Merge pull request #16514 from overleaf/jpa-enforce-oauth-scope

[web] restrict access to oauth endpoints to their respective clients GitOrigin-RevId: 6ffa6008130588e44d336e2af32584ee20ad3ffc
2024-11-21 20:47:08 -05:00 · 2024-01-17 09:29:21 +00:00 · 2024-01-17 09:29:21 +00:00 · 797f2c518d
commit 797f2c518d
parent e01af0e9c6
2 changed files with 20 additions and 12 deletions
--- a/services/web/app/src/Features/Authentication/AuthenticationController.js
+++ b/services/web/app/src/Features/Authentication/AuthenticationController.js
@ -306,19 +306,26 @@ const AuthenticationController = {
    return doRequest
  },

-  requireOauth() {
+  /**
+   * @param {string} scope
+   * @return {import('express').Handler}
+   */
+  requireOauth(scope) {
+    if (typeof scope !== 'string' || !scope) {
+      throw new Error(
+        "requireOauth() expects a non-empty string as 'scope' parameter"
+      )
+    }
+
    // require this here because module may not be included in some versions
    const Oauth2Server = require('../../../../modules/oauth2-server/app/src/Oauth2Server')
    return function (req, res, next) {
-      if (next == null) {
-        next = function () {}
-      }
      const request = new Oauth2Server.Request(req)
      const response = new Oauth2Server.Response(res)
-      return Oauth2Server.server.authenticate(
+      Oauth2Server.server.authenticate(
        request,
        response,
-        {},
+        { scope },
        function (err, token) {
          if (err) {
            // use a 401 status code for malformed header for git-bridge
@ -329,14 +336,15 @@ const AuthenticationController = {
              err.code = 401
            }
            // send all other errors
-            return res
+            res
              .status(err.code)
              .json({ error: err.name, error_description: err.message })
+          } else {
+            req.oauth = { access_token: token.accessToken }
+            req.oauth_token = token
+            req.oauth_user = token.user
+            next()
          }
-          req.oauth = { access_token: token.accessToken }
-          req.oauth_token = token
-          req.oauth_user = token.user
-          return next()
        }
      )
    }
--- a/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js
+++ b/services/web/test/unit/src/Authentication/AuthenticationControllerTests.js
@ -574,7 +574,7 @@ describe('AuthenticationController', function () {
      this.res.json = sinon.stub()
      this.res.status = sinon.stub().returns(this.res)
      this.res.sendStatus = sinon.stub()
-      this.middleware = this.AuthenticationController.requireOauth()
+      this.middleware = this.AuthenticationController.requireOauth('scope')
    })

    describe('when Oauth2Server authenticates', function () {