// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. /** * @fileoverview * OAuth2 class that handles retrieval/storage of an OAuth2 token. * * Uses a content script to trampoline the OAuth redirect page back into the * extension context. This works around the lack of native support for * chrome-extensions in OAuth2. */ // TODO(jamiewalch): Delete this code once Chromoting is a v2 app and uses the // identity API (http://crbug.com/ 134213). 'use strict'; /** @suppress {duplicate} */ var remoting = remoting || {}; /** @type {remoting.OAuth2} */ remoting.oauth2 = null; /** @constructor */ remoting.OAuth2 = function() { }; // Constants representing keys used for storing persistent state. /** @private */ remoting.OAuth2.prototype.KEY_REFRESH_TOKEN_ = 'oauth2-refresh-token'; /** @private */ remoting.OAuth2.prototype.KEY_REFRESH_TOKEN_REVOKABLE_ = 'oauth2-refresh-token-revokable'; /** @private */ remoting.OAuth2.prototype.KEY_ACCESS_TOKEN_ = 'oauth2-access-token'; /** @private */ remoting.OAuth2.prototype.KEY_XSRF_TOKEN_ = 'oauth2-xsrf-token'; /** @private */ remoting.OAuth2.prototype.KEY_EMAIL_ = 'remoting-email'; // Constants for parameters used in retrieving the OAuth2 credentials. /** @private */ remoting.OAuth2.prototype.SCOPE_ = 'https://www.googleapis.com/auth/chromoting ' + 'https://www.googleapis.com/auth/googletalk ' + 'https://www.googleapis.com/auth/userinfo#email'; // Configurable URLs/strings. /** @private * @return {string} OAuth2 redirect URI. */ remoting.OAuth2.prototype.getRedirectUri_ = function() { return remoting.settings.OAUTH2_REDIRECT_URL; }; /** @private * @return {string} API client ID. */ remoting.OAuth2.prototype.getClientId_ = function() { return remoting.settings.OAUTH2_CLIENT_ID; }; /** @private * @return {string} API client secret. */ remoting.OAuth2.prototype.getClientSecret_ = function() { return remoting.settings.OAUTH2_CLIENT_SECRET; }; /** @private * @return {string} OAuth2 authentication URL. */ remoting.OAuth2.prototype.getOAuth2AuthEndpoint_ = function() { return remoting.settings.OAUTH2_BASE_URL + '/auth'; }; /** @return {boolean} True if the app is already authenticated. */ remoting.OAuth2.prototype.isAuthenticated = function() { if (this.getRefreshToken_()) { return true; } return false; }; /** * Removes all storage, and effectively unauthenticates the user. * * @return {void} Nothing. */ remoting.OAuth2.prototype.clear = function() { window.localStorage.removeItem(this.KEY_EMAIL_); this.clearAccessToken_(); this.clearRefreshToken_(); }; /** * Sets the refresh token. * * This method also marks the token as revokable, so that this object will * revoke the token when it no longer needs it. * * @param {string} token The new refresh token. * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.setRefreshToken_ = function(token) { window.localStorage.setItem(this.KEY_REFRESH_TOKEN_, escape(token)); window.localStorage.setItem(this.KEY_REFRESH_TOKEN_REVOKABLE_, true); window.localStorage.removeItem(this.KEY_EMAIL_); this.clearAccessToken_(); }; /** * Gets the refresh token. * * This method also marks the refresh token as not revokable, so that this * object will not revoke the token when it no longer needs it. After this * object has exported the token, it cannot know whether it is still in use * when this object no longer needs it. * * @return {?string} The refresh token, if authenticated, or NULL. */ remoting.OAuth2.prototype.exportRefreshToken = function() { window.localStorage.removeItem(this.KEY_REFRESH_TOKEN_REVOKABLE_); return this.getRefreshToken_(); }; /** * @return {?string} The refresh token, if authenticated, or NULL. * @private */ remoting.OAuth2.prototype.getRefreshToken_ = function() { var value = window.localStorage.getItem(this.KEY_REFRESH_TOKEN_); if (typeof value == 'string') { return unescape(value); } return null; }; /** * Clears the refresh token. * * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.clearRefreshToken_ = function() { if (window.localStorage.getItem(this.KEY_REFRESH_TOKEN_REVOKABLE_)) { this.revokeToken_(this.getRefreshToken_()); } window.localStorage.removeItem(this.KEY_REFRESH_TOKEN_); window.localStorage.removeItem(this.KEY_REFRESH_TOKEN_REVOKABLE_); }; /** * @param {string} token The new access token. * @param {number} expiration Expiration time in milliseconds since epoch. * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.setAccessToken_ = function(token, expiration) { // Offset expiration by 120 seconds so that we can guarantee that the token // we return will be valid for at least 2 minutes. // If the access token is to be useful, this object must make some // guarantee as to how long the token will be valid for. // The choice of 2 minutes is arbitrary, but that length of time // is part of the contract satisfied by callWithToken(). // Offset by a further 30 seconds to account for RTT issues. var access_token = { 'token': token, 'expiration': (expiration - (120 + 30)) * 1000 + Date.now() }; window.localStorage.setItem(this.KEY_ACCESS_TOKEN_, JSON.stringify(access_token)); }; /** * Returns the current access token, setting it to a invalid value if none * existed before. * * @private * @return {{token: string, expiration: number}} The current access token, or * an invalid token if not authenticated. */ remoting.OAuth2.prototype.getAccessTokenInternal_ = function() { if (!window.localStorage.getItem(this.KEY_ACCESS_TOKEN_)) { // Always be able to return structured data. this.setAccessToken_('', 0); } var accessToken = window.localStorage.getItem(this.KEY_ACCESS_TOKEN_); if (typeof accessToken == 'string') { var result = jsonParseSafe(accessToken); if (result && 'token' in result && 'expiration' in result) { return /** @type {{token: string, expiration: number}} */ result; } } console.log('Invalid access token stored.'); return {'token': '', 'expiration': 0}; }; /** * Returns true if the access token is expired, or otherwise invalid. * * Will throw if !isAuthenticated(). * * @return {boolean} True if a new access token is needed. * @private */ remoting.OAuth2.prototype.needsNewAccessToken_ = function() { if (!this.isAuthenticated()) { throw 'Not Authenticated.'; } var access_token = this.getAccessTokenInternal_(); if (!access_token['token']) { return true; } if (Date.now() > access_token['expiration']) { return true; } return false; }; /** * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.clearAccessToken_ = function() { window.localStorage.removeItem(this.KEY_ACCESS_TOKEN_); }; /** * Update state based on token response from the OAuth2 /token endpoint. * * @param {function(string):void} onOk Called with the new access token. * @param {string} accessToken Access token. * @param {number} expiresIn Expiration time for the access token. * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.onAccessToken_ = function(onOk, accessToken, expiresIn) { this.setAccessToken_(accessToken, expiresIn); onOk(accessToken); }; /** * Update state based on token response from the OAuth2 /token endpoint. * * @param {function():void} onOk Called after the new tokens are stored. * @param {string} refreshToken Refresh token. * @param {string} accessToken Access token. * @param {number} expiresIn Expiration time for the access token. * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.onTokens_ = function(onOk, refreshToken, accessToken, expiresIn) { this.setAccessToken_(accessToken, expiresIn); this.setRefreshToken_(refreshToken); onOk(); }; /** * Redirect page to get a new OAuth2 Refresh Token. * * @return {void} Nothing. */ remoting.OAuth2.prototype.doAuthRedirect = function() { /** @type {remoting.OAuth2} */ var that = this; var xsrf_token = remoting.generateXsrfToken(); window.localStorage.setItem(this.KEY_XSRF_TOKEN_, xsrf_token); var GET_CODE_URL = this.getOAuth2AuthEndpoint_() + '?' + remoting.xhr.urlencodeParamHash({ 'client_id': this.getClientId_(), 'redirect_uri': this.getRedirectUri_(), 'scope': this.SCOPE_, 'state': xsrf_token, 'response_type': 'code', 'access_type': 'offline', 'approval_prompt': 'force' }); /** * Processes the results of the oauth flow. * * @param {Object.} message Dictionary containing the parsed * OAuth redirect URL parameters. */ function oauth2MessageListener(message) { if ('code' in message && 'state' in message) { var onDone = function() { window.location.reload(); }; that.exchangeCodeForToken( message['code'], message['state'], onDone); } else { if ('error' in message) { console.error( 'Could not obtain authorization code: ' + message['error']); } else { // We intentionally don't log the response - since we don't understand // it, we can't tell if it has sensitive data. console.error('Invalid oauth2 response.'); } } chrome.extension.onMessage.removeListener(oauth2MessageListener); } chrome.extension.onMessage.addListener(oauth2MessageListener); window.open(GET_CODE_URL, '_blank', 'location=yes,toolbar=no,menubar=no'); }; /** * Asynchronously exchanges an authorization code for a refresh token. * * @param {string} code The OAuth2 authorization code. * @param {string} state The state parameter received from the OAuth redirect. * @param {function():void} onDone Callback to invoke on completion. * @return {void} Nothing. */ remoting.OAuth2.prototype.exchangeCodeForToken = function(code, state, onDone) { var xsrf_token = window.localStorage.getItem(this.KEY_XSRF_TOKEN_); window.localStorage.removeItem(this.KEY_XSRF_TOKEN_); if (xsrf_token == undefined || state != xsrf_token) { // Invalid XSRF token, or unexpected OAuth2 redirect. Abort. onDone(); } /** @param {remoting.Error} error */ var onError = function(error) { console.error('Unable to exchange code for token: ', error); }; remoting.OAuth2Api.exchangeCodeForTokens( this.onTokens_.bind(this, onDone), onError, this.getClientId_(), this.getClientSecret_(), code, this.getRedirectUri_()); }; /** * Revokes a refresh or an access token. * * @param {string?} token An access or refresh token. * @return {void} Nothing. * @private */ remoting.OAuth2.prototype.revokeToken_ = function(token) { if (!token || (token.length == 0)) { return; } remoting.OAuth2Api.revokeToken(function() {}, function() {}, token); }; /** * Call a function with an access token, refreshing it first if necessary. * The access token will remain valid for at least 2 minutes. * * @param {function(string):void} onOk Function to invoke with access token if * an access token was successfully retrieved. * @param {function(remoting.Error):void} onError Function to invoke with an * error code on failure. * @return {void} Nothing. */ remoting.OAuth2.prototype.callWithToken = function(onOk, onError) { var refreshToken = this.getRefreshToken_(); if (refreshToken) { if (this.needsNewAccessToken_()) { remoting.OAuth2Api.refreshAccessToken( this.onAccessToken_.bind(this, onOk), onError, this.getClientId_(), this.getClientSecret_(), refreshToken); } else { onOk(this.getAccessTokenInternal_()['token']); } } else { onError(remoting.Error.NOT_AUTHENTICATED); } }; /** * Get the user's email address. * * @param {function(string):void} onOk Callback invoked when the email * address is available. * @param {function(remoting.Error):void} onError Callback invoked if an * error occurs. * @return {void} Nothing. */ remoting.OAuth2.prototype.getEmail = function(onOk, onError) { var cached = window.localStorage.getItem(this.KEY_EMAIL_); if (typeof cached == 'string') { onOk(cached); return; } /** @type {remoting.OAuth2} */ var that = this; /** @param {string} email */ var onResponse = function(email) { window.localStorage.setItem(that.KEY_EMAIL_, email); onOk(email); }; this.callWithToken( remoting.OAuth2Api.getEmail.bind(null, onResponse, onError), onError); }; /** * If the user's email address is cached, return it, otherwise return null. * * @return {?string} The email address, if it has been cached by a previous call * to getEmail, otherwise null. */ remoting.OAuth2.prototype.getCachedEmail = function() { var value = window.localStorage.getItem(this.KEY_EMAIL_); if (typeof value == 'string') { return value; } return null; };