| package Kalamar::Plugin::Auth; |
| use Mojo::Base 'Mojolicious::Plugin'; |
| use File::Basename 'dirname'; |
| use File::Spec::Functions qw/catdir/; |
| use Mojo::ByteStream 'b'; |
| use Mojo::File qw!path!; |
| use Mojo::Util qw!b64_encode encode!; |
| use Mojo::JSON qw'decode_json encode_json'; |
| use Encode 'is_utf8'; |
| |
| # This is a plugin to deal with the Kustvakt OAuth server. |
| # All tokens are stored in the session. Access tokens are short-lived, |
| # which limits the effects of misuse. |
| # Refresh tokens are bound to client id and client secret, |
| # which again limits the effects of misuse. |
| |
| # TODO: |
| # Establish a plugin 'OAuth' that works independent of 'Auth'. |
| |
| # TODO: |
| # CSRF-protect logout! |
| |
| # TODO: |
| # Remove the Bearer prefix from auth. |
| |
| # In case no expiration time is returned by the server, |
| # take this time. |
| our $EXPECTED_EXPIRATION_IN = 259200; |
| |
| # Register the plugin |
| sub register { |
| my ($plugin, $app, $param) = @_; |
| |
| # Load parameter from config file |
| if (my $config_param = $app->config('Kalamar-Auth')) { |
| $param = { %$param, %$config_param }; |
| }; |
| |
| if ($param->{jwt}) { |
| $app->log->error('JWT flow is no longer supported'); |
| return; |
| }; |
| |
| # Load 'notifications' plugin |
| unless (exists $app->renderer->helpers->{notify}) { |
| $app->plugin(Notifications => { |
| HTML => 1 |
| }); |
| }; |
| |
| # Set session default timeout |
| for ($app->sessions) { |
| $_->default_expiration(60*60*24*3); # Session expires after 3 days of non-use |
| }; |
| |
| # Get client_id and client_secret from client file |
| if ($param->{client_file} || $main::ENV{KALAMAR_CLIENT_FILE}) { |
| $param->{client_file} ||= $main::ENV{KALAMAR_CLIENT_FILE}; |
| my $client_json = decode_json(path($param->{client_file})->slurp); |
| $param->{client_id} //= $client_json->{client_id}; |
| $param->{client_secret} //= $client_json->{client_secret}; |
| }; |
| |
| # Get the client id and the client_secret as a requirement |
| unless ($param->{client_id} && $param->{client_secret}) { |
| $app->log->error('client_id or client_secret not defined'); |
| }; |
| |
| # Load localize |
| $app->plugin('Localize' => { |
| dict => { |
| de => { |
| abort => 'Abbrechen' |
| }, |
| -en => { |
| abort => 'Abort' |
| }, |
| Auth => { |
| _ => sub { $_->locale }, |
| de => { |
| loginPlease => 'Bitte melden Sie sich an!', |
| loginSuccess => 'Anmeldung erfolgreich', |
| loginFail => 'Anmeldung fehlgeschlagen', |
| logoutSuccess => 'Abmeldung erfolgreich', |
| logoutFail => 'Abmeldung fehlgeschlagen', |
| authenticationFail => 'Nicht authentifiziert', |
| csrfFail => 'Fehlerhafter CSRF Token', |
| scopeFail => 'Scope nicht definiert', |
| clientIDFail => 'Client ID nicht definiert', |
| invalidChar => 'Ungültiges Zeichen in Anfrage', |
| openRedirectFail => 'Weiterleitungsfehler', |
| tokenExpired => 'Zugriffstoken abgelaufen', |
| tokenInvalid => 'Zugriffstoken ungültig', |
| refreshFail => 'Fehlerhafter Refresh-Token', |
| responseError => 'Unbekannter Autorisierungsfehler', |
| serverError => 'Unbekannter Serverfehler', |
| revokeFail => 'Der Token kann nicht widerrufen werden', |
| revokeSuccess => 'Der Token wurde erfolgreich widerrufen', |
| paramError => 'Einige Eingaben sind fehlerhaft', |
| redirectUri => 'Weiterleitungsadresse', |
| pluginSrc => 'Beschreibung des Plugins (*.json-Datei)', |
| homepage => 'Webseite', |
| desc => 'Kurzbeschreibung', |
| revoke => 'Widerrufen', |
| clientCredentials => 'Client Daten', |
| clientType => 'Art der Client-Applikation', |
| clientName => 'Name der Client-Applikation', |
| clientID => 'ID der Client-Applikation', |
| clientSecret => 'Client-Secret', |
| clientRegister => 'Neue Client-Applikation registrieren', |
| registerSuccess => 'Registrierung erfolgreich', |
| registerFail => 'Registrierung fehlgeschlagen', |
| oauthSettings => 'OAuth', |
| #for marketplace settings |
| marketplace => 'Marktplatz', |
| plugins => 'Plugins', |
| instplugins => 'Bereits installierte Plugins', |
| regby => 'Registriert von', |
| regdate => 'Registrierungsdatum', |
| instdate=> 'Installationsdatum', |
| install => 'Installieren', |
| installFail => 'Plugin konnte nicht installiert werden', |
| oauthUnregister => { |
| -long => 'Möchten sie <span class="client-name"><%= $client_name %></span> wirklich löschen?', |
| short => 'Löschen' |
| }, |
| oauthHint => 'Die folgende Registrierung (und alle Angaben) für API-Clients folgen der <a href="https://oauth.net/" class="external">OAuth-2.0-Spezifikation</a>.', |
| loginHint => 'Möglicherweise müssen sie sich zunächst einloggen.', |
| oauthIssueToken => { |
| -long => 'Stelle einen neuen Token für <span class="client-name"><%= $client_name %></span> aus', |
| short => 'Neuen Token ausstellen' |
| }, |
| accessToken => 'Access Token', |
| oauthRevokeToken => { |
| -long => 'Widerrufe einen Token für <span class="client-name"><%= $client_name %></span>', |
| short => 'Widerrufe' |
| }, |
| oauthGrantScope => { |
| -long => '<span class="client-name"><%= $client_name %></span> möchte Zugriffsrechte', |
| short => 'Zugriffsrechte erteilen' |
| }, |
| oauthGrantPublicWarn => 'Achtung - dies ist ein öffentlicher Client!', |
| oauthGrantRedirectWarn => 'Die Weiterleitung findet an eine unbekannte Adresse statt', |
| createdAt => 'Erstellt am <time datetime="<%= stash("date") %>"><%= stash("date") %></date>.', |
| expiresIn => 'Läuft in <%= stash("seconds") %> Sekunden ab.', |
| fileSizeExceeded => 'Dateigröße überschritten' |
| }, |
| -en => { |
| loginPlease => 'Please log in!', |
| loginSuccess => 'Login successful', |
| loginFail => 'Access denied', |
| logoutSuccess => 'Logout successful', |
| logoutFail => 'Logout failed', |
| authenticationFail => 'Not authenticated', |
| csrfFail => 'Bad CSRF token', |
| scopeFail => 'Scope required', |
| clientIDFail => 'Client ID required', |
| invalidChar => 'Invalid character in request', |
| openRedirectFail => 'Redirect failure', |
| tokenExpired => 'Access token expired', |
| tokenInvalid => 'Access token invalid', |
| refreshFail => 'Bad refresh token', |
| responseError => 'Unknown authorization error', |
| serverError => 'Unknown server error', |
| revokeFail => 'Token can\'t be revoked', |
| revokeSuccess => 'Token was revoked successfully', |
| paramError => 'Some fields are invalid', |
| redirectUri => 'Redirect URI', |
| pluginSrc => 'Declaration of the plugin (*.json file)', |
| homepage => 'Homepage', |
| desc => 'Short description', |
| revoke => 'Revoke', |
| clientCredentials => 'Client Credentials', |
| clientType => 'Type of the client application', |
| clientName => 'Name of the client application', |
| clientID => 'ID of the client application', |
| clientSecret => 'Client secret', |
| clientRegister => 'Register new client application', |
| registerSuccess => 'Registration successful', |
| registerFail => 'Registration denied', |
| oauthSettings => 'OAuth', |
| #for marketplace settings |
| marketplace => 'Marketplace', |
| plugins => 'Plugins', |
| instplugins => 'Installed Plugins', |
| regby =>'Registered by', |
| regdate =>'Date of Registration', |
| instdate =>'Date of Installation', |
| install => 'Install', |
| uninstall => 'Uninstall', |
| installFail => 'Plugin could not be installed', |
| oauthUnregister => { |
| -long => 'Do you really want to unregister <span class="client-name"><%= $client_name %></span>?', |
| short => 'Unregister' |
| }, |
| oauthHint => 'The following registration of API clients follows the <a href="https://oauth.net/" class="external">OAuth 2.0 specification</a>.', |
| loginHint => 'Maybe you need to log in first?', |
| oauthIssueToken => { |
| -long => 'Issue a new token for <span class="client-name"><%= $client_name %></span>', |
| short => 'Issue new token' |
| }, |
| accessToken => 'Access Token', |
| oauthRevokeToken => { |
| -long => 'Revoke a token for <span class="client-name"><%= $client_name %></span>', |
| short => 'Revoke' |
| }, |
| oauthGrantScope => { |
| -long => '<span class="client-name"><%= $client_name %></span> wants to have access', |
| short => 'Grant access' |
| }, |
| oauthGrantPublicWarn => 'Warning - this is a public client!', |
| oauthGrantRedirectWarn => 'The redirect points to an unknown location', |
| createdAt => 'Created at <time datetime="<%= stash("date") %>"><%= stash("date") %></date>.', |
| expiresIn => 'Expires in <%= stash("seconds") %> seconds.', |
| fileSizeExceeded => 'File size exceeded', |
| confidentialRequired => 'Plugins need to be confidential', |
| jsonRequired => 'Plugin declarations need to be json files', |
| } |
| } |
| } |
| }); |
| |
| |
| # Add login frame to sidebar |
| $app->content_block( |
| sidebar => { |
| template => 'partial/auth/login' |
| } |
| ); |
| |
| |
| # Add logout button to header button list |
| $app->content_block( |
| headerButtonGroup => { |
| template => 'partial/auth/logout' |
| } |
| ); |
| |
| |
| # Add hook after search |
| $app->hook( |
| after_search => sub { |
| my $c = shift; |
| |
| # User is not logged in |
| if ($c->stash('results')->size == 0 && !$c->auth->token) { |
| $c->content_for( |
| 'after_search_results' => |
| $c->render_to_string( |
| inline => '<p class="hint"><%= loc "Auth_loginHint" %></p>' |
| ) |
| ); |
| }; |
| } |
| ); |
| |
| # The plugin path |
| my $path = catdir(dirname(__FILE__), 'Auth'); |
| |
| # Append "templates" |
| push @{$app->renderer->paths}, catdir($path, 'templates'); |
| |
| # Get or set the user token necessary for authorization |
| $app->helper( |
| 'auth.token' => sub { |
| my ($c, $token, $expires_in) = @_; |
| |
| if ($token) { |
| # Set auth token |
| $c->stash(auth => $token); |
| $c->session(auth => $token); |
| $c->session(auth_exp => time + $expires_in); |
| return 1; |
| }; |
| |
| # Get token from stash |
| $token = $c->stash('auth'); |
| |
| return $token if $token; |
| |
| # Get auth from session |
| $token = $c->session('auth') or return; |
| $c->stash(auth => $token); |
| |
| # Return stashed value |
| return $token; |
| } |
| ); |
| |
| # Log in to the system |
| my $r = $app->routes; |
| |
| my $client_id = $param->{client_id}; |
| my $client_secret = $param->{client_secret}; |
| |
| my $no_redirect_ua = Mojo::UserAgent->new( |
| connect_timeout => 30, |
| inactivity_timeout => 30, |
| max_redirects => 0 |
| ); |
| |
| $no_redirect_ua->server->app($app); |
| |
| |
| # Sets a requested token and returns |
| # an error, if it didn't work |
| $app->helper( |
| 'auth.set_tokens_p' => sub { |
| my ($c, $json) = @_; |
| my $promise = Mojo::Promise->new; |
| |
| # No json object |
| unless ($json) { |
| return $promise->reject({ |
| message => 'Response is no valid JSON object (remote)' |
| }); |
| }; |
| |
| # There is an error here |
| # Dealing with errors here |
| if ($json->{error} && ref $json->{error} ne 'ARRAY') { |
| return $promise->reject( |
| { |
| message => $json->{error} . ($json->{error_description} ? ': ' . $json->{error_description} : '') |
| } |
| ); |
| } |
| |
| # There is an array of errors |
| elsif (my $error = $json->{errors} // $json->{error}) { |
| if (ref $error eq 'ARRAY') { |
| my @errors = (); |
| foreach (@{$error}) { |
| if ($_->[1]) { |
| push @errors, { code => $_->[0], message => $_->[1]} |
| }; |
| }; |
| return $promise->reject(@errors); |
| }; |
| |
| return $promise->reject({message => $error}); |
| }; |
| |
| # Everything is fine |
| my $access_token = $json->{access_token}; |
| my $token_type = $json->{token_type}; |
| my $refresh_token = $json->{refresh_token}; |
| my $expires_in = $json->{"expires_in"} // $EXPECTED_EXPIRATION_IN; |
| my $auth = $token_type . ' ' . $access_token; |
| # my $scope = $json->{scope}; |
| |
| # Set session info |
| $c->session(auth => $auth); |
| |
| # Expiration of the token minus tolerance |
| $c->session(auth_exp => time + $expires_in - 60); |
| |
| # Set session info for refresh token |
| # This can be stored in the session, as it is useless |
| # unless the client secret is stolen |
| $c->session(auth_r => $refresh_token) if $refresh_token; |
| |
| # Set stash info |
| $c->stash(auth => $auth); |
| |
| return $promise->resolve; |
| } |
| ); |
| |
| |
| # Refresh tokens and return a promise |
| $app->helper( |
| 'auth.refresh_p' => sub { |
| my $c = shift; |
| my $refresh_token = shift; |
| |
| # Get OAuth access token |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/token'); |
| |
| $c->app->log->debug("Refresh at $r_url"); |
| |
| return $c->kalamar_ua->post_p($r_url, {} => form => { |
| grant_type => 'refresh_token', |
| client_id => $client_id, |
| client_secret => $client_secret, |
| refresh_token => $refresh_token |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| |
| $c->app->log->info("Refresh was successful"); |
| |
| # Set the tokens and return a promise |
| return $c->auth->set_tokens_p($json); |
| }; |
| |
| # There is a client error - refresh fails |
| if ($tx->res->is_client_error && $json) { |
| |
| $c->stash(auth => undef); |
| $c->stash(auth_exp => undef); |
| delete $c->session->{user}; |
| delete $c->session->{auth}; |
| delete $c->session->{auth_r}; |
| delete $c->session->{auth_exp}; |
| |
| # Response is 400 |
| return Mojo::Promise->reject( |
| $json->{error_description} // $c->loc('Auth_refreshFail') |
| ); |
| }; |
| |
| if ($tx->res->is_server_error) { |
| return Mojo::Promise->reject( |
| '600' |
| ) |
| }; |
| |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject; |
| } |
| ) |
| } |
| ); |
| |
| |
| # Issue new token and return a promise |
| $app->helper( |
| 'auth.new_token_p' => sub { |
| my $c = shift; |
| my %param = @_; |
| |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/authorize'); |
| |
| my $client_id = $param{'client_id'}; |
| |
| return $c->korap_request($no_redirect_ua, post => $r_url, { } => form => { |
| response_type => 'code', |
| client_id => $client_id, |
| redirect_uri => $param{'redirect_uri'}, |
| state => $param{'state'}, |
| scope => $param{'scope'}, |
| })->then( |
| sub { |
| my $tx = shift; |
| |
| unless (ref($tx)) { |
| return Mojo::Promise->reject('Something went wrong'); |
| }; |
| |
| # Check for location header with code in redirects |
| my ($code, $scope, $loc, $name); |
| |
| # Check for location header with code in current tx |
| # and in redirects. |
| # The loop should not be relevant though, as for now |
| # redirects are not allowed. |
| foreach ($tx, @{$tx->redirects}) { |
| $loc = $_->res->headers->header('Location'); |
| |
| next unless $loc; |
| |
| my $url = Mojo::URL->new($loc); |
| |
| if ($url->query->param('code')) { |
| my $q = $url->query; |
| $code = $q->param('code'); |
| $scope = $q->param('scope'); |
| $name = $q->param('name'); |
| last; |
| } elsif (my $err = $url->query->param('error_description')) { |
| return Mojo::Promise->reject($err); |
| } |
| }; |
| |
| return Mojo::Promise->resolve( |
| $loc, |
| $client_id, |
| $param{'redirect_uri'}, |
| $code, |
| $scope, |
| $name |
| ) if $loc; |
| |
| # Failed redirect, but location set |
| if ($tx->res->headers->location) { |
| my $url = Mojo::URL->new($tx->res->headers->location); |
| if (my $err = $url->query->param('error_description')) { |
| return Mojo::Promise->reject($err); |
| }; |
| } |
| |
| $c->stash(redirect_uri => undef); |
| |
| # Maybe json |
| my $json = $tx->res->json; |
| if ($json && $json->{error_description}) { |
| return Mojo::Promise->reject($json->{error_description}); |
| }; |
| |
| # No location code |
| return Mojo::Promise->reject('no location response'); |
| } |
| ) |
| } |
| ); |
| |
| # Get a list of registered clients |
| $app->helper( |
| 'auth.client_list_p' => sub { |
| my $c = shift; |
| |
| |
| # Get list of registered clients |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/client/list'); |
| |
| # Get the list of all clients |
| return $c->korap_request(post => $r_url, {} => form => { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| authorized_only => 'no' |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| |
| $c->log->error($tx->res->to_string); |
| |
| # Failure |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject($json // 'No response'); |
| } |
| ); |
| } |
| ); |
| |
| # Get info for registered client |
| $app->helper( |
| 'auth.client_info_p' => sub { |
| my $c = shift; |
| my $req_client_id = shift; |
| |
| # Get list of registered clients |
| my $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/client/')->path($req_client_id); |
| |
| my $form = { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| }; |
| |
| # Get the list of all clients |
| return $c->korap_request(POST => $r_url, {} => form => $form)->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json // {}; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| |
| $c->log->error($tx->res->to_string); |
| |
| # Failure |
| return Mojo::Promise->reject($json->{error_description} // 'Client unknown'); |
| } |
| ); |
| } |
| ); |
| |
| |
| # Get a list of registered clients |
| $app->helper( |
| 'auth.token_list_p' => sub { |
| my $c = shift; |
| my $user_client_id = shift; |
| |
| # Revoke the token |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/token/list'); |
| |
| my $form = { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| token_type => 'access_token', |
| }; |
| |
| if ($user_client_id) { |
| $form->{client_id} = $user_client_id; |
| }; |
| |
| # Get the list of all clients |
| return $c->korap_request(post => $r_url, {} => form => $form)->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| |
| $c->log->error($tx->res->to_string); |
| |
| # Failure |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject($json // 'No response'); |
| } |
| ); |
| } |
| ); |
| |
| |
| # Issue a korap request with "oauth"orization |
| # This will override the core request helper |
| $app->helper( |
| korap_request => sub { |
| my $c = shift; |
| |
| # Get plugin user agent |
| my $ua = $c->kalamar_ua; |
| |
| # Override if UA is granted |
| if (ref $_[0] eq 'Mojo::UserAgent') { |
| $ua = shift; |
| }; |
| |
| my $method = shift; |
| my $path = shift; |
| |
| my @param = @_; |
| |
| # TODO: |
| # Check if $tx is not leaked! |
| |
| my $url = Mojo::URL->new($path); |
| my $tx = $ua->build_tx(uc($method), $url->clone, @param); |
| |
| # Set X-Forwarded for |
| $tx->req->headers->header( |
| 'X-Forwarded-For' => $c->client_ip |
| ); |
| |
| # Emit Hook to alter request |
| $c->app->plugins->emit_hook( |
| before_korap_request => ($c, $tx) |
| ); |
| |
| my $h = $tx->req->headers; |
| |
| # If the request already has an Authorization |
| # header, respect it! |
| if ($h->authorization) { |
| return $ua->start_p($tx); |
| }; |
| |
| # Get auth token |
| if (my $auth_token = $c->auth->token) { |
| |
| # The token is already expired! |
| my $exp = $c->session('auth_exp'); |
| if (defined $exp && $exp < time) { |
| |
| # Remove auth ... |
| $c->stash(auth => undef); |
| |
| # And get refresh token from session |
| if (my $refresh_token = $c->session('auth_r')) { |
| |
| $c->app->log->debug("Refresh is required"); |
| |
| # Refresh |
| return $c->auth->refresh_p($refresh_token)->then( |
| sub { |
| $c->app->log->debug("Search with refreshed tokens"); |
| |
| # Tokens were set - now send the request the first time! |
| $tx->req->headers->authorization($c->stash('auth')); |
| return $ua->start_p($tx); |
| } |
| ); |
| } |
| |
| # The token is expired and no refresh token is |
| # available - issue an unauthorized request! |
| else { |
| |
| $c->stash(auth => undef); |
| $c->stash(auth_exp => undef); |
| delete $c->session->{user}; |
| delete $c->session->{auth}; |
| delete $c->session->{auth_r}; |
| delete $c->session->{auth_exp}; |
| |
| # Warn on Error! |
| $c->notify(warn => $c->loc('Auth_tokenExpired')); |
| return $ua->start_p($tx); |
| }; |
| } |
| |
| # Auth token is fine |
| else { |
| |
| # Set auth |
| $h->authorization($auth_token); |
| } |
| } |
| |
| # No token set |
| else { |
| |
| # Return unauthorized request |
| return $ua->start_p($tx); |
| }; |
| |
| # Issue an authorized request and automatically |
| # refresh the token on expiration! |
| return $ua->start_p($tx)->then( |
| sub { |
| my $tx = shift; |
| |
| # Response is fine |
| if ($tx->res->is_success || $tx->res->is_redirect) { |
| return Mojo::Promise->resolve($tx); |
| } |
| |
| # There is a client error - maybe refresh! |
| elsif ($tx->res->is_client_error) { |
| |
| # Check the error |
| my $json = $tx->res->json('/errors/0/1'); |
| if ($json && ($json =~ /expired|invalid/)) { |
| $c->stash(auth => undef); |
| $c->stash(auth_exp => undef); |
| delete $c->session->{user}; |
| delete $c->session->{auth}; |
| |
| # And get refresh token from session |
| if (my $refresh_token = $c->session('auth_r')) { |
| |
| # Refresh |
| return $c->auth->refresh_p($refresh_token)->then( |
| sub { |
| $c->app->log->debug("Search with refreshed tokens"); |
| |
| my $tx = $ua->build_tx(uc($method), $url->clone, @param); |
| |
| # Set X-Forwarded for |
| $tx->req->headers->header( |
| 'X-Forwarded-For' => $c->client_ip |
| ); |
| |
| # Tokens were set - now send the request the first time! |
| $tx->req->headers->authorization($c->stash('auth')); |
| return $ua->start_p($tx); |
| } |
| ) |
| }; |
| |
| # Reject the invalid token |
| $c->notify(error => $c->loc('Auth_tokenInvalid')); |
| return Mojo::Promise->reject; |
| }; |
| |
| return Mojo::Promise->resolve($tx); |
| } |
| |
| # There is a server error - just report |
| elsif ($tx->res->is_server_error) { |
| my $err = $tx->res->error; |
| if ($err) { |
| return Mojo::Promise->reject($err->{code} . ': ' . $err->{message}); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_serverError')); |
| return Mojo::Promise->reject; |
| }; |
| }; |
| |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject; |
| } |
| ); |
| } |
| ); |
| |
| # Password flow for OAuth |
| $r->post('/user/login')->to( |
| cb => sub { |
| my $c = shift; |
| |
| # Validate input |
| my $v = $c->validation; |
| $v->required('handle_or_email', 'trim'); |
| $v->required('pwd', 'trim'); |
| $v->csrf_protect; |
| $v->optional('fwd')->closed_redirect; |
| |
| my $user = check_decode($v->param('handle_or_email')); |
| unless ($user) { |
| $c->notify(error => $c->loc('Auth_invalidChar')); |
| $c->param(handle_or_email => ''); |
| return $c->relative_redirect_to('index'); |
| }; |
| |
| my $fwd = $v->param('fwd'); |
| |
| # Set flash for redirect |
| $c->flash(handle_or_email => $user); |
| |
| if ($v->has_error || index($user, ':') >= 0) { |
| if ($v->has_error('fwd')) { |
| $c->notify(error => $c->loc('Auth_openRedirectFail')); |
| } |
| elsif ($v->has_error('csrf_token')) { |
| $c->notify(error => $c->loc('Auth_csrfFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_loginFail')); |
| }; |
| |
| return $c->relative_redirect_to($fwd // 'index'); |
| } |
| |
| my $pwd = $v->param('pwd'); |
| |
| $c->app->log->debug("Login from user $user"); |
| |
| # <specific> |
| |
| # Get OAuth access token |
| my $url = Mojo::URL->new($c->korap->api)->path('oauth2/token'); |
| |
| # Korap request for login |
| $c->korap_request('post', $url, {}, form => { |
| grant_type => 'password', |
| username => $user, |
| password => $pwd, |
| client_id => $client_id, |
| client_secret => $client_secret |
| })->then( |
| sub { |
| # Set the tokens and return a promise |
| return $c->auth->set_tokens_p(shift->result->json) |
| } |
| )->then( |
| sub { |
| # Set user info |
| $c->session(user => $user); |
| $c->stash(user => $user); |
| |
| # Notify on success |
| $c->app->log->debug(qq!Login successful: "$user"!); |
| $c->notify(success => $c->loc('Auth_loginSuccess')); |
| } |
| )->catch( |
| sub { |
| |
| # Notify the user on login failure |
| unless (@_) { |
| $c->notify(error => $c->loc('Auth_loginFail')); |
| } |
| |
| # There are known errors |
| foreach (@_) { |
| if (ref $_ eq 'HASH') { |
| my $err = ($_->{code} ? $_->{code} . ': ' : '') . |
| $_->{message}; |
| $c->notify(error => $err); |
| # Log failure |
| $c->app->log->debug($err); |
| } |
| else { |
| $c->notify(error => $_); |
| $c->app->log->debug($_); |
| }; |
| }; |
| |
| $c->app->log->debug(qq!Login fail: "$user"!); |
| } |
| )->finally( |
| sub { |
| # Redirect to slash |
| return $c->relative_redirect_to($fwd // 'index'); |
| } |
| ) |
| |
| # Start IOLoop |
| ->wait; |
| |
| return 1; |
| } |
| )->name('login'); |
| |
| |
| # Log out of the session |
| $r->get('/user/logout')->to( |
| cb => sub { |
| my $c = shift; |
| |
| # TODO: csrf-protection! |
| |
| my $refresh_token = $c->session('auth_r'); |
| |
| # Revoke the token |
| state $url = Mojo::URL->new($c->korap->api)->path('oauth2/revoke'); |
| |
| $c->kalamar_ua->post_p($url => {} => form => { |
| client_id => $client_id, |
| client_secret => $client_secret, |
| token => $refresh_token, |
| token_type => 'refresh_token' |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| |
| my $promise; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| $c->app->log->info("Revocation was successful"); |
| $c->notify(success => $c->loc('Auth_logoutSuccess')); |
| |
| $c->stash(auth => undef); |
| $c->stash(auth_exp => undef); |
| $c->flash(handle_or_email => delete $c->session->{user}); |
| delete $c->session->{auth}; |
| delete $c->session->{auth_r}; |
| delete $c->session->{auth_exp}; |
| return Mojo::Promise->resolve; |
| }; |
| |
| # Token may be invalid |
| $c->notify('error', $c->loc('Auth_logoutFail')); |
| |
| # There is a client error - refresh fails |
| if ($tx->res->is_client_error && $json) { |
| |
| return Mojo::Promise->reject( |
| $json->{error_description} |
| ); |
| }; |
| |
| # Resource may not be found (404) |
| return Mojo::Promise->reject |
| |
| } |
| )->catch( |
| sub { |
| my $err = shift; |
| |
| # Server may be irresponsible |
| $c->notify('error', $c->loc('Auth_logoutFail')); |
| return Mojo::Promise->reject($err); |
| } |
| )->finally( |
| sub { |
| return $c->redirect_to('index'); |
| } |
| )->wait; |
| } |
| )->name('logout'); |
| |
| |
| # Add settings |
| $app->navi->add(settings => ( |
| $app->loc('Auth_oauthSettings'), 'oauth' |
| )); |
| |
| # Get configuration for marketplace settings |
| if ($param->{marketplace}) { |
| $app->navi->add(settings => ( |
| $app->loc('Auth_marketplace'), 'marketplace' |
| )); |
| } |
| |
| |
| # Helper: Returns lists of registered plugins (of all users), which are permitted |
| $app->helper( |
| 'auth.plugin_list_p' => sub { |
| my $c = shift; |
| state $l_url = Mojo::URL->new($c->korap->api)->path('plugins'); |
| return $c->korap_request(post => $l_url, {} => form => { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| #list only permitted plugins |
| permitted_only => 'true' |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| $c->log->error($tx->res->to_string); |
| # Failure |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject($json // 'No response'); |
| } |
| ); |
| } |
| ); |
| |
| |
| #Helper: Returns list of all plugins, which are already installed |
| $app->helper( |
| 'auth.plugin_listin_p' => sub { |
| my $c = shift; |
| state $i_url = Mojo::URL->new($c->korap->api)->path('plugins/installed'); |
| return $c->korap_request(post => $i_url, {} => form => { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| |
| $c->log->error($tx->res->to_string); |
| |
| # Failure |
| $c->notify(error => $c->loc('Auth_responseError')); |
| return Mojo::Promise->reject($json // 'No response'); |
| } |
| ); |
| } |
| ); |
| |
| # Route to marketplace (for installation and deinstallation of plugins) |
| $r->get('/settings/marketplace')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| unless ($c->auth->token) { |
| return $c->render( |
| template => 'exception', |
| msg => $c->loc('Auth_authenticationFail'), |
| status => 401 |
| ); |
| }; |
| |
| $c->render_later; |
| my $promiselist = $c->auth->plugin_list_p; |
| my $promiseinlist = $c->auth->plugin_listin_p; |
| |
| Mojo::Promise->all($promiselist, $promiseinlist)-> then( |
| sub { |
| my ($promiselist, $promiseinlist) = @_; |
| my $plist = ref($promiselist->[0]) eq 'ARRAY' ? $promiselist->[0] : []; |
| my $plinlist = ref($promiseinlist->[0]) eq 'ARRAY' ? $promiseinlist->[0] : []; |
| my $clean_pllist = $plist; |
| $c->stash('pluginsin_list', $plinlist); |
| if($plinlist){ |
| foreach my $entry (@$plinlist){ |
| @$clean_pllist = grep{!($_->{client_id} eq $entry->{client_id})} @$clean_pllist ; |
| } |
| } |
| $c->stash('plugin_list', $clean_pllist); |
| } |
| )->catch( |
| sub { |
| return; |
| } |
| )->finally( |
| sub { |
| return $c->render(template => 'auth/marketplace'); |
| } |
| )->wait; |
| } |
| )->name('marketplace'); |
| |
| # Route to install plugin |
| $r->post('/settings/marketplace')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| my $v = $c->validation; |
| $v->required('client-id'); |
| |
| if ($v->has_error) { |
| return $c->render( |
| json => [], |
| status => 400 |
| ); |
| }; |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| content => 'Unauthorized', |
| status => 401 |
| ); |
| }; |
| |
| my $mclient_id = $v->param('client-id'); |
| $c->render_later; |
| |
| state $p_url = Mojo::URL->new($c->korap->api)->path('plugins/install'); |
| |
| return $c->korap_request(post => $p_url, {} => form => { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| client_id => $mclient_id |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->result->json; |
| # Response is fine |
| if ($tx->res->is_success) { |
| return Mojo::Promise->resolve($json); |
| }; |
| #Log errors |
| $c->log->error($tx->res->to_string); |
| # Failure |
| return Mojo::Promise->reject; |
| } |
| )->catch( |
| sub { |
| $c->notify('error' => $c->loc('Auth_installFail')); |
| } |
| )->finally( |
| sub { |
| return $c->redirect_to('marketplace'); |
| } |
| ); |
| } |
| )->name('install-plugin'); |
| |
| |
| # Route to OAuth settings |
| $r->get('/settings/oauth')->to( |
| cb => sub { |
| my $c = shift; |
| |
| _set_no_cache($c->res->headers); |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| template => 'exception', |
| msg => $c->loc('Auth_authenticationFail'), |
| status => 401 |
| ); |
| }; |
| |
| # Wait for async result |
| $c->render_later; |
| |
| $c->auth->client_list_p->then( |
| sub { |
| $c->stash('client_list' => shift); |
| } |
| )->catch( |
| sub { |
| return; |
| } |
| )->finally( |
| sub { |
| return $c->render(template => 'auth/clients') |
| } |
| ); |
| } |
| )->name('oauth-settings'); |
| |
| # Route to oauth client registration |
| $r->post('/settings/oauth/register')->to( |
| cb => sub { |
| my $c = shift; |
| |
| _set_no_cache($c->res->headers); |
| |
| my $v = $c->validation; |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| content => 'Unauthorized', |
| status => 401 |
| ); |
| }; |
| |
| $v->csrf_protect; |
| $v->required('name', 'trim', 'not_empty')->size(3, 255); |
| $v->required('type')->in('PUBLIC', 'CONFIDENTIAL'); |
| $v->required('desc', 'trim', 'not_empty')->size(3, 255); |
| $v->optional('url', 'trim', 'not_empty')->like(qr/^(http|$)/i); |
| $v->optional('redirect_uri', 'trim', 'not_empty')->like(qr/^(http|$)/i); |
| $v->optional('src', 'not_empty'); |
| |
| $c->stash(template => 'auth/clients'); |
| |
| # Render with error |
| if ($v->has_error) { |
| if ($v->has_error('csrf_token')) { |
| $c->notify(error => $c->loc('Auth_csrfFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_paramError')); |
| }; |
| return $c->render; |
| } elsif ($c->req->is_limit_exceeded) { |
| $c->notify(error => $c->loc('Auth_fileSizeExceeded')); |
| return $c->render; |
| }; |
| |
| my $type = $v->param('type'); |
| my $src = $v->param('src'); |
| my $src_json; |
| |
| my $json_obj = { |
| name => $v->param('name'), |
| type => $type, |
| description => $v->param('desc'), |
| url => $v->param('url'), |
| redirect_uri => $v->param('redirect_uri') |
| }; |
| |
| # Check plugin source |
| if ($src) { |
| |
| # Source need to be a file upload |
| if (!ref $src || !$src->isa('Mojo::Upload')) { |
| $c->notify(error => $c->loc('Auth_jsonRequired')); |
| return $c->render; |
| }; |
| |
| # Uploads can't be too large |
| if ($src->size > 1_000_000) { |
| $c->notify(error => $c->loc('Auth_fileSizeExceeded')); |
| return $c->render; |
| }; |
| |
| # Check upload is not empty |
| if ($src->size > 0 && $src->filename ne '') { |
| |
| # Plugins need to be confidential |
| if ($type ne 'CONFIDENTIAL') { |
| $c->notify(error => $c->loc('Auth_confidentialRequired')); |
| return $c->render; |
| }; |
| |
| my $asset = $src->asset; |
| |
| # Check for json |
| eval { |
| $src_json = decode_json($asset->slurp); |
| }; |
| |
| if ($@ || !ref $src_json || ref $src_json ne 'HASH') { |
| $c->notify(error => $c->loc('Auth_jsonRequired')); |
| return $c->render; |
| }; |
| |
| $json_obj->{source} = $src_json; |
| }; |
| }; |
| |
| # Wait for async result |
| $c->render_later; |
| |
| # Register on server |
| state $url = Mojo::URL->new($c->korap->api)->path('oauth2/client/register'); |
| $c->korap_request('POST', $url => {} => json => $json_obj)->then( |
| sub { |
| my $tx = shift; |
| my $result = $tx->result; |
| |
| if ($result->is_error) { |
| my $json = $result->json; |
| if ($json && $json->{error}) { |
| $c->notify( |
| error => $json->{error} . |
| ($json->{error_description} ? ': ' . $json->{error_description} : '') |
| ) |
| }; |
| |
| return Mojo::Promise->reject; |
| }; |
| |
| my $json = $result->json; |
| |
| my $client_id = $json->{client_id}; |
| my $client_secret = $json->{client_secret}; |
| |
| $c->stash('client_name' => $v->param('name')); |
| $c->stash('client_desc' => $v->param('desc')); |
| $c->stash('client_type' => $v->param('type')); |
| $c->stash('client_url' => $v->param('url')); |
| $c->stash('client_src' => $v->param('source')); |
| $c->stash('client_redirect_uri' => $v->param('redirect_uri')); |
| $c->stash('client_id' => $client_id); |
| |
| if ($client_secret) { |
| $c->stash('client_secret' => $client_secret); |
| }; |
| |
| $c->notify(success => $c->loc('Auth_en_registerSuccess')); |
| |
| return $c->render(template => 'auth/client'); |
| } |
| )->catch( |
| sub { |
| $c->notify('error' => $c->loc('Auth_en_registerFail')); |
| } |
| )->finally( |
| sub { |
| return $c->redirect_to('settings' => { scope => 'oauth' }); |
| } |
| ); |
| } |
| )->name('oauth-register'); |
| |
| |
| # Unregister client page |
| $r->get('/settings/oauth/:client_id/unregister')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| $c->render(template => 'auth/unregister'); |
| } |
| )->name('oauth-unregister'); |
| |
| |
| # Unregister client |
| $r->post('/settings/oauth/:client_id/unregister')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| |
| my $v = $c->validation; |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| content => 'Unauthorized', |
| status => 401 |
| ); |
| }; |
| |
| $v->csrf_protect; |
| $v->required('client-name', 'trim')->size(3, 255); |
| |
| # Render with error |
| if ($v->has_error) { |
| if ($v->has_error('csrf_token')) { |
| $c->notify(error => $c->loc('Auth_csrfFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_paramError')); |
| }; |
| return $c->redirect_to('oauth-settings'); |
| }; |
| |
| my $client_id = $c->stash('client_id'); |
| my $client_name = $v->param('client-name'); |
| my $client_secret = $v->param('client-secret'); |
| |
| # Get list of registered clients |
| my $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/client/deregister/')->path( |
| $client_id |
| ); |
| |
| my $send = {}; |
| |
| if ($client_secret) { |
| $send->{client_secret} = $client_secret; |
| }; |
| |
| # Get the list of all clients |
| return $c->korap_request(delete => $r_url, {} => form => $send)->then( |
| sub { |
| my $tx = shift; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| # Okay |
| $c->notify(success => 'Successfully deleted ' . $client_name); |
| } |
| else { |
| |
| # Failure |
| my $json = $tx->result->json; |
| if ($json && $json->{error_description}) { |
| $c->notify(error => $json->{error_description}); |
| } else { |
| $c->notify(error => $c->loc('Auth_responseError')); |
| }; |
| }; |
| |
| return $c->redirect_to('oauth-settings'); |
| } |
| ); |
| } |
| )->name('oauth-unregister-post'); |
| |
| |
| # OAuth Client authorization |
| $r->get('/settings/oauth/authorize')->to( |
| cb => sub { |
| my $c = shift; |
| |
| _set_no_cache($c->res->headers); |
| |
| my $v = $c->validation; |
| $v->required('client_id', 'trim'); |
| $v->required('scope', 'trim'); |
| $v->optional('state', 'trim'); |
| $v->optional('redirect_uri', 'trim', 'not_empty')->like(qr/^(http|$)/i); |
| |
| # Redirect with error |
| if ($v->has_error) { |
| |
| if ($v->has_error('client_id')) { |
| $c->notify(error => $c->loc('Auth_clientIDFail')); |
| } |
| elsif ($v->has_error('scope')) { |
| $c->notify(error => $c->loc('Auth_scopeFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_paramError')); |
| }; |
| |
| # If logged in, go to oauth settings - otherwise to index |
| return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index'); |
| }; |
| |
| foreach (qw!scope client_id state redirect_uri!) { |
| $c->stash($_, $v->param($_)); |
| }; |
| |
| # Wait for async result |
| $c->render_later; |
| |
| my $client_id = $v->param('client_id'); |
| |
| my $client_information = $c->auth->client_info_p($client_id)->then( |
| sub { |
| my $cl = shift; |
| $c->stash(client_name => $cl->{'client_name'}); |
| $c->stash(client_type => $cl->{'client_type'}); |
| $c->stash(client_desc => $cl->{'client_description'}); |
| $c->stash(client_url => $cl->{'client_url'}); |
| $c->stash(redirect_uri_server => $cl->{'client_redirect_uri'}); |
| } |
| )->then( |
| sub { |
| |
| # Check, if the client redirect_uri is valid |
| my $redirect_uri_server = $c->stash('redirect_uri_server'); |
| my $redirect_uri = $v->param('redirect_uri'); |
| my ($server_o, $client_o); |
| |
| # Both exist |
| if ($redirect_uri_server && $redirect_uri) { |
| $server_o = Mojo::URL->new($redirect_uri_server); |
| $client_o = Mojo::URL->new($redirect_uri); |
| |
| # Host not valid - take registered URI |
| if ($server_o->host ne $client_o->host) { |
| $c->notify(warn => 'redirect_uri host differs from registered host'); |
| $client_o = $server_o; |
| } |
| |
| # Port not valid - take registered URI |
| elsif (($server_o->port // '') ne ($client_o->port // '')) { |
| $c->notify(warn => 'redirect_uri port differs from registered port'); |
| $client_o = $server_o; |
| }; |
| } |
| |
| # Client sent exists |
| elsif ($redirect_uri) { |
| $client_o = Mojo::URL->new($redirect_uri); |
| $c->stash(redirect_warning => $c->loc('oauthGrantRedirectWarn')) |
| } |
| |
| # Server registered exists |
| elsif ($redirect_uri_server) { |
| $client_o = Mojo::URL->new($redirect_uri_server); |
| } |
| |
| # Redirect unknown |
| else { |
| $c->notify(error => 'redirect_uri not set'); |
| |
| # If logged in, go to oauth settings - otherwise to index |
| return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index'); |
| }; |
| |
| # No userinfo allowed |
| if ($client_o->userinfo) { |
| $c->notify(warn => 'redirect_uri contains userinfo'); |
| $client_o->userinfo(''); |
| }; |
| |
| # HTTPS warning |
| # if ($client_o->scheme ne 'https') { |
| # $c->notify(warn => 'redirect_uri is not HTTPS'); |
| # }; |
| |
| # Sign redirection URL |
| $c->stash(redirect_uri => $client_o->to_string); |
| $c->stash(close_redirect_uri => '' . $c->close_redirect_to($client_o)); |
| |
| # Get auth token |
| my $auth_token = $c->auth->token; |
| |
| # User is not logged in - log in before! |
| unless ($auth_token) { |
| return $c->render(template => 'auth/login'); |
| }; |
| |
| # Grant authorization |
| return $c->render(template => 'auth/grant_scope'); |
| } |
| )->catch( |
| sub { |
| my $error = shift; |
| $c->notify(error => $error); |
| |
| # If logged in, go to oauth settings - otherwise to index |
| return $c->redirect_to($c->auth->token ? 'oauth-settings' : 'index'); |
| } |
| ); |
| } |
| )->name('oauth-grant-scope'); |
| |
| |
| # OAuth Client authorization |
| # This will return a location information including some info |
| $r->post('/settings/oauth/authorize')->to( |
| cb => sub { |
| my $c = shift; |
| |
| _set_no_cache($c->res->headers); |
| |
| # It's necessary that it's clear this was triggered by |
| # KorAP and not by the client! |
| my $v = $c->validation; |
| $v->csrf_protect; |
| $v->required('client_id', 'trim'); |
| $v->required('scope', 'trim'); |
| $v->optional('state', 'trim'); |
| |
| # Only signed redirects are allowed |
| $v->required('redirect_uri', 'trim', 'not_empty')->closed_redirect; |
| |
| # Render with error |
| if ($v->has_error) { |
| |
| # If logged in, go to oauth settings - otherwise to index |
| my $url = $c->url_for($c->auth->token ? 'oauth-settings' : 'index'); |
| |
| if ($v->has_error('client_id')) { |
| $url->query([error_description => $c->loc('Auth_clientIDFail')]); |
| } |
| elsif ($v->has_error('scope')) { |
| $url->query([error_description => $c->loc('Auth_scopeFail')]); |
| } |
| elsif ($v->has_error('csrf_token')) { |
| $url->query([error_description => $c->loc('Auth_csrfFail')]); |
| } |
| else { |
| $url->query([error_description => $c->loc('Auth_paramError')]); |
| }; |
| |
| return $c->redirect_to($url); |
| }; |
| |
| $c->stash(redirect_uri => Mojo::URL->new($v->param('redirect_uri'))); |
| |
| return $c->auth->new_token_p( |
| client_id => $v->param('client_id'), |
| redirect_uri => $c->stash('redirect_uri'), |
| state => $v->param('state'), |
| scope => $v->param('scope'), |
| )->catch( |
| sub { |
| my $err_msg = shift; |
| my $url = $c->stash('redirect_uri'); |
| |
| # Redirect! |
| if ($url) { |
| if ($err_msg) { |
| $url = $url->query([error_description => $err_msg]); |
| }; |
| } |
| |
| # Do not redirect! |
| else { |
| $c->notify(error => $err_msg); |
| |
| # If logged in, go to oauth settings - otherwise to index |
| $url = $c->url_for($c->auth->token ? 'oauth-settings' : 'index'); |
| }; |
| |
| return Mojo::Promise->resolve($url); |
| } |
| )->then( |
| sub { |
| my $loc = shift; |
| return $c->redirect_to($loc); |
| } |
| )->wait; |
| return $c->rendered; |
| } |
| )->name('oauth-grant-scope-post'); |
| |
| |
| # Show information of a client |
| $r->get('/settings/oauth/:client_id')->to( |
| cb => sub { |
| my $c = shift; |
| |
| _set_no_cache($c->res->headers); |
| |
| $c->render_later; |
| |
| $c->auth->client_list_p->then( |
| sub { |
| my $json = shift; |
| |
| my ($item) = grep { |
| $c->stash('client_id') eq $_->{client_id} |
| } @$json; |
| |
| unless ($item) { |
| return Mojo::Promise->reject; |
| }; |
| |
| $c->stash(client_name => $item->{client_name}); |
| $c->stash(client_desc => $item->{client_description}); |
| $c->stash(client_url => $item->{client_url}); |
| $c->stash(client_type => ($item->{client_type} // 'PUBLIC')); |
| $c->stash(client_redirect_uri => $item->{client_redirect_uri}); |
| $c->stash(client_src => encode_json($item->{source})) if $item->{source}; |
| |
| $c->auth->token_list_p($c->stash('client_id')); |
| } |
| )->then( |
| sub { |
| my $json = shift; |
| |
| $c->stash(tokens => $json); |
| |
| return Mojo::Promise->resolve; |
| } |
| )->catch( |
| sub { |
| return $c->reply->not_found; |
| } |
| )->finally( |
| sub { |
| return $c->render(template => 'auth/client') |
| } |
| ); |
| |
| return; |
| } |
| )->name('oauth-tokens'); |
| |
| |
| # Ask if new token should be issued |
| $r->get('/settings/oauth/:client_id/token')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| $c->render(template => 'auth/issue-token'); |
| } |
| )->name('oauth-issue-token'); |
| |
| |
| # Ask if a token should be revoked |
| $r->post('/settings/oauth/:client_id/token/revoke')->to( |
| cb => sub { |
| shift->render(template => 'auth/revoke-token'); |
| } |
| )->name('oauth-revoke-token'); |
| |
| |
| # Issue new token |
| $r->post('/settings/oauth/:client_id/token')->to( |
| cb => sub { |
| my $c = shift; |
| _set_no_cache($c->res->headers); |
| |
| my $v = $c->validation; |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| content => 'Unauthorized', |
| status => 401 |
| ); |
| }; |
| |
| $v->csrf_protect; |
| $v->optional('client-secret'); |
| $v->required('name', 'trim'); |
| |
| # Render with error |
| if ($v->has_error) { |
| if ($v->has_error('csrf_token')) { |
| $c->notify(error => $c->loc('Auth_csrfFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_paramError')); |
| }; |
| return $c->redirect_to('oauth-settings') |
| }; |
| |
| # Get authorization token |
| my $client_id = $c->stash('client_id'); |
| my $name = $v->param('name'); |
| my $redirect_url = $c->url_for->query({name => $name})->to_abs; |
| |
| $c->auth->new_token_p( |
| client_id => $client_id, |
| redirect_uri => $redirect_url, |
| # TODO: State |
| scope => 'search match_info', |
| )->then( |
| sub { |
| my ($loc, $client_id, $redirect_url, $code, $scope, $name) = @_; |
| |
| # Get OAuth access token |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/token'); |
| return $c->kalamar_ua->post_p($r_url, {} => form => { |
| client_id => $client_id, |
| # NO CLIENT_SECRET YET SUPPORTED |
| grant_type => 'authorization_code', |
| code => $code, |
| redirect_uri => $redirect_url |
| })->then( |
| sub { |
| my $tx = shift; |
| my $json = $tx->res->json; |
| |
| if ($tx->res->is_error) { |
| $c->notify(error => 'Unable to fetch new token'); |
| return Mojo::Promise->reject; |
| }; |
| |
| $c->notify(success => 'New access token created'); |
| |
| $c->redirect_to('oauth-tokens' => { client_id => $client_id }) |
| } |
| )->catch( |
| sub { |
| my $err_msg = shift; |
| |
| # Only raised in case of connection errors |
| if ($err_msg) { |
| $c->notify(error => { src => 'Backend' } => $err_msg) |
| }; |
| |
| $c->render( |
| status => 400, |
| template => 'failure' |
| ); |
| } |
| ) |
| |
| # Start IOLoop |
| ->wait; |
| |
| } |
| )->catch( |
| sub { |
| my $err_msg = shift; |
| |
| # Only raised in case of connection errors |
| if ($err_msg) { |
| $c->notify(error => { src => 'Backend' } => $err_msg) |
| }; |
| |
| return $c->render( |
| status => 400, |
| template => 'failure' |
| ); |
| } |
| ) |
| |
| # Start IOLoop |
| ->wait; |
| |
| return 1; |
| } |
| )->name('oauth-issue-token-post'); |
| |
| |
| # Revoke token |
| $r->delete('/settings/oauth/:client_id/token')->to( |
| cb => sub { |
| my $c = shift; |
| |
| my $v = $c->validation; |
| |
| unless ($c->auth->token) { |
| return $c->render( |
| content => 'Unauthorized', |
| status => 401 |
| ); |
| }; |
| |
| $v->csrf_protect; |
| $v->required('token', 'trim'); |
| $v->optional('name', 'trim'); |
| my $private_client_id = $c->stash('client_id'); |
| |
| # Render with error |
| if ($v->has_error) { |
| if ($v->has_error('csrf_token')) { |
| $c->notify(error => $c->loc('Auth_csrfFail')); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_paramError')); |
| }; |
| return $c->redirect_to('oauth-tokens', client_id => $private_client_id); |
| }; |
| |
| # Revoke token using super client privileges |
| state $r_url = Mojo::URL->new($c->korap->api)->path('oauth2/revoke/super'); |
| |
| my $token = $v->param('token'); |
| |
| return $c->korap_request(post => $r_url, {} => form => { |
| super_client_id => $client_id, |
| super_client_secret => $client_secret, |
| token => $token |
| })->then( |
| sub { |
| my $tx = shift; |
| |
| # Response is fine |
| if ($tx->res->is_success) { |
| $c->notify(success => $c->loc('Auth_revokeSuccess')); |
| return Mojo::Promise->resolve; |
| }; |
| |
| return Mojo::Promise->reject; |
| } |
| )->catch( |
| sub { |
| my $err_msg = shift; |
| if ($err_msg) { |
| $c->notify(error => { src => 'Backend' } => $err_msg ); |
| } |
| else { |
| $c->notify(error => $c->loc('Auth_revokeFail')); |
| }; |
| } |
| )->finally( |
| sub { |
| return $c->redirect_to('oauth-tokens', client_id => $private_client_id); |
| } |
| ) |
| |
| # Start IOLoop |
| ->wait; |
| } |
| )->name('oauth-revoke-token-delete'); |
| |
| $app->log->info('Successfully registered Auth plugin'); |
| }; |
| |
| |
| # Set 'no caching' headers |
| sub _set_no_cache { |
| my $h = shift; |
| $h->cache_control('max-age=0, no-cache, no-store, must-revalidate'); |
| $h->expires('Thu, 01 Jan 1970 00:00:00 GMT'); |
| $h->header('Pragma','no-cache'); |
| }; |
| |
| |
| sub check_decode { |
| no warnings 'uninitialized'; |
| my $str = shift; |
| my $str2 = is_utf8($str) ? b($str)->decode : $str; |
| if (defined($str2) && $str2 && length($str2) > 1) { |
| return $str2 |
| }; |
| return; |
| }; |
| |
| |
| 1; |
| |
| |
| __END__ |
| |
| =pod |
| |
| =encoding utf8 |
| |
| =head1 NAME |
| |
| Kalamar::Plugin::Auth - OAuth-2.0-based authorization plugin |
| |
| =head1 DESCRIPTION |
| |
| L<Kalamar::Plugin::Auth> is an OAuth-2.0-based authorization |
| plugin for L<Kalamar>. It requires a C<Kustvakt> full server |
| with OAuth 2.0 capabilities. |
| It is activated by loading C<Auth> as a plugin in the C<Kalamar.plugins> |
| parameter in the Kalamar configuration. |
| |
| =head1 CONFIGURATION |
| |
| L<Kalamar::Plugin::Auth> supports the following parameter for the |
| C<Kalamar-Auth> configuration section in the Kalamar configuration: |
| |
| =over 2 |
| |
| =item B<client_id> |
| |
| The client identifier of Kalamar to be send with every OAuth 2.0 |
| management request. |
| |
| =item B<client_secret> |
| |
| The client secret of Kalamar to be send with every OAuth 2.0 |
| management request. |
| |
| =item B<experimental_client_registration> |
| |
| Activates the oauth client registration flow. |
| |
| =back |
| |
| =head2 COPYRIGHT AND LICENSE |
| |
| Copyright (C) 2015-2022, L<IDS Mannheim|http://www.ids-mannheim.de/> |
| Author: L<Nils Diewald|http://nils-diewald.de/> |
| |
| Kalamar is developed as part of the L<KorAP|http://korap.ids-mannheim.de/> |
| Corpus Analysis Platform at the |
| L<Leibniz Institute for the German Language (IDS)|http://ids-mannheim.de/>, |
| member of the |
| L<Leibniz-Gemeinschaft|http://www.leibniz-gemeinschaft.de> |
| and supported by the L<KobRA|http://www.kobra.tu-dortmund.de> project, |
| funded by the |
| L<Federal Ministry of Education and Research (BMBF)|http://www.bmbf.de/en/>. |
| |
| Kalamar is free software published under the |
| L<BSD-2 License|https://raw.githubusercontent.com/KorAP/Kalamar/master/LICENSE>. |
| |
| =cut |