From 8e1cd73f3903063f8afacb71e228030512d1e5f9 Mon Sep 17 00:00:00 2001
From: Matthias
Date: Thu, 25 Aug 2022 11:52:37 +0200
Subject: [PATCH] Check gitlab username in verification
---
 src/services/auth.ts | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/src/services/auth.ts b/src/services/auth.ts
index b06b44e..0362e06 100644
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -264,18 +264,27 @@ export class AuthService {
 return user;
 }
- async isGitlabATValid(user: User): Promise {
+ async getGitlabUserInfo(
+ req: Request,
+ user: User
+ ): Promise {
 try {
- await axios.get(`${GITLAB_API_URL}/oauth/token/info`, {
- headers: { Authorization: `Bearer ${user.gitlabAT}` }
- });
- return true;
+ const userInfoResp = await axios.get(
+ `${GITLAB_API_URL}/api/v4/user`,
+ {
+ headers: { Authorization: `Bearer ${user.gitlabAT}` }
+ }
+ );
+ return userInfoResp.data;
 } catch (e) {
- return false;
+ return null;
 }
 }
- async tryRefreshGitlabTokens(req: Request, user: User): Promise {
+ async tryRefreshGitlabTokens(
+ req: Request,
+ user: User
+ ): Promise {
 const params = new URLSearchParams();
 params.append('redirect_uri', this.getGitlabRedirectUrl(req));
 params.append('client_id', GITLAB_ID);
@@ -288,16 +297,20 @@ export class AuthService {
 {}
 );
 const data: GitlabTokenResponse = resp.data;
- await this.setGitlabTokens(user, data);
- return true;
+ return this.setGitlabTokens(user, data);
 } catch (e) {
- return false;
+ return null;
 }
 }
 async verifyGitlabUser(req: Request, user: User): Promise {
- if (await this.isGitlabATValid(user)) return true;
- return await this.tryRefreshGitlabTokens(req, user);
+ let info = await this.getGitlabUserInfo(req, user);
+ if (!info) {
+ user = await this.tryRefreshGitlabTokens(req, user);
+ if (!user) return false;
+ info = await this.getGitlabUserInfo(req, user);
+ }
+ return info && info.username == user.name;
 }
 }
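Review bot: `req` is declared on the new `getGitlabUserInfo` signature but never read in its body — only `user.gitlabAT` and `GITLAB_API_URL` are used — so either drop the parameter or name it `_req` so the intent is visible. The `catch (e)` collapses every failure (a 401 from a revoked token, but also network errors and 5xx responses) into `null`, which `verifyGitlabUser` then treats as "token invalid" and answers with a refresh; logging `e`, or distinguishing `axios.isAxiosError(e) && e.response?.status === 401` from transport errors, would keep a transient outage from spending refresh tokens. `userInfoResp.data` is returned without any check of its shape, so the later read of `info.username` relies on the provider response matching expectations; a guard such as `if (typeof data?.username !== 'string') return null;` before returning would make that contract explicit. The generic argument on `Promise` appears stripped in this rendering, so the declared return type could not be checked here.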
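Review bot: The new last line of `verifyGitlabUser`, `return info && info.username == user.name;`, uses loose equality and yields `null` rather than `false` when the second lookup fails, and if the provider response carries no `username` while `user.name` is unset, `undefined == undefined` passes the check; `return info !== null && typeof info.username === 'string' && info.username === user.name;` closes both gaps. Binding the verification to the username also ties it to an attribute the provider typically lets accounts rename, so if the `User` record keeps the GitLab numeric id from the original link, comparing `info.id` against that stored id would be the more stable identity check — the `User` type is not visible from the hunk. Reassigning the `user` parameter with the refreshed value would read better as `const refreshed = await this.tryRefreshGitlabTokens(req, user);` rather than parameter mutation. The `tryRefreshGitlabTokens` body at the top of this hunk starts outside it.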