
fix: cloud connection should bypass custom JWT flow

This commit is contained in:
Darcy Ye 2024-03-18 18:35:32 +08:00
parent 084ced1bd6
commit 18fb88ecdd
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
2 changed files with 10 additions and 24 deletions


@ -34,20 +34,11 @@ const accessTokenExpirationMargin = 60;
/** The library for connecting to Logto Cloud service. */ /** The library for connecting to Logto Cloud service. */
export class CloudConnectionLibrary { export class CloudConnectionLibrary {
private _isAuthenticated = false;
private client?: Client<typeof router>; private client?: Client<typeof router>;
private accessTokenCache?: { expiresAt: number; accessToken: string }; private accessTokenCache?: { expiresAt: number; accessToken: string };
constructor(private readonly logtoConfigs: LogtoConfigLibrary) {} constructor(private readonly logtoConfigs: LogtoConfigLibrary) {}
get isAuthenticated() {
return this._isAuthenticated;
}
private set isAuthenticated(value: boolean) {
this._isAuthenticated = value;
}
public getCloudConnectionData = async (): Promise<CloudConnection> => { public getCloudConnectionData = async (): Promise<CloudConnection> => {
const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs; const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs;
const credentials = await getCloudServiceM2mCredentials(); const credentials = await getCloudServiceM2mCredentials();
@ -76,8 +67,6 @@ export class CloudConnectionLibrary {
if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) { if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) {
return accessToken; return accessToken;
} }
// Set the cloud connection to not authenticated if the access token is expired.
this.isAuthenticated = false;
} }
const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData(); const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData();
@ -105,8 +94,6 @@ export class CloudConnectionLibrary {
expiresAt: Date.now() / 1000 + result.data.expires_in, expiresAt: Date.now() / 1000 + result.data.expires_in,
accessToken: result.data.access_token, accessToken: result.data.access_token,
}; };
// Set the cloud connection to `authenticated` if the access token is valid.
this.isAuthenticated = true;
return result.data.access_token; return result.data.access_token;
}; };
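Review bot: With the `isAuthenticated` flag removed in the first hunk, `getCloudConnectionData` becomes the check the OIDC `extraTokenClaims` hook now awaits on every client-credentials grant to decide whether the cloud connection's own grant bypasses the custom JWT flow, so `this.logtoConfigs.getCloudConnectionData()` is on the token-issuance hot path and is a new failure point: if that lookup throws (missing or unreadable cloud credentials), every client-credentials grant would fail, not just the cloud connection's own, unless the caller guards it. Consider stating this contract on the method, e.g. `/** Reads the cloud M2M credentials from config. Also used by the OIDC extraTokenClaims hook to recognise the cloud connection's own client-credentials grant, so it must stay cheap and must not itself request a cloud access token. */`, and caching the resolved `appId` if the config lookup is not already memoized. The method body continues past the hunk, so whether the lookup is cached cannot be seen here; the second and third hunks' enclosing token method also starts outside the hunk.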


@ -215,19 +215,18 @@ export default function initOidc(
return; return;
} }
/**
* The execution on this function relies on the existence of authenticated cloud connection client.
*
* The process that cloud connection get access token also includes this function (`extraTokenClaims`
* is a function that will always be executed during the process of generating an access token), it
* could trigger infinite loop if we do not terminal the process early.
*/
if (!cloudConnection.isAuthenticated) {
return;
}
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials; const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
/**
* Cloud connection should not go through this custom JWT logic.
*/
if (isTokenClientCredentials) {
const { appId } = await cloudConnection.getCloudConnectionData();
if (token.clientId === appId) {
return;
}
}
const { const {
value: { script, envVars }, value: { script, envVars },
} = (await trySafe( } = (await trySafe(