MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refresh the OAuth tokens automatically when making rest calls. Fix to remove the password from the api token authentication.

This commit is contained in:
Dean 2022-07-03 21:13:15 +01:00
parent 9972ec403d
commit 1e6845d5cb
10 changed files with 233 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
packages/backend-core/src/auth.js
View File

@ -37,53 +37,118 @@ passport.deserializeUser(async (user, done) => {
}
})
//requestAccessStrategy
//refreshOAuthAccessToken
//configId for google and OIDC??
async function reUpToken(refreshToken, configId) {
const db = getGlobalDB()
console.log(refreshToken, configId)
const config = await getScopedConfig(db, {
type: Configs.OIDC,
group: {}, //ctx.query.group, this was an empty object when authentication initially
})
const chosenConfig = config.configs[0] //.filter((c) => c.uuid === configId)[0]
let callbackUrl = await oidc.oidcCallbackUrl(db, chosenConfig)
//Remote Config
const enrichedConfig = await oidc.fetchOIDCStrategyConfig(
chosenConfig,
callbackUrl
)
const strategy = await oidc.strategyFactory(enrichedConfig, () => {
console.log("saveFn RETURN ARGS", JSON.stringify(arguments))
})
async function refreshOIDCAccessToken(db, chosenConfig, refreshToken) {
const callbackUrl = await oidc.getCallbackUrl(db, chosenConfig)
let enrichedConfig
let strategy
try {
enrichedConfig = await oidc.fetchStrategyConfig(chosenConfig, callbackUrl)
if (!enrichedConfig) {
throw new Error("OIDC Config contents invalid")
}
strategy = await oidc.strategyFactory(enrichedConfig)
} catch (err) {
console.error(err)
throw new Error("Could not refresh OAuth Token")
}
refresh.use(strategy, {
setRefreshOAuth2() {
return strategy._getOAuth2Client(enrichedConfig)
},
})
console.log("Testing")
// By default, the strat calls itself "openidconnect"
return new Promise(resolve => {
refresh.requestNewAccessToken(
Configs.OIDC,
refreshToken,
(err, accessToken, refreshToken, params) => {
resolve({ err, accessToken, refreshToken, params })
}
)
})
}
// refresh.requestNewAccessToken(
// 'openidconnect',
// refToken,
// (err, accessToken, refreshToken) => {
// console.log("REAUTH CB", err, accessToken, refreshToken);
// })
async function refreshGoogleAccessToken(db, config, refreshToken) {
let callbackUrl = await google.getCallbackUrl(db, config)
const googleConfig = await google.fetchStrategyConfig(config)
let strategy
try {
strategy = await google.strategyFactory(googleConfig, callbackUrl)
} catch (err) {
console.error(err)
throw new Error("Error constructing OIDC refresh strategy", err)
}
console.log("end")
refresh.use(strategy)
return new Promise(resolve => {
refresh.requestNewAccessToken(
Configs.GOOGLE,
refreshToken,
(err, accessToken, refreshToken, params) => {
resolve({ err, accessToken, refreshToken, params })
}
)
})
}
async function refreshOAuthToken(refreshToken, configType, configId) {
const db = getGlobalDB()
const config = await getScopedConfig(db, {
type: configType,
group: {},
})
let chosenConfig = {}
let refreshResponse
if (configType === Configs.OIDC) {
// configId - retrieved from cookie.
chosenConfig = config.configs.filter(c => c.uuid === configId)[0]
if (!chosenConfig) {
throw new Error("Invalid OIDC configuration")
}
refreshResponse = await refreshOIDCAccessToken(
db,
chosenConfig,
refreshToken
)
} else {
chosenConfig = config
refreshResponse = await refreshGoogleAccessToken(
db,
chosenConfig,
refreshToken
)
}
console.log(JSON.stringify(refreshResponse))
return refreshResponse
}
async function updateUserOAuth(userId, oAuthConfig) {
const details = { ...oAuthConfig }
try {
const db = getGlobalDB()
const dbUser = db.get(userId)
//Do not overwrite the refresh token if a valid one is not provided.
if (typeof details.refreshToken !== "string") {
delete details.refreshToken
}
dbUser.oAuth2 = {
...dbUser.oAuth2,
...details,
}
await db.put(dbUser)
} catch (e) {
console.error("Could not update OAuth details for current user", e)
}
}
module.exports = {
@ -98,5 +163,6 @@ module.exports = {
authError,
buildCsrfMiddleware: csrf,
internalApi,
reUpToken,
refreshOAuthToken,
updateUserOAuth,
}

2
packages/backend-core/src/middleware/authenticated.js
View File

@ -128,6 +128,8 @@ module.exports = (
}
if (!user && tenantId) {
user = { tenantId }
} else {
delete user.password
}
// be explicit
if (authenticated !== true) {

18
packages/backend-core/src/middleware/passport/google.js
View File

@ -1,6 +1,8 @@
const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy
const { ssoCallbackUrl } = require("./utils")
const { authenticateThirdParty } = require("./third-party-common")
const { Configs } = require("../../../constants")
const environment = require("../../environment")
const buildVerifyFn = saveUserFn => {
return (accessToken, refreshToken, profile, done) => {
@ -57,5 +59,19 @@ exports.strategyFactory = async function (config, callbackUrl, saveUserFn) {
)
}
}
exports.fetchStrategyConfig = async function (googleConfig) {
return (
googleConfig || {
clientID: environment.GOOGLE_CLIENT_ID,
clientSecret: environment.GOOGLE_CLIENT_SECRET,
}
)
}
exports.getCallbackUrl = async function (db, config) {
return ssoCallbackUrl(db, config, Configs.GOOGLE)
}
// expose for testing
exports.buildVerifyFn = buildVerifyFn

16
packages/backend-core/src/middleware/passport/local.js
View File

@ -6,7 +6,7 @@ const users = require("../../users")
const { authError } = require("./utils")
const { newid } = require("../../hashing")
const { createASession } = require("../../security/sessions")
const { getTenantId } = require("../../tenancy")
const { getTenantId, getGlobalDB } = require("../../tenancy")
const INVALID_ERR = "Invalid credentials"
const SSO_NO_PASSWORD = "SSO user does not have a password set"
@ -55,6 +55,20 @@ exports.authenticate = async function (ctx, email, password, done) {
if (await compare(password, dbUser.password)) {
const sessionId = newid()
const tenantId = getTenantId()
if (dbUser.provider || dbUser.providerType || dbUser.pictureUrl) {
delete dbUser.provider
delete dbUser.providerType
delete dbUser.pictureUrl
try {
const db = getGlobalDB()
await db.put(dbUser)
} catch (err) {
console.error("OAuth elements could not be purged")
}
}
await createASession(dbUser._id, { sessionId, tenantId })
dbUser.token = jwt.sign(

11
packages/backend-core/src/middleware/passport/oidc.js
View File

@ -2,6 +2,7 @@ const fetch = require("node-fetch")
const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
const { authenticateThirdParty } = require("./third-party-common")
const { ssoCallbackUrl } = require("./utils")
const { Configs } = require("../../../constants")
const buildVerifyFn = saveUserFn => {
/**
@ -93,14 +94,16 @@ function validEmail(value) {
exports.strategyFactory = async function (config, saveUserFn) {
try {
const verify = buildVerifyFn(saveUserFn)
return new OIDCStrategy(config, verify)
const strategy = new OIDCStrategy(config, verify)
strategy.name = "oidc"
return strategy
} catch (err) {
console.error(err)
throw new Error("Error constructing OIDC authentication strategy", err)
}
}
export const fetchOIDCStrategyConfig = async (config, callbackUrl) => {
exports.fetchStrategyConfig = async function (config, callbackUrl) {
try {
const { clientID, clientSecret, configUrl } = config
@ -136,8 +139,8 @@ export const fetchOIDCStrategyConfig = async (config, callbackUrl) => {
}
}
export const oidcCallbackUrl = async (db, config) => {
return ssoCallbackUrl(db, config, "oidc")
exports.getCallbackUrl = async function (db, config) {
return ssoCallbackUrl(db, config, Configs.OIDC)
}
// expose for testing

8
packages/builder/cypress/integration/appPublishWorkflow.spec.js
View File

@ -85,11 +85,11 @@ filterTests(['all'], () => {
cy.get(interact.APP_TABLE_APP_NAME).click({ force: true })
})
cy.get(interact.DEPLOYMENT_TOP_NAV).click()
cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true })
cy.get(interact.UNPUBLISH_MODAL)
cy.get(interact.DEPLOYMENT_TOP_GLOBE).should("exist").click({ force: true })
cy.get("[data-cy='publish-popover-menu']")
.within(() => {
cy.get(interact.CONFIRM_WRAP_BUTTON).click({ force: true })
cy.get(interact.PUBLISH_POPOVER_ACTION).click({ force: true })
})
cy.get(interact.UNPUBLISH_MODAL).should("be.visible")

28
packages/server/src/api/controllers/query/index.ts
View File

@ -9,7 +9,7 @@ import { getAppDB } from "@budibase/backend-core/context"
import { quotas } from "@budibase/pro"
import { events } from "@budibase/backend-core"
import { getCookie } from "@budibase/backend-core/utils"
import { Cookies } from "@budibase/backend-core/constants"
import { Cookies, Configs } from "@budibase/backend-core/constants"
const Runner = new Thread(ThreadType.QUERY, {
timeoutMs: QUERY_THREAD_TIMEOUT || 10000,
@ -112,6 +112,21 @@ export async function find(ctx: any) {
ctx.body = query
}
//Required to discern between OIDC OAuth config entries
function getOAuthConfigCookieId(ctx: any) {
if (ctx.user.providerType === Configs.OIDC) {
return getCookie(ctx, Cookies.OIDC_CONFIG)
}
}
function getAuthConfig(ctx: any) {
const authCookie = getCookie(ctx, Cookies.Auth)
let authConfigCtx: any = {}
authConfigCtx["configId"] = getOAuthConfigCookieId(ctx)
authConfigCtx["sessionId"] = authCookie ? authCookie.sessionId : null
return authConfigCtx
}
export async function preview(ctx: any) {
const db = getAppDB()
@ -121,9 +136,7 @@ export async function preview(ctx: any) {
// this stops dynamic variables from calling the same query
const { fields, parameters, queryVerb, transformer, queryId } = query
//check for oAuth elements here?
const configId = getCookie(ctx, Cookies.OIDC_CONFIG)
console.log(configId)
const authConfigCtx: any = getAuthConfig(ctx)
try {
const runFn = () =>
@ -135,6 +148,10 @@ export async function preview(ctx: any) {
parameters,
transformer,
queryId,
ctx: {
user: ctx.user,
auth: { ...authConfigCtx },
},
})
const { rows, keys, info, extra } = await quotas.addQuery(runFn)
await events.query.previewed(datasource, query)
@ -177,6 +194,9 @@ async function execute(ctx: any, opts = { rowsOnly: false }) {
parameters: enrichedParameters,
transformer: query.transformer,
queryId: ctx.params.queryId,
ctx: {
user: ctx.user,
},
})
const { rows, pagination, extra } = await quotas.addQuery(runFn)

1
packages/server/src/module.d.ts vendored
View File

@ -8,3 +8,4 @@ declare module "@budibase/backend-core/constants"
declare module "@budibase/backend-core/auth"
declare module "@budibase/backend-core/sessions"
declare module "@budibase/backend-core/encryption"
declare module "@budibase/backend-core/utils"

60
packages/server/src/threads/query.js
View File

@ -4,7 +4,12 @@ const ScriptRunner = require("../utilities/scriptRunner")
const { integrations } = require("../integrations")
const { processStringSync } = require("@budibase/string-templates")
const { doInAppContext, getAppDB } = require("@budibase/backend-core/context")
// const { reUpToken } = require("@budibase/backend-core/auth")
const {
refreshOAuthToken,
updateUserOAuth,
} = require("@budibase/backend-core/auth")
const { getGlobalIDFromUserMetadataID } = require("../db/utils")
const { isSQL } = require("../integrations/utils")
const {
enrichQueryFields,
@ -22,20 +27,19 @@ class QueryRunner {
this.queryId = input.queryId
this.noRecursiveQuery = flags.noRecursiveQuery
this.cachedVariables = []
// Additional context items for enrichment
this.ctx = input.ctx
// allows the response from a query to be stored throughout this
// execution so that if it needs to be re-used for another variable
// it can be
this.queryResponse = {}
this.hasRerun = false
this.hasRefreshedOAuth = false
}
async execute() {
let { datasource, fields, queryVerb, transformer } = this
// if(this.ctx.user.oauth2?.refreshToken){
// reUpToken(this.ctx.user.oauth2?.refreshToken)
// }
const Integration = integrations[datasource.source]
if (!Integration) {
throw "Integration type does not exist."
@ -79,15 +83,24 @@ class QueryRunner {
}
// if the request fails we retry once, invalidating the cached value
if (info && info.code >= 400 && !this.hasRerun) {
if (
info &&
info.code >= 400 &&
this.cachedVariables.length > 0 &&
!this.hasRerun
this.ctx.user?.provider &&
info.code === 401 &&
!this.hasRefreshedOAuth
) {
// return { info }
// Attempt to refresh the access token from the provider
this.hasRefreshedOAuth = true
const authResponse = await this.refreshOAuth2(this.ctx)
if (!authResponse || authResponse.err) {
// In this event the user may have oAuth issues that
// could require re-authenticating with their provider.
throw new Error("OAuth2 access token could not be refreshed")
}
}
this.hasRerun = true
// invalidate the cache value
await threadUtils.invalidateDynamicVariables(this.cachedVariables)
return this.execute()
}
@ -133,6 +146,31 @@ class QueryRunner {
).execute()
}
async refreshOAuth2(ctx) {
const { oauth2, providerType, _id } = ctx.user
const { configId } = ctx.auth
if (!providerType || !oauth2?.refreshToken) {
console.error("No refresh token found for authenticated user")
return
}
const resp = await refreshOAuthToken(
oauth2.refreshToken,
providerType,
configId
)
// Refresh session flow. Should be in same location as refreshOAuthToken
// There are several other properties available in 'resp'
if (!resp.error) {
const globalUserId = getGlobalIDFromUserMetadataID(_id)
await updateUserOAuth(globalUserId, resp)
}
return resp
}
async getDynamicVariable(variable) {
let { parameters } = this
const queryId = variable.queryId,

8
packages/worker/src/api/controllers/global/auth.ts
View File

@ -70,7 +70,7 @@ async function authInternal(ctx: any, user: any, err = null, info = null) {
export const authenticate = async (ctx: any, next: any) => {
return passport.authenticate(
"local",
async (err: any, user: User, info: any) => {
async (err: any, user: any, info: any) => {
await authInternal(ctx, user, err, info)
await context.identity.doInUserContext(user, async () => {
await events.auth.login("local")
@ -197,7 +197,9 @@ export const googlePreAuth = async (ctx: any, next: any) => {
const strategy = await google.strategyFactory(config, callbackUrl, users.save)
return passport.authenticate(strategy, {
scope: ["profile", "email"],
scope: ["profile", "email", "https://www.googleapis.com/auth/spreadsheets"],
accessType: "offline",
prompt: "consent",
})(ctx, next)
}
@ -235,7 +237,7 @@ export const oidcStrategyFactory = async (ctx: any, configId: any) => {
let callbackUrl = await exports.oidcCallbackUrl(chosenConfig)
//Remote Config
const enrichedConfig = await oidc.fetchOIDCStrategyConfig(
const enrichedConfig = await oidc.fetchStrategyConfig(
chosenConfig,
callbackUrl
)