Class: AuthClient
model/postgres/AuthClient.entity.AuthClient
Entity representing a client application that requires access to Gropius and that can ask for authentication.
A client is identified by its client ID and can optionally be secured by secrets to restrict usage.
Constructors
constructor
• new AuthClient()
Properties
clientCredentialFlowUser
• clientCredentialFlowUser: Promise<LoginUser>
The user to use as subject for the client credential flow.
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:95
clientSecrets
• clientSecrets: string[]
The list of hashed client secrets.
Every entry is structured like [CENSORED];[BCRYPT_HASH], where:
- [CENSORED] is an n-letter prefix of the actual secret, displayed to the user for easier association
- [BCRYPT_HASH] is the salted hash of the full secret, used to compare against a secret given later
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:64
id
• id: string
The unique ID of this client
Example
12345678-90ab-cdef-fedc-ab0987654321
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:35
isInternal
• isInternal: boolean = false
If this client is editable. If not, the client can not be changed or deleted.
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:101
isValid
• isValid: boolean
If this is false, the client is not valid and no authorization, token, ... requests from it should be answered.
Example
true
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:72
name
• name: string
The (human-readable) name of the auth client, to be able to keep track of it.
Doesn't need to be unique.
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:43
redirectUrls
• redirectUrls: string[]
The list of valid endpoints to redirect the user back to after authentication has finished.
The actual URL to use is given in the authorize request and must be included in this list. If none is given, the first one from this list will be used.
Example
["https://example.com/oauth/callback?query=value"]
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:54
requiresSecret
• requiresSecret: boolean
If true, requesting a token as this client requires the use of a client secret according to the OAuth specification.
If false, client secrets can be present and given but are not required.
Example
false
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:82
validScopes
• validScopes: TokenScope[]
The list of scopes that this client is allowed to request.
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:88
Methods
addSecret
▸ addSecret(): Promise<{ censored: string; fingerprint: string; secretText: string }>
Generates a new secret and adds it to the list of this client. Does NOT save the entity!
Note: The secret text is only returned here and will not be saved as plain text. There is no way to retrieve it later. Only a hashed version and an n-letter prefix (for easier identification) will be saved.
The generated secret will be hex-encoded random bytes of length GROPIUS_CLIENT_SECRET_LENGTH.
Returns
Promise<{ censored: string; fingerprint: string; secretText: string }>
The generated secret text, the fingerprint of the hash of the secret and the censored version
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:125
fingerprint
▸ Private fingerprint(hash): string
Calculates the SHA-256 hash of the input.
Can be used as a fingerprint for the secret hashes.
Parameters
Name | Type | Description |
---|---|---|
hash | string | The hash or other data to calculate the fingerprint for |
Returns
string
The hex string of the sha256 hash
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:110
getFullHashesPlusCensoredAndFingerprint
▸ getFullHashesPlusCensoredAndFingerprint(): { censored: string; fingerprint: string; secret: string }[]
Returns a list containing not only the string stored in the database, but also the n letter censored prefix and the fingerprint of the hash.
The result of this should NOT be exposed as it contains the full hash.
Returns
{ censored: string; fingerprint: string; secret: string }[]
A list of the full stored hash, censored version and the fingerprint of the hash for every secret
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:153
getSecretsShortedAndFingerprint
▸ getSecretsShortedAndFingerprint(): { censored: string; fingerprint: string }[]
Removes the full hash from the result of AuthClient.getFullHashesPlusCensoredAndFingerprint.
May be published on the API.
Returns
{ censored: string; fingerprint: string }[]
A list of censored secret and hash-fingerprint for every secret of this client
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:177
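The secret handling described for clientSecrets, addSecret, fingerprint and getSecretsShortedAndFingerprint, sketched as an added example that is not the Gropius source. It substitutes Node's built-in scrypt for bcrypt; the prefix length, the secret length, the DemoClient type, the helpers hashSecret, hashMatches, publicSecrets and mayRequestToken, and the rejection of a wrong secret on a client that does not require one are all assumptions.

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed values: the page only says "n letter prefix" and GROPIUS_CLIENT_SECRET_LENGTH.
const CENSORED_LENGTH = 5;
const SECRET_LENGTH = 32;

// Stand-in for bcrypt (not in Node's standard library): salted scrypt, stored as "salt$hash".
function hashSecret(secret: string, salt: Buffer = randomBytes(16)): string {
  return salt.toString("hex") + "$" + scryptSync(secret, salt, 32).toString("hex");
}

function hashMatches(secret: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split("$");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(secret, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// SHA-256 over the stored hash, as the page describes for fingerprint().
const fingerprint = (hash: string): string => createHash("sha256").update(hash).digest("hex");

interface DemoClient { isValid: boolean; requiresSecret: boolean; clientSecrets: string[]; }

// Mirrors addSecret(): the plain text is returned once, only "[CENSORED];[HASH]" is kept.
function addSecret(client: DemoClient) {
  const secretText = randomBytes(SECRET_LENGTH).toString("hex");
  const hash = hashSecret(secretText);
  const censored = secretText.slice(0, CENSORED_LENGTH);
  client.clientSecrets.push(`${censored};${hash}`);
  return { secretText, censored, fingerprint: fingerprint(hash) };
}

// API-safe view: censored prefix and fingerprint only, never the stored hash.
function publicSecrets(client: DemoClient) {
  return client.clientSecrets.map((entry) => {
    const sep = entry.indexOf(";"); // split on the first ";" only
    return { censored: entry.slice(0, sep), fingerprint: fingerprint(entry.slice(sep + 1)) };
  });
}

// Token-request gate combining isValid, requiresSecret and the stored hashes.
// Assumption: a secret that is supplied must match, even when requiresSecret is false.
function mayRequestToken(client: DemoClient, givenSecret?: string): boolean {
  if (!client.isValid) return false;
  if (givenSecret === undefined) return !client.requiresSecret;
  return client.clientSecrets.some((entry) =>
    hashMatches(givenSecret, entry.slice(entry.indexOf(";") + 1)));
}
```

Because the fingerprint is derived from the salted hash rather than the secret, two clients given the same secret text still show different fingerprints.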
toJSON
▸ toJSON(): Object
Returns
Object
Name | Type |
---|---|
id | string |
isInternal | boolean |
isValid | boolean |
name | string |
redirectUrls | string[] |
requiresSecret | boolean |
Defined in
gropius-login-service/backend/src/model/postgres/AuthClient.entity.ts:187