src/oauthproxy.js

'use strict';

exports = module.exports = {
    start: start,
    stop: stop
};

var appdb = require('./appdb.js'),
    assert = require('assert'),
    clientdb = require('./clientdb.js'),
    config = require('./config.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:proxy'),
    express = require('express'),
    http = require('http'),
    proxy = require('proxy-middleware'),
    session = require('cookie-session'),
    superagent = require('superagent'),
    tokendb = require('./tokendb.js'),
    url = require('url'),
    uuid = require('node-uuid');

var gSessions = {};
var gProxyMiddlewareCache = {};
var gHttpServer = null;

var CALLBACK_URI = '/callback';

function clearSession(req) {
    delete gSessions[req.session.id];

    req.session.id = uuid.v4();
    gSessions[req.session.id] = {};

    req.sessionData = gSessions[req.session.id];

}

function attachSessionData(req, res, next) {
    assert.strictEqual(typeof req.session, 'object');

    if (!req.session.id || !gSessions[req.session.id]) clearSession(req);

    // attach the session data to the requeset
    req.sessionData = gSessions[req.session.id];

    next();
}

function verifySession(req, res, next) {
    assert.strictEqual(typeof req.sessionData, 'object');

    if (!req.sessionData.accessToken) {
        req.authenticated = false;
        return next();
    }

    tokendb.get(req.sessionData.accessToken, function (error, token) {
        if (error)  {
            if (error.reason !== DatabaseError.NOT_FOUND) console.error(error);
            clearSession(req);
            req.authenticated = false;
        } else {
            req.authenticated = true;
        }

        next();
    });
}

function authenticate(req, res, next) {
    // proceed if we are authenticated
    if (req.authenticated) return next();

    if (req.path === CALLBACK_URI && req.sessionData.returnTo) {
        // exchange auth code for an access token
        var query = {
            response_type: 'token',
            client_id: req.sessionData.clientId
        };

        var data = {
            grant_type: 'authorization_code',
            code: req.query.code,
            redirect_uri: req.sessionData.returnTo,
            client_id: req.sessionData.clientId,
            client_secret: req.sessionData.clientSecret
        };

        // use http admin origin so that it works with self-signed certs
        superagent
            .post(config.internalAdminOrigin() + '/api/v1/oauth/token')
            .query(query).send(data)
            .end(function (error, result) {
            if (error && !error.response) {
                console.error(error);
                return res.send(500, 'Unable to contact the oauth server.');
            }
            if (result.statusCode !== 200) {
                console.error('Failed to exchange auth code for a token.', result.statusCode, result.body);
                return res.send(500, 'Failed to exchange auth code for a token.');
            }

            req.sessionData.accessToken = result.body.access_token;

            debug('user verified.');

            // now redirect to the actual initially requested URL
            res.redirect(req.sessionData.returnTo);
        });
    } else {
        var port = parseInt(req.headers['x-cloudron-proxy-port'], 10);

        if (!Number.isFinite(port)) {
            console.error('Failed to parse nginx proxy header to get app port.');
            return res.send(500, 'Routing error. No forwarded port.');
        }

        debug('begin verifying user for app on port %s.', port);

        appdb.getByHttpPort(port, function (error, result) {
            if (error) {
                console.error('Unknown app.', error);
                return res.send(500, 'Unknown app.');
            }

            clientdb.getByAppIdAndType(result.id, clientdb.TYPE_PROXY, function (error, result) {
                if (error) {
                    console.error('Unknown OAuth client.', error);
                    return res.send(500, 'Unknown OAuth client.');
                }

                req.sessionData.port = port;
                req.sessionData.returnTo = result.redirectURI + req.path;
                req.sessionData.clientId = result.id;
                req.sessionData.clientSecret = result.clientSecret;

                var callbackUrl = result.redirectURI + CALLBACK_URI;
                var scope = 'profile';
                var oauthLogin = config.adminOrigin() + '/api/v1/oauth/dialog/authorize?response_type=code&client_id=' + result.id + '&redirect_uri=' + callbackUrl + '&scope=' + scope;

                debug('begin OAuth flow for client %s.', result.name);

                // begin the OAuth flow
                res.redirect(oauthLogin);
            });
        });
    }
}

function forwardRequestToApp(req, res, next) {
    var port = req.sessionData.port;

    debug('proxy request for port %s with path %s.', port, req.path);

    var proxyMiddleware = gProxyMiddlewareCache[port];
    if (!proxyMiddleware) {
        console.log('Adding proxy middleware for port %d', port);

        proxyMiddleware = proxy(url.parse('http://127.0.0.1:' + port));
        gProxyMiddlewareCache[port] = proxyMiddleware;
    }

    proxyMiddleware(req, res, next);
}

function initializeServer() {
    var app = express();
    var httpServer = http.createServer(app);

    httpServer.on('error', console.error);

    app
        .use(session({ keys: ['blue', 'cheese', 'is', 'something'] }))
        .use(attachSessionData)
        .use(verifySession)
        .use(authenticate)
        .use(forwardRequestToApp);

    return httpServer;
}

function start(callback) {
    assert.strictEqual(typeof callback, 'function');

    gHttpServer = initializeServer();

    gHttpServer.listen(config.get('oauthProxyPort'), callback);
}

function stop(callback) {
    assert.strictEqual(typeof callback, 'function');

    gHttpServer.close(callback);
}
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`'use strict';`

merge oauthproxy server into box server 2015-09-14 11:57:33 -07:00			`exports = module.exports = {`
			`start: start,`
			`stop: stop`
			`};`

fix require paths 2015-09-14 13:00:03 -07:00			`var appdb = require('./appdb.js'),`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`assert = require('assert'),`
fix require paths 2015-09-14 13:00:03 -07:00			`clientdb = require('./clientdb.js'),`
			`config = require('./config.js'),`
Avoid network request for access token verification in oauth proxy 2015-10-21 16:05:11 +02:00			`DatabaseError = require('./databaseerror.js'),`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`debug = require('debug')('box:proxy'),`
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`express = require('express'),`
			`http = require('http'),`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`proxy = require('proxy-middleware'),`
			`session = require('cookie-session'),`
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`superagent = require('superagent'),`
Avoid network request for access token verification in oauth proxy 2015-10-21 16:05:11 +02:00			`tokendb = require('./tokendb.js'),`
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`url = require('url'),`
			`uuid = require('node-uuid');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
			`var gSessions = {};`
			`var gProxyMiddlewareCache = {};`
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`var gHttpServer = null;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
			`var CALLBACK_URI = '/callback';`

Avoid network request for access token verification in oauth proxy 2015-10-21 16:05:11 +02:00			`function clearSession(req) {`
			`delete gSessions[req.session.id];`

			`req.session.id = uuid.v4();`
			`gSessions[req.session.id] = {};`

			`req.sessionData = gSessions[req.session.id];`

			`}`

oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`function attachSessionData(req, res, next) {`
			`assert.strictEqual(typeof req.session, 'object');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Avoid network request for access token verification in oauth proxy 2015-10-21 16:05:11 +02:00			`if (!req.session.id \|\| !gSessions[req.session.id]) clearSession(req);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`// attach the session data to the requeset`
			`req.sessionData = gSessions[req.session.id];`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`next();`
			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`function verifySession(req, res, next) {`
			`assert.strictEqual(typeof req.sessionData, 'object');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`if (!req.sessionData.accessToken) {`
			`req.authenticated = false;`
			`return next();`
			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Avoid network request for access token verification in oauth proxy 2015-10-21 16:05:11 +02:00			`tokendb.get(req.sessionData.accessToken, function (error, token) {`
			`if (error) {`
			`if (error.reason !== DatabaseError.NOT_FOUND) console.error(error);`
			`clearSession(req);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`req.authenticated = false;`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`} else {`
			`req.authenticated = true;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`next();`
			`});`
			`}`

			`function authenticate(req, res, next) {`
			`// proceed if we are authenticated`
			`if (req.authenticated) return next();`

			`if (req.path === CALLBACK_URI && req.sessionData.returnTo) {`
			`// exchange auth code for an access token`
			`var query = {`
			`response_type: 'token',`
			`client_id: req.sessionData.clientId`
			`};`

			`var data = {`
			`grant_type: 'authorization_code',`
			`code: req.query.code,`
			`redirect_uri: req.sessionData.returnTo,`
			`client_id: req.sessionData.clientId,`
			`client_secret: req.sessionData.clientSecret`
			`};`

Do not set process.env.NODE_TLS_REJECT_UNAUTHORIZED Doing so will affect all https requests which is dangerous. We have these options to solve this: 1. Use superagent.ca(). Appstore already provides wildcard certs for dev, staging signed with appstore_ca. But we then need to send across the appstore_ca cert across in the provision call. This is a bit of work. 2. Convert superagent into https.request calls and use the rejectUnauthorized option. 3. Simply use http. This is what is done in this commit. Fixes #488 2015-09-16 10:13:11 -07:00			`// use http admin origin so that it works with self-signed certs`
			`superagent`
			`.post(config.internalAdminOrigin() + '/api/v1/oauth/token')`
			`.query(query).send(data)`
			`.end(function (error, result) {`
update superagent the latest superchanged changed the meaning of 'error'. Previously, error implied a network error. With the latest superagent, error means a REST api error i.e 4xx, 5xx are flagged as errors. error && !error.response means network error 2015-12-15 09:12:52 -08:00			`if (error && !error.response) {`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`console.error(error);`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`return res.send(500, 'Unable to contact the oauth server.');`
			`}`
			`if (result.statusCode !== 200) {`
			`console.error('Failed to exchange auth code for a token.', result.statusCode, result.body);`
			`return res.send(500, 'Failed to exchange auth code for a token.');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`req.sessionData.accessToken = result.body.access_token;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`debug('user verified.');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`// now redirect to the actual initially requested URL`
			`res.redirect(req.sessionData.returnTo);`
			`});`
			`} else {`
			`var port = parseInt(req.headers['x-cloudron-proxy-port'], 10);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`if (!Number.isFinite(port)) {`
			`console.error('Failed to parse nginx proxy header to get app port.');`
			`return res.send(500, 'Routing error. No forwarded port.');`
			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`debug('begin verifying user for app on port %s.', port);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`appdb.getByHttpPort(port, function (error, result) {`
			`if (error) {`
			`console.error('Unknown app.', error);`
			`return res.send(500, 'Unknown app.');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

getByAppIdAndType 2015-10-19 08:57:41 -07:00			`clientdb.getByAppIdAndType(result.id, clientdb.TYPE_PROXY, function (error, result) {`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`if (error) {`
fix typo 2016-02-09 18:53:14 -08:00			`console.error('Unknown OAuth client.', error);`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`return res.send(500, 'Unknown OAuth client.');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`req.sessionData.port = port;`
			`req.sessionData.returnTo = result.redirectURI + req.path;`
			`req.sessionData.clientId = result.id;`
			`req.sessionData.clientSecret = result.clientSecret;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`var callbackUrl = result.redirectURI + CALLBACK_URI;`
roleUser is gone as well 2015-10-15 12:50:48 +02:00			`var scope = 'profile';`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`var oauthLogin = config.adminOrigin() + '/api/v1/oauth/dialog/authorize?response_type=code&client_id=' + result.id + '&redirect_uri=' + callbackUrl + '&scope=' + scope;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`debug('begin OAuth flow for client %s.', result.name);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`// begin the OAuth flow`
			`res.redirect(oauthLogin);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`});`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`});`
			`}`
			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`function forwardRequestToApp(req, res, next) {`
			`var port = req.sessionData.port;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`debug('proxy request for port %s with path %s.', port, req.path);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`var proxyMiddleware = gProxyMiddlewareCache[port];`
			`if (!proxyMiddleware) {`
			`console.log('Adding proxy middleware for port %d', port);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`proxyMiddleware = proxy(url.parse('http://127.0.0.1:' + port));`
			`gProxyMiddlewareCache[port] = proxyMiddleware;`
			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`proxyMiddleware(req, res, next);`
			`}`

refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`function initializeServer() {`
			`var app = express();`
			`var httpServer = http.createServer(app);`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`httpServer.on('error', console.error);`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`app`
oauthproxy: refactor for readability 2015-09-14 11:22:28 -07:00			`.use(session({ keys: ['blue', 'cheese', 'is', 'something'] }))`
			`.use(attachSessionData)`
			`.use(verifySession)`
			`.use(authenticate)`
			`.use(forwardRequestToApp);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`return httpServer;`
			`}`

Get oauth proxy port from the configs 2015-09-16 10:01:31 -07:00			`function start(callback) {`
refactor code to prepare for merge into box server 2015-09-14 11:28:49 -07:00			`assert.strictEqual(typeof callback, 'function');`

			`gHttpServer = initializeServer();`

Get oauth proxy port from the configs 2015-09-16 10:01:31 -07:00			`gHttpServer.listen(config.get('oauthProxyPort'), callback);`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

merge oauthproxy server into box server 2015-09-14 11:57:33 -07:00			`function stop(callback) {`
			`assert.strictEqual(typeof callback, 'function');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
merge oauthproxy server into box server 2015-09-14 11:57:33 -07:00			`gHttpServer.close(callback);`
			`}`