feat(api): Authenticate token endpoint via payload optionally

Linkvalue-Interne · Jan 9, 2019 · aee7c4a · aee7c4a
1 parent 31d79d5
commit aee7c4a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 18 deletions.
diff --git a/packages/api/src/oauth/routes/post-token.js b/packages/api/src/oauth/routes/post-token.js
@@ -103,34 +103,38 @@ module.exports = {
   method: 'POST',
   path: '/oauth/token',
   config: {
-    auth: 'application',
+    auth: {
+      strategy: 'application',
+      mode: 'optional',
+    },
     validate: {
       payload: Joi.object({
         grant_type: Joi.string().valid(grantTypes).required(),
-        username: Joi.any().when('grant_type', {
-          is: 'password',
-          then: Joi.string().required(),
-          else: Joi.any().forbidden(),
-        }),
-        password: Joi.any().when('grant_type', {
-          is: 'password',
-          then: Joi.string().required(),
-          else: Joi.any().forbidden(),
-        }),
+        client_id: Joi.string(),
+        client_secret: Joi.string(),
+        username: Joi.any().when('grant_type', { is: 'password', then: Joi.string().required() }),
+        password: Joi.any().when('grant_type', { is: 'password', then: Joi.string().required() }),
         refresh_token: Joi.alternatives().when('grant_type', { is: 'refresh_token', then: Joi.string().required() }),
-        code: Joi.alternatives().when('grant_type', { is: 'authorization_code', then: Joi.string().required() }),
-        redirect_uri: Joi.alternatives().when('grant_type', {
-          is: 'authorization_code',
-          then: Joi.string().required(),
-        }),
+        code: Joi.any().when('grant_type', { is: 'authorization_code', then: Joi.string().required() }),
+        redirect_uri: Joi.any().when('grant_type', { is: 'authorization_code', then: Joi.string().required() }),
         scope: Joi.array().items(Joi.string().valid(validScopes))
           .when('grant_type', { is: 'refresh_token', then: Joi.optional() })
           .when('grant_type', { is: 'password', then: Joi.optional() }),
       }),
     },
   },
   async handler(req, h) {
-    const app = req.auth.credentials;
+    let app = req.auth.credentials;
+    if (!app) {
+      const { client_id: appId, client_secret: appSecret } = req.payload;
+      if (!appId || !appSecret) {
+        throw Boom.badRequest('missing_credentials');
+      }
+      app = await req.server.plugins.apps.models.Application.findOne({ appId, appSecret });
+      if (!app) {
+        throw Boom.unauthorized('invalid_credentials');
+      }
+    }
 
     let tokens;
     switch (req.payload.grant_type) {

diff --git a/webpack.config.js b/webpack.config.js
@@ -63,7 +63,7 @@ module.exports = {
     overlay: true,
     progress: true,
     proxy: [{
-      context: ['/oauth', '/users', '/login', '/forgot-password', '/reset-password', '/old', '/mdl'],
+      context: ['/oauth', '/users', '/login', '/forgot-password', '/reset-password', '/old', '/mdl', '/apps'],
       target: 'http://localhost:8000',
     }],
   },