-
Notifications
You must be signed in to change notification settings - Fork 352
/
Copy pathauth.js
403 lines (365 loc) · 13.5 KB
/
auth.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
import {
getTokenExpiresAtDate,
isBrowserEnv,
createBrowserSafeString,
OAuth2AuthorizationUrl,
OAuth2TokenUrl,
isWorkerEnv,
} from './utils.js';
import { parseResponse } from './response.js';
let fetch;
let crypto;
let Encoder;
// Expiration is 300 seconds but needs to be in milliseconds for Date object
const TokenExpirationBuffer = 300 * 1000;
const PKCELength = 128;
const TokenAccessTypes = ['legacy', 'offline', 'online'];
const GrantTypes = ['code', 'token'];
const IncludeGrantedScopes = ['none', 'user', 'team'];
/**
* @class DropboxAuth
* @classdesc The DropboxAuth class that provides methods to manage, acquire, and refresh tokens.
* @arg {Object} options
* @arg {Function} [options.fetch] - fetch library for making requests.
* @arg {String} [options.accessToken] - An access token for making authenticated
* requests.
* @arg {Date} [options.AccessTokenExpiresAt] - Date of the current access token's
* expiration (if available)
* @arg {String} [options.refreshToken] - A refresh token for retrieving access tokens
* @arg {String} [options.clientId] - The client id for your app. Used to create
* authentication URL.
* @arg {String} [options.clientSecret] - The client secret for your app. Used to create
* authentication URL and refresh access tokens.
* @arg {String} [options.domain] - A custom domain to use when making api requests. This
* should only be used for testing as scaffolding to avoid making network requests.
* @arg {String} [options.domainDelimiter] - A custom delimiter to use when separating domain from
* subdomain. This should only be used for testing as scaffolding.
* @arg {Object} [options.customHeaders] - An object (in the form of header: value) designed to set
* custom headers to use during a request.
* @arg {Boolean} [options.dataOnBody] - Whether request data is sent on body or as URL params.
* Defaults to false.
*/
export default class DropboxAuth {
constructor(options) {
options = options || {};
if (isBrowserEnv()) {
fetch = window.fetch.bind(window);
crypto = window.crypto || window.msCrypto; // for IE11
} else if (isWorkerEnv()) {
/* eslint-disable no-restricted-globals */
fetch = self.fetch.bind(self);
crypto = self.crypto;
/* eslint-enable no-restricted-globals */
} else {
fetch = require('node-fetch'); // eslint-disable-line global-require
crypto = require('crypto'); // eslint-disable-line global-require
}
if (typeof TextEncoder === 'undefined') {
Encoder = require('util').TextEncoder; // eslint-disable-line global-require
} else {
Encoder = TextEncoder;
}
this.fetch = options.fetch || fetch;
this.accessToken = options.accessToken;
this.accessTokenExpiresAt = options.accessTokenExpiresAt;
this.refreshToken = options.refreshToken;
this.clientId = options.clientId;
this.clientSecret = options.clientSecret;
this.domain = options.domain;
this.domainDelimiter = options.domainDelimiter;
this.customHeaders = options.customHeaders;
this.dataOnBody = options.dataOnBody;
}
/**
* Set the access token used to authenticate requests to the API.
* @arg {String} accessToken - An access token
* @returns {undefined}
*/
setAccessToken(accessToken) {
this.accessToken = accessToken;
}
/**
* Get the access token
* @returns {String} Access token
*/
getAccessToken() {
return this.accessToken;
}
/**
* Set the client id, which is used to help gain an access token.
* @arg {String} clientId - Your apps client id
* @returns {undefined}
*/
setClientId(clientId) {
this.clientId = clientId;
}
/**
* Get the client id
* @returns {String} Client id
*/
getClientId() {
return this.clientId;
}
/**
* Set the client secret
* @arg {String} clientSecret - Your app's client secret
* @returns {undefined}
*/
setClientSecret(clientSecret) {
this.clientSecret = clientSecret;
}
/**
* Get the client secret
* @returns {String} Client secret
*/
getClientSecret() {
return this.clientSecret;
}
/**
* Gets the refresh token
* @returns {String} Refresh token
*/
getRefreshToken() {
return this.refreshToken;
}
/**
* Sets the refresh token
* @param refreshToken - A refresh token
*/
setRefreshToken(refreshToken) {
this.refreshToken = refreshToken;
}
/**
* Gets the access token's expiration date
* @returns {Date} date of token expiration
*/
getAccessTokenExpiresAt() {
return this.accessTokenExpiresAt;
}
/**
* Sets the access token's expiration date
* @param accessTokenExpiresAt - new expiration date
*/
setAccessTokenExpiresAt(accessTokenExpiresAt) {
this.accessTokenExpiresAt = accessTokenExpiresAt;
}
/**
* Sets the code verifier for PKCE flow
* @param {String} codeVerifier - new code verifier
*/
setCodeVerifier(codeVerifier) {
this.codeVerifier = codeVerifier;
}
/**
* Gets the code verifier for PKCE flow
* @returns {String} - code verifier for PKCE
*/
getCodeVerifier() {
return this.codeVerifier;
}
generateCodeChallenge() {
const encoder = new Encoder();
const codeData = encoder.encode(this.codeVerifier);
let codeChallenge;
if (isBrowserEnv() || isWorkerEnv()) {
return crypto.subtle.digest('SHA-256', codeData)
.then((digestedHash) => {
const base64String = btoa(String.fromCharCode.apply(null, new Uint8Array(digestedHash)));
codeChallenge = createBrowserSafeString(base64String).substr(0, 128);
this.codeChallenge = codeChallenge;
});
}
const digestedHash = crypto.createHash('sha256').update(codeData).digest();
codeChallenge = createBrowserSafeString(digestedHash);
this.codeChallenge = codeChallenge;
return Promise.resolve();
}
generatePKCECodes() {
let codeVerifier;
if (isBrowserEnv() || isWorkerEnv()) {
const array = new Uint8Array(PKCELength);
const randomValueArray = crypto.getRandomValues(array);
const base64String = btoa(randomValueArray);
codeVerifier = createBrowserSafeString(base64String).substr(0, 128);
} else {
const randomBytes = crypto.randomBytes(PKCELength);
codeVerifier = createBrowserSafeString(randomBytes).substr(0, 128);
}
this.codeVerifier = codeVerifier;
return this.generateCodeChallenge();
}
/**
* Get a URL that can be used to authenticate users for the Dropbox API.
* @arg {String} redirectUri - A URL to redirect the user to after
* authenticating. This must be added to your app through the admin interface.
* @arg {String} [state] - State that will be returned in the redirect URL to help
* prevent cross site scripting attacks.
* @arg {String} [authType] - auth type, defaults to 'token', other option is 'code'
* @arg {String} [tokenAccessType] - type of token to request. From the following:
* null - creates a token with the app default (either legacy or online)
* legacy - creates one long-lived token with no expiration
* online - create one short-lived token with an expiration
* offline - create one short-lived token with an expiration with a refresh token
* @arg {Array<String>} [scope] - scopes to request for the grant
* @arg {String} [includeGrantedScopes] - whether or not to include previously granted scopes.
* From the following:
* user - include user scopes in the grant
* team - include team scopes in the grant
* Note: if this user has never linked the app, include_granted_scopes must be None
* @arg {boolean} [usePKCE] - Whether or not to use Sha256 based PKCE. PKCE should be only use
* on client apps which doesn't call your server. It is less secure than non-PKCE flow but
* can be used if you are unable to safely retrieve your app secret
* @returns {Promise<String>} - Url to send user to for Dropbox API authentication
* returned in a promise
*/
getAuthenticationUrl(redirectUri, state, authType = 'token', tokenAccessType = null, scope = null, includeGrantedScopes = 'none', usePKCE = false) {
const clientId = this.getClientId();
const baseUrl = OAuth2AuthorizationUrl(this.domain);
if (!clientId) {
throw new Error('A client id is required. You can set the client id using .setClientId().');
}
if (authType !== 'code' && !redirectUri) {
throw new Error('A redirect uri is required.');
}
if (!GrantTypes.includes(authType)) {
throw new Error('Authorization type must be code or token');
}
if (tokenAccessType && !TokenAccessTypes.includes(tokenAccessType)) {
throw new Error('Token Access Type must be legacy, offline, or online');
}
if (scope && !(scope instanceof Array)) {
throw new Error('Scope must be an array of strings');
}
if (!IncludeGrantedScopes.includes(includeGrantedScopes)) {
throw new Error('includeGrantedScopes must be none, user, or team');
}
let authUrl;
if (authType === 'code') {
authUrl = `${baseUrl}?response_type=code&client_id=${clientId}`;
} else {
authUrl = `${baseUrl}?response_type=token&client_id=${clientId}`;
}
if (redirectUri) {
authUrl += `&redirect_uri=${redirectUri}`;
}
if (state) {
authUrl += `&state=${state}`;
}
if (tokenAccessType) {
authUrl += `&token_access_type=${tokenAccessType}`;
}
if (scope) {
authUrl += `&scope=${scope.join(' ')}`;
}
if (includeGrantedScopes !== 'none') {
authUrl += `&include_granted_scopes=${includeGrantedScopes}`;
}
if (usePKCE) {
return this.generatePKCECodes()
.then(() => {
authUrl += '&code_challenge_method=S256';
authUrl += `&code_challenge=${this.codeChallenge}`;
return authUrl;
});
}
return Promise.resolve(authUrl);
}
/**
* Get an OAuth2 access token from an OAuth2 Code.
* @arg {String} redirectUri - A URL to redirect the user to after
* authenticating. This must be added to your app through the admin interface.
* @arg {String} code - An OAuth2 code.
* @returns {Object} An object containing the token and related info (if applicable)
*/
getAccessTokenFromCode(redirectUri, code) {
const clientId = this.getClientId();
const clientSecret = this.getClientSecret();
if (!clientId) {
throw new Error('A client id is required. You can set the client id using .setClientId().');
}
let path = OAuth2TokenUrl(this.domain, this.domainDelimiter);
path += '?grant_type=authorization_code';
path += `&code=${code}`;
path += `&client_id=${clientId}`;
if (clientSecret) {
path += `&client_secret=${clientSecret}`;
} else {
if (!this.codeVerifier) {
throw new Error('You must use PKCE when generating the authorization URL to not include a client secret');
}
path += `&code_verifier=${this.codeVerifier}`;
}
if (redirectUri) {
path += `&redirect_uri=${redirectUri}`;
}
const fetchOptions = {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
};
return this.fetch(path, fetchOptions)
.then((res) => parseResponse(res));
}
/**
* Checks if a token is needed, can be refreshed and if the token is expired.
* If so, attempts to refresh access token
* @returns {Promise<*>}
*/
checkAndRefreshAccessToken() {
const canRefresh = this.getRefreshToken() && this.getClientId();
const needsRefresh = !this.getAccessTokenExpiresAt()
|| (new Date(Date.now() + TokenExpirationBuffer)) >= this.getAccessTokenExpiresAt();
const needsToken = !this.getAccessToken();
if ((needsRefresh || needsToken) && canRefresh) {
return this.refreshAccessToken();
}
return Promise.resolve();
}
/**
* Refreshes the access token using the refresh token, if available
* @arg {Array<String>} scope - a subset of scopes from the original
* refresh to acquire with an access token
* @returns {Promise<*>}
*/
refreshAccessToken(scope = null) {
const clientId = this.getClientId();
const clientSecret = this.getClientSecret();
if (!clientId) {
throw new Error('A client id is required. You can set the client id using .setClientId().');
}
if (scope && !(scope instanceof Array)) {
throw new Error('Scope must be an array of strings');
}
let refreshUrl = OAuth2TokenUrl(this.domain, this.domainDelimiter);
const fetchOptions = {
headers: { 'Content-Type': 'application/json' },
method: 'POST',
};
if (this.dataOnBody) {
const body = { grant_type: 'refresh_token', client_id: clientId, refresh_token: this.getRefreshToken() };
if (clientSecret) {
body.client_secret = clientSecret;
}
if (scope) {
body.scope = scope.join(' ');
}
fetchOptions.body = body;
} else {
refreshUrl += `?grant_type=refresh_token&refresh_token=${this.getRefreshToken()}`;
refreshUrl += `&client_id=${clientId}`;
if (clientSecret) {
refreshUrl += `&client_secret=${clientSecret}`;
}
if (scope) {
refreshUrl += `&scope=${scope.join(' ')}`;
}
}
return this.fetch(refreshUrl, fetchOptions)
.then((res) => parseResponse(res))
.then((res) => {
this.setAccessToken(res.result.access_token);
this.setAccessTokenExpiresAt(getTokenExpiresAtDate(res.result.expires_in));
});
}
}