feat(provider): make client secret non mandatory for public clients

make client secret non mandatory for public clients GH-153
sourcefuse · Mar 31, 2023 · a996951 · a996951
1 parent 0e51de7
commit a996951
Show file tree

Hide file tree

Showing 6 changed files with 136 additions and 78 deletions.
diff --git a/src/error-keys.ts b/src/error-keys.ts
@@ -13,4 +13,5 @@ export const enum AuthErrorKeys {
   KeyInvalid = 'Key Invalid',
   OtpInvalid = 'Otp Invalid',
   OtpExpired = 'Otp Token Incorrect or Expired',
+  ConfidentialClientSecretMissing = 'Confidential Client Secret Missing',
 }
diff --git a/...strategies/passport/passport-client-password/client-password-strategy-factory-provider.ts b/...strategies/passport/passport-client-password/client-password-strategy-factory-provider.ts
@@ -1,6 +1,6 @@
 import {inject, Provider} from '@loopback/core';
 import {HttpErrors, Request} from '@loopback/rest';
-import * as ClientPasswordStrategy from 'passport-oauth2-client-password';
+import * as ClientPasswordStrategy from './client-password-strategy';
 
 import {AuthErrorKeys} from '../../../error-keys';
 import {IAuthClient} from '../../../types';
@@ -27,68 +27,56 @@ export class ClientPasswordStrategyFactoryProvider
       this.getClientPasswordVerifier(options, verifier);
   }
 
+  clientPasswordVerifierHelper(
+    client: IAuthClient | null,
+    clientSecret: string | undefined,
+  ) {
+    if (!client) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
+    } else if (!clientSecret) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientSecretMissing);
+    } else if (!client.clientSecret || client.clientSecret !== clientSecret) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientVerificationFailed);
+    } else {
+      // do nothing
+    }
+  }
+
   getClientPasswordVerifier(
     options?: ClientPasswordStrategy.StrategyOptionsWithRequestInterface,
     verifierPassed?: VerifyFunction.OauthClientPasswordFn,
   ): ClientPasswordStrategy.Strategy {
     const verifyFn = verifierPassed ?? this.verifier;
     if (options?.passReqToCallback) {
       return new ClientPasswordStrategy.Strategy(
-        options,
-
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
         async (
-          req: Request,
           clientId: string,
-          clientSecret: string,
-          cb: (err: Error | null, client?: IAuthClient | false) => void,
+          clientSecret: string | undefined,
+          cb: (err: Error | null, client?: IAuthClient | null) => void,
+          req: Request | undefined,
         ) => {
           try {
             const client = await verifyFn(clientId, clientSecret, req);
-            if (!client) {
-              throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
-            } else if (!clientSecret) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientSecretMissing,
-              );
-            } else if (
-              !client.clientSecret ||
-              client.clientSecret !== clientSecret
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientVerificationFailed,
-              );
-            }
+            this.clientPasswordVerifierHelper(client, clientSecret);
             cb(null, client);
           } catch (err) {
             cb(err);
           }
         },
+        options,
       );
     } else {
       return new ClientPasswordStrategy.Strategy(
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
         async (
           clientId: string,
-          clientSecret: string,
-          cb: (err: Error | null, client?: IAuthClient | false) => void,
+          clientSecret: string | undefined,
+          cb: (err: Error | null, client?: IAuthClient | null) => void,
         ) => {
           try {
             const client = await verifyFn(clientId, clientSecret);
-            if (!client) {
-              throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
-            } else if (!clientSecret) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientSecretMissing,
-              );
-            } else if (
-              !client.clientSecret ||
-              client.clientSecret !== clientSecret
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientVerificationFailed,
-              );
-            }
+            this.clientPasswordVerifierHelper(client, clientSecret);
             cb(null, client);
           } catch (err) {
             cb(err);

diff --git a/src/strategies/passport/passport-client-password/client-password-strategy.ts b/src/strategies/passport/passport-client-password/client-password-strategy.ts
@@ -0,0 +1,79 @@
+// Type definitions for passport-oauth2-client-password 0.1.2
+// Project: https://github.com/jaredhanson/passport-oauth2-client-password
+// Definitions by: Ivan Zubok <https://github.com/akaNightmare>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+// TypeScript Version: 2.3
+
+import * as passport from 'passport';
+import * as express from 'express';
+import {IAuthClient, IAuthSecureClient} from '../../../types';
+
+export interface StrategyOptionsWithRequestInterface {
+  passReqToCallback: boolean;
+}
+
+export interface VerifyFunctionWithRequest {
+  (
+    clientId: string,
+    clientSecret: string | undefined,
+    done: (
+      error: Error | null,
+      client?: IAuthSecureClient | IAuthClient | null,
+      info?: Object | undefined,
+    ) => void,
+    req?: express.Request,
+  ): void;
+}
+
+export class Strategy extends passport.Strategy {
+  constructor(
+    verify: VerifyFunctionWithRequest,
+    options?: StrategyOptionsWithRequestInterface,
+  ) {
+    super();
+    if (!verify)
+      throw new Error(
+        'OAuth 2.0 client password strategy requires a verify function',
+      );
+
+    this.verify = verify;
+    if (options) this.passReqToCallback = options.passReqToCallback;
+    this.name = 'oauth2-client-password';
+  }
+
+  private readonly verify: VerifyFunctionWithRequest;
+  private readonly passReqToCallback: boolean;
+  name: string;
+  authenticate(req: express.Request, options?: {}): void {
+    if (
+      /* eslint-disable @typescript-eslint/prefer-optional-chain */
+      !req.body ||
+      !req.body['client_id']
+    ) {
+      return this.fail();
+    }
+
+    const clientId = req.body['client_id'];
+    const clientSecret = req.body['client_secret'];
+
+    const verified = (
+      err: Error | null,
+      client: IAuthSecureClient | IAuthClient | null | undefined,
+      info: Object | undefined,
+    ) => {
+      if (err) {
+        return this.error(err);
+      }
+      if (!client) {
+        return this.fail();
+      }
+      this.success(client, info);
+    };
+
+    if (this.passReqToCallback) {
+      this.verify(clientId, clientSecret, verified, req);
+    } else {
+      this.verify(clientId, clientSecret, verified);
+    }
+  }
+}
diff --git a/src/strategies/passport/passport-client-password/index.ts b/src/strategies/passport/passport-client-password/index.ts
@@ -1,2 +1,3 @@
 export * from './client-password-verify.provider';
 export * from './client-password-strategy-factory-provider';
+export * from './client-password-strategy';
diff --git a/...ies/passport/passport-client-password/secure-client-password-strategy-factory-provider.ts b/...ies/passport/passport-client-password/secure-client-password-strategy-factory-provider.ts
@@ -3,7 +3,7 @@ import {HttpErrors, Request} from '@loopback/rest';
 import * as ClientPasswordStrategy from './client-password-strategy';
 
 import {AuthErrorKeys} from '../../../error-keys';
-import {ClientType, IAuthClient, IAuthSecureClient} from '../../../types';
+import {ClientType, IAuthSecureClient} from '../../../types';
 import {Strategies} from '../../keys';
 import {VerifyFunction} from '../../types';
 
@@ -27,6 +27,26 @@ export class SecureClientPasswordStrategyFactoryProvider
       this.getSecureClientPasswordVerifier(options, verifier);
   }
 
+  secureClientPasswordVerifierHelper(
+    client: IAuthSecureClient | null,
+    clientSecret: string | undefined,
+  ) {
+    if (!client) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
+    } else if (client.clientType !== ClientType.public && !clientSecret) {
+      throw new HttpErrors.Unauthorized(
+        AuthErrorKeys.ConfidentialClientSecretMissing,
+      );
+    } else if (
+      client.clientType !== ClientType.public &&
+      (!client.clientSecret || client.clientSecret !== clientSecret)
+    ) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientVerificationFailed);
+    } else {
+      // do nothing
+    }
+  }
+
   getSecureClientPasswordVerifier(
     options?: ClientPasswordStrategy.StrategyOptionsWithRequestInterface,
     verifierPassed?: VerifyFunction.OauthSecureClientPasswordFn,
@@ -38,31 +58,12 @@ export class SecureClientPasswordStrategyFactoryProvider
         async (
           clientId: string,
           clientSecret: string | undefined,
-          cb: (err: Error | null, client?: IAuthSecureClient | false) => void,
+          cb: (err: Error | null, client?: IAuthSecureClient | null) => void,
           req: Request | undefined,
         ) => {
           try {
             const client = await verifyFn(clientId, clientSecret, req);
-            if (!client) {
-              throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
-            } else if (
-              client.clientType !== ClientType.public &&
-              !clientSecret
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ConfidentialClientSecretMissing,
-              );
-            } else if (
-              (client.clientType !== ClientType.public &&
-                !client.clientSecret) ||
-              client.clientSecret !== clientSecret
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientVerificationFailed,
-              );
-            } else {
-              // do nothing
-            }
+            this.secureClientPasswordVerifierHelper(client, clientSecret);
 
             cb(null, client);
           } catch (err) {
@@ -77,30 +78,13 @@ export class SecureClientPasswordStrategyFactoryProvider
         async (
           clientId: string,
           clientSecret: string | undefined,
-          cb: (err: Error | null, client?: IAuthClient | false) => void,
+          cb: (err: Error | null, client?: IAuthSecureClient | null) => void,
         ) => {
           try {
             const client = await verifyFn(clientId, clientSecret);
 
-            if (!client) {
-              throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
-            } else if (
-              client.clientType !== ClientType.public &&
-              !clientSecret
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ConfidentialClientSecretMissing,
-              );
-            } else if (
-              client.clientType !== ClientType.public &&
-              (!client.clientSecret || client.clientSecret !== clientSecret)
-            ) {
-              throw new HttpErrors.Unauthorized(
-                AuthErrorKeys.ClientVerificationFailed,
-              );
-            } else {
-              // do nothing
-            }
+            this.secureClientPasswordVerifierHelper(client, clientSecret);
+
             cb(null, client);
           } catch (err) {
             cb(err);

diff --git a/src/types.ts b/src/types.ts
@@ -61,3 +61,8 @@ export interface AuthenticationConfig {
   useClientAuthenticationMiddleware?: boolean;
   useUserAuthenticationMiddleware?: boolean;
 }
+
+export enum ClientType {
+  public = 'public',
+  private = 'private',
+}