actual-budget-rest-api/src/routes/oauth2.js at main · ZoneMix/actual-budget-rest-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
/**
 * OAuth2 Authorization Server endpoints for n8n integration.
 *
 * Implements OAuth2 authorization code flow:
 * 1. GET /oauth/authorize - User authorizes client, receives authorization code
 * 2. POST /oauth/token - Client exchanges code for access token or refresh token for new tokens
 *
 * Supported grant types:
 * - authorization_code: Exchange authorization code for access and refresh tokens
 * - refresh_token: Exchange refresh token for new access and refresh tokens (token rotation)
 *
 * Note: This is simplified for internal n8n use - authorization is auto-approved
 * if the user is already logged in via session.
 */

import express from 'express';
import jwt from 'jsonwebtoken';
import { validateClient } from '../auth/oauth2/client.js';
import { generateAuthCode } from '../auth/oauth2/code.js';
import { validateAuthCode } from '../auth/oauth2/code.js';
import { issueTokens, isTokenRevoked, revokeToken } from '../auth/jwt.js';
import { getRow } from '../db/authDb.js';
import { JWT_REFRESH_SECRET } from '../config/index.js';
import { asyncHandler } from '../middleware/asyncHandler.js';
import { throwBadRequest, throwInternalError, throwUnauthorized } from '../middleware/responseHelpers.js';
import logger, { logAuthEvent } from '../logging/logger.js';

const router = express.Router();

/**
 * GET /oauth/authorize
 *
 * OAuth2 authorization endpoint. Validates client and redirect URI,
 * then generates and returns an authorization code.
 *
 * If user is not logged in via session, redirects to login page.
 * Otherwise, auto-approves and redirects back with authorization code.
 */
router.get('/authorize', asyncHandler(async (req, res) => {
  const { client_id, redirect_uri, scope = 'api', state, response_type = 'code' } = req.query;

  logger.debug('[OAuth2] Authorization request', {
    client_id,
    redirect_uri,
    scope,
    response_type,
    hasSession: !!req.session.user,
    userId: req.session.user?.id
  });

  // Validate OAuth2 parameters
  if (response_type !== 'code') {
    logger.warn('[OAuth2] Unsupported response_type', { response_type, client_id });
    throwBadRequest('Unsupported response_type');
  }

  if (!client_id || !redirect_uri) {
    logger.warn('[OAuth2] Missing parameters', { hasClientId: !!client_id, hasRedirectUri: !!redirect_uri });
    throwBadRequest('Missing parameters');
  }

  // Validate client_id format (alphanumeric, underscore, hyphen, max 255 chars)
  const CLIENT_ID_PATTERN = /^[a-zA-Z0-9_-]{1,255}$/;
  if (!CLIENT_ID_PATTERN.test(client_id)) {
    logger.warn('[OAuth2] Invalid client_id format', { client_id });
    throwBadRequest('Invalid client_id format');
  }

  // Verify client exists
  const client = await getRow('SELECT * FROM clients WHERE client_id = ?', [client_id]);
  if (!client) {
    logger.warn('[OAuth2] Client not found', { client_id });
    throwBadRequest('Invalid client_id');
  }

  // Verify redirect URI is allowed for this client
  if (!client.redirect_uris) {
    logger.warn('[OAuth2] Client has no redirect URIs', { client_id });
    throwBadRequest('Client has no configured redirect URIs');
  }
  const allowedUris = client.redirect_uris.split(',').map(uri => uri.trim()).filter(Boolean);
  if (!allowedUris.includes(redirect_uri)) {
    logger.warn('[OAuth2] Invalid redirect_uri', { client_id, redirect_uri, allowedUris });
    throwBadRequest('Invalid redirect_uri');
  }

  // Require user to be logged in via session
  if (!req.session.user) {
    logger.debug('[OAuth2] User not logged in, redirecting to login', { client_id });
    const params = new URLSearchParams({ ...req.query, return_to: req.originalUrl });
    return res.redirect(`/login?${params}`);
  }

  // Auto-approve and generate authorization code (simplified for internal use)
  // Store state in session for CSRF protection
  if (state) {
    req.session.oauth2_state = state;
  }

  const code = await generateAuthCode(client_id, req.session.user.id, redirect_uri, scope);

  logger.info('[OAuth2] Authorization code generated', {
    client_id,
    userId: req.session.user.id,
    redirect_uri,
    scope,
    hasState: !!state
  });

  // Build redirect URL with state parameter
  const redirectUrl = new URL(redirect_uri);
  redirectUrl.searchParams.set('code', code);
  if (state) {
    redirectUrl.searchParams.set('state', state);
  }

  res.redirect(redirectUrl.toString());
}));

/**
 * Extract client credentials from request.
 * Supports both:
 * 1. HTTP Basic Authentication (Authorization header) - OAuth2 recommended
 * 2. Request body parameters (client_id, client_secret)
 */
const extractClientCredentials = (req) => {
  // Method 1: Try Basic Auth header first (OAuth2 recommended)
  const authHeader = req.headers.authorization;
  if (authHeader && authHeader.startsWith('Basic ')) {
    try {
      const base64Credentials = authHeader.slice(6); // Remove 'Basic ' prefix
      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');
      const [clientId, clientSecret] = credentials.split(':', 2);

      if (clientId && clientSecret) {
        return { clientId, clientSecret };
      }
    } catch {
      // Invalid Basic Auth format, fall through to body method
    }
  }

  // Method 2: Fall back to request body
  const { client_id, client_secret } = req.body;
  if (client_id && client_secret) {
    return { clientId: client_id, clientSecret: client_secret };
  }

  return null;
};

/**
 * POST /oauth/token
 *
 * OAuth2 token endpoint. Supports two grant types:
 * 1. authorization_code: Exchanges authorization code for access token
 * 2. refresh_token: Exchanges refresh token for new access and refresh tokens
 *
 * Supports client credentials via:
 * - HTTP Basic Authentication (Authorization: Basic <base64(client_id:client_secret)>) - Recommended
 * - Request body (client_id, client_secret) - form-encoded or JSON
 */
router.post('/token', express.json(), express.urlencoded({ extended: true }), asyncHandler(async (req, res) => {
  const { grant_type, code, redirect_uri, refresh_token } = req.body;

  logger.debug('[OAuth2] Token exchange request', {
    grant_type,
    hasCode: !!code,
    hasRefreshToken: !!refresh_token,
    redirect_uri,
    hasBasicAuth: !!req.headers.authorization?.startsWith('Basic ')
  });

  // Support authorization_code and refresh_token grants
  if (grant_type !== 'authorization_code' && grant_type !== 'refresh_token') {
    logger.warn('[OAuth2] Unsupported grant_type', { grant_type });
    throwBadRequest('Unsupported grant_type');
  }

  // Extract client credentials (supports Basic Auth or body)
  // Note: OAuth2 spec allows optional client credentials for refresh_token grant,
  // but we require them for security
  const credentials = extractClientCredentials(req);
  if (!credentials) {
    logger.warn('[OAuth2] Missing client credentials');
    throwBadRequest('Client credentials required. Provide via Basic Auth header or request body (client_id, client_secret)');
  }

  const { clientId, clientSecret } = credentials;

  // Validate client credentials
  await validateClient(clientId, clientSecret);

  // Handle refresh_token grant type
  if (grant_type === 'refresh_token') {
    if (!refresh_token) {
      logger.warn('[OAuth2] Missing refresh_token');
      throwBadRequest('refresh_token is required for refresh_token grant type');
    }

    try {
      // Verify and decode the refresh token
      const decoded = jwt.verify(refresh_token, JWT_REFRESH_SECRET);

      // Check if token was revoked
      if (await isTokenRevoked(decoded.jti)) {
        logAuthEvent('REFRESH_FAILED', decoded.user_id, { reason: 'token_revoked', clientId }, false);
        throwUnauthorized('Refresh token revoked');
      }

      // Get user's current role and scopes from database
      const user = await getRow('SELECT username, role, scopes FROM users WHERE id = ?', [decoded.user_id]);
      if (!user) {
        logger.error('[OAuth2] User not found for refresh token', { userId: decoded.user_id, clientId });
        throwInternalError('User not found');
      }

      const role = user.role || decoded.role || 'user';
      const scopes = user.scopes || decoded.scope || 'api';

      // Issue new tokens (both access and refresh for token rotation)
      const tokens = await issueTokens(decoded.user_id, user.username, scopes, role);

      // Revoke the old refresh token for proper token rotation security
      await revokeToken(decoded.jti);

      logAuthEvent('TOKEN_REFRESHED', decoded.user_id, {
        username: user.username,
        role,
        clientId
      }, true);

      logger.info('[OAuth2] Tokens issued via refresh_token', {
        clientId,
        userId: decoded.user_id,
        username: user.username,
        scope: scopes
      });

      return res.json(tokens);
    } catch (err) {
      // Re-throw HTTP errors (like throwUnauthorized above)
      if (err.status) throw err;

      // Handle JWT verification errors
      logAuthEvent('REFRESH_FAILED', null, {
        reason: 'invalid_token',
        error: err.message,
        clientId
      }, false);
      throwUnauthorized('Invalid or expired refresh token');
    }
  }

  // Handle authorization_code grant type (existing logic)
  if (grant_type === 'authorization_code') {
    if (!code || !redirect_uri) {
      logger.warn('[OAuth2] Missing code or redirect_uri for authorization_code grant');
      throwBadRequest('code and redirect_uri are required for authorization_code grant type');
    }

    // Validate and exchange authorization code
    const { userId, scope } = await validateAuthCode(code, clientId, redirect_uri);

    logger.debug('[OAuth2] Authorization code validated', { clientId, userId, scope });

    // Get user details for token issuance
    const user = await getRow('SELECT username FROM users WHERE id = ?', [userId]);
    if (!user) {
      logger.error('[OAuth2] User not found after code validation', { userId, clientId });
      throwInternalError('User not found');
    }

    // Issue JWT tokens
    const tokens = await issueTokens(userId, user.username, scope);

    logger.info('[OAuth2] Tokens issued via authorization code', {
      clientId,
      userId,
      username: user.username,
      scope
    });

    return res.json(tokens);
  }
}));

export default router;