1 /*
2  *  Make.org Core API
3  *  Copyright (C) 2018 Make.org
4  *
5  * This program is free software: you can redistribute it and/or modify
6  *  it under the terms of the GNU Affero General Public License as
7  *  published by the Free Software Foundation, either version 3 of the
8  *  License, or (at your option) any later version.
9  *
10  *  This program is distributed in the hope that it will be useful,
11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  *  GNU Affero General Public License for more details.
14  *
15  *  You should have received a copy of the GNU Affero General Public License
16  *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
17  *
18  */
19 
20 package org.make.api.technical.auth
21 
22 import cats.implicits._
23 import akka.http.scaladsl.server._
24 import akka.http.scaladsl.model.{HttpRequest, StatusCodes}
25 import akka.http.scaladsl.model.headers.{HttpCookie, SameSite}
26 import grizzled.slf4j.Logging
27 import io.circe.generic.semiauto.deriveDecoder
28 import io.circe.Decoder
29 import io.swagger.annotations._
30 import org.make.api.operation.OperationServiceComponent
31 import org.make.api.question.QuestionServiceComponent
32 import org.make.api.technical.MakeDirectives.MakeDirectivesDependencies
33 import org.make.api.technical._
34 import org.make.api.technical.directives.FutureDirectivesExtensions._
35 import org.make.api.technical.auth.MakeDataHandler.{CreatedAtParameter, RefreshTokenExpirationParameter}
36 import org.make.api.user.UserServiceComponent
37 import org.make.core.auth.{AuthCode, ClientId, UserRights}
38 import org.make.core.{DateHelper, HttpCodes}
39 import scalaoauth2.provider._
40 
41 import javax.ws.rs.Path
42 import scala.annotation.meta.field
43 import scala.concurrent.ExecutionContext.Implicits.global
44 import scala.concurrent.Future
45 import scala.util.{Failure, Success}
46 import org.make.core.RequestContext
47 
48 @Api(value = "Authentication")
49 @Path(value = "/")
50 trait AuthenticationApi extends Directives {
51 
52   @ApiOperation(value = "oauth-access_token", httpMethod = "POST", code = HttpCodes.OK)
53   @ApiImplicitParams(
54     value = Array(
55       new ApiImplicitParam(name = "username", paramType = "form", dataType = "string"),
56       new ApiImplicitParam(name = "password", paramType = "form", dataType = "string"),
57       new ApiImplicitParam(
58         name = "grant_type",
59         paramType = "form",
60         dataType = "string",
61         defaultValue = "password",
62         allowableValues = "authorization_code,refresh_token,client_credentials,password,implicit,reconnect_token"
63       ),
64       new ApiImplicitParam(
65         name = "approvePrivacyPolicy",
66         paramType = "form",
67         dataType = "boolean",
68         defaultValue = "true"
69       )
70     )
71   )
72   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[TokenResponse])))
73   @Path(value = "/oauth/access_token")
74   def accessTokenRoute: Route
75 
76   @ApiOperation(
77     value = "oauth-get_access_token",
78     httpMethod = "GET",
79     code = HttpCodes.OK,
80     authorizations = Array(
81       new Authorization(
82         value = "MakeApi",
83         scopes = Array(
84           new AuthorizationScope(scope = "user", description = "application user"),
85           new AuthorizationScope(scope = "admin", description = "BO Admin")
86         )
87       )
88     )
89   )
90   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[TokenResponse])))
91   @Path(value = "/oauth/access_token")
92   def getAccessTokenRoute: Route
93 
94   @ApiOperation(
95     value = "logout",
96     httpMethod = "POST",
97     code = HttpCodes.NoContent,
98     consumes = "text/plain",
99     authorizations = Array(
100       new Authorization(
101         value = "MakeApi",
102         scopes = Array(
103           new AuthorizationScope(scope = "user", description = "application user"),
104           new AuthorizationScope(scope = "admin", description = "BO Admin")
105         )
106       )
107     )
108   )
109   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.NoContent, message = "No content")))
110   @Path(value = "/logout")
111   def logoutRoute: Route
112 
113   @ApiOperation(
114     value = "OAuth-Code",
115     httpMethod = "POST",
116     code = HttpCodes.OK,
117     consumes = "application/json",
118     authorizations = Array(
119       new Authorization(
120         value = "MakeApi",
121         scopes = Array(
122           new AuthorizationScope(scope = "user", description = "application user"),
123           new AuthorizationScope(scope = "admin", description = "BO Admin")
124         )
125       )
126     )
127   )
128   @ApiImplicitParams(
129     value = Array(
130       new ApiImplicitParam(paramType = "body", dataType = "org.make.api.technical.auth.CreateAuthorizationCodeRequest")
131     )
132   )
133   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.OK, message = "Ok", response = classOf[AuthCode])))
134   @Path(value = "/oauth/code")
135   def createAuthorizationCode: Route
136 
137   def form: Route
138 
139   @ApiOperation(
140     value = "reset-cookies",
141     httpMethod = "POST",
142     code = HttpCodes.NoContent,
143     consumes = "text/plain",
144     authorizations = Array(
145       new Authorization(
146         value = "MakeApi",
147         scopes = Array(
148           new AuthorizationScope(scope = "user", description = "application user"),
149           new AuthorizationScope(scope = "admin", description = "BO Admin")
150         )
151       )
152     )
153   )
154   @ApiResponses(value = Array(new ApiResponse(code = HttpCodes.NoContent, message = "No content")))
155   @Path(value = "/resetCookies")
156   def resetCookies: Route
157 
158   def routes: Route =
159     getAccessTokenRoute ~
160       accessTokenRoute ~
161       logoutRoute ~
162       form ~
163       createAuthorizationCode ~
164       resetCookies
165 }
166 
167 object AuthenticationApi {
168 
169   def grantResultToTokenResponse(grantResult: GrantHandlerResult[UserRights]): TokenResponse =
170     TokenResponse(
171       grantResult.tokenType,
172       grantResult.accessToken,
173       grantResult.expiresIn.getOrElse(1L),
174       grantResult.refreshToken,
175       grantResult.params.get(RefreshTokenExpirationParameter).map(_.toLong),
176       grantResult.params.getOrElse(CreatedAtParameter, DateHelper.format(DateHelper.now()))
177     )
178 
179 }
180 
181 trait AuthenticationApiComponent {
182   def authenticationApi: AuthenticationApi
183 }
184 
185 trait DefaultAuthenticationApiComponent
186     extends AuthenticationApiComponent
187     with MakeDirectives
188     with MakeAuthenticationDirectives
189     with Logging {
190   self: MakeDirectivesDependencies
191     with UserServiceComponent
192     with QuestionServiceComponent
193     with OperationServiceComponent =>
194 
195   def tokenEndpoint: TokenEndpoint
196 
197   override lazy val authenticationApi: AuthenticationApi = new DefaultAuthenticationApi
198 
199   class DefaultAuthenticationApi extends AuthenticationApi {
200 
201     override def createAuthorizationCode: Route = {
202       post {
203         path("oauth" / "code") {
204           makeOperation("CreateAuthCode", EndpointType.Public) { _ =>
205             makeOAuth2 { user =>
206               decodeRequest {
207                 entity(as[CreateAuthorizationCodeRequest]) { request =>
208                   oauth2DataHandler
209                     .createAuthorizationCode(user.user.userId, request.clientId, request.scope, request.redirectUri)
210                     .asDirectiveOrNotFound { code =>
211                       complete(StatusCodes.OK -> code)
212                     }
213                 }
214               }
215             }
216           }
217         }
218       }
219     }
220 
221     private val EmailFieldKey = "username"
222 
223     private def getToken(
224       request: HttpRequest,
225       requestContext: RequestContext,
226       fields: Map[String, String]
227     ): Future[Either[OAuthError, GrantHandlerResult[UserRights]]] = {
228       val headers = request.headers.groupMap(_.name())(_.value())
229       logger.info(headers.toString())
230       logger.info(headers.get("Authorization").flatMap(_.headOption).getOrElse("Authorization not found"))
231       val formatted = fields.view.mapValues(Seq(_)).toMap
232       tokenEndpoint
233         .handleRequest(new AuthorizationRequest(headers, formatted), oauth2DataHandler)
234         .flatMap({
235           case Left(e) => Future.successful(Left(e))
236           case Right(result) =>
237             sessionHistoryCoordinatorService
238               .convertSession(requestContext.sessionId, result.authInfo.user.userId, requestContext)
239               .as(Right(result))
240         })
241     }
242 
243     private def handleLoginFailure(username: String, error: Throwable) =
244       userService.registerFailedConnectionAttempt(username).asDirective(_ => failWith(error))
245 
246     private def handleLoginSuccess(
247       grantResult: GrantHandlerResult[UserRights],
248       requestContext: RequestContext,
249       fields: Map[String, String]
250     ) = {
251       val userId = grantResult.authInfo.user.userId
252       userService
253         .getUser(userId)
254         .flatMap(_.fold(Future.unit)(user => {
255           val now = DateHelper.now()
256           val hasApprovedPolicy = fields.get("approvePrivacyPolicy").contains("true")
257           val lastConnection = Some(now)
258           val connectionAttemptsSinceLastSuccessful = 0
259           val privacyPolicyApprovalDate = if (hasApprovedPolicy) Some(now) else user.privacyPolicyApprovalDate
260           userService.updateConnectionInfos(
261             userId,
262             lastConnection,
263             connectionAttemptsSinceLastSuccessful,
264             privacyPolicyApprovalDate
265           )
266         }))
267         .asDirective { _ =>
268           val tokenResponse = AuthenticationApi.grantResultToTokenResponse(grantResult)
269           setMakeSecure(requestContext.applicationName, tokenResponse, userId)(complete(tokenResponse))
270         }
271     }
272 
273     override def accessTokenRoute: Route = post {
274       (path("oauth" / "access_token") | path("oauth" / "make_access_token")) {
275         makeOperation("OauthAccessToken", EndpointType.Public) { requestContext =>
276           formFieldMap { fields =>
277             extractRequest { request =>
278               fields.get("grant_type") match {
279                 case Some("password") =>
280                   val username = fields(EmailFieldKey).toLowerCase
281                   val normalizedFields = fields.updated(EmailFieldKey, username)
282                   userService.isThrottled(username).asDirective {
283                     if (_) complete(StatusCodes.TooManyRequests)
284                     else
285                       onComplete(getToken(request, requestContext, normalizedFields)) {
286                         case Success(Right(grantResult)) =>
287                           handleLoginSuccess(grantResult, requestContext, normalizedFields)
288                         case Success(Left(e)) => handleLoginFailure(username, e)
289                         case Failure(e)       => handleLoginFailure(username, e)
290                       }
291                   }
292                 case _ =>
293                   onComplete(getToken(request, requestContext, fields)) {
294                     case Success(Right(grantResult)) => handleLoginSuccess(grantResult, requestContext, fields)
295                     case Success(Left(e))            => failWith(e)
296                     case Failure(e)                  => failWith(e)
297                   }
298               }
299             }
300           }
301         }
302       }
303     }
304 
305     override def getAccessTokenRoute: Route = pathPrefix("oauth") {
306       get {
307         path("access_token") {
308           makeOperation("OauthGetAccessToken") { requestContext =>
309             makeOAuth2 { _ =>
310               requireToken(requestContext.applicationName) { token =>
311                 oauth2DataHandler.findAccessToken(token).asDirectiveOrNotFound { tokenResult =>
312                   complete(TokenResponse.fromAccessToken(tokenResult))
313                 }
314               }
315             }
316           }
317         }
318       }
319     }
320 
321     override def form: Route = get {
322       path("oauth" / "authenticate") {
323         makeOperation("AuthenticationForm") { _ =>
324           getFromResource("authentication/index.html")
325         }
326       }
327     }
328 
329     override def logoutRoute: Route = post {
330       path("logout") {
331         makeOperation("OauthLogout") { requestContext =>
332           makeOAuth2 { _ =>
333             requireToken(requestContext.applicationName) { token =>
334               onComplete(oauth2DataHandler.removeToken(token)) {
335                 case Success(_) =>
336                   addCookies(requestContext.applicationName, logoutCookies()) { complete(StatusCodes.NoContent) }
337                 case Failure(ex) => failWith(ex)
338               }
339             }
340           }
341         }
342       }
343     }
344 
345     override def resetCookies: Route = post {
346       path("resetCookies") {
347         makeOperation("ResetCookies") { requestContext =>
348           extractToken(requestContext.applicationName) { token =>
349             onComplete(token.map(oauth2DataHandler.removeToken).getOrElse(Future.unit)) {
350               case Success(_) =>
351                 addCookies(
352                   requestContext.applicationName,
353                   logoutCookies() ++
354                     Seq(
355                       HttpCookie(
356                         name = makeSettings.UserIdCookie.name,
357                         value = "",
358                         secure = makeSettings.UserIdCookie.isSecure,
359                         httpOnly = true,
360                         maxAge = Some(0),
361                         path = Some("/")
362                       ).withSameSite(SameSite.Strict),
363                       HttpCookie(
364                         name = makeSettings.VisitorCookie.name,
365                         value = "",
366                         secure = makeSettings.VisitorCookie.isSecure,
367                         httpOnly = true,
368                         maxAge = Some(0),
369                         path = Some("/")
370                       ).withSameSite(SameSite.Strict),
371                       HttpCookie(
372                         name = makeSettings.VisitorCookie.createdAtName,
373                         value = "",
374                         secure = makeSettings.VisitorCookie.isSecure,
375                         httpOnly = true,
376                         maxAge = Some(0),
377                         path = Some("/")
378                       ).withSameSite(SameSite.Strict)
379                     )
380                 ) {
381                   complete(StatusCodes.NoContent)
382                 }
383               case Failure(ex) => failWith(ex)
384             }
385           }
386         }
387       }
388     }
389 
390   }
391 }
392 
393 final case class CreateAuthorizationCodeRequest(
394   @(ApiModelProperty @field)(dataType = "string", example = "11111111-2222-3333-4444-555555555555", required = true)
395   clientId: ClientId,
396   scope: Option[String],
397   redirectUri: Option[String]
398 )
399 
400 object CreateAuthorizationCodeRequest {
401   implicit val decoder: Decoder[CreateAuthorizationCodeRequest] = deriveDecoder[CreateAuthorizationCodeRequest]
402 }