feat: globalping_client_credentials grant (#7)

.eslintrc

@@ -13,6 +13,11 @@
 			"extends": "@martin-kolarik/eslint-config/typescript-type-checking",
 			"parserOptions": {
 				"project": true
+			},
+			"rules": {
+				"@typescript-eslint/consistent-type-imports": ["error", {
+					"prefer": "no-type-imports"
+				}]
 			}
 		},
 		{

seeds/test/index.ts

@@ -13,7 +13,7 @@ export const clients = [
 		name: 'App One',
 		secrets: '[]',
 		redirect_urls: JSON.stringify([ 'https://example.com/one/callback' ]),
-		grants: JSON.stringify([ 'authorization_code', 'refresh_token', 'client_credentials' ]),
+		grants: JSON.stringify([ 'authorization_code', 'refresh_token', 'globalping_client_credentials' ]),
 	},
 	{
 		id: 'b2a50a7e-6dc5-423d-864e-173ea690992e',
@@ -31,7 +31,7 @@ export const clients = [
 		name: 'Slack App',
 		secrets: '["OSMOYY6tV16Kc0l+BB5ml4eKXFf4JaqARFMCdudKU98="]',
 		redirect_urls: JSON.stringify([ 'https://example.com/three/callback' ]),
-		grants: JSON.stringify([ 'client_credentials' ]),
+		grants: JSON.stringify([ 'globalping_client_credentials', 'refresh_token' ]),
 	},
 ];
 

src/lib/http/middleware/authenticate.ts

@@ -1,7 +1,7 @@
 import config from 'config';
 import { jwtVerify } from 'jose';
 
-import type { ExtendedMiddleware } from '../../../types.js';
+import { ExtendedMiddleware } from '../../../types.js';
 
 const sessionConfig = config.get<AuthenticateOptions['session']>('server.session');
 

src/lib/http/middleware/cors.ts

@@ -1,4 +1,4 @@
-import type { Context, Next } from 'koa';
+import { Context, Next } from 'koa';
 
 export const corsHandler = () => async (ctx: Context, next: Next) => {
 	ctx.set('Access-Control-Allow-Origin', '*');

src/lib/http/middleware/default-json.ts

@@ -1,4 +1,4 @@
-import type { ExtendedMiddleware } from '../../../types.js';
+import { ExtendedMiddleware } from '../../../types.js';
 import createHttpError from 'http-errors';
 import _ from 'lodash';
 

src/lib/http/middleware/error-handler.ts

@@ -1,7 +1,7 @@
 import createHttpError from 'http-errors';
 import newrelic from 'newrelic';
 import { scopedLogger } from '../../logger.js';
-import type { ExtendedMiddleware } from '../../../types.js';
+import { ExtendedMiddleware } from '../../../types.js';
 
 const logger = scopedLogger('error-handler-mw');
 

src/lib/http/middleware/validate.ts

@@ -1,5 +1,5 @@
-import type { Schema } from 'joi';
-import type { ExtendedMiddleware } from '../../../types.js';
+import { Schema } from 'joi';
+import { ExtendedMiddleware } from '../../../types.js';
 import _ from 'lodash';
 
 export const validate = (schema: Schema): ExtendedMiddleware => async (ctx, next) => {

src/lib/redis/client.ts

@@ -1,4 +1,4 @@
-import type { RedisClientOptions } from 'redis';
+import { RedisClientOptions } from 'redis';
 import { createRedisClientInternal, RedisClient } from './shared.js';
 
 let redis: RedisClient;

src/lib/redis/shared.ts

@@ -1,5 +1,12 @@
 import config from 'config';
-import { createClient, RedisClientOptions, RedisClientType, RedisDefaultModules, RedisFunctions, RedisScripts } from 'redis';
+import {
+	createClient,
+	RedisClientOptions,
+	RedisClientType,
+	RedisDefaultModules,
+	RedisFunctions,
+	RedisScripts,
+} from 'redis';
 import { scopedLogger } from '../logger.js';
 
 const logger = scopedLogger('redis-client');

src/lib/server.ts

@@ -1,4 +1,4 @@
-import type { Server } from 'node:http';
+import { Server } from 'node:http';
 
 export const createServer = async (): Promise<Server> => {
 	const { getHttpServer } = await import('./http/server.js');

src/oauth/gp-client-credentials.ts

@@ -0,0 +1,72 @@
+import {
+	AbstractGrantType,
+	InvalidArgumentError,
+	InvalidGrantError,
+	Request,
+} from '@node-oauth/oauth2-server';
+import { ClientCredentialsUser, ClientWithCredentials, GrantTypeOptions, User } from './types.js';
+import OAuthModel from './model.js';
+
+export default class GPClientCredentials extends AbstractGrantType {
+	model: OAuthModel;
+
+	constructor (options: GrantTypeOptions = {}) {
+		if (!options.model) {
+			throw new InvalidArgumentError('Missing parameter: `model`');
+		}
+
+		if (!options.model.getUserFromClient) {
+			throw new InvalidArgumentError('Invalid argument: model does not implement `getUserFromClient()`');
+		}
+
+		if (!options.model.saveToken) {
+			throw new InvalidArgumentError('Invalid argument: model does not implement `saveToken()`');
+		}
+
+		super(options);
+		this.model = options.model;
+	}
+
+	async handle (request: Request, client: ClientWithCredentials) {
+		if (!request) {
+			throw new InvalidArgumentError('Missing parameter: `request`');
+		}
+
+		if (!client) {
+			throw new InvalidArgumentError('Missing parameter: `client`');
+		}
+
+		const scope = this.getScope(request);
+		const user = await this.getUserFromClient(client);
+
+		return this.saveToken(user, client, scope);
+	}
+
+	async getUserFromClient (client: ClientWithCredentials) {
+		const user = await this.model.getUserFromClient(client);
+
+		if (!user) {
+			throw new InvalidGrantError('Invalid grant: user credentials are invalid');
+		}
+
+		return user;
+	}
+
+	async saveToken (user: ClientCredentialsUser, client: ClientWithCredentials, requestedScope: string[]) {
+		const validatedScope = await this.validateScope(user, client, requestedScope) as string[];
+		const accessToken = await this.generateAccessToken(client, user, validatedScope);
+		const refreshToken = await this.generateRefreshToken(client, user, validatedScope);
+		const accessTokenExpiresAt = this.getAccessTokenExpiresAt();
+		const refreshTokenExpiresAt = this.getRefreshTokenExpiresAt();
+
+		const token = {
+			accessToken,
+			accessTokenExpiresAt,
+			refreshToken,
+			refreshTokenExpiresAt,
+			scope: validatedScope,
+		};
+
+		return this.model.saveToken(token, client, user as unknown as User);
+	}
+}

src/oauth/model.ts

@@ -5,17 +5,16 @@ import { base32 } from '@scure/base';
 import _ from 'lodash';
 
 import {
-	AuthorizationCode,
-	AuthorizationCodeModel,
 	InvalidClientError,
 	InvalidRequestError,
+	AuthorizationCode,
+	AuthorizationCodeModel,
 	RefreshToken,
 	RefreshTokenModel,
 	Token as TokenWithClientUser,
 } from '@node-oauth/oauth2-server';
-
-import type { Knex } from 'knex';
-import type { RedisClient } from '../lib/redis/shared.js';
+import { Knex } from 'knex';
+import { RedisClient } from '../lib/redis/shared.js';
 
 import {
 	AuthorizationCodeSaved,
@@ -29,7 +28,7 @@ import {
 	PublicAuthorizationCodeDetails,
 	Token,
 	User,
-	type Approval,
+	Approval,
 } from './types.js';
 
 const getRandomBytes = promisify(randomBytes);

src/oauth/route/approve.ts

@@ -1,7 +1,7 @@
 import { Response as OAuthResponse } from '@node-oauth/oauth2-server';
 import { oAuthServer } from '../server.js';
-import type { ExtendedContext } from '../../types.js';
-import type { ApproveRequest } from '../types.js';
+import { ExtendedContext } from '../../types.js';
+import { ApproveRequest } from '../types.js';
 
 export const approveGet = async (ctx: ExtendedContext): Promise<void> => {
 	const publicCodeId = ctx.params['publicCodeId'];

src/oauth/route/authorize.ts

@@ -1,7 +1,7 @@
 import { Request as OAuthRequest, Response as OAuthResponse } from '@node-oauth/oauth2-server';
 import { oAuthServer } from '../server.js';
-import type { ExtendedContext } from '../../types.js';
-import type { OAuthRouteOptions } from '../types.js';
+import { ExtendedContext } from '../../types.js';
+import { OAuthRouteOptions } from '../types.js';
 
 type StateObject = { state?: string } | undefined;
 

src/oauth/route/index.ts

@@ -1,4 +1,4 @@
-import type Router from '@koa/router';
+import Router from '@koa/router';
 
 import { corsHandler } from '../../lib/http/middleware/cors.js';
 import { authenticate } from '../../lib/http/middleware/authenticate.js';

src/oauth/route/introspect.ts

@@ -1,5 +1,5 @@
 import { oAuthServer } from '../server.js';
-import type { ExtendedContext } from '../../types.js';
+import { ExtendedContext } from '../../types.js';
 import { Request as OAuthRequest, Response as OAuthResponse } from '@node-oauth/oauth2-server';
 
 export const introspectPost = () => {

src/oauth/route/metadata.ts

@@ -20,7 +20,7 @@ export const metadataGet = (options: OAuthRouteOptions) => {
 			],
 			grant_types_supported: [
 				'authorization_code',
-				'client_credentials',
+				'globalping_client_credentials',
 				'refresh_token',
 			],
 			token_endpoint_auth_methods_supported: [

src/oauth/route/revoke.ts

@@ -1,5 +1,5 @@
 import { oAuthServer } from '../server.js';
-import type { ExtendedContext } from '../../types.js';
+import { ExtendedContext } from '../../types.js';
 import { Request as OAuthRequest, Response as OAuthResponse } from '@node-oauth/oauth2-server';
 
 export const revokePost = () => {

src/oauth/route/token.ts

@@ -1,6 +1,6 @@
 import { Request as OAuthRequest, Response as OAuthResponse } from '@node-oauth/oauth2-server';
 import { oAuthServer } from '../server.js';
-import type { ExtendedContext } from '../../types.js';
+import { ExtendedContext } from '../../types.js';
 
 export const tokenPost = () => {
 	return async (ctx: ExtendedContext): Promise<void> => {

src/oauth/server.ts

@@ -2,29 +2,30 @@ import config from 'config';
 
 import {
 	AccessDeniedError,
+	InvalidRequestError,
+	OAuthError,
+	UnauthorizedRequestError,
 	AuthorizationCode,
 	AuthorizeOptions,
 	default as OAuthServer,
-	InvalidRequestError,
-	OAuthError,
 	Request as OAuthRequest,
 	Response as OAuthResponse,
 	ServerOptions,
-	UnauthorizedRequestError,
 	User,
 } from '@node-oauth/oauth2-server';
 
 import { getRedisClient } from '../lib/redis/client.js';
 import { client } from '../lib/sql/client.js';
 import OAuthModel from './model.js';
 
-import type { Context } from 'koa';
+import { Context } from 'koa';
 import {
 	IntrospectionRequest,
 	OAuthRouteOptions,
 	PublicAuthorizationCodeDetails,
 	RevocationRequest,
 } from './types.js';
+import GPClientCredentials from './gp-client-credentials.js';
 
 const serverHost = config.get<string>('server.host');
 const dashHost = config.get<string>('server.dashHost');
@@ -181,6 +182,9 @@ export const oAuthServerOptions = {
 	docsHost,
 	serverHost,
 	directusHost,
+	extendedGrantTypes: {
+		globalping_client_credentials: GPClientCredentials,
+	},
 };
 
 export const oAuthServer = new ExtendedOAuthServer(oAuthServerOptions);

src/oauth/types.ts

@@ -1,11 +1,13 @@
-import { AuthorizationCode, Client, Token as TokenWithClientUser } from '@node-oauth/oauth2-server';
+import { AuthorizationCode, Client, Token as TokenWithClientUser, TokenOptions } from '@node-oauth/oauth2-server';
+import OAuthModel from './model.js';
 
 export type AuthorizationCodeToSave = Pick<AuthorizationCode, 'authorizationCode' | 'expiresAt' | 'redirectUri' | 'scope' | 'codeChallenge' | 'codeChallengeMethod'>;
 export type AuthorizationCodeSaved = AuthorizationCodeToSave & { client: Pick<Client, 'id' | 'name'>, user: User, owner: { name: string | null, url: string | null }, rememberApproval: boolean, scopesToApprove: string[] };
 export type PublicAuthorizationCodeDetails = Pick<AuthorizationCodeSaved, 'scope' | 'client'>;
 export type Token = Pick<TokenWithClientUser, 'accessToken' | 'accessTokenExpiresAt' | 'refreshToken' | 'refreshTokenExpiresAt' | 'scope'>;
 export type ClientWithCredentials = Client & { name: string, secrets: string[], owner_name: string | null, owner_url: string | null, requestSecret: string | null };
 export type User = { id: string; $state: string | null };
+export type GrantTypeOptions = TokenOptions & { model?: OAuthModel };
 
 export type InternalToken = {
 	id: number;

src/types.d.ts

@@ -1,6 +1,6 @@
-import type Koa from 'koa';
-import type Router from '@koa/router';
-import type { AuthenticateState } from './lib/http/middleware/authenticate.js';
+import Koa from 'koa';
+import Router from '@koa/router';
+import { AuthenticateState } from './lib/http/middleware/authenticate.js';
 
 export type CustomState = Koa.DefaultState & AuthenticateState;
 export type CustomContext = Koa.DefaultContext & Router.RouterParamContext;