fix: cloud connection should bypass custom JWT flow
This commit is contained in:
parent
084ced1bd6
commit
18fb88ecdd
2 changed files with 10 additions and 24 deletions
@ -34,20 +34,11 @@ const accessTokenExpirationMargin = 60;
|
||||||
|
|
||||||
/** The library for connecting to Logto Cloud service. */
|
/** The library for connecting to Logto Cloud service. */
|
||||||
export class CloudConnectionLibrary {
|
export class CloudConnectionLibrary {
|
||||||
private _isAuthenticated = false;
|
|
||||||
private client?: Client<typeof router>;
|
private client?: Client<typeof router>;
|
||||||
private accessTokenCache?: { expiresAt: number; accessToken: string };
|
private accessTokenCache?: { expiresAt: number; accessToken: string };
|
||||||
|
|
||||||
constructor(private readonly logtoConfigs: LogtoConfigLibrary) {}
|
constructor(private readonly logtoConfigs: LogtoConfigLibrary) {}
|
||||||
|
|
||||||
get isAuthenticated() {
|
|
||||||
return this._isAuthenticated;
|
|
||||||
}
|
|
||||||
|
|
||||||
private set isAuthenticated(value: boolean) {
|
|
||||||
this._isAuthenticated = value;
|
|
||||||
}
|
|
||||||
|
|
||||||
public getCloudConnectionData = async (): Promise<CloudConnection> => {
|
public getCloudConnectionData = async (): Promise<CloudConnection> => {
|
||||||
const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs;
|
const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs;
|
||||||
const credentials = await getCloudServiceM2mCredentials();
|
const credentials = await getCloudServiceM2mCredentials();
|
||||||
|
@ -76,8 +67,6 @@ export class CloudConnectionLibrary {
|
||||||
if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) {
|
if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) {
|
||||||
return accessToken;
|
return accessToken;
|
||||||
}
|
}
|
||||||
// Set the cloud connection to not authenticated if the access token is expired.
|
|
||||||
this.isAuthenticated = false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData();
|
const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData();
|
||||||
|
@ -105,8 +94,6 @@ export class CloudConnectionLibrary {
|
||||||
expiresAt: Date.now() / 1000 + result.data.expires_in,
|
expiresAt: Date.now() / 1000 + result.data.expires_in,
|
||||||
accessToken: result.data.access_token,
|
accessToken: result.data.access_token,
|
||||||
};
|
};
|
||||||
// Set the cloud connection to `authenticated` if the access token is valid.
|
|
||||||
this.isAuthenticated = true;
|
|
||||||
|
|
||||||
return result.data.access_token;
|
return result.data.access_token;
|
||||||
};
|
};
|
||||||
|
|
|
@ -215,19 +215,18 @@ export default function initOidc(
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* The execution on this function relies on the existence of authenticated cloud connection client.
|
|
||||||
*
|
|
||||||
* The process that cloud connection get access token also includes this function (`extraTokenClaims`
|
|
||||||
* is a function that will always be executed during the process of generating an access token), it
|
|
||||||
* could trigger infinite loop if we do not terminal the process early.
|
|
||||||
*/
|
|
||||||
if (!cloudConnection.isAuthenticated) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
|
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Cloud connection should not go through this custom JWT logic.
|
||||||
|
*/
|
||||||
|
if (isTokenClientCredentials) {
|
||||||
|
const { appId } = await cloudConnection.getCloudConnectionData();
|
||||||
|
if (token.clientId === appId) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const {
|
const {
|
||||||
value: { script, envVars },
|
value: { script, envVars },
|
||||||
} = (await trySafe(
|
} = (await trySafe(
|
||||||
|
|
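Review bot: The added bypass awaits `cloudConnection.getCloudConnectionData()` unguarded on every client-credentials grant, so if that call rejects (for instance when no cloud connection is configured and the underlying `logtoConfigs.getCloudConnectionData` throws — its failure behaviour is not visible on this page) every M2M token issuance would fail inside this claims callback, whereas the removed `isAuthenticated` guard simply returned early. Since the callback already routes the script lookup through `trySafe` a few lines down, wrapping the credential lookup the same way and skipping the bypass when it yields nothing would keep the grant path working, roughly `const connection = await trySafe(cloudConnection.getCloudConnectionData());` followed by `if (connection && token.clientId === connection.appId) { return; }`, assuming `trySafe` resolves to undefined on failure as its use below suggests. The lookup also runs once per client-credentials token rather than once per process; if it reaches storage, caching the cloud app id is worth considering. The enclosing initOidc callback starts and ends outside the hunk.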