src/tokens.js

'use strict';

exports = module.exports = {
    add,
    get,
    update,
    del,

    delByAccessToken,
    delExpired,
    delByUserIdAndType,

    listByUserId,
    getByAccessToken,

    hasScope,

    isIpAllowedSync,

    SCOPES: ['*']//, 'apps', 'domains'],
};

const TOKENS_FIELDS = [ 'id', 'accessToken', 'identifier', 'clientId', 'scopeJson', 'expires', 'name', 'lastUsedTime', 'allowedIpRanges' ].join(',');

const assert = require('node:assert'),
    BoxError = require('./boxerror.js'),
    crypto = require('node:crypto'),
    database = require('./database.js'),
    hat = require('./hat.js'),
    ipaddr = require('./ipaddr.js'),
    safe = require('safetydance');

const gParsedRangesCache = new Map(); // indexed by token.id

function postProcess(result) {
    assert.strictEqual(typeof result, 'object');

    result.scope = safe.JSON.parse(result.scopeJson) || {};
    delete result.scopeJson;

    return result;
}

function validateTokenName(name) {
    assert.strictEqual(typeof name, 'string');

    if (name.length > 64) return new BoxError(BoxError.BAD_FIELD, 'name too long');

    return null;
}

function validateScope(scope) {
    assert.strictEqual(typeof scope, 'object');

    for (const key in scope) {
        if (exports.SCOPES.indexOf(key) === -1) return new BoxError(BoxError.BAD_FIELD, `Unkown token scope ${key}. Valid scopes are ${exports.SCOPES.join(',')}`);
        if (scope[key] !== 'rw' && scope[key] !== 'r') return new BoxError(BoxError.BAD_FIELD, `Unkown token scope value ${scope[key]} for ${key}. Valid values are 'rw' or 'r'`);
    }

    return null;
}

function hasScope(token, method, path) {
    assert.strictEqual(typeof token, 'object');
    assert.strictEqual(typeof method, 'string');
    assert.strictEqual(typeof path, 'string');

    // TODO path checking in the future
    const matchAll = token.scope['*'];
    if (matchAll === 'rw') {
        return true;
    } else if (matchAll === 'r' && (method === 'GET' || method === 'HEAD' || method === 'OPTIONS')) {
        return true;
    } else {
        return false;
    }
}

function parseIpRanges(ipRanges) {
    assert.strictEqual(typeof ipRanges, 'string');

    if (ipRanges.length === 0) return ['0.0.0.0/0', '::/0'];

    const result = [];
    for (const line of ipRanges.split('\n')) {
        if (!line || line.startsWith('#')) continue;
        // each line can have comma separated list. this complexity is because we changed the UI to take a line input instead of textarea
        for (const entry of line.split(',')) {
            const rangeOrIP = entry.trim();
            if (!ipaddr.isValid(rangeOrIP) && !ipaddr.isValidCIDR(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `'${rangeOrIP}' is not a valid IP or range`);
            result.push(rangeOrIP);
        }
    }

    return result;
}

async function add(token) {
    assert.strictEqual(typeof token, 'object');

    const { clientId, identifier, expires, allowedIpRanges } = token;
    const name = token.name || '';
    const scope = token.scope || { '*': 'rw' };

    let error = validateTokenName(name);
    if (error) throw error;

    error = validateScope(scope);
    if (error) throw error;

    parseIpRanges(allowedIpRanges); // validate

    const id = 'tid-' + crypto.randomUUID();
    const accessToken = token.accessToken || hat(8 * 32);

    await database.query('INSERT INTO tokens (id, accessToken, identifier, clientId, expires, scopeJson, name, allowedIpRanges) VALUES (?, ?, ?, ?, ?, ?, ?, ?)', [ id, accessToken, identifier, clientId, expires, JSON.stringify(scope), name, allowedIpRanges ]);

    return { id, accessToken, scope, clientId, identifier, expires, name, allowedIpRanges };
}

async function get(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE id = ?`, [ id ]);
    if (result.length === 0) return null;

    return postProcess(result[0]);
}

async function del(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query('DELETE FROM tokens WHERE id = ?', [ id ]);
    if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');
}

async function listByUserId(userId) {
    assert.strictEqual(typeof userId, 'string');

    const results = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE identifier = ?`, [ userId ]);
    results.forEach(postProcess);

    return results;
}

async function getByAccessToken(accessToken) {
    assert.strictEqual(typeof accessToken, 'string');

    const result = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE accessToken = ? AND expires > ?`, [ accessToken, Date.now() ]);
    if (result.length === 0) return null;
    return postProcess(result[0]);
}

async function delByAccessToken(accessToken) {
    assert.strictEqual(typeof accessToken, 'string');

    const result = await database.query('DELETE FROM tokens WHERE accessToken = ?', [ accessToken ]);
    if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');
}

async function delExpired() {
    const result = await database.query('DELETE FROM tokens WHERE expires <= ?', [ Date.now() ]);
    return result.affectedRows;
}

async function delByUserIdAndType(userId, type) {
    assert.strictEqual(typeof userId, 'string');
    assert.strictEqual(typeof type, 'string');

    const result = await database.query('DELETE FROM tokens WHERE identifier=? AND clientId=?', [ userId, type ]);
    return result.affectedRows;
}

async function update(id, values) {
    assert.strictEqual(typeof id, 'string');
    assert.strictEqual(typeof values, 'object');

    const args = [ ];
    const fields = [ ];
    for (const k in values) {
        fields.push(k + ' = ?');
        args.push(values[k]);
    }
    args.push(id);

    const result = await database.query(`UPDATE tokens SET ${fields.join(', ')} WHERE id = ?`, args);
    if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');
}

function isIpAllowedSync(token, ip) {
    assert.strictEqual(typeof token, 'object');
    assert.strictEqual(typeof ip, 'string');

    let allowedIpRanges = gParsedRangesCache.get(token.id); // returns undefined if not found
    if (!allowedIpRanges) {
        allowedIpRanges = parseIpRanges(token.allowedIpRanges || '');
        gParsedRangesCache.set(token.id, allowedIpRanges);
    }

    for (const ipOrRange of allowedIpRanges) {
        if (!ipOrRange.includes('/')) {
            if (ipaddr.isEqual(ipOrRange, ip)) return true;
        } else {
            if (ipaddr.includes(ipOrRange, ip)) return true;
        }
    }

    return false;
}
Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`'use strict';`

			`exports = module.exports = {`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`add,`
			`get,`
			`update,`
			`del,`
tokens: async'ify 2021-06-04 09:28:40 -07:00
			`delByAccessToken,`
			`delExpired,`
Logout users without 2FA when mandatory 2fa is enabled Fixes #803 2021-09-17 14:32:13 -07:00			`delByUserIdAndType,`
tokens: async'ify 2021-06-04 09:28:40 -07:00
			`listByUserId,`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`getByAccessToken,`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00
Validate token scopes 2022-09-23 12:57:13 +02:00			`hasScope,`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`isIpAllowedSync,`

Validate token scopes 2022-09-23 12:57:13 +02:00			`SCOPES: ['*']//, 'apps', 'domains'],`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`};`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`const TOKENS_FIELDS = [ 'id', 'accessToken', 'identifier', 'clientId', 'scopeJson', 'expires', 'name', 'lastUsedTime', 'allowedIpRanges' ].join(',');`
tokens: async'ify 2021-06-04 09:28:40 -07:00
use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`const assert = require('node:assert'),`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`BoxError = require('./boxerror.js'),`
use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`crypto = require('node:crypto'),`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`database = require('./database.js'),`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`hat = require('./hat.js'),`
replace ipaddr.js 2025-05-06 16:16:33 +02:00			`ipaddr = require('./ipaddr.js'),`
remove uuid module built into node.js now 2025-07-28 12:53:27 +02:00			`safe = require('safetydance');`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`const gParsedRangesCache = new Map(); // indexed by token.id`

Add token scopes 2022-09-22 21:58:56 +02:00			`function postProcess(result) {`
			`assert.strictEqual(typeof result, 'object');`

			`result.scope = safe.JSON.parse(result.scopeJson) \|\| {};`
Fixup some token tests and error handling 2022-09-24 17:29:42 +02:00			`delete result.scopeJson;`
Add token scopes 2022-09-22 21:58:56 +02:00
			`return result;`
			`}`

Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`function validateTokenName(name) {`
			`assert.strictEqual(typeof name, 'string');`

remove field from errors we have standardized on indexOf in error.message by now 2022-02-07 13:19:59 -08:00			`if (name.length > 64) return new BoxError(BoxError.BAD_FIELD, 'name too long');`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00
			`return null;`
			`}`

Add token scopes 2022-09-22 21:58:56 +02:00			`function validateScope(scope) {`
			`assert.strictEqual(typeof scope, 'object');`

			`for (const key in scope) {`
Fixup some token tests and error handling 2022-09-24 17:29:42 +02:00			if (exports.SCOPES.indexOf(key) === -1) return new BoxError(BoxError.BAD_FIELD, `Unkown token scope ${key}. Valid scopes are ${exports.SCOPES.join(',')}`);
			if (scope[key] !== 'rw' && scope[key] !== 'r') return new BoxError(BoxError.BAD_FIELD, `Unkown token scope value ${scope[key]} for ${key}. Valid values are 'rw' or 'r'`);
Add token scopes 2022-09-22 21:58:56 +02:00			`}`

			`return null;`
			`}`

Validate token scopes 2022-09-23 12:57:13 +02:00			`function hasScope(token, method, path) {`
			`assert.strictEqual(typeof token, 'object');`
			`assert.strictEqual(typeof method, 'string');`
			`assert.strictEqual(typeof path, 'string');`

			`// TODO path checking in the future`
			`const matchAll = token.scope['*'];`
			`if (matchAll === 'rw') {`
			`return true;`
			`} else if (matchAll === 'r' && (method === 'GET' \|\| method === 'HEAD' \|\| method === 'OPTIONS')) {`
			`return true;`
			`} else {`
			`return false;`
			`}`
			`}`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`function parseIpRanges(ipRanges) {`
			`assert.strictEqual(typeof ipRanges, 'string');`

			`if (ipRanges.length === 0) return ['0.0.0.0/0', '::/0'];`

			`const result = [];`
			`for (const line of ipRanges.split('\n')) {`
			`if (!line \|\| line.startsWith('#')) continue;`
			`// each line can have comma separated list. this complexity is because we changed the UI to take a line input instead of textarea`
			`for (const entry of line.split(',')) {`
			`const rangeOrIP = entry.trim();`
quote the value in error message 2025-09-08 18:59:47 +02:00			if (!ipaddr.isValid(rangeOrIP) && !ipaddr.isValidCIDR(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `'${rangeOrIP}' is not a valid IP or range`);
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`result.push(rangeOrIP);`
			`}`
			`}`

			`return result;`
			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function add(token) {`
			`assert.strictEqual(typeof token, 'object');`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`const { clientId, identifier, expires, allowedIpRanges } = token;`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const name = token.name \|\| '';`
Add token scopes 2022-09-22 21:58:56 +02:00			`const scope = token.scope \|\| { '*': 'rw' };`

			`let error = validateTokenName(name);`
			`if (error) throw error;`

			`error = validateScope(scope);`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`if (error) throw error;`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`parseIpRanges(allowedIpRanges); // validate`

remove uuid module built into node.js now 2025-07-28 12:53:27 +02:00			`const id = 'tid-' + crypto.randomUUID();`
oidc dashboard login 2023-06-02 20:47:36 +02:00			`const accessToken = token.accessToken \|\| hat(8 * 32);`
tokens: async'ify 2021-06-04 09:28:40 -07:00
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`await database.query('INSERT INTO tokens (id, accessToken, identifier, clientId, expires, scopeJson, name, allowedIpRanges) VALUES (?, ?, ?, ?, ?, ?, ?, ?)', [ id, accessToken, identifier, clientId, expires, JSON.stringify(scope), name, allowedIpRanges ]);`
tokens: async'ify 2021-06-04 09:28:40 -07:00
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`return { id, accessToken, scope, clientId, identifier, expires, name, allowedIpRanges };`
Remove Oauth clients code 2020-02-06 16:57:33 +01:00			`}`
Add tokens routes 2020-02-07 16:20:05 +01:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function get(id) {`
Add tokens routes 2020-02-07 16:20:05 +01:00			`assert.strictEqual(typeof id, 'string');`

tokens: async'ify 2021-06-04 09:28:40 -07:00			const result = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE id = ?`, [ id ]);
			`if (result.length === 0) return null;`
Add tokens routes 2020-02-07 16:20:05 +01:00
Add token scopes 2022-09-22 21:58:56 +02:00			`return postProcess(result[0]);`
Add tokens routes 2020-02-07 16:20:05 +01:00			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function del(id) {`
Add tokens routes 2020-02-07 16:20:05 +01:00			`assert.strictEqual(typeof id, 'string');`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`const result = await database.query('DELETE FROM tokens WHERE id = ?', [ id ]);`
			`if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');`
Add tokens routes 2020-02-07 16:20:05 +01:00			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function listByUserId(userId) {`
Add tokens routes 2020-02-07 16:20:05 +01:00			`assert.strictEqual(typeof userId, 'string');`

Add token scopes 2022-09-22 21:58:56 +02:00			const results = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE identifier = ?`, [ userId ]);
			`results.forEach(postProcess);`

			`return results;`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`}`

			`async function getByAccessToken(accessToken) {`
			`assert.strictEqual(typeof accessToken, 'string');`
Add tokens routes 2020-02-07 16:20:05 +01:00
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			const result = await database.query(`SELECT ${TOKENS_FIELDS} FROM tokens WHERE accessToken = ? AND expires > ?`, [ accessToken, Date.now() ]);
tokens: async'ify 2021-06-04 09:28:40 -07:00			`if (result.length === 0) return null;`
Add token scopes 2022-09-22 21:58:56 +02:00			`return postProcess(result[0]);`
Add tokens routes 2020-02-07 16:20:05 +01:00			`}`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function delByAccessToken(accessToken) {`
			`assert.strictEqual(typeof accessToken, 'string');`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const result = await database.query('DELETE FROM tokens WHERE accessToken = ?', [ accessToken ]);`
			`if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');`
			`}`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function delExpired() {`
			`const result = await database.query('DELETE FROM tokens WHERE expires <= ?', [ Date.now() ]);`
			`return result.affectedRows;`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`}`

Logout users without 2FA when mandatory 2fa is enabled Fixes #803 2021-09-17 14:32:13 -07:00			`async function delByUserIdAndType(userId, type) {`
			`assert.strictEqual(typeof userId, 'string');`
			`assert.strictEqual(typeof type, 'string');`

			`const result = await database.query('DELETE FROM tokens WHERE identifier=? AND clientId=?', [ userId, type ]);`
			`return result.affectedRows;`
			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function update(id, values) {`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`assert.strictEqual(typeof id, 'string');`
			`assert.strictEqual(typeof values, 'object');`

const 2025-02-02 11:45:48 +01:00			`const args = [ ];`
			`const fields = [ ];`
			`for (const k in values) {`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`fields.push(k + ' = ?');`
			`args.push(values[k]);`
			`}`
			`args.push(id);`

tokens: add ip restriction 2025-03-07 11:53:03 +01:00			const result = await database.query(`UPDATE tokens SET ${fields.join(', ')} WHERE id = ?`, args);
tokens: async'ify 2021-06-04 09:28:40 -07:00			`if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Token not found');`
			`}`
tokens: add ip restriction 2025-03-07 11:53:03 +01:00
			`function isIpAllowedSync(token, ip) {`
			`assert.strictEqual(typeof token, 'object');`
			`assert.strictEqual(typeof ip, 'string');`

			`let allowedIpRanges = gParsedRangesCache.get(token.id); // returns undefined if not found`
			`if (!allowedIpRanges) {`
			`allowedIpRanges = parseIpRanges(token.allowedIpRanges \|\| '');`
			`gParsedRangesCache.set(token.id, allowedIpRanges);`
			`}`

			`for (const ipOrRange of allowedIpRanges) {`
			`if (!ipOrRange.includes('/')) {`
replace ipaddr.js 2025-05-06 16:16:33 +02:00			`if (ipaddr.isEqual(ipOrRange, ip)) return true;`
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`} else {`
replace ipaddr.js 2025-05-06 16:16:33 +02:00			`if (ipaddr.includes(ipOrRange, ip)) return true;`
tokens: add ip restriction 2025-03-07 11:53:03 +01:00			`}`
			`}`

			`return false;`
			`}`