squash new oauth2 flow

server/api/auth.js

@@ -1,28 +1,138 @@
 const log = require('../log')
-const oauth = require('./oauth')
 const get = require('lodash/get')
+const passport = require('passport')
+
+// const oauth = require('./oauth')
+// const User = require('./models/user')
+// const OAuthClient = require('./models/oauth_client')
+// const OAuthCode = require('./models/oauth_code')
+// const OAuthToken = require('./models/oauth_token')
+
+
+// const CustomStrategy = require('passport-custom').Strategy
+// const LocalStrategy = require('passport-local').Strategy
+// const BasicStrategy = require('passport-http').BasicStrategy
+// const ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy
+// const BearerStrategy = require('passport-http-bearer').Strategy
+
+// console.error('dentro passport setup!')
+// passport.use('authenticate', new CustomStrategy(async (req, done) => {
+//   console.error('dentro authenticate strategy')
+
+//   // check if a cookie is passed
+//   const token = get(req.cookies, 'auth._token.local', null)
+//   const authorization = get(req.headers, 'authorization', null)
+//   if (!authorization && token) {
+//     req.headers.authorization = token
+//   }
+
+//   if (!authorization && !token) {
+//     return done(null, false)
+//   }
+
+//   console.error(authorization, token)
+//   return done(null, false)
+
+// }))
+
+/**
+ * LocalStrategy
+ *
+ * This strategy is used to authenticate users based on a username and password.
+ * Anytime a request is made to authorize an application, we must ensure that
+ * a user is logged in before asking them to approve the request.
+ */
+// passport.use(new LocalStrategy(
+//   async (username, password, done) => {
+//     console.error(`sono qui dentro local strategy cerco ${username} ${password}}`)
+//     const user = await User.findOne({ where: { email: username, is_active: true } })
+//     console.error(user)
+//     if (!user) {
+//       return done(null, false)
+//     }
+//     // check if password matches
+//     if (await user.comparePassword(password)) {
+//       console.error('compare password ok!')
+//       return done(null, user)
+//     }
+//     return done(null, false)
+//   }
+// // ))
+
+// passport.serializeUser((user, done) =>  done(null, user.id))
+
+// passport.deserializeUser(async (id, done) => {
+//   const user = await User.findByPk(id)
+//   done(null, user)
+// })
+
+/**
+ * BasicStrategy & ClientPasswordStrategy
+ *
+ * These strategies are used to authenticate registered OAuth clients. They are
+ * employed to protect the `token` endpoint, which consumers use to obtain
+ * access tokens. The OAuth 2.0 specification suggests that clients use the
+ * HTTP Basic scheme to authenticate. Use of the client password strategy
+ * allows clients to send the same credentials in the request body (as opposed
+ * to the `Authorization` header). While this approach is not recommended by
+ * the specification, in practice it is quite common.
+ */
+// async function verifyClient(client_id, client_secret, done) {
+//   console.error('Dentro verify client ', client_id, client_secret)
+//   const client = await OAuthClient.findByPk(client_id, { raw: true })
+//   console.error(client)
+//   if (client_secret && client_secret !== client.client_secret) {
+//     return done(null, false)
+//   }
+
+//   if (client) { client.grants = ['authorization_code', 'password'] } //sure ?
+
+//   return done(null, client)
+// }
+
+// passport.use(new BasicStrategy(verifyClient))
+// passport.use(new ClientPasswordStrategy(verifyClient))
+
+/**
+ * BearerStrategy
+ *
+ * This strategy is used to authenticate either users or clients based on an access token
+ * (aka a bearer token). If a user, they must have previously authorized a client
+ * application, which is issued an access token to make requests on behalf of
+ * the authorizing user.
+ */
+// passport.use(new BearerStrategy(
+//   async (accessToken, done) => {
+//     console.error('dentro bearer strategy')
+//     const token = await OAuthToken.findByPk(accessToken,
+//         { include: [{ model: User, attributes: { exclude: ['password'] } }, { model: OAuthClient, as: 'client' }] })
+
+//     if (!token) return done(null, false)
+//     if (token.userId) {
+//       if (!token.user) {
+//         return done(null, false)
+//       }
+//       // To keep this example simple, restricted scopes are not implemented,
+//       // and this is just for illustrative purposes.
+//       done(null, user, { scope: '*' })
+//     } else {
+//       // The request came from a client only since userId is null,
+//       // therefore the client is passed back instead of a user.
+//       if (!token.client) {
+//         return done(null, false)
+//       }
+//       // To keep this example simple, restricted scopes are not implemented,
+//       // and this is just for illustrative purposes.
+//       done(null, client, { scope: '*' })
+//     }
+//   }
+// ))
 
 const Auth = {
 
-  fillUser (req, res, next) {
-    const token = get(req.cookies, 'auth._token.local', null)
-    const authorization = get(req.headers, 'authorization', null)
-    if (!authorization && token) {
-      req.headers.authorization = token
-    }
-
-    if (!authorization && !token) {
-      return next()
-    }
-
-    oauth.oauthServer.authenticate()(req, res, () => {
-      res.locals.user = get(res, 'locals.oauth.token.user', null)
-      next()
-    })
-  },
-
-  isAuth (_req, res, next) {
-    if (res.locals.user) {
+  isAuth (req, res, next) {
+    // TODO: check anon user
+    if (req.user) {
       next()
     } else {
       res.sendStatus(403)
@@ -30,7 +140,7 @@ const Auth = {
   },
 
   isAdmin (req, res, next) {
-    if (res.locals.user && res.locals.user.is_admin) {
+    if (req.user && req.user.is_admin) {
       next()
     } else {
       res.sendStatus(403)