/** * @fileoverview Token Manager */// ------------------------------------------------------------------------------// Requirements// ------------------------------------------------------------------------------import Promise from 'bluebird';import httpStatusCodes from 'http-status';import jwt from 'jsonwebtoken';import { v4 as uuidv4 } from 'uuid';import APIRequestManager from './api-request-manager';import errors from './util/errors';import getRetryTimeout from './util/exponential-backoff';// ------------------------------------------------------------------------------// Typedefs and Callbacks// ------------------------------------------------------------------------------type Config = Record<string, any> /* FIXME */;/** * Token request options. Set by the consumer to add/modify the params sent to the * request. * * @typedef {Object} TokenRequestOptions * @property {string} [ip] The IP Address of the requesting user. This IP will be reflected in authentication * notification emails sent to your users on login. Defaults to the IP address of the * server requesting the tokens. */type TokenRequestOptions = { ip?: string;};/** * Parameters for creating a token using a Box shared link via token exchange * @typedef {Object} SharedLinkParams * @property {string} url Shared link URL */type SharedLinkParams = { url: string;};/** * Parameters for creating an actor token via token exchange * @typedef {Object} ActorParams * @property {string} id The external identifier for the actor * @property {string} name The display name of the actor */type ActorParams = { id: string; name: string;};/** * An object representing all token information for a single Box user. * * @typedef {Object} TokenInfo * @property {string} accessToken The API access token. Used to authenticate API requests to a certain * user and/or application. * @property {int} acquiredAtMS The time that the tokens were acquired. * @property {int} accessTokenTTLMS The TTL of the access token. Can be used with acquiredAtMS to * calculate if the current access token has expired. * @property {string} [refreshToken] The API refresh token is a Longer-lasting than an access token, and can * be used to gain a new access token if the current access token becomes * expired. Grants like the 'client credentials' grant don't return a * refresh token, and have no refresh capabilities. */type TokenInfo = { accessToken: string; acquiredAtMS: number; accessTokenTTLMS: number; refreshToken?: string;};/** * Determines whether a JWT auth error can be retried * @param {Error} err The JWT auth error * @returns {boolean} True if the error is retryable */function isJWTAuthErrorRetryable(err: any /* FIXME */) { if ( err.authExpired && err.response.headers.date && (err.response.body.error_description.indexOf('exp') > -1 || err.response.body.error_description.indexOf('jti') > -1) ) { return true; } else if (err.statusCode === 429 || err.statusCode >= 500) { return true; } return false;}// ------------------------------------------------------------------------------// Constants// ------------------------------------------------------------------------------/** * Collection of grant types that can be used to acquire tokens via OAuth2 * * @readonly * @enum {string} */var grantTypes = { AUTHORIZATION_CODE: 'authorization_code', REFRESH_TOKEN: 'refresh_token', CLIENT_CREDENTIALS: 'client_credentials', JWT: 'urn:ietf:params:oauth:grant-type:jwt-bearer', TOKEN_EXCHANGE: 'urn:ietf:params:oauth:grant-type:token-exchange',};/** * Collection of paths to interact with Box OAuth2 tokening system * * @readonly * @enum {string} */enum tokenPaths { ROOT = '/oauth2', GET = '/token', REVOKE = '/revoke',}// Timer used to track elapsed time starting with executing an async request and ending with emitting the response.var asyncRequestTimer: any /* FIXME */;// The XFF header label - Used to give the API better information for uploads, rate-limiting, etc.const HEADER_XFF = 'X-Forwarded-For';const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';const ACTOR_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:id_token';const BOX_JWT_AUDIENCE = 'https://api.box.com/oauth2/token';// ------------------------------------------------------------------------------// Private// ------------------------------------------------------------------------------/** * Parse the response body to create a new TokenInfo object. * * @param {Object} grantResponseBody - (Request lib) response body containing granted token info from API * @returns {TokenInfo} A TokenInfo object. * @private */function getTokensFromGrantResponse( grantResponseBody: Record<string, any> /* FIXME */) { return { // Set the access token & refresh token (if passed) accessToken: grantResponseBody.access_token, refreshToken: grantResponseBody.refresh_token, // Box API sends back expires_in in seconds, we convert to ms for consistency of keeping all time in ms accessTokenTTLMS: parseInt(grantResponseBody.expires_in, 10) * 1000, acquiredAtMS: Date.now(), };}/** * Determines if a given string could represent an authorization code or token. * * @param {string} codeOrToken The code or token to check. * @returns {boolean} True if codeOrToken is valid, false if not. * @private */function isValidCodeOrToken(codeOrToken: string) { return typeof codeOrToken === 'string' && codeOrToken.length > 0;}/** * Determines if a token grant response is valid * * @param {string} grantType the type of token grant * @param {Object} responseBody the body of the response to check * @returns {boolean} True if response body has expected fields, false if not. * @private */function isValidTokenResponse( grantType: string, responseBody: Record<string, any> /* FIXME */) { if (!isValidCodeOrToken(responseBody.access_token)) { return false; } if (typeof responseBody.expires_in !== 'number') { return false; } // Check the refresh_token for certain types of grants if (grantType === 'authorization_code' || grantType === 'refresh_token') { if (!isValidCodeOrToken(responseBody.refresh_token)) { return false; } } return true;}// ------------------------------------------------------------------------------// Public// ------------------------------------------------------------------------------/** * Manager for API access abd refresh tokens * * @param {Config} config The config object * @param {APIRequestManager} requestManager The API Request Manager * @constructor */class TokenManager { config: Config; requestManager: APIRequestManager; oauthBaseURL: string; constructor(config: Config, requestManager: APIRequestManager) { this.config = config; this.oauthBaseURL = config.apiRootURL + tokenPaths.ROOT; this.requestManager = requestManager; } /** * Given a TokenInfo object, returns whether its access token is expired. An access token is considered * expired once its TTL surpasses the current time outside of the given buffer. This is a public method so * that other modules may check the validity of their tokens. * * @param {TokenInfo} tokenInfo the token info to be written * @param {int} [bufferMS] An optional buffer we'd like to test against. The greater this buffer, the more aggressively * we'll call a token invalid. * @returns {boolean} True if token is valid outside of buffer, otherwise false */ isAccessTokenValid(tokenInfo: TokenInfo, bufferMS?: number) { if ( typeof tokenInfo.acquiredAtMS === 'undefined' || typeof tokenInfo.accessTokenTTLMS === 'undefined' ) { return false; } bufferMS = bufferMS || 0; var expireTime = tokenInfo.acquiredAtMS + tokenInfo.accessTokenTTLMS - bufferMS; return expireTime > Date.now(); } /** * Acquires OAuth2 tokens using a grant type (authorization_code, password, refresh_token) * * @param {Object} formParams - should contain all params expected by Box OAuth2 token endpoint * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant, null for default behavior * @returns {Promise<TokenInfo>} Promise resolving to the token info * @private */ getTokens( formParams: Record<string, any>, options?: TokenRequestOptions | null ) { var params = { method: 'POST', url: this.oauthBaseURL + tokenPaths.GET, headers: {} as Record<string, any>, form: formParams, }; options = options || {}; // add in app-specific id and secret to auth with Box params.form.client_id = this.config.clientID; params.form.client_secret = this.config.clientSecret; if (options.ip) { params.headers[HEADER_XFF] = options.ip; } return this.requestManager.makeRequest(params).then(( response: any /* FIXME */ ) => { // Response Error: The API is telling us that we attempted an invalid token grant. This // means that our refresh token or auth code has exipred, so propagate an "Expired Tokens" // error. if ( response.body && response.body.error && response.body.error === 'invalid_grant' ) { var errDescription = response.body.error_description; var message = errDescription ? `Auth Error: ${errDescription}` : undefined; throw errors.buildAuthError(response, message); } // Unexpected Response: If the token request couldn't get a valid response, then we're // out of options. Build an "Unexpected Response" error and propagate it out for the // consumer to handle. if ( response.statusCode !== httpStatusCodes.OK || response.body instanceof Buffer ) { throw errors.buildUnexpectedResponseError(response); } // Check to see if token response is valid in case the API returns us a 200 with a malformed token if (!isValidTokenResponse(formParams.grant_type, response.body)) { throw errors.buildResponseError( response, 'Token format from response invalid' ); } // Got valid token response. Parse out the TokenInfo and propagate it back. return getTokensFromGrantResponse(response.body); }); } /** * Acquires token info using an authorization code * * @param {string} authorizationCode - authorization code issued by Box * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @returns {Promise<TokenInfo>} Promise resolving to the token info */ getTokensAuthorizationCodeGrant( authorizationCode: string, options?: TokenRequestOptions ) { if (!isValidCodeOrToken(authorizationCode)) { return Promise.reject(new Error('Invalid authorization code.')); } var params = { grant_type: grantTypes.AUTHORIZATION_CODE, code: authorizationCode, }; return this.getTokens(params, options); } /** * Acquires token info using the client credentials grant. * * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @returns {Promise<TokenInfo>} Promise resolving to the token info */ getTokensClientCredentialsGrant(options?: TokenRequestOptions) { var params = { grant_type: grantTypes.CLIENT_CREDENTIALS, box_subject_type: this.config.boxSubjectType, box_subject_id: this.config.boxSubjectId }; return this.getTokens(params, options); } /** * Refreshes the access and refresh tokens for a given refresh token. * * @param {string} refreshToken - A valid OAuth refresh token * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @returns {Promise<TokenInfo>} Promise resolving to the token info */ getTokensRefreshGrant(refreshToken: string, options?: TokenRequestOptions) { if (!isValidCodeOrToken(refreshToken)) { return Promise.reject(new Error('Invalid refresh token.')); } var params = { grant_type: grantTypes.REFRESH_TOKEN, refresh_token: refreshToken, }; return this.getTokens(params, options); } /** * Gets tokens for enterprise administration of app users * @param {string} type The type of token to create, "user" or "enterprise" * @param {string} id The ID of the enterprise to generate a token for * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @returns {Promise<TokenInfo>} Promise resolving to the token info */ getTokensJWTGrant(type: string, id: string, options?: TokenRequestOptions) { if (!this.config.appAuth || !this.config.appAuth.keyID) { return Promise.reject( new Error('Must provide app auth configuration to use JWT Grant') ); } var claims = { exp: Math.floor(Date.now() / 1000) + this.config.appAuth.expirationTime, box_sub_type: type, }; var jwtOptions = { algorithm: this.config.appAuth.algorithm, audience: BOX_JWT_AUDIENCE, subject: id, issuer: this.config.clientID, jwtid: uuidv4(), noTimestamp: !this.config.appAuth.verifyTimestamp, keyid: this.config.appAuth.keyID, }; var keyParams = { key: this.config.appAuth.privateKey, passphrase: this.config.appAuth.passphrase, }; var assertion; try { assertion = jwt.sign(claims, keyParams, jwtOptions); } catch (jwtErr) { return Promise.reject(jwtErr); } var params = { grant_type: grantTypes.JWT, assertion, }; // Start the request timer immediately before executing the async request asyncRequestTimer = process.hrtime(); return this.getTokens(params, options).catch((err) => this.retryJWTGrant(claims, jwtOptions, keyParams, params, options, err, 0) ); } /** * Attempt a retry if possible and create a new JTI claim. If the request hasn't exceeded it's maximum number of retries, * re-execute the request (after the retry interval). Otherwise, propagate a new error. * * @param {Object} claims - JTI claims object * @param {Object} [jwtOptions] - JWT options for the signature * @param {Object} keyParams - Key JWT parameters object that contains the private key and the passphrase * @param {Object} params - Should contain all params expected by Box OAuth2 token endpoint * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @param {Error} error - Error from the previous JWT request * @param {int} numRetries - Number of retries attempted * @returns {Promise<TokenInfo>} Promise resolving to the token info */ // eslint-disable-next-line max-params retryJWTGrant( claims: any /* FIXME */, jwtOptions: any /* FIXME */, keyParams: any /* FIXME */, params: any /* FIXME */, options: TokenRequestOptions | undefined, error: any /* FIXME */, numRetries: number ): any /* FIXME */ { if ( numRetries < this.config.numMaxRetries && isJWTAuthErrorRetryable(error) ) { var retryTimeoutinSeconds; numRetries += 1; // If the retry strategy is defined, then use it to determine the time (in ms) until the next retry or to // propagate an error to the user. if (this.config.retryStrategy) { // Get the total elapsed time so far since the request was executed var totalElapsedTime = process.hrtime(asyncRequestTimer); var totalElapsedTimeMS = totalElapsedTime[0] * 1000 + totalElapsedTime[1] / 1000000; var retryOptions = { error, numRetryAttempts: numRetries, numMaxRetries: this.config.numMaxRetries, retryIntervalMS: this.config.retryIntervalMS, totalElapsedTimeMS, }; retryTimeoutinSeconds = this.config.retryStrategy(retryOptions); // If the retry strategy doesn't return a number/time in ms, then propagate the response error to the user. // However, if the retry strategy returns its own error, this will be propagated to the user instead. if (typeof retryTimeoutinSeconds !== 'number') { if (retryTimeoutinSeconds instanceof Error) { error = retryTimeoutinSeconds; } throw error; } } else if ( error.hasOwnProperty('response') && error.response.hasOwnProperty('headers') && error.response.headers.hasOwnProperty('retry-after') ) { retryTimeoutinSeconds = error.response.headers['retry-after']; } else { retryTimeoutinSeconds = Math.ceil(getRetryTimeout(numRetries, this.config.retryIntervalMS) / 1000); } var time = Math.floor(Date.now() / 1000); if (error.response.headers.date) { time = Math.floor(Date.parse(error.response.headers.date) / 1000); } // Add length of retry timeout to current expiration time to calculate the expiration time for the JTI claim. claims.exp = Math.ceil(time + this.config.appAuth.expirationTime + retryTimeoutinSeconds); jwtOptions.jwtid = uuidv4(); try { params.assertion = jwt.sign(claims, keyParams, jwtOptions); } catch (jwtErr) { throw jwtErr; } return Promise.delay(retryTimeoutinSeconds).then(() => { // Start the request timer immediately before executing the async request asyncRequestTimer = process.hrtime(); return this.getTokens(params, options).catch((err) => this.retryJWTGrant( claims, jwtOptions, keyParams, params, options, err, numRetries ) ); }); } else if (numRetries >= this.config.numMaxRetries) { error.maxRetriesExceeded = true; } throw error; } /** * Exchange a valid access token for one with a lower scope, or delegated to * an external user identifier. * * @param {string} accessToken - The valid access token to exchange * @param {string|string[]} scopes - The scope(s) of the new access token * @param {string} [resource] - The absolute URL of an API resource to restrict the new token to * @param {Object} [options] - Optional parameters * @param {TokenRequestOptions} [options.tokenRequestOptions] - Sets optional behavior for the token grant * @param {ActorParams} [options.actor] - Optional actor parameters for creating annotator tokens * @param {SharedLinkParams} [options.sharedLink] - Optional shared link parameters for creating tokens using shared links * @returns {Promise<TokenInfo>} Promise resolving to the new token info */ exchangeToken( accessToken: string, scopes: string | string[], resource?: string, options?: { tokenRequestOptions?: TokenRequestOptions; actor?: ActorParams; sharedLink?: SharedLinkParams; } ) { var params: { grant_type: string; subject_token_type: string; subject_token: string; scope: string; resource?: string; box_shared_link?: string; actor_token?: string; actor_token_type?: string; } = { grant_type: grantTypes.TOKEN_EXCHANGE, subject_token_type: ACCESS_TOKEN_TYPE, subject_token: accessToken, scope: typeof scopes === 'string' ? scopes : scopes.join(' '), }; if (resource) { params.resource = resource; } if (options && options.sharedLink) { params.box_shared_link = options.sharedLink.url; } if (options && options.actor) { var payload = { iss: this.config.clientID, sub: options.actor.id, aud: BOX_JWT_AUDIENCE, box_sub_type: 'external', name: options.actor.name, }; var jwtOptions = { algorithm: 'none', expiresIn: '1m', noTimestamp: true, jwtid: uuidv4(), }; var token; try { token = jwt.sign(payload, 'UNUSED', jwtOptions as any /* FIXME */); } catch (jwtError) { return Promise.reject(jwtError); } params.actor_token = token; params.actor_token_type = ACTOR_TOKEN_TYPE; } return this.getTokens( params, options && options.tokenRequestOptions ? options.tokenRequestOptions : null ); } /** * Revokes a token pair associated with a given access or refresh token. * * @param {string} token - A valid access or refresh token to revoke * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant * @returns {Promise} Promise resolving if the revoke succeeds */ revokeTokens(token: string, options?: TokenRequestOptions) { var params: { method: string; url: string; form: Record<string, string>; headers?: Record<string, string>; } = { method: 'POST', url: this.oauthBaseURL + tokenPaths.REVOKE, form: { token, client_id: this.config.clientID, client_secret: this.config.clientSecret, }, }; if (options && options.ip) { params.headers = {}; params.headers[HEADER_XFF] = options.ip; } return this.requestManager.makeRequest(params); }}/** * Provides interactions with Box OAuth2 tokening system. * * @module box-node-sdk/lib/token-manager */export = TokenManager;