forked from esconie/dropbox-js
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauth_driver.coffee
153 lines (144 loc) · 7.44 KB
/
auth_driver.coffee
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# The interface implemented by dropbox.js OAuth drivers.
#
# This class exists solely for the purpose of documenting the OAuth driver
# interface. It should not be instantiated or inherited from.
class Dropbox.AuthDriver
# The authorization grant type used by this driver.
#
# Currently, server application drivers should return "code" to use
# Authorization Code Grant (RFC 6749 Section 4.1) and drivers that run in
# browsers or mobile clients should return "token" to use Implicit Grant (RFC
# 6749 Section 4.2).
#
# @return {String} one of the OAuth 2.0 authorization grant types implemented
# by dropbox.js
#
# @see http://tools.ietf.org/html/rfc6749#section-4.1 RFC 6749 Section 4.1
# @see http://tools.ietf.org/html/rfc6749#section-4.2 RFC 6749 Section 4.2
authType: ->
"code"
# The redirect URL that should be supplied to the OAuth 2 /authorize call.
#
# The driver must be able to intercept redirects to the returned URL and
# extract the OAuth 2.0 authorization code or access token from the URL.
#
# OAuth 2.0 redirect URLs must be configured on the application's page in
# the {https://www.dropbox.com/developers/apps Dropbox App console}.
#
# @return {String} an URL on the application's list of OAuth 2 redirect URLs
url: ->
"https://some.url"
# Redirects users to /authorize and waits for them to get redirected back.
#
# This method is called when the OAuth 2 process reaches the
# {Dropbox.Client.PARAM_SET} step, meaning that the user must be shown an
# /authorize page on the Dropbox servers, and the application must intercept
# a redirect from that page. The redirect URL contains an OAuth 2
# authorization code or access token.
#
# @param {String} authUrl the URL that users should be sent to in order to
# authorize the application's token; this points to a webpage on
# Dropbox's server
# @param {String} stateParam the nonce sent as the OAuth 2 state parameter;
# the Dropbox Web server will echo this nonce in the 'state' query
# parameter when redirecting users to the URL returned by
# {Dropbox.AuthDriver#url}; the driver should silently ignore any request
# that does not contain the correct 'state' parameter value
# @param {Dropbox.Client} client the client driving the OAuth 2 process
# @param {function(Object<String, String>)} callback called when users have
# completed the authorization flow; the driver should call this when
# Dropbox redirects users to the URL returned by the url() method, and the
# "state" query parameter matches the value passed in "state"; the callback
# should receive the query parameters in the redirect URL
#
# @see Dropbox.Util.Oauth.queryParamsFromUrl
doAuthorize: (authUrl, stateParam, client, callback) ->
callback code: 'access-code'
# (optional) Called to obtain the state param used in the OAuth 2 process.
#
# If a driver does not define this method,
# {Dropbox.Util.Oauth.randomAuthStateParam} is used to generate a random
# state param value.
#
# Server-side drivers should provide custom implementations that use a
# derivative of the CSRF token associated with the user's session cookie.
# This prevents CSRF attacks that would trick the application's server into
# using an attacker's OAuth 2 access token to store anoher user's data in the
# attacker's Dropbox.
#
# Client-side drivers only need to supply a custom implementation if the
# state parameter must be persisted across page reloads, e.g. if the
# authorization is done via redirects.
#
# @param {Dropbox.Client} client the client driving the OAuth 2 process
# @param {function(String)} callback called with the state parameter value
# that should be used in the OAuth 2 authorization process
getStateParam: (client, callback) ->
callback Dropbox.Util.Oauth.randomAuthStateParam()
# (optional) Called to process the /authorize redirect.
#
# This method is called when the OAuth 2 process reaches the
# {Dropbox.Client.PARAM_LOADED} step, meaning that an OAuth 2 state parameter
# value was loaded when the Dropbox.Client object was constructed, or during
# a {Dropbox.Client#setCredentials} call. This means that
# {Dropbox.AuthDriver#doAuthorize} was called earlier, saved that state
# parameter, and did not complete the OAuth 2 process. This happens when the
# OAuth 2 process requires page reloads, e.g. if the authorization is done
# via redirects.
#
# @param {String} stateParam the nonce sent as the OAuth 2 state parameter;
# the Dropbox Web server will echo this nonce in the 'state' query
# parameter when redirecting users to the URL returned by
# {Dropbox.AuthDriver#url}; the driver should silently ignore any request
# that does not contain the correct 'state' parameter value
# @param {Dropbox.Client} client the client driving the OAuth 2 process
# @param {function(Object<String, String>)} callback called when the user has
# completed the authorization flow; the driver should call this when
# Dropbox redirects the user to the URL returned by
# {Dropbox.AuthDriver#url}, and the "state" query parameter matches the
# value passed in "state"; the callback should receive the query parameters
# in the redirect URL
resumeAuthorize: (stateParam, client, callback) ->
callback code: 'access-code'
# If defined, called when there is some progress in the OAuth 2 process.
#
# The OAuth 2 process goes through the following states:
#
# * Dropbox.Client.RESET - the client has no OAuth 2 credentials, and is
# about to generate an OAuth 2 state nonce
# * Dropbox.Client.PARAM_SET - the client (or driver) has generated an OAuth
# 2 state nonce, and is about to attempt to obtain an access token or
# authorization code
# * Dropbox.Client.PARAM_LOADED - the client (or driver) has loaded a
# previously generated OAuth 2 state nonce, and is about to resume the
# process of obtaining an access token or authorization code; this step is
# only used when the OAuth 2 process requires page reloads, e.g. in a
# redirect-based process
# * Dropbox.Client.AUTHORIZED - the client has an authorization code, and is
# about to exchange it for an access token
# * Dropbox.Client.DONE - the client has an OAuth 2 access token that can be
# used for all API calls; the OAuth 2 process is complete, and the callback
# passed to authorize is about to be called
# * Dropbox.Client.SIGNED_OUT - the client's Dropbox.Client#signOut() was
# called, and the client's OAuth 2 access token was invalidated
# * Dropbox.Client.ERROR - the client encounered an error during the OAuth 2
# process; the callback passed to authorize is about to be called with the
# error information
#
# @param {Dropbox.Client} client the client performing the OAuth process
# @param {function()} callback called when onAuthStateChange acknowledges the
# state change
onAuthStepChange: (client, callback) ->
callback()
# Query parameters that should be processed by doAuthorize.
@oauthQueryParams: [
# RFC 6749: 4.2.2. Access Token Response (Implicit Grant)
'access_token', 'expires_in', 'scope', 'token_type',
# RFC 6749: 4.1.2. Authorization Response (Authorization Code)
'code',
# RFC 6749: 4.1.2.1. and 4.2.2.1. Error Response (everything)
'error', 'error_description', 'error_uri',
# draft-ietf-oauth-v2-http-mac-03: 4.1. Session Key Transport to Client
# (Implicit Grant, MAC tokens)
'mac_key', 'mac_algorithm'
].sort()