CartoDB-SQL-API/lib/auth/oauth.js

'use strict';

// too bound to the request object, but ok for now
var _ = require('underscore');
var OAuthUtil = require('oauth-client');
var step = require('step');
var CdbRequest = require('../models/cartodb-request');
var cdbReq = new CdbRequest();

var oAuth = (function () {
    var me = {
        oauth_database: 3,
        oauth_user_key: 'rails:oauth_access_tokens:<%= oauth_access_key %>',
        is_oauth_request: true
    };

    // oauth token cases:
    // * in GET request
    // * in header
    me.parseTokens = function (req) {
        var queryOauth = _.clone(req.method === 'POST' ? req.body : req.query);
        var headerOauth = {};
        var oauthVariables = ['oauth_body_hash',
            'oauth_consumer_key',
            'oauth_token',
            'oauth_signature_method',
            'oauth_signature',
            'oauth_timestamp',
            'oauth_nonce',
            'oauth_version'];

        // pull only oauth tokens out of query
        var nonOauth = _.difference(_.keys(queryOauth), oauthVariables);
        _.each(nonOauth, function (key) { delete queryOauth[key]; });

        // pull oauth tokens out of header
        var headerString = req.headers.authorization;
        if (!_.isUndefined(headerString)) {
            _.each(oauthVariables, function (oauthKey) {
                var matchedString = headerString.match(new RegExp(oauthKey + '="([^"]+)"'));
                if (!_.isNull(matchedString)) {
                    headerOauth[oauthKey] = decodeURIComponent(matchedString[1]);
                }
            });
        }

        // merge header and query oauth tokens. preference given to header oauth
        return _.defaults(headerOauth, queryOauth);
    };

    // remove oauthy tokens from an object
    me.splitParams = function (obj) {
        var removed = null;
        for (var prop in obj) {
            if (/^oauth_\w+$/.test(prop)) {
                if (!removed) {
                    removed = {};
                }
                removed[prop] = obj[prop];
                delete obj[prop];
            }
        }
        return removed;
    };

    me.getAllowedHosts = function () {
        var oauthConfig = global.settings.oauth || {};
        return oauthConfig.allowedHosts || ['carto.com', 'cartodb.com'];
    };

    // do new fancy get User ID
    me.verifyRequest = function (req, metadataBackend, callback) {
        var that = this;
        // TODO: review this
        var httpProto = req.protocol;
        if (!httpProto || (httpProto !== 'http' && httpProto !== 'https')) {
            var msg = 'Unknown HTTP protocol ' + httpProto + '.';
            var unknownProtocolErr = new Error(msg);
            unknownProtocolErr.http_status = 500;
            return callback(unknownProtocolErr);
        }

        var username = cdbReq.userByReq(req);
        var requestTokens;
        var signature;

        step(
            function getTokensFromURL () {
                return oAuth.parseTokens(req);
            },
            function getOAuthHash (err, _requestTokens) {
                if (err) {
                    throw err;
                }

                // this is oauth request only if oauth headers are present
                this.is_oauth_request = !_.isEmpty(_requestTokens);

                if (this.is_oauth_request) {
                    requestTokens = _requestTokens;
                    that.getOAuthHash(metadataBackend, requestTokens.oauth_token, this);
                } else {
                    return null;
                }
            },
            function regenerateSignature (err, oAuthHash) {
                if (err) {
                    throw err;
                }
                if (!this.is_oauth_request) {
                    return null;
                }

                var consumer = OAuthUtil.createConsumer(oAuthHash.consumer_key, oAuthHash.consumer_secret);
                var accessToken = OAuthUtil.createToken(oAuthHash.access_token_token, oAuthHash.access_token_secret);
                var signer = OAuthUtil.createHmac(consumer, accessToken);

                var method = req.method;
                var hostsToValidate = {};
                var requestHost = req.headers.host;
                hostsToValidate[requestHost] = true;
                that.getAllowedHosts().forEach(function (allowedHost) {
                    hostsToValidate[username + '.' + allowedHost] = true;
                });

                that.splitParams(req.query);
                // remove oauth_signature from body
                if (req.body) {
                    delete req.body.oauth_signature;
                }
                signature = requestTokens.oauth_signature;
                // remove signature from requestTokens
                delete requestTokens.oauth_signature;
                var requestParams = _.extend({}, req.body, requestTokens, req.query);

                var hosts = Object.keys(hostsToValidate);
                var requestSignatures = hosts.map(function (host) {
                    var url = httpProto + '://' + host + req.path;
                    return signer.sign(method, url, requestParams);
                });

                return requestSignatures.reduce(function (validSignature, requestSignature) {
                    if (signature === requestSignature && !_.isUndefined(requestSignature)) {
                        validSignature = true;
                    }
                    return validSignature;
                }, false);
            },
            function finishValidation (err, hasValidSignature) {
                const authorizationLevel = hasValidSignature ? 'master' : null;
                return callback(err, authorizationLevel);
            }
        );
    };

    me.getOAuthHash = function (metadataBackend, oAuthAccessKey, callback) {
        metadataBackend.getOAuthHash(oAuthAccessKey, callback);
    };

    return me;
})();

function OAuthAuth (req, metadataBackend) {
    this.req = req;
    this.metadataBackend = metadataBackend;
    this.isOAuthRequest = null;
}

OAuthAuth.prototype.verifyCredentials = function (callback) {
    if (this.hasCredentials()) {
        oAuth.verifyRequest(this.req, this.metadataBackend, callback);
    } else {
        callback(null, false);
    }
};

OAuthAuth.prototype.getCredentials = function () {
    return oAuth.parseTokens(this.req);
};

OAuthAuth.prototype.hasCredentials = function () {
    if (this.isOAuthRequest === null) {
        var passedTokens = oAuth.parseTokens(this.req);
        this.isOAuthRequest = !_.isEmpty(passedTokens);
    }

    return this.isOAuthRequest;
};

module.exports = OAuthAuth;
module.exports.backend = oAuth;
Use strict mode 2018-10-24 21:42:33 +08:00			`'use strict';`

first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00			`// too bound to the request object, but ok for now`
jshint: fix auth directory 2015-05-13 00:00:30 +08:00			`var _ = require('underscore');`
			`var OAuthUtil = require('oauth-client');`
			`var step = require('step');`
Changed folder structure to reflect application functionallity. Renamed files using hyphens instead of underscore to have a more consistent naming across the whole project 2019-10-04 00:24:39 +08:00			`var CdbRequest = require('../models/cartodb-request');`
Allow to setup more than one domain to validate oauth against 2016-07-07 20:20:36 +08:00			`var cdbReq = new CdbRequest();`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`var oAuth = (function () {`
			`var me = {`
			`oauth_database: 3,`
			`oauth_user_key: 'rails:oauth_access_tokens:<%= oauth_access_key %>',`
			`is_oauth_request: true`
			`};`

			`// oauth token cases:`
			`// * in GET request`
			`// * in header`
			`me.parseTokens = function (req) {`
Eslint errors 2019-12-27 01:28:01 +08:00			`var queryOauth = _.clone(req.method === 'POST' ? req.body : req.query);`
			`var headerOauth = {};`
			`var oauthVariables = ['oauth_body_hash',`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`'oauth_consumer_key',`
			`'oauth_token',`
			`'oauth_signature_method',`
			`'oauth_signature',`
			`'oauth_timestamp',`
			`'oauth_nonce',`
			`'oauth_version'];`

			`// pull only oauth tokens out of query`
Eslint errors 2019-12-27 01:28:01 +08:00			`var nonOauth = _.difference(_.keys(queryOauth), oauthVariables);`
			`_.each(nonOauth, function (key) { delete queryOauth[key]; });`
Run eslint --fix 2019-12-24 01:19:08 +08:00
			`// pull oauth tokens out of header`
Eslint errors 2019-12-27 01:28:01 +08:00			`var headerString = req.headers.authorization;`
			`if (!_.isUndefined(headerString)) {`
			`_.each(oauthVariables, function (oauthKey) {`
			`var matchedString = headerString.match(new RegExp(oauthKey + '="([^"]+)"'));`
			`if (!_.isNull(matchedString)) {`
			`headerOauth[oauthKey] = decodeURIComponent(matchedString[1]);`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`}`
			`});`
jshint: fix auth directory 2015-05-13 00:00:30 +08:00			`}`
added body_hash to oauth check and stopped firing exception if incomplete oauth variables sent 2011-08-22 20:33:12 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`// merge header and query oauth tokens. preference given to header oauth`
Eslint errors 2019-12-27 01:28:01 +08:00			`return _.defaults(headerOauth, queryOauth);`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`};`

			`// remove oauthy tokens from an object`
			`me.splitParams = function (obj) {`
			`var removed = null;`
			`for (var prop in obj) {`
			`if (/^oauth_\w+$/.test(prop)) {`
			`if (!removed) {`
			`removed = {};`
			`}`
			`removed[prop] = obj[prop];`
			`delete obj[prop];`
fixed oauth problems with POST requests fixes #10 2011-12-26 19:51:15 +08:00			`}`
			`}`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`return removed;`
			`};`

			`me.getAllowedHosts = function () {`
			`var oauthConfig = global.settings.oauth \|\| {};`
			`return oauthConfig.allowedHosts \|\| ['carto.com', 'cartodb.com'];`
			`};`

			`// do new fancy get User ID`
			`me.verifyRequest = function (req, metadataBackend, callback) {`
			`var that = this;`
			`// TODO: review this`
			`var httpProto = req.protocol;`
			`if (!httpProto \|\| (httpProto !== 'http' && httpProto !== 'https')) {`
			`var msg = 'Unknown HTTP protocol ' + httpProto + '.';`
			`var unknownProtocolErr = new Error(msg);`
			`unknownProtocolErr.http_status = 500;`
			`return callback(unknownProtocolErr);`
Do not use assert to throw erros as in Node.js > 6 wraps the original error, the keyword 'throw' does the trick and it's backwards compatible 2018-11-08 01:05:39 +08:00			`}`
skip redis with non-oauth requests 2012-06-30 07:54:21 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`var username = cdbReq.userByReq(req);`
			`var requestTokens;`
			`var signature;`

			`step(`
			`function getTokensFromURL () {`
			`return oAuth.parseTokens(req);`
			`},`
			`function getOAuthHash (err, _requestTokens) {`
			`if (err) {`
			`throw err;`
			`}`

			`// this is oauth request only if oauth headers are present`
			`this.is_oauth_request = !_.isEmpty(_requestTokens);`

			`if (this.is_oauth_request) {`
			`requestTokens = _requestTokens;`
			`that.getOAuthHash(metadataBackend, requestTokens.oauth_token, this);`
			`} else {`
			`return null;`
			`}`
			`},`
			`function regenerateSignature (err, oAuthHash) {`
			`if (err) {`
			`throw err;`
			`}`
			`if (!this.is_oauth_request) {`
			`return null;`
			`}`

			`var consumer = OAuthUtil.createConsumer(oAuthHash.consumer_key, oAuthHash.consumer_secret);`
Eslint errors 2019-12-27 01:28:01 +08:00			`var accessToken = OAuthUtil.createToken(oAuthHash.access_token_token, oAuthHash.access_token_secret);`
			`var signer = OAuthUtil.createHmac(consumer, accessToken);`
Run eslint --fix 2019-12-24 01:19:08 +08:00
			`var method = req.method;`
			`var hostsToValidate = {};`
			`var requestHost = req.headers.host;`
			`hostsToValidate[requestHost] = true;`
			`that.getAllowedHosts().forEach(function (allowedHost) {`
			`hostsToValidate[username + '.' + allowedHost] = true;`
			`});`

			`that.splitParams(req.query);`
			`// remove oauth_signature from body`
			`if (req.body) {`
			`delete req.body.oauth_signature;`
			`}`
			`signature = requestTokens.oauth_signature;`
			`// remove signature from requestTokens`
			`delete requestTokens.oauth_signature;`
			`var requestParams = _.extend({}, req.body, requestTokens, req.query);`

			`var hosts = Object.keys(hostsToValidate);`
			`var requestSignatures = hosts.map(function (host) {`
			`var url = httpProto + '://' + host + req.path;`
			`return signer.sign(method, url, requestParams);`
			`});`

			`return requestSignatures.reduce(function (validSignature, requestSignature) {`
			`if (signature === requestSignature && !_.isUndefined(requestSignature)) {`
			`validSignature = true;`
			`}`
			`return validSignature;`
			`}, false);`
			`},`
			`function finishValidation (err, hasValidSignature) {`
			`const authorizationLevel = hasValidSignature ? 'master' : null;`
			`return callback(err, authorizationLevel);`
			`}`
			`);`
			`};`
skip redis with non-oauth requests 2012-06-30 07:54:21 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`me.getOAuthHash = function (metadataBackend, oAuthAccessKey, callback) {`
			`metadataBackend.getOAuthHash(oAuthAccessKey, callback);`
			`};`
skip redis with non-oauth requests 2012-06-30 07:54:21 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`return me;`
jshint: fix auth directory 2015-05-13 00:00:30 +08:00			`})();`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`function OAuthAuth (req, metadataBackend) {`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`this.req = req;`
Fix common interface for auth-backends 2018-02-27 02:02:05 +08:00			`this.metadataBackend = metadataBackend;`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`this.isOAuthRequest = null;`
			`}`

Run eslint --fix 2019-12-24 01:19:08 +08:00			`OAuthAuth.prototype.verifyCredentials = function (callback) {`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`if (this.hasCredentials()) {`
Fix common interface for auth-backends 2018-02-27 02:02:05 +08:00			`oAuth.verifyRequest(this.req, this.metadataBackend, callback);`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`} else {`
			`callback(null, false);`
			`}`
			`};`

Run eslint --fix 2019-12-24 01:19:08 +08:00			`OAuthAuth.prototype.getCredentials = function () {`
			`return oAuth.parseTokens(this.req);`
Implement new auth system based on api-key tokens with scoped permissions 2017-11-25 00:57:54 +08:00			`};`

Run eslint --fix 2019-12-24 01:19:08 +08:00			`OAuthAuth.prototype.hasCredentials = function () {`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`if (this.isOAuthRequest === null) {`
Eslint errors 2019-12-27 01:28:01 +08:00			`var passedTokens = oAuth.parseTokens(this.req);`
			`this.isOAuthRequest = !_.isEmpty(passedTokens);`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`}`

			`return this.isOAuthRequest;`
			`};`

			`module.exports = OAuthAuth;`
			`module.exports.backend = oAuth;`