headless_lms_server/controllers/main_frontend/oauth/
token.rs

1use crate::domain::oauth::dpop::verify_dpop_from_actix;
2use crate::domain::oauth::errors::TokenGrantError;
3use crate::domain::oauth::helpers::{oauth_invalid_client, ok_json_no_cache, scope_has_openid};
4use crate::domain::oauth::oauth_validated::OAuthValidated;
5use crate::domain::oauth::oidc::generate_id_token;
6use crate::domain::oauth::token_query::TokenQuery;
7use crate::domain::oauth::token_response::TokenResponse;
8use crate::domain::oauth::token_service::{
9    TokenGrantRequest, TokenGrantResult, generate_token_pair, process_token_grant,
10};
11use crate::domain::rate_limit_middleware_builder::{RateLimit, RateLimitConfig};
12use crate::prelude::*;
13use actix_web::{HttpResponse, web};
14use chrono::{Duration, Utc};
15use domain::error::{OAuthErrorCode, OAuthErrorData};
16use headless_lms_utils::ApplicationConfiguration;
17use models::{
18    library::oauth::token_digest_sha256, oauth_access_token::TokenType, oauth_client::OAuthClient,
19};
20use sqlx::PgPool;
21
22/// Handles the `/token` endpoint for exchanging authorization codes or refresh tokens.
23///
24/// This endpoint issues and rotates OAuth 2.0 and OpenID Connect tokens with support for
25/// **PKCE**, **DPoP sender-constrained tokens**, and **ID Token issuance**.
26///
27/// ### Authorization Code Grant
28/// - Validates client credentials (`client_id`, `client_secret`) or public client rules.
29/// - Verifies the authorization code, its redirect URI, PKCE binding (`code_verifier`), and expiration.
30/// - Optionally verifies a DPoP proof and binds the issued tokens to the DPoP JWK thumbprint (`dpop_jkt`).
31/// - Issues a new access token, refresh token, and (for OIDC requests) an ID token.
32///
33/// ### Refresh Token Grant
34/// - Validates the refresh token and client binding.
35/// - Verifies DPoP proof when applicable (must match the original `dpop_jkt`).
36/// - Rotates the refresh token (revokes the old one, inserts a new one linked to it).
37/// - Issues a new access token (and ID token if `openid` scope requested).
38///
39/// ### Security Features
40/// - **PKCE (RFC 7636)**: Enforced for public clients and optionally for confidential ones.
41/// - **DPoP (RFC 9449)**: Sender-constrains tokens to a JWK thumbprint.
42/// - **Refresh Token Rotation**: Prevents replay by revoking old RTs on use.
43/// - **OIDC ID Token**: Issued only if `openid` is in the granted scopes.
44///
45/// Follows:
46/// - [RFC 6749 §3.2 — Token Endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2)
47/// - [RFC 7636 — PKCE](https://datatracker.ietf.org/doc/html/rfc7636)
48/// - [RFC 9449 — DPoP](https://datatracker.ietf.org/doc/html/rfc9449)
49/// - [OIDC Core §3.1.3 — Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint)
50///
51/// # Example
52/// ```http
53/// POST /api/v0/main-frontend/oauth/token HTTP/1.1
54/// Content-Type: application/x-www-form-urlencoded
55///
56/// grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://localhost&client_id=test-client-id&client_secret=test-secret&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
57/// ```
58///
59/// Successful response:
60/// ```http
61/// HTTP/1.1 200 OK
62/// Content-Type: application/json
63///
64/// {
65///   "access_token": "2YotnFZFEjr1zCsicMWpAA",
66///   "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
67///   "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
68///   "token_type": "DPoP",
69///   "expires_in": 3600
70/// }
71/// ```
72///
73/// Example error:
74/// ```http
75/// HTTP/1.1 401 Unauthorized
76/// Content-Type: application/json
77///
78/// {
79///   "error": "invalid_client",
80///   "error_description": "invalid client secret"
81/// }
82/// ```
83///
84/// Example DPoP error:
85/// ```http
86/// HTTP/1.1 401 Unauthorized
87/// WWW-Authenticate: DPoP error="use_dpop_proof", error_description="Missing DPoP header"
88/// ```
89#[instrument(skip(pool, app_conf, form))]
90pub async fn token(
91    pool: web::Data<PgPool>,
92    OAuthValidated(form): OAuthValidated<TokenQuery>,
93    req: actix_web::HttpRequest,
94    app_conf: web::Data<ApplicationConfiguration>,
95) -> ControllerResult<HttpResponse> {
96    let mut conn = pool.acquire().await?;
97    let server_token = skip_authorize();
98
99    let access_ttl = Duration::hours(1);
100    let refresh_ttl = Duration::days(30);
101
102    let client = OAuthClient::find_by_client_id(&mut conn, &form.client_id)
103        .await
104        .map_err(|_| oauth_invalid_client("invalid client_id"))?;
105
106    // Add non-secret fields to the span for observability
107    tracing::Span::current().record("client_id", &form.client_id);
108
109    if client.is_confidential() {
110        match client.client_secret {
111            Some(ref secret) => {
112                let token_hmac_key = &app_conf.oauth_server_configuration.oauth_token_hmac_key;
113                if !secret.constant_eq(&token_digest_sha256(
114                    &form.client_secret.clone().unwrap_or_default(),
115                    token_hmac_key,
116                )) {
117                    return Err(oauth_invalid_client("invalid client secret"));
118                }
119            }
120            None => {
121                return Err(oauth_invalid_client(
122                    "client_secret required for confidential clients",
123                ));
124            }
125        }
126    }
127
128    // Check if client allows this grant type
129    let grant_kind = form.grant.kind();
130    tracing::Span::current().record("grant_type", format!("{:?}", grant_kind));
131    if !client.allows_grant(grant_kind) {
132        return Err(ControllerError::new(
133            ControllerErrorType::OAuthError(Box::new(OAuthErrorData {
134                error: OAuthErrorCode::UnsupportedGrantType.as_str().into(),
135                error_description: "grant type not allowed for this client".into(),
136                redirect_uri: None,
137                state: None,
138                nonce: None,
139            })),
140            "Grant type not allowed for this client",
141            None::<anyhow::Error>,
142        ));
143    }
144
145    // DPoP vs Bearer selection
146    let dpop_jkt_opt = if req.headers().get("DPoP").is_some() {
147        Some(
148            verify_dpop_from_actix(
149                &mut conn,
150                &req,
151                "POST",
152                &app_conf.oauth_server_configuration.dpop_nonce_key,
153                None,
154            )
155            .await?,
156        )
157    } else {
158        if !client.bearer_allowed {
159            return Err(oauth_invalid_client(
160                "client not allowed to use other than dpop-bound tokens",
161            ));
162        }
163        None
164    };
165
166    let issued_token_type = if dpop_jkt_opt.is_some() {
167        TokenType::DPoP
168    } else {
169        TokenType::Bearer
170    };
171    tracing::Span::current().record("token_type", format!("{:?}", issued_token_type));
172
173    let token_hmac_key = &app_conf.oauth_server_configuration.oauth_token_hmac_key;
174    let token_pair = generate_token_pair(token_hmac_key);
175    let access_token = token_pair.access_token.clone();
176    let refresh_token = token_pair.refresh_token.clone();
177    let refresh_token_expires_at = Utc::now() + refresh_ttl;
178    let access_expires_at = Utc::now() + access_ttl;
179
180    let request = TokenGrantRequest {
181        grant: &form.grant,
182        client: &client,
183        token_pair,
184        access_expires_at,
185        refresh_expires_at: refresh_token_expires_at,
186        issued_token_type,
187        dpop_jkt: dpop_jkt_opt.as_deref(),
188        token_hmac_key,
189    };
190
191    let TokenGrantResult {
192        user_id,
193        scopes: scope_vec,
194        nonce: nonce_opt,
195        access_expires_at: at_expires_at,
196        issue_id_token,
197    } = process_token_grant(&mut conn, request)
198        .await
199        .map_err(|e: TokenGrantError| ControllerError::from(e))?;
200
201    let base_url = app_conf.base_url.trim_end_matches('/');
202    let id_token = if issue_id_token && scope_has_openid(&scope_vec) {
203        Some(generate_id_token(
204            user_id,
205            &client.client_id,
206            &nonce_opt.unwrap_or_default(),
207            at_expires_at,
208            &format!("{}/api/v0/main-frontend/oauth", base_url),
209            &app_conf,
210        )?)
211    } else {
212        None
213    };
214
215    let response = TokenResponse {
216        access_token,
217        refresh_token: Some(refresh_token),
218        id_token,
219        token_type: match issued_token_type {
220            TokenType::Bearer => "Bearer".to_string(),
221            TokenType::DPoP => "DPoP".to_string(),
222        },
223        expires_in: access_ttl.num_seconds() as u32,
224    };
225
226    server_token.authorized_ok(ok_json_no_cache(response))
227}
228
229pub fn _add_routes(cfg: &mut web::ServiceConfig) {
230    cfg.service(
231        web::resource("/token")
232            .wrap(RateLimit::new(RateLimitConfig {
233                per_minute: Some(100),
234                per_hour: Some(500),
235                per_day: Some(2000),
236                per_month: None,
237            }))
238            .route(web::post().to(token)),
239    );
240}