mtgatracker · Spencatro · Oct 20, 2018 · Oct 15, 2018 · Oct 20, 2018 · Oct 20, 2018
diff --git a/on_demand/api/public-api.js b/on_demand/api/public-api.js
@@ -19,7 +19,7 @@ const {
   verifyAndDecodeToken,
   getTwitchIDToken,
   getDiscordAccessToken,
-  verifyDiscordAccessToken,
+  verifyAccessToken,
   generateInternalToken,
   getOrCreateUser,
   msanitize,
@@ -107,16 +107,21 @@ router.post('/tracker-token/', (req, res, next) => {
 router.post('/twitch-auth-attempt', (req, res, next) => {
   console.log('/twitch-auth-attempt')
   let { code } = req.body;
-  let { MONGO_URL, TWITCH_CLIENT_ID, TWITCH_SECRET_ID, DATABASE } = req.webtaskContext.secrets
+  let { MONGO_URL, TWITCH_CLIENT_ID, TWITCH_SECRET_ID, DATABASE, JWT_SECRET } = req.webtaskContext.secrets
   MongoClient.connect(MONGO_URL).then(dbClient => {
     options = {
       db: dbClient.db(DATABASE),
       client_id: TWITCH_CLIENT_ID,
       client_secret: TWITCH_SECRET_ID,
+      jwtSecret: JWT_SECRET,
       accessCode: code
     }
     getTwitchIDToken(options)
-      .then(verifyAndDecodeToken)
+      //.then(verifyAndDecodeToken)
+      //   not using ID tokens from twitch anymore:
+      //   https://discuss.dev.twitch.tv/t/id-token-missing-when-using-id-twitch-tv-oauth2-token-with-grant-type-refresh-token/18263
+      .then(verifyAccessToken)
+      .then(generateInternalToken)
       .then(getOrCreateUser)
       .then(decodedObj => {
         res.status(200).send({token: decodedObj.id_token, decoded: decodedObj.decoded})
@@ -140,7 +145,7 @@ router.post('/discord-auth-attempt', (req, res, next) => {
       accessCode: code,
     }
     getDiscordAccessToken(options)
-      .then(verifyDiscordAccessToken)
+      .then(verifyAccessToken)
       // discord doesn't support openID tokens :( we have to make one ourselves
       .then(generateInternalToken)
       .then(getOrCreateUser)

diff --git a/on_demand/mtga-tracker-game.js b/on_demand/mtga-tracker-game.js
@@ -5,7 +5,7 @@ import express from 'express';
 import Webtask from 'webtask-tools';
 import { MongoClient, ObjectID } from 'mongodb';
 
-const ejwt = require('express-jwt');
+const ejwt = require('shawkinsl-express-jwt');
 const jwt = require('jsonwebtoken');
 const crypto = require('crypto');
 
@@ -42,6 +42,11 @@ const {
   twitchJWKExpressSecret,
   msanitize,
   assertStringOr400,
+  getRefreshTokenFromDB,
+  generateInternalToken,
+  verifyAccessToken,
+  doTokenRefresh,
+  getOrCreateUser,
 } = require('../util')
 
 const BluebirdPromise = require('bluebird')
@@ -73,6 +78,8 @@ let userIsAdmin = (req, res, next) => {
 
 let userUpToDate = (req, res, next) => {
   if (req.path == "/authorize-token") return next()
+
+  const { userKey } = req;
   const { MONGO_URL, DATABASE } = req.webtaskContext.secrets;
 
   MongoClient.connect(MONGO_URL, (connectErr, client) => {
@@ -140,14 +147,14 @@ function attachTrackerID(req, res, next) {
 }
 
 function attachUserKey(req, res, next) {
-  if (req.user.iss == TWITCH_ISSUER) {
+  if (req.user.iss == LOCAL_ISSUER && req.user.proxyFor == "twitch") {
     req.userKey = `${req.user.sub}:twitch`
     return next()
   } else if (req.user.iss == LOCAL_ISSUER && req.user.proxyFor == "discord") {
     req.userKey = `${req.user.sub}:discord`
     return next()
   }
-  res.status(400).send({"error": "cant_create_user_key"})
+  res.status(401).send({"error": "cant_create_user_key"})
 }
 
 // don't allow any $ operators as keys in any object anywhere in the body
@@ -166,12 +173,59 @@ function ejwt_wrapper(req, res, next) {
 }
 
 function user_ejwt_wrapper(req, res, next) {
-  return ejwt({secret: userSecretCallback, getToken: getCookieToken})
-    (req, res, next);
+  return ejwt({secret: userSecretCallback, getToken: getCookieToken})(req, res, next);
+}
+
+// we only hit this if the previous middleware threw an error
+function handle_ejwt_error(err, req, res, next) {
+
+  const {
+    MONGO_URL,
+    DATABASE,
+    TWITCH_CLIENT_ID,
+    TWITCH_SECRET_ID,
+    DISCORD_CLIENT_ID,
+    JWT_SECRET,
+    DISCORD_SECRET_ID
+  } = req.webtaskContext.secrets;
+
+  if (err.message == "jwt expired" && req.decoded) {
+    // we only refresh twitch ID tokens
+    console.log(req.decoded)
+
+    MongoClient.connect(MONGO_URL).then(dbClient => {
+      options = {
+        db: dbClient.db(DATABASE),
+        twitch_client_id: TWITCH_CLIENT_ID,
+        twitch_client_secret: TWITCH_SECRET_ID,
+        discord_client_id: DISCORD_CLIENT_ID,
+        discord_client_secret: DISCORD_SECRET_ID,
+        jwtSecret: JWT_SECRET,
+        userKey: `${req.decoded.sub}:${req.decoded.proxyFor}`,
+        username: req.decoded.preferred_username,
+        userId: req.decoded.sub,
+        issuer: req.decoded.proxyFor
+      }
+      getRefreshTokenFromDB(options)
+        .then(doTokenRefresh)
+        .then(verifyAccessToken)
+        .then(options => generateInternalToken(options, req))
+        .then(getOrCreateUser)
+        .then(decodedObj => {
+          res.header("set-token", decodedObj.id_token)
+          return next()
+        }).catch(err => {
+          // TODO: clean this up a bit
+          return res.status(401).send({"refresh token error": err})
+        })
+    })
+  } else {
+    return next(err)
+  }
 }
 
 server.use('/public-api', mongoSanitize, publicAPI)
-server.use('/api', user_ejwt_wrapper, mongoSanitize, attachUserKey, attachAuthorizedTrackers, userUpToDate, userAPI)
+server.use('/api', user_ejwt_wrapper, handle_ejwt_error, mongoSanitize, attachUserKey, attachAuthorizedTrackers, userUpToDate, userAPI)
 server.use('/anon-api', ejwt_wrapper, mongoSanitize, anonAPI)
 server.use('/tracker-api', ejwt_wrapper, mongoSanitize, attachTrackerID, trackerAPI)
 server.use('/admin-api', user_ejwt_wrapper, mongoSanitize, attachUserKey, userIsAdmin, adminAPI)