also automatically refreshes access tokens (see
  64.   [RFC 6749, section 6](http://tools.ietf.org/html/rfc6749#section-6)) if the
  65.   server supports it.
  67.   @class OAuth2PasswordGrantAuthenticator
  68.   @extends BaseAuthenticator
  69.   @public
  70. */
  71. export default class OAuth2PasswordGrantAuthenticator extends BaseAuthenticator {
  72.   /**
  73.     Triggered when the authenticator refreshed the access token (see
  74.     [RFC 6749, section 6](http://tools.ietf.org/html/rfc6749#section-6)).
  76.     @memberof OAuth2PasswordGrantAuthenticator
  77.     @event sessionDataUpdated
  78.     @param {Object} data The updated session data
  79.     @public
  80.   */
  82.   /**
  83.     The client_id to be sent to the authentication server (see
  84.     https://tools.ietf.org/html/rfc6749#appendix-A.1).
  86.     This should only be
  87.     used for statistics or logging etc. as it cannot actually be trusted since
  88.     it could have been manipulated on the client!
  90.     @memberof OAuth2PasswordGrantAuthenticator
  91.     @property clientId
  92.     @type String
  93.     @default null
  94.     @public
  95.   */
  96.   clientId: string | null = null;
  98.   /**
  99.     The endpoint on the server that authentication and token refresh requests
  100.     are sent to.
  102.     @memberof OAuth2PasswordGrantAuthenticator
  103.     @property serverTokenEndpoint
  104.     @type String
  105.     @default '/token'
  106.     @public
  107.   */
  108.   serverTokenEndpoint: string = '/token';
  110.   /**
  111.     The endpoint on the server that token revocation requests are sent to. Only
  112.     set this if the server actually supports token revocation. If this is
  113.     `null`, the authenticator will not revoke tokens on session invalidation.
  115.     If token revocation is enabled but fails, session invalidation will be
  116.     intercepted and the session will remain authenticated (see
  117.     {@linkplain OAuth2PasswordGrantAuthenticator.invalidate}.
  119.     @memberof OAuth2PasswordGrantAuthenticator
  120.     @property serverTokenRevocationEndpoint
  121.     @type String
  122.     @default null
  123.     @public
  124.   */
  125.   serverTokenRevocationEndpoint: string | null = null;
  127.   /**
  128.     Sets whether the authenticator automatically refreshes access tokens if the
  129.     server supports it.
  131.     @memberof OAuth2PasswordGrantAuthenticator
  132.     @property refreshAccessTokens
  133.     @type Boolean
  134.     @default true
  135.     @public
  136.   */
  137.   refreshAccessTokens = true;
  139.   /**
  140.     Sets whether the authenticator use the scope when refreshing access tokens
  141.     if the server supports it.
  143.     @memberof OAuth2PasswordGrantAuthenticator
  144.     @property refreshAccessTokensWithScope
  145.     @type Boolean
  146.     @default false
  147.     @public
  148.   */
  149.   refreshAccessTokensWithScope = false;
  151.   /**
  152.     The offset time in milliseconds to refresh the access token. This must
  153.     return a random number. This randomization is needed because in case of
  154.     multiple tabs, we need to prevent the tabs from sending refresh token
  155.     request at the same exact moment.
  157.     When overriding this property, make sure to mark the overridden property
  158.     as volatile so it will actually have a different value each time it is
  159.     accessed.
  161.     @memberof OAuth2PasswordGrantAuthenticator
  162.     @property tokenRefreshOffset
  163.     @type Integer
  164.     @default a random number between 5 and 10
  165.     @public
  166.   */
  167.   get tokenRefreshOffset() {
  168.     const min = 5;
  169.     const max = 10;
  171.     return (Math.floor(Math.random() * (max - min)) + min) * 1000;
  172.   }
  174.   _refreshTokenTimeout: Timer | undefined = undefined;
  176.   /**
  177.     Restores the session from a session data object; __will return a resolving
  178.     promise when there is a non-empty `access_token` in the session data__ and
  179.     a rejecting promise otherwise.
  180.     If the server issues
  181.     [expiring access tokens](https://tools.ietf.org/html/rfc6749#section-5.1)
  182.     and there is an expired access token in the session data along with a
  183.     refresh token, the authenticator will try to refresh the access token and
  184.     return a promise that resolves with the new access token if the refresh was
  185.     successful. If there is no refresh token or the token refresh is not
  186.     successful, a rejecting promise will be returned.
  188.     @memberof OAuth2PasswordGrantAuthenticator
  189.     @method restore
  190.     @param {Object} data The data to restore the session from
  191.     @return {Promise} A promise that when it resolves results in the session becoming or remaining authenticated. If restoration fails, the promise will reject with the server response (in case the access token had expired and was refreshed using a refresh token); however, the authenticator reads that response already so if you need to read it again you need to clone the response object first
  192.     @public
  193.   */
  194.   restore(data: OAuthResponseSuccess) {
  195.     return new Promise((resolve, reject) => {
  196.       const now = new Date().getTime();
  197.       const refreshAccessTokens = this.get('refreshAccessTokens');
  198.       if (data['expires_at'] && data['expires_at'] < now) {
  199.         if (refreshAccessTokens) {
  200.           this._refreshAccessToken(
  201.             data['expires_in'],
  202.             data['refresh_token'] as string,
  203.             data['scope']
  204.           ).then(resolve, reject);
  205.         } else {
  206.           reject();
  207.         }
  208.       } else {
  209.         if (!this._validate(data)) {
  210.           reject();
  211.         } else {
  212.           this._scheduleAccessTokenRefresh(
  213.             data['expires_in'],
  214.             data['expires_at'],
  215.             data['refresh_token']
  216.           );
  217.           resolve(data);
  218.         }
  219.       }
  220.     });
  221.   }
  223.   /**
  224.     Authenticates the session with the specified `identification`, `password`
  225.     and optional `scope`; issues a `POST` request to the
  226.     {@linkplain OAuth2PasswordGrantAuthenticator.serverTokenEndpoint}
  227.     and receives the access token in response (see
  228.     {@link https://tools.ietf.org/html/rfc6749#section-4.3}).
  230.     If the credentials are valid (and the optionally requested scope is
  231.     granted) and thus authentication succeeds, a promise that resolves with the
  232.     server's response is returned, otherwise a promise that rejects with the
  233.     error as returned by the server is returned.
  235.     If the
  236.     [server supports it]{@link https://tools.ietf.org/html/rfc6749#section-5.1}, this
  237.     method also schedules refresh requests for the access token before it
  238.     expires.
  240.     The server responses are expected to look as defined in the spec (see
  241.     http://tools.ietf.org/html/rfc6749#section-5). The response to a successful
  242.     authentication request should be:
  244.     ```json
  245.     HTTP/1.1 200 OK
  246.     Content-Type: application/json;charset=UTF-8
  248.     {
  249.       "access_token":"2YotnFZFEjr1zCsicMWpAA",
  250.       "token_type":"bearer",
  251.       "expires_in":3600, // optional
  252.       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" // optional
  253.     }
  254.     ```
  256.     The response for a failing authentication request should be:
  258.     ```json
  259.     HTTP/1.1 400 Bad Request
  260.     Content-Type: application/json;charset=UTF-8
  262.     {
  263.       "error":"invalid_grant"
  264.     }
  265.     ```
  267.     A full list of error codes can be found
  268.     [here](https://tools.ietf.org/html/rfc6749#section-5.2).
  270.     @memberof OAuth2PasswordGrantAuthenticator
  271.     @method authenticate
  272.     @param {String} identification The resource owner username
  273.     @param {String} password The resource owner password
  274.     @param {String|Array} scope The scope of the access request (see [RFC 6749, section 3.3](http://tools.ietf.org/html/rfc6749#section-3.3))
  275.     @param {Object} headers Optional headers that particular backends may require (for example sending 2FA challenge responses)
  276.     @return {Promise} A promise that when it resolves results in the session becoming authenticated. If authentication fails, the promise will reject with the server response; however, the authenticator reads that response already so if you need to read it again you need to clone the response object first
  277.     @public
  278.   */
  279.   authenticate(identification: string, password: string, scope = [], headers = {}) {
  280.     return new Promise((resolve, reject) => {
  281.       const data: OAuthPasswordRequestData = {
  282.         grant_type: 'password',
  283.         username: identification,
  284.         password,
  285.       };
  286.       const serverTokenEndpoint = this.get('serverTokenEndpoint');
  288.       const scopesString = makeArray(scope).join(' ');
  289.       if (scopesString.trim().length > 0) {
  290.         data.scope = scopesString;
  291.       }
  292.       this.makeRequest(serverTokenEndpoint, data, headers).then(
  293.         response => {
  294.           run(() => {
  295.             if (!this._validate(response)) {
  296.               reject('access_token is missing in server response');
  297.             }
  299.             const expiresAt = this._absolutizeExpirationTime(response['expires_in']);
  300.             this._scheduleAccessTokenRefresh(
  301.               response['expires_in'],
  302.               expiresAt,
  303.               response['refresh_token']
  304.             );
  305.             if (expiresAt) {
  306.               response = Object.assign(response, { expires_at: expiresAt });
  307.             }
  309.             resolve(response);
  310.           });
  311.         },
  312.         response => {
  313.           run(null, reject, response);
  314.         }
  315.       );
  316.     });
  317.   }
  319.   /**
  320.     If token revocation is enabled, this will revoke the access token (and the
  321.     refresh token if present). If token revocation succeeds, this method
  322.     returns a resolving promise, otherwise it will return a rejecting promise,
  323.     thus intercepting session invalidation.
  325.     If token revocation is not enabled this method simply returns a resolving
  326.     promise.
  328.     @memberof OAuth2PasswordGrantAuthenticator
  329.     @method invalidate
  330.     @param {Object} data The current authenticated session data
  331.     @return {Promise} A promise that when it resolves results in the session being invalidated. If invalidation fails, the promise will reject with the server response (in case token revocation is used); however, the authenticator reads that response already so if you need to read it again you need to clone the response object first
  332.     @public
  333.   */
  334.   invalidate(data: OAuthResponseSuccess) {
  335.     const serverTokenRevocationEndpoint = this.get('serverTokenRevocationEndpoint');
  336.     const success = (resolve: (value?: unknown) => void) => {
  337.       cancel(this._refreshTokenTimeout);
  338.       delete this._refreshTokenTimeout;
  339.       resolve();
  340.     };
  341.     return new Promise(resolve => {
  342.       if (!serverTokenRevocationEndpoint) {
  343.         success(resolve);
  344.       } else {
  345.         const requests: Promise<OAuthResponseSuccess>[] = [];
  346.         (['access_token', 'refresh_token'] as const).forEach(tokenType => {
  347.           const token = data[tokenType];
  348.           if (token) {
  349.             requests.push(
  350.               this.makeRequest(serverTokenRevocationEndpoint, {
  351.                 token_type_hint: tokenType,
  352.                 token,
  353.               })
  354.             );
  355.           }
  356.         });
  357.         const succeed = () => {
  358.           success.apply(this, [resolve]);
  359.         };
  360.         Promise.all(requests).then(succeed, succeed);
  361.       }
  362.     });
  363.   }
  365.   /**
  366.     Makes a request to the OAuth 2.0 server.
  368.     @memberof OAuth2PasswordGrantAuthenticator
  369.     @method makeRequest
  370.     @param {String} url The request URL
  371.     @param {Object} data The request data
  372.     @param {Object} headers Additional headers to send in request
  373.     @return {Promise} A promise that resolves with the response object
  374.     @protected
  375.   */
  376.   @waitFor
  377.   makeRequest(
  378.     url: string,
  379.     data: MakeRequestData,
  380.     headers: Record<string, string> = {}
  381.   ): Promise<OAuthResponseSuccess> {
  382.     headers['Content-Type'] = 'application/x-www-form-urlencoded';
  384.     const clientId = this.get('clientId');
  385.     if (clientId) {
  386.       data.client_id = clientId;
  387.     }
  389.     const body = Object.keys(data)
  390.       .map(key => {
  391.         const value = data[key as keyof MakeRequestData];
  393.         if (value) {
  394.           return `${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
  395.         } else {
  396.           return null;
  397.         }
  398.       })
  399.       .filter(Boolean)
  400.       .join('&');
  402.     const options = {
  403.       body,
  404.       headers,
  405.       method: 'POST',
  406.     };
  408.     return new Promise((resolve, reject) => {
  409.       fetch(url, options)
  410.         .then(response => {
  411.           response.text().then(text => {
  412.             try {
  413.               let json = JSON.parse(text);
  414.               if (!response.ok) {
  415.                 (response as OAuth2Response).responseJSON = json;
  416.                 reject(response);
  417.               } else {
  418.                 resolve(json);
  419.               }
  420.             } catch (SyntaxError) {
  421.               (response as OAuth2Response).responseText = text;
  422.               reject(response);
  423.             }
  424.           });
  425.         })
  426.         .catch(reject);
  427.     });
  428.   }
  430.   _scheduleAccessTokenRefresh(
  431.     expiresIn: number | undefined,
  432.     expiresAt: number | null | undefined,
  433.     refreshToken: string | undefined
  434.   ) {
  435.     const refreshAccessTokens = this.get('refreshAccessTokens') && !isFastBoot(getOwner(this));
  436.     if (refreshAccessTokens) {
  437.       const now = new Date().getTime();
  438.       if (!expiresAt && expiresIn) {
  439.         expiresAt = new Date(now + expiresIn * 1000).getTime();
  440.       }
  441.       const offset = this.get('tokenRefreshOffset');
  442.       if (refreshToken && expiresAt && expiresAt > now - offset) {
  443.         cancel(this._refreshTokenTimeout);
  444.         delete this._refreshTokenTimeout;
  445.         if (!isTesting()) {
  446.           this._refreshTokenTimeout = later(
  447.             () => {
  448.               this._refreshAccessToken(expiresIn, refreshToken);
  449.             },
  450.             (expiresAt as number) - now - offset
  451.           );
  452.         }
  453.       }
  454.     }
  455.   }
  457.   _refreshAccessToken(expiresIn: number | undefined, refreshToken: string, scope?: string) {
  458.     const data: OAuthRefreshRequestData = {
  459.       grant_type: 'refresh_token',
  460.       refresh_token: refreshToken,
  461.       scope: '',
  462.     };
  463.     const refreshAccessTokensWithScope = this.get('refreshAccessTokensWithScope');
  464.     if (refreshAccessTokensWithScope && scope) {
  465.       data.scope = scope;
  466.     }
  468.     const serverTokenEndpoint = this.get('serverTokenEndpoint');
  469.     return new Promise((resolve, reject) => {
  470.       this.makeRequest(serverTokenEndpoint, data).then(
  471.         response => {
  472.           run(() => {
  473.             expiresIn = response['expires_in'] || expiresIn;
  474.             refreshToken = response['refresh_token'] || refreshToken;
  475.             scope = response['scope'] || scope;
  476.             const expiresAt = this._absolutizeExpirationTime(expiresIn);
  477.             const data = Object.assign(response, {
  478.               expires_in: expiresIn,
  479.               expires_at: expiresAt,
  480.               refresh_token: refreshToken,
  481.             });
  482.             if (refreshAccessTokensWithScope && scope) {
  483.               data.scope = scope;
  484.             }
  485.             this._scheduleAccessTokenRefresh(expiresIn, null, refreshToken);
  486.             this.trigger('sessionDataUpdated', data);
  487.             resolve(data);
  488.           });
  489.         },
  490.         response => {
  491.           warn(
  492.             `Access token could not be refreshed - server responded with ${response.responseJSON}.`,
  493.             false,
  494.             { id: 'ember-simple-auth.failedOAuth2TokenRefresh' }
  495.           );
  496.           reject();
  497.         }
  498.       );
  499.     });
  500.   }
  502.   _absolutizeExpirationTime(expiresIn: number | undefined) {
  503.     if (expiresIn) {
  504.       return new Date(new Date().getTime() + expiresIn * 1000).getTime();
  505.     }
  506.   }
  508.   _validate(data: OAuthResponseSuccess) {
  509.     return Boolean(data['access_token']);
  510.   }
  511. }