mirror of
https://github.com/mountain-loop/yaak.git
synced 2026-01-18 09:46:44 +01:00
113 lines
3.3 KiB
TypeScript
113 lines
3.3 KiB
TypeScript
import type { Context, HttpRequest } from '@yaakapp/api';
|
|
import { readFileSync } from 'node:fs';
|
|
import type { AccessToken, AccessTokenRawResponse, TokenStoreArgs } from './store';
|
|
import { deleteToken, getToken, storeToken } from './store';
|
|
import { isTokenExpired } from './util';
|
|
|
|
export async function getOrRefreshAccessToken(
|
|
ctx: Context,
|
|
tokenArgs: TokenStoreArgs,
|
|
{
|
|
scope,
|
|
accessTokenUrl,
|
|
credentialsInBody,
|
|
clientId,
|
|
clientSecret,
|
|
forceRefresh,
|
|
}: {
|
|
scope: string | null;
|
|
accessTokenUrl: string;
|
|
credentialsInBody: boolean;
|
|
clientId: string;
|
|
clientSecret: string;
|
|
forceRefresh?: boolean;
|
|
},
|
|
): Promise<AccessToken | null> {
|
|
const token = await getToken(ctx, tokenArgs);
|
|
if (token == null) {
|
|
return null;
|
|
}
|
|
|
|
const isExpired = isTokenExpired(token);
|
|
|
|
// Return the current access token if it's still valid
|
|
if (!isExpired && !forceRefresh) {
|
|
return token;
|
|
}
|
|
|
|
// Token is expired, but there's no refresh token :(
|
|
if (!token.response.refresh_token) {
|
|
return null;
|
|
}
|
|
|
|
// Access token is expired, so get a new one
|
|
const httpRequest: Partial<HttpRequest> = {
|
|
method: 'POST',
|
|
url: accessTokenUrl,
|
|
bodyType: 'application/x-www-form-urlencoded',
|
|
body: {
|
|
form: [
|
|
{ name: 'grant_type', value: 'refresh_token' },
|
|
{ name: 'refresh_token', value: token.response.refresh_token },
|
|
],
|
|
},
|
|
headers: [
|
|
{ name: 'User-Agent', value: 'yaak' },
|
|
{ name: 'Accept', value: 'application/x-www-form-urlencoded, application/json' },
|
|
{ name: 'Content-Type', value: 'application/x-www-form-urlencoded' },
|
|
],
|
|
};
|
|
|
|
if (scope) httpRequest.body!.form.push({ name: 'scope', value: scope });
|
|
|
|
if (credentialsInBody) {
|
|
httpRequest.body!.form.push({ name: 'client_id', value: clientId });
|
|
httpRequest.body!.form.push({ name: 'client_secret', value: clientSecret });
|
|
} else {
|
|
const value = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
|
|
httpRequest.headers!.push({ name: 'Authorization', value });
|
|
}
|
|
|
|
httpRequest.authenticationType = 'none'; // Don't inherit workspace auth
|
|
const resp = await ctx.httpRequest.send({ httpRequest });
|
|
|
|
if (resp.status === 401) {
|
|
// Bad refresh token, so we'll force it to fetch a fresh access token by deleting
|
|
// and returning null;
|
|
console.log('[oauth2] Unauthorized refresh_token request');
|
|
await deleteToken(ctx, tokenArgs);
|
|
return null;
|
|
}
|
|
|
|
const body = resp.bodyPath ? readFileSync(resp.bodyPath, 'utf8') : '';
|
|
|
|
console.log('[oauth2] Got refresh token response', resp.status);
|
|
|
|
if (resp.status < 200 || resp.status >= 300) {
|
|
throw new Error(
|
|
'Failed to refresh access token with status=' + resp.status + ' and body=' + body,
|
|
);
|
|
}
|
|
|
|
let response;
|
|
try {
|
|
response = JSON.parse(body);
|
|
} catch {
|
|
response = Object.fromEntries(new URLSearchParams(body));
|
|
}
|
|
|
|
if (response.error) {
|
|
throw new Error(
|
|
`Failed to fetch access token with ${response.error} -> ${response.error_description}`,
|
|
);
|
|
}
|
|
|
|
const newResponse: AccessTokenRawResponse = {
|
|
...response,
|
|
// Assign a new one or keep the old one,
|
|
refresh_token: response.refresh_token ?? token.response.refresh_token,
|
|
};
|
|
|
|
return storeToken(ctx, tokenArgs, newResponse);
|
|
}
|