feat(auth): add abuse protection for login and OIDC flows with consent-based authorization handling

ts/reception/classes.oidcmanager.ts

@@ -11,11 +11,21 @@ import { OidcUserConsent } from './classes.oidcuserconsent.js';
  * for third-party client authentication.
  */
 export class OidcManager {
+  private readonly abuseProtectionConfig = {
+    oidcTokenExchange: {
+      maxAttempts: 10,
+      windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
+      blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
+    },
+  };
+
   public receptionRef: Reception;
   public get db() {
     return this.receptionRef.db.smartdataDb;
   }
 
+  public typedRouter = new plugins.typedrequest.TypedRouter();
+
   public COidcAuthorizationCode = plugins.smartdata.setDefaultManagerForDoc(
     this,
     OidcAuthorizationCode
@@ -31,6 +41,35 @@ export class OidcManager {
 
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
+    this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
+
+    this.typedRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization>(
+        'prepareOidcAuthorization',
+        async (requestArg) => {
+          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          if (!jwt) {
+            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
+          }
+
+          return this.prepareAuthorizationForUser(jwt.data.userId, requestArg);
+        }
+      )
+    );
+
+    this.typedRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization>(
+        'completeOidcAuthorization',
+        async (requestArg) => {
+          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          if (!jwt) {
+            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
+          }
+
+          return this.completeAuthorizationForUser(jwt.data.userId, requestArg);
+        }
+      )
+    );
     this.startCleanupTask();
   }
 
@@ -128,6 +167,10 @@ export class OidcManager {
       return this.errorResponse('unsupported_response_type', 'Only code response type is supported');
     }
 
+    if (prompt && !this.isSupportedPrompt(prompt)) {
+      return this.errorResponse('invalid_request', 'Unsupported prompt value');
+    }
+
     // Validate code challenge method if present
     if (codeChallenge && codeChallengeMethod !== 'S256') {
       return this.errorResponse('invalid_request', 'Only S256 code challenge method is supported');
@@ -169,6 +212,9 @@ export class OidcManager {
     if (nonce) {
       loginUrl.searchParams.set('nonce', nonce);
     }
+    if (prompt) {
+      loginUrl.searchParams.set('prompt', prompt);
+    }
 
     return Response.redirect(loginUrl.toString(), 302);
   }
@@ -202,10 +248,71 @@ export class OidcManager {
     };
 
     await authCode.save();
-    await this.upsertUserConsent(userId, clientId, scopes);
     return code;
   }
 
+  public async prepareAuthorizationForUser(
+    userIdArg: string,
+    requestArg: Omit<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['request'], 'jwt'>
+  ): Promise<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['response']> {
+    const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
+    const consentState = await this.evaluateConsentRequirement(
+      userIdArg,
+      resolvedRequest.clientId,
+      resolvedRequest.validScopes,
+      resolvedRequest.prompt
+    );
+
+    return {
+      status: consentState.consentRequired ? ('consent_required' as const) : ('ready' as const),
+      clientId: resolvedRequest.clientId,
+      appName: resolvedRequest.app.data.name,
+      appUrl: resolvedRequest.app.data.appUrl,
+      logoUrl: resolvedRequest.app.data.logoUrl,
+      requestedScopes: resolvedRequest.validScopes,
+      grantedScopes: consentState.grantedScopes,
+    };
+  }
+
+  public async completeAuthorizationForUser(
+    userIdArg: string,
+    requestArg: Omit<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'], 'jwt'>
+  ) {
+    const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
+    const consentState = await this.evaluateConsentRequirement(
+      userIdArg,
+      resolvedRequest.clientId,
+      resolvedRequest.validScopes,
+      resolvedRequest.prompt
+    );
+
+    if (consentState.consentRequired && !requestArg.consentApproved) {
+      throw new Error('Consent required');
+    }
+
+    if (requestArg.consentApproved) {
+      await this.upsertUserConsent(userIdArg, resolvedRequest.clientId, resolvedRequest.validScopes);
+    }
+
+    const code = await this.generateAuthorizationCode(
+      resolvedRequest.clientId,
+      userIdArg,
+      resolvedRequest.validScopes,
+      resolvedRequest.redirectUri,
+      resolvedRequest.codeChallenge,
+      resolvedRequest.nonce
+    );
+
+    const redirectUrl = new URL(resolvedRequest.redirectUri);
+    redirectUrl.searchParams.set('code', code);
+    redirectUrl.searchParams.set('state', resolvedRequest.state);
+
+    return {
+      code,
+      redirectUrl: redirectUrl.toString(),
+    };
+  }
+
   /**
    * Handle the token endpoint request
    */
@@ -236,6 +343,13 @@ export class OidcManager {
       return this.tokenErrorResponse('invalid_client', 'Missing client_id');
     }
 
+    await this.receptionRef.abuseProtectionManager.consumeAttempt(
+      'oidcTokenExchange',
+      clientId,
+      this.abuseProtectionConfig.oidcTokenExchange,
+      'Too many token endpoint attempts. Please wait before retrying.'
+    );
+
     // Find and validate app
     const app = await this.findAppByClientId(clientId);
     if (!app) {
@@ -250,13 +364,20 @@ export class OidcManager {
       }
     }
 
+    let response: Response;
     if (grantType === 'authorization_code') {
-      return this.handleAuthorizationCodeGrant(formData, app);
+      response = await this.handleAuthorizationCodeGrant(formData, app);
     } else if (grantType === 'refresh_token') {
-      return this.handleRefreshTokenGrant(formData, app);
+      response = await this.handleRefreshTokenGrant(formData, app);
     } else {
-      return this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
+      response = this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
     }
+
+    if (response.status === 200) {
+      await this.receptionRef.abuseProtectionManager.clearAttempts('oidcTokenExchange', clientId);
+    }
+
+    return response;
   }
 
   /**
@@ -625,6 +746,78 @@ export class OidcManager {
     return apps[0] || null;
   }
 
+  private isSupportedPrompt(promptArg: string): promptArg is 'none' | 'login' | 'consent' {
+    return ['none', 'login', 'consent'].includes(promptArg);
+  }
+
+  private async resolveAuthorizationRequest(
+    requestArg: Pick<
+      plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'],
+      'clientId' | 'redirectUri' | 'scope' | 'state' | 'prompt' | 'codeChallenge' | 'codeChallengeMethod' | 'nonce'
+    >
+  ) {
+    if (!requestArg.clientId || !requestArg.redirectUri || !requestArg.scope || !requestArg.state) {
+      throw new Error('Missing required OAuth authorization parameters');
+    }
+
+    if (requestArg.prompt && !this.isSupportedPrompt(requestArg.prompt)) {
+      throw new Error('Unsupported prompt value');
+    }
+
+    if (requestArg.codeChallenge && requestArg.codeChallengeMethod !== 'S256') {
+      throw new Error('Only S256 code challenge method is supported');
+    }
+
+    const app = await this.findAppByClientId(requestArg.clientId);
+    if (!app) {
+      throw new Error('Unknown client_id');
+    }
+
+    if (!app.data.oauthCredentials.redirectUris.includes(requestArg.redirectUri)) {
+      throw new Error('Invalid redirect_uri');
+    }
+
+    const requestedScopes = requestArg.scope
+      .split(' ')
+      .filter(Boolean) as plugins.idpInterfaces.data.TOidcScope[];
+    const allowedScopes =
+      app.data.oauthCredentials.allowedScopes as plugins.idpInterfaces.data.TOidcScope[];
+    const validScopes = requestedScopes.filter((scopeArg) => allowedScopes.includes(scopeArg));
+
+    if (!validScopes.includes('openid')) {
+      throw new Error('openid scope is required');
+    }
+
+    return {
+      app,
+      clientId: requestArg.clientId,
+      redirectUri: requestArg.redirectUri,
+      state: requestArg.state,
+      prompt: requestArg.prompt,
+      codeChallenge: requestArg.codeChallenge,
+      codeChallengeMethod: requestArg.codeChallengeMethod,
+      nonce: requestArg.nonce,
+      validScopes,
+    };
+  }
+
+  private async evaluateConsentRequirement(
+    userIdArg: string,
+    clientIdArg: string,
+    scopesArg: plugins.idpInterfaces.data.TOidcScope[],
+    promptArg?: 'none' | 'login' | 'consent'
+  ) {
+    const existingConsent = await this.getUserConsent(userIdArg, clientIdArg);
+    const grantedScopes = existingConsent?.data.scopes || [];
+    const missingScopes = scopesArg.filter((scopeArg) => !grantedScopes.includes(scopeArg));
+
+    return {
+      grantedScopes,
+      missingScopes,
+      consentRequired: promptArg === 'consent' || missingScopes.length > 0,
+    };
+  }
+
   private createOpaqueToken(byteLength = 32): string {
     return plugins.crypto.randomBytes(byteLength).toString('base64url');
   }