Retrieve s2s client credentials from basic auth header (#28)

server/src/configs/type.ts

@@ -36,6 +36,7 @@ export type Context = {
   Bindings: Bindings;
   Variables: {
     access_token_body?: typeConfig.AccessTokenBody;
+    basic_auth_body?: typeConfig.BasicAuthBody;
     session: Session;
     session_key_rotation: boolean;
   };
@@ -61,6 +62,11 @@ export interface AccessTokenBody {
   exp: number;
 }
 
+export interface BasicAuthBody {
+  username: string;
+  password: string;
+}
+
 export interface RefreshTokenBody {
   sub: string;
   azp: string;

server/src/dtos/oauth.ts

@@ -94,22 +94,12 @@ export class PostTokenClientCredentialsReqBodyDto {
   @IsEnum(TokenGrantType)
     grantType: string
 
-  @IsString()
-  @IsNotEmpty()
-    clientId: string
-
-  @IsString()
-  @IsNotEmpty()
-    secret: string
-
   @IsString({ each: true })
   @ArrayMinSize(1)
     scopes: string[]
 
   constructor (dto: PostTokenClientCredentialsReqBodyDto) {
     this.grantType = dto.grantType.toLowerCase()
-    this.clientId = dto.clientId
-    this.secret = dto.secret
     this.scopes = parseScopes(dto.scopes)
   }
 }

server/src/handlers/postTokenReq.ts

@@ -33,8 +33,6 @@ export const parseClientCredentials = async (c: Context<typeConfig.Context>) =>
 
   const bodyDto = new oauthDto.PostTokenClientCredentialsReqBodyDto({
     grantType: String(reqBody.grant_type),
-    clientId: String(reqBody.client_id),
-    secret: String(reqBody.client_secret),
     scopes: reqBody.scope ? String(reqBody.scope).split(',') : [],
   })
   await validateUtil.dto(bodyDto)

server/src/middlewares/accessToken.ts → server/src/middlewares/auth.ts

@@ -1,7 +1,11 @@
-import { Context } from 'hono'
+import {
+  Context, Next,
+} from 'hono'
 import { bearerAuth } from 'hono/bearer-auth'
+import { basicAuth } from 'hono/basic-auth'
 import { typeConfig } from 'configs'
 import { jwtService } from 'services'
+import { oauthDto } from 'dtos'
 
 const parseToken = async (
   c: Context<typeConfig.Context>, token: string, type: typeConfig.ClientType,
@@ -83,3 +87,32 @@ export const s2sReadUser = bearerAuth({
     return true
   },
 })
+
+export const s2sBasicAuth = async (
+  c: Context<typeConfig.Context>, next: Next,
+) => {
+  const reqBody = await c.req.parseBody()
+  const grantType = String(reqBody.grant_type).toLowerCase()
+  if (grantType === oauthDto.TokenGrantType.ClientCredentials) {
+    const authGuard = basicAuth({
+      verifyUser: (
+        username, password, c: Context<typeConfig.Context>,
+      ) => {
+        if (!username || !password) return false
+        c.set(
+          'basic_auth_body',
+          {
+            username, password,
+          },
+        )
+        return true
+      },
+    })
+    return authGuard(
+      c,
+      next,
+    )
+  } else {
+    await next()
+  }
+}

server/src/middlewares/index.ts

@@ -1,3 +1,3 @@
 export * as setupMiddleware from 'middlewares/setup'
-export * as accessTokenMiddleware from 'middlewares/accessToken'
+export * as authMiddleware from 'middlewares/auth'
 export * as csrfMiddleware from 'middlewares/csrf'

server/src/routes/identity.tsx

@@ -12,7 +12,7 @@ import {
   formatUtil, timeUtil,
 } from 'utils'
 import {
-  accessTokenMiddleware, csrfMiddleware,
+  authMiddleware, csrfMiddleware,
 } from 'middlewares'
 import {
   AuthorizePasswordView, AuthorizeConsentView, AuthorizeAccountView,
@@ -232,7 +232,7 @@ export const load = (app: typeConfig.App) => {
 
   app.post(
     `${BaseRoute}/logout`,
-    accessTokenMiddleware.spa,
+    authMiddleware.spa,
     async (c) => {
       const bodyDto = await logoutReqHandler.parsePost(c)
 

server/src/routes/oauth.tsx

@@ -13,7 +13,7 @@ import {
 import {
   cryptoUtil, formatUtil, timeUtil,
 } from 'utils'
-import { accessTokenMiddleware } from 'middlewares'
+import { authMiddleware } from 'middlewares'
 import {
   getAuthorizeReqHandler, logoutReqHandler, postTokenReqHandler,
 } from 'handlers'
@@ -50,6 +50,7 @@ export const load = (app: typeConfig.App) => {
 
   app.post(
     `${BaseRoute}/token`,
+    authMiddleware.s2sBasicAuth,
     async (c) => {
       const reqBody = await c.req.parseBody()
 
@@ -173,12 +174,13 @@ export const load = (app: typeConfig.App) => {
 
         return c.json(result)
       } else if (grantType === oauthDto.TokenGrantType.ClientCredentials) {
+        const basicAuth = c.get('basic_auth_body')!
         const bodyDto = await postTokenReqHandler.parseClientCredentials(c)
 
         const app = await appService.verifyS2SClientRequest(
           c,
-          bodyDto.clientId,
-          bodyDto.secret,
+          basicAuth.username,
+          basicAuth.password,
         )
 
         const validScopes = formatUtil.getValidScopes(
@@ -194,7 +196,7 @@ export const load = (app: typeConfig.App) => {
           c,
           typeConfig.ClientType.S2S,
           currentTimestamp,
-          bodyDto.clientId,
+          basicAuth.username,
           validScopes.join(' '),
         )
 
@@ -229,7 +231,7 @@ export const load = (app: typeConfig.App) => {
 
   app.get(
     `${BaseRoute}/userinfo`,
-    accessTokenMiddleware.spaProfile,
+    authMiddleware.spaProfile,
     async (c) => {
       const accessTokenBody = c.get('access_token_body')!
 

server/src/routes/user.tsx

@@ -1,15 +1,15 @@
 import {
   routeConfig, typeConfig,
 } from 'configs'
-import { accessTokenMiddleware } from 'middlewares'
+import { authMiddleware } from 'middlewares'
 import { userModel } from 'models'
 
 const BaseRoute = routeConfig.InternalRoute.ApiUsers
 
 export const load = (app: typeConfig.App) => {
   app.get(
     `${BaseRoute}`,
-    accessTokenMiddleware.s2sReadUser,
+    authMiddleware.s2sReadUser,
     async (c) => {
       const users = await userModel.getAll(c.env.DB)
       return c.json({ users })
@@ -18,7 +18,7 @@ export const load = (app: typeConfig.App) => {
 
   app.get(
     `${BaseRoute}/:authId`,
-    accessTokenMiddleware.s2sReadUser,
+    authMiddleware.s2sReadUser,
     async (c) => {
       const authId = c.req.param('authId')
       const user = await userModel.getByAuthId(