From c2254ce7e9e96c9febe9b1baef75e52ea28439c9 Mon Sep 17 00:00:00 2001
From: Dmitri Zagidulin
Date: Fri, 22 Jan 2021 04:46:57 -0500
Subject: [PATCH] Add support for OIDC type tokens.

---
 lib/helpers.js | 2 +-
 lib/index.js | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/helpers.js b/lib/helpers.js
index b9e4173..759f38c 100644
--- a/lib/helpers.js
+++ b/lib/helpers.js
@@ -16,7 +16,7 @@ const {generateId} = require('bnid');
 // load config defaults
 require('./config');
-const TOKEN_TYPES = ['password', 'nonce', 'challenge', 'totp'];
+const TOKEN_TYPES = ['password', 'nonce', 'challenge', 'totp', 'oidc'];
 // numeric-only digits for human readibility and easy mobile entry
 const NUMERIC_DIGITS = '0123456789';
diff --git a/lib/index.js b/lib/index.js
index 1515f79..6ec42bf 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -77,7 +77,7 @@ const PERMISSIONS = bedrock.config.permission.permissions;
 api.set = async ({
 actor, account, email, type, clientId, serviceId, hash,
 authenticationMethod = type, requiredAuthenticationMethods = [],
- notify = true, typeOptions = {entryStyle: 'human'}
+ notify = true, typeOptions = {entryStyle: 'human'}, userId
 } = {}) => {
 assert.optionalString(account, 'account');
 assert.optionalString(email, 'email');
@@ -118,6 +118,8 @@ api.set = async ({
 validateBcryptHash(hash);
 token.salt = getBcryptSalt(hash);
 token.sha256 = prefixedHash(hash);
+ } else if(type === 'oidc') {
+ token.userId = userId;
 } else if(type === 'nonce') {
 // FIXME: may need to allow up to N tokens, one per `clientId` if
 // `clientId` is set
@@ -504,7 +506,7 @@ api.verify = async ({
 }
 assert.optionalString(challenge, 'challenge');
- if(!(hash || challenge)) {
+ if(type !== 'oidc' && !(hash || challenge)) {
 throw new SyntaxError(
 'One of "hash" or "challenge" must be provided.');
 }
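Review bot: The new `oidc` branch in the `@@ -118` hunk stores `userId` without any validation, while the sibling `password` branch validates its input with `validateBcryptHash(hash)` and the parameters earlier in `api.set` are checked with `assert.optionalString`; `userId` is introduced in the `@@ -77` hunk's signature, but no assertion for it appears in either hunk (one may exist outside these lines). Since `token.userId` is the value `api.verify` later compares against, an `oidc` token set with an undefined or non-string `userId` is persisted silently and only becomes a problem at verify time. I would open the new branch with `assert.string(userId, 'userId');` so a missing subject is rejected when the token is set. `api.set`'s body continues outside both hunks.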
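Review bot: Relaxing the `hash`/`challenge` requirement for `oidc` on the changed `if` in the `@@ -504` hunk leaves `challenge` entirely optional for that type, yet the `@@ -597` hunk in the same file verifies an `oidc` token with `token.userId === challenge`; with `challenge` undefined and a stored token whose `userId` is also undefined, that strict equality is true and the token verifies. The guard should still require the value the comparison depends on, e.g. `if(type === 'oidc' ? !challenge : !(hash || challenge)) {`, or equivalently an `assert.string(challenge, 'challenge')` inside an `oidc`-only check before this point. `api.verify`'s body continues on both sides of the hunk.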
@@ -537,6 +539,7 @@ api.verify = async ({
 }
 let tokenValue = record.meta['bedrock-authn-token'].tokens[type];
+ const now = new Date();
 if(type === 'nonce') {
 for(const token of tokenValue) {
@@ -597,6 +600,8 @@ api.verify = async ({
 verified = crypto.timingSafeEqual(
 new Buffer(token.sha256, 'base64'),
 new Buffer(prefixedHash(hash), 'base64'));
+ } else if(type === 'oidc') {
+ verified = token.userId === challenge;
 } else if(type === 'totp') {
 const cfg = config['authn-token'];
 const {window} = cfg.totp;
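Review bot: The new `oidc` comparison `verified = token.userId === challenge;` in the `@@ -597` hunk carries no comment saying what `challenge` is expected to hold for this type, and because the `password` branch directly above it hashes its input and uses `crypto.timingSafeEqual`, a reader may assume a secret is being compared here too. If, as the `api.set` change suggests, `challenge` is the subject identifier the caller obtained from an OIDC ID token it has already validated, the branch should say so and make the trust boundary explicit: `// oidc: challenge is the ID-token subject the caller has already verified; userId is an identifier, not a secret, so plain equality suffices`. Without that note the next maintainer cannot tell whether ID-token validation belongs here or in the caller. `api.verify`'s body continues outside the hunk.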