Merge branch 'main' of https://github.com/meiling-gatekeeper/meiling …

…into main

.github/workflows/deploy-s4ait-production.yml

@@ -10,8 +10,7 @@ on:
     types: [created]
 
 jobs:
-  build:
-
+  deploy:
     runs-on: ubuntu-latest
     environment: Stella IT Accounts Deployment
     steps:

INSTALL.md

@@ -91,7 +91,7 @@ FASTIFY_USE_PROXY=1
 # The "issuer" on OpenID Connect id_token
 OPENID_ISSUING_AUTHORITY="https://demo.meili.ng"
 
-# Deprecated: use "yarn genkey" will automatically generate certificates for creating JWTs
+# Deprecated: use "yarn keygen" will automatically generate certificates for creating JWTs
 OPENID_SECRET_KEY=""
 
 NOTIFICATION_API_HOST="http://notification.meili.ng"
@@ -117,7 +117,7 @@ These are the secret key to sign your OpenID Token. Please make sure this is lon
 
 **Please Run the following:**  
 ```bash
-yarn genkey
+yarn keygen
 ```
 
 

package.json

@@ -1,13 +1,13 @@
 {
   "name": "meiling",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "An easy-to-use, open-source, flexible oAuth2 Authentication Provider and OpenID Connect Server",
   "main": "dist/",
   "repository": "https://github.com/meiling-gatekeeper/meiling",
   "author": "Alex4386 <psh010209@gmail.com>",
   "license": "MIT",
   "dependencies": {
-    "@prisma/client": "^3.7.0",
+    "@prisma/client": "^3.9.1",
     "@xmldom/xmldom": "^0.8.0",
     "ansi-regex": "^6.0.1",
     "axios": "^0.21.2",
@@ -49,7 +49,7 @@
     "husky": "^4.3.0",
     "lint-staged": "^10.5.1",
     "prettier": "^2.1.2",
-    "prisma": "^3.7.0",
+    "prisma": "^3.9.1",
     "ts-node": "^9.0.0"
   },
   "scripts": {

src/common/event/baridegi.ts

@@ -4,8 +4,8 @@ import config from '../../resources/config';
 export enum BaridegiLogType {
   NEW_SESSION = 'new_session',
   AUTHORIZE_APP = 'authorize_app',
-  CREATE_AUTHORIZATION_REQUEST = 'create_authorization_request',
-  VERIFY_AUTHORIZATION_REQUEST = 'verify_authorization_request',
+  CREATE_AUTHENTICATION_REQUEST = 'create_authentication_request',
+  VERIFY_AUTHENTICATION_REQUEST = 'verify_authentication_request',
   CREATE_PASSWORD_RESET_REQUEST = 'create_password_reset_request',
   USER_SIGNIN = 'user_signin',
   USER_SIGNOUT = 'user_signout',

src/common/meiling/authorization/validate.ts → src/common/meiling/authentication/validate.ts

@@ -47,7 +47,7 @@ export function validateOTP(challengeResponse: string, secret: string) {
 export async function sendOTPSMS(phone: PhoneNumber, challenge: string, lang: Notification.TemplateLanguage = 'ko') {
   await Notification.sendNotification(Notification.NotificationMethod.SMS, {
     type: 'template',
-    templateId: Notification.TemplateId.AUTHORIZATION_CODE,
+    templateId: Notification.TemplateId.AUTHENTICATION_CODE,
 
     lang,
     messages: [

src/common/meiling/identity/user.ts

@@ -169,11 +169,12 @@ export async function getAuthorizedApps(user: UserModel | string): Promise<OAuth
   });
 
   const rawNotFiltered = await Promise.all(
-    authRaw.map((n) => getPrismaClient().oAuthClient.findUnique({ where: { id: n.id } })),
+    Utils.getUnique(authRaw, (m, n) => m.clientId === n.clientId).map((n) =>
+      getPrismaClient().oAuthClient.findUnique({ where: { id: n.clientId } }),
+    ),
   );
-  const raw = rawNotFiltered.filter((n) => n !== null) as OAuthClient[];
 
-  return Utils.getUnique(raw, (m, n) => m.id === n.id);
+  return rawNotFiltered.filter((n) => n !== null) as OAuthClient[];
 }
 
 export async function getOwnedApps(user: UserModel | string): Promise<OAuthClient[] | undefined> {
@@ -693,7 +694,7 @@ export async function prevent2FALockout(user: UserModel | string): Promise<void>
   const data = await getInfo(user);
   if (!data) return undefined;
 
-  const authorizations = await getPrismaClient().authentication.count({
+  const authentications = await getPrismaClient().authentication.count({
     where: {
       AND: [
         {
@@ -711,7 +712,7 @@ export async function prevent2FALockout(user: UserModel | string): Promise<void>
     },
   });
 
-  if (authorizations === 0) {
+  if (authentications === 0) {
     await getPrismaClient().user.update({
       where: {
         id: data.id,

src/common/meiling/index.ts

@@ -1,7 +1,7 @@
 export * as OAuth2 from './oauth2';
 export * as SAML2 from './saml2';
 export * as Identity from './identity';
-export * as Authorization from './authorization';
+export * as Authentication from './authentication';
 export * as Database from './database';
 export * as Error from './error';
 export * as Sanitize from './sanitize';

src/common/meiling/oauth2/clientAuthorization.ts

@@ -1,5 +1,5 @@
 import { OAuthClient, OAuthClientAuthorization, OAuthToken, OAuthTokenType, Permission, User } from '@prisma/client';
-import { Authorization } from '..';
+import { Authentication } from '..';
 import { getPrismaClient } from '../../../resources/prisma';
 
 // TODO: OPTIMIZE
@@ -175,10 +175,10 @@ export async function getUser(authorization: OAuthClientAuthorization | string):
 export async function createToken(
   authorization: OAuthClientAuthorization,
   type: OAuthTokenType,
-  metadata?: Authorization.Token.TokenMetadata,
+  metadata?: Authentication.Token.TokenMetadata,
 ): Promise<OAuthToken> {
   // TODO: allow custom generator for token
-  const tokenKey = Authorization.Token.generateToken();
+  const tokenKey = Authentication.Token.generateToken();
 
   const token = await getPrismaClient().oAuthToken.create({
     data: {
@@ -217,9 +217,9 @@ export async function getToken(authorization: OAuthClientAuthorization, type: OA
 
   if (
     !token ||
-    Authorization.Token.getExpiresInByType(type, token.issuedAt) < Authorization.Token.getValidTimeByType(type) * 0.1
+    Authentication.Token.getExpiresInByType(type, token.issuedAt) < Authentication.Token.getValidTimeByType(type) * 0.1
   ) {
-    token = await createToken(authorization, type, token?.metadata as Authorization.Token.TokenMetadata);
+    token = await createToken(authorization, type, token?.metadata as Authentication.Token.TokenMetadata);
   }
 
   updateLastUpdated(authorization);

src/common/meiling/v1/challenge.ts

@@ -2,7 +2,7 @@ import { Authentication } from '@prisma/client';
 import { Meiling } from '../..';
 import { ExtendedAuthMethods, SigninType, SigninExtendedAuthentication } from './interfaces';
 import { AuthenticationJSONObject, AuthenticationOTPObject, AuthenticationPGPSSHKeyObject } from '../identity/user';
-import { validateOTP, validatePGPSign } from '../authorization/validate';
+import { validateOTP, validatePGPSign } from '../authentication/validate';
 import config from '../../../resources/config';
 
 export function getMeilingAvailableAuthMethods(
@@ -53,10 +53,10 @@ export function generateChallenge(signinMethod: ExtendedAuthMethods): string | u
   switch (signinMethod) {
     case ExtendedAuthMethods.PGP_SIGNATURE:
     case ExtendedAuthMethods.SECURITY_KEY:
-      return Meiling.Authorization.Token.generateToken();
+      return Meiling.Authentication.Token.generateToken();
     case ExtendedAuthMethods.SMS:
     case ExtendedAuthMethods.EMAIL:
-      return Meiling.Authorization.Token.generateToken(6, '0123456789');
+      return Meiling.Authentication.Token.generateToken(6, '0123456789');
     case ExtendedAuthMethods.OTP:
     default:
       return undefined;

src/common/meiling/v1/error/error.ts

@@ -26,8 +26,8 @@ function getMeilingErrorStatusCode(type: ErrorType) {
     case ErrorType.ALREADY_SIGNED_IN:
     case ErrorType.ALREADY_SIGNED_OUT:
     case ErrorType.APPLICATION_REDIRECT_URI_INVALID:
-    case ErrorType.AUTHORIZATION_REQUEST_NOT_GENERATED:
-    case ErrorType.AUTHORIZATION_REQUEST_NOT_COMPLETED:
+    case ErrorType.AUTHENTICATION_REQUEST_NOT_GENERATED:
+    case ErrorType.AUTHENTICATION_REQUEST_NOT_COMPLETED:
       return 400;
 
     case ErrorType.UNAUTHORIZED:
@@ -37,7 +37,7 @@ function getMeilingErrorStatusCode(type: ErrorType) {
     case ErrorType.INVALID_SESSION:
     case ErrorType.APPLICATION_NOT_AUTHORIZED_BY_USER:
     case ErrorType.APPLICATION_NOT_AUTHORIZED_SCOPES:
-    case ErrorType.AUTHORIZATION_REQUEST_INVALID:
+    case ErrorType.AUTHENTICATION_REQUEST_INVALID:
       return 401;
 
     case ErrorType.FORBIDDEN:
@@ -50,7 +50,7 @@ function getMeilingErrorStatusCode(type: ErrorType) {
     case ErrorType.UNSUPPORTED_SIGNIN_METHOD:
     case ErrorType.UNSUPPORTED_SCOPE:
     case ErrorType.UNSUPPORTED_RESPONSE_TYPE:
-    case ErrorType.UNSUPPORTED_AUTHORIZATION_TYPE:
+    case ErrorType.UNSUPPORTED_AUTHENTICATION_TYPE:
       return 405;
 
     case ErrorType.MORE_THAN_ONE_USER_MATCHED:
@@ -63,10 +63,9 @@ function getMeilingErrorStatusCode(type: ErrorType) {
       return 409;
 
     case ErrorType.AUTHENTICATION_TIMEOUT:
-    case ErrorType.AUTHORIZATION_REQUEST_TIMEOUT:
       return 410;
 
-    case ErrorType.AUTHORIZATION_REQUEST_RATE_LIMITED:
+    case ErrorType.AUTHENTICATION_REQUEST_RATE_LIMITED:
       return 429;
 
     case ErrorType.INTERNAL_SERVER_ERROR:

src/common/meiling/v1/error/type.ts

@@ -13,13 +13,16 @@ export enum ErrorType {
   UNSUPPORTED_SIGNIN_METHOD = 'unsupported_signin_method',
   UNSUPPORTED_SCOPE = 'unsupported_scope',
   UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type',
-  UNSUPPORTED_AUTHORIZATION_TYPE = 'unsupported_authorization_type',
+  UNSUPPORTED_AUTHENTICATION_TYPE = 'unsupported_authentication_type',
   TWO_FACTOR_AUTHENTICATION_REQUIRED = 'two_factor_authentication_required',
   TWO_FACTOR_AUTHENTICATION_REQUEST_NOT_GENERATED = 'two_factor_authentication_request_not_generated',
   MORE_THAN_ONE_USER_MATCHED = 'more_than_one_user_matched',
   AUTHENTICATION_REQUEST_NOT_GENERATED = 'authentication_request_not_generated',
   AUTHENTICATION_NOT_CURRENT_CHALLENGE_METHOD = 'authentication_not_current_challenge_method',
   AUTHENTICATION_TIMEOUT = 'authentication_timeout',
+  AUTHENTICATION_REQUEST_INVALID = 'authentication_request_invalid',
+  AUTHENTICATION_REQUEST_NOT_COMPLETED = 'authentication_request_not_completed',
+  AUTHENTICATION_REQUEST_RATE_LIMITED = 'authentication_request_rate_limited',
   NOT_IMPLEMENTED = 'not_implemented',
   NOT_FOUND = 'not_found',
   CONFLICT = 'conflict',
@@ -30,11 +33,6 @@ export enum ErrorType {
   APPLICATION_NOT_AUTHORIZED_SCOPES = 'application_not_authorized_scopes',
   APPLICATION_USER_ACTION_REQUIRED = 'application_user_action_required',
   INTERNAL_SERVER_ERROR = 'internal_server_error',
-  AUTHORIZATION_REQUEST_INVALID = 'authorization_request_invalid',
-  AUTHORIZATION_REQUEST_NOT_GENERATED = 'authorization_request_not_generated',
-  AUTHORIZATION_REQUEST_NOT_COMPLETED = 'authorization_request_not_completed',
-  AUTHORIZATION_REQUEST_RATE_LIMITED = 'authorization_request_rate_limited',
-  AUTHORIZATION_REQUEST_TIMEOUT = 'authorization_request_timeout',
   EMAIL_NOT_ALLOWED = 'email_not_allowed',
   PHONE_NOT_ALLOWED = 'phone_not_allowed',
   EXISTING_USERNAME = 'existing_username',

src/common/meiling/v1/session.ts

@@ -131,12 +131,12 @@ export async function isToken(token?: string): Promise<boolean> {
 }
 
 export function getTokenFromRequest(req: FastifyRequest): string | undefined {
-  const token = Meiling.Authorization.Token.getTokenFromRequest(req);
+  const token = Meiling.Authentication.Token.getTokenFromRequest(req);
   return token ? token.token : undefined;
 }
 
 export async function createToken(req: FastifyRequest): Promise<string | undefined> {
-  const token = Meiling.Authorization.Token.generateToken();
+  const token = Meiling.Authentication.Token.generateToken();
   const expiration = new Date(new Date().getTime() + config.session.v1.maxAge * 1000);
   const userTimeFieldMinimum = new Date().getTime() - config.session.v1.rateLimit.timeframe * 1000;
 

src/common/notification.ts

@@ -6,7 +6,7 @@ import { BaridegiLogType, sendBaridegiLog } from './event/baridegi';
 export type TemplateLanguage = 'ko' | 'en';
 
 export enum TemplateId {
-  AUTHORIZATION_CODE = 'authorization_code',
+  AUTHENTICATION_CODE = 'authentication_code',
 }
 
 export enum NotificationMethod {
@@ -19,7 +19,7 @@ type NotificationPayload = SMSPayload | AlimtalkPayload | CallPayload;
 
 type SMSPayload = SMSPlainPayload | TemplatePayload;
 type AlimtalkPayload = TemplatePayload;
-type CallPayload = AuthorizationCodeCallPayload;
+type CallPayload = AuthentcationCodeCallPayload;
 
 // Not Recommended. Please use Template.
 interface SMSPlainPayload {
@@ -46,7 +46,7 @@ interface PlainMessagePayload {
   message: string;
 }
 
-interface AuthorizationCodeCallPayload {
+interface AuthentcationCodeCallPayload {
   type: 'authorization_code';
   to: string;
   lang: TemplateLanguage;

src/common/startup.ts

@@ -3,7 +3,7 @@ import crypto from 'crypto';
 import { Meiling } from '.';
 import config from '../resources/config';
 import Log from './terminal/log';
-import { generateToken } from './meiling/authorization/token';
+import { generateToken } from './meiling/authentication/token';
 
 export function checkIDTokenIssueCredentials(): true | string {
   if (!config.openid.jwt.algorithm) {
@@ -88,7 +88,7 @@ export async function runStartupGarbageCollection(force?: boolean): Promise<void
     await Meiling.V1.Session.garbageCollect();
 
     Log.info('Garbage Collecting for OAuth2 Tokens...');
-    await Meiling.Authorization.Token.garbageCollect();
+    await Meiling.Authentication.Token.garbageCollect();
 
     console.log('Garbage Collecting for OAuth2 ACL Data... This may take awhile...');
     await Meiling.OAuth2.ClientAuthorization.garbageCollect();

src/interface.ts

@@ -1,6 +1,6 @@
 import { OAuthTokenType } from '@prisma/client';
 import { Algorithm } from 'jsonwebtoken';
-import { TokenGenerator } from './common/meiling/authorization/token';
+import { TokenGenerator } from './common/meiling/authentication/token';
 
 export enum NodeEnvironment {
   Production = 'production',

src/routes/v1/admin/index.ts

@@ -26,7 +26,7 @@ const adminV1Plugin = (app: FastifyInstance, opts: FastifyPluginOptions, done: (
       throw new Error('User is not providing proper login credentials for admin');
     }
 
-    const token = Meiling.Authorization.Token.getTokenFromRequest(req);
+    const token = Meiling.Authentication.Token.getTokenFromRequest(req);
     if (!token) {
       rep
         .status(401)

src/routes/v1/admin/internal/index.ts

@@ -9,7 +9,7 @@ const internalAdminHandler = (app: FastifyInstance, opts: FastifyPluginOptions,
       await Meiling.V1.Session.garbageCollect();
 
       Terminal.Log.info('Running Garbage Collect for OAuth2 Tokens...');
-      await Meiling.Authorization.Token.garbageCollect();
+      await Meiling.Authentication.Token.garbageCollect();
 
       Terminal.Log.info('Running Garbage Collect for OAuth2 ACL Data...');
       await Meiling.OAuth2.ClientAuthorization.garbageCollect();

src/routes/v1/admin/tokens/index.ts

@@ -36,16 +36,16 @@ const tokensAdminHandler = (app: FastifyInstance, opts: FastifyPluginOptions, do
       throw new Error('session not found');
     }
 
-    const data = await Meiling.Authorization.Token.serialize(tokenData.token, tokenData.type);
+    const data = await Meiling.Authentication.Token.serialize(tokenData.token, tokenData.type);
 
     rep.send({
       ...tokenData,
       ...data,
       expires_at: new Date(
-        Meiling.Authorization.Token.getExpiresInByType(tokenData.type, new Date()) * 1000 +
+        Meiling.Authentication.Token.getExpiresInByType(tokenData.type, new Date()) * 1000 +
           new Date(tokenData.issuedAt).getTime(),
       ),
-      is_valid: await Meiling.Authorization.Token.isValid(token, tokenData.type),
+      is_valid: await Meiling.Authentication.Token.isValid(token, tokenData.type),
       issued_at: tokenData.issuedAt,
       issuedAt: undefined,
     });