user doesnt have access token

apps/app/src/server/models/access-token.ts

@@ -1,6 +1,5 @@
 import crypto from 'crypto';
 
-import type { IAccessToken } from '@growi/core';
 import type { Document, Model, Types } from 'mongoose';
 import { Schema } from 'mongoose';
 import mongoosePaginate from 'mongoose-paginate-v2';
@@ -12,6 +11,16 @@ import { getOrCreateModel } from '../util/mongoose-utils';
 
 const logger = loggerFactory('growi:models:comment');
 
+const generateTokenHash = (token: string) => crypto.createHash('sha256').update(token).digest('hex');
+
+export type IAccessToken = {
+  userId: Types.ObjectId,
+  tokenHash: string,
+  expiredAt: Date,
+  scope: string[],
+  description: string,
+}
+
 export interface IAccessTokenDocument extends IAccessToken, Document {
   userId: Types.ObjectId,
   tokenHash: string,
@@ -25,8 +34,11 @@ export interface IAccessTokenDocument extends IAccessToken, Document {
 export interface IAccessTokenModel extends Model<IAccessTokenDocument> {
   generateToken: (userId: Types.ObjectId, expiredAt: Date, scope: string[], description?: string,) => Promise<string>
   deleteToken: (model: IAccessTokenModel) => Promise<void>
+  deleteAllTokensByUserId: (userId: Types.ObjectId) => Promise<void>
+  deleteExpiredToken: () => Promise<void>
   findUserIdByToken: (token: string) => Promise<IAccessTokenDocument>
   findTokenByUserId: (userId: Types.ObjectId) => Promise<IAccessTokenDocument[]>
+  validateTokenScopes: (token: string, requiredScope: string[]) => Promise<boolean>
 }
 
 const IAccessTokenSchema = new Schema<IAccessTokenDocument, IAccessTokenModel>({
@@ -45,7 +57,7 @@ IAccessTokenSchema.plugin(uniqueValidator);
 IAccessTokenSchema.statics.generateToken = async function(userId: Types.ObjectId, expiredAt: Date, scope?: string[], description?: string) {
 
   const token = crypto.randomBytes(32).toString('hex');
-  const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+  const tokenHash = generateTokenHash(token);
 
   // TODO: scope validation
   try {
@@ -63,7 +75,7 @@ IAccessTokenSchema.statics.generateToken = async function(userId: Types.ObjectId
 };
 
 IAccessTokenSchema.statics.deleteToken = async function(token: string) {
-  const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+  const tokenHash = generateTokenHash(token);
   return this.deleteOne({ tokenHash });
 };
 
@@ -77,7 +89,7 @@ IAccessTokenSchema.statics.deleteExpiredToken = async function() {
 };
 
 IAccessTokenSchema.statics.findUserIdByToken = async function(token: string) {
-  const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+  const tokenHash = generateTokenHash(token);
   const now = new Date();
   return this.findOne({ tokenHash, expiredAt: { $gt: now } }).select('userId');
 };
@@ -87,9 +99,17 @@ IAccessTokenSchema.statics.findTokenByUserId = async function(userId: Types.Obje
   return this.find({ userId, expiredAt: { $gt: now } }).select('expiredAt scope description');
 };
 
+// check token's scope is satisfied
+IAccessTokenSchema.statics.validateTokenScopes = async function(token: string, requiredScopes: string[]) {
+  const tokenHash = generateTokenHash(token);
+  const now = new Date();
+  // TODO: scope validation
+  const tokenData = await this.findOne({ tokenHash, expiredAt: { $gt: now }, scope: { $all: requiredScopes } });
+  return tokenData != null;
+};
+
 IAccessTokenSchema.methods.isExpired = function() {
   return this.expiredAt < new Date();
 };
 
-
 export const AccessToken = getOrCreateModel<IAccessTokenDocument, IAccessToken>('AccessToken', IAccessTokenSchema);

packages/core/src/interfaces/access-token.ts

@@ -1,9 +0,0 @@
-import type { Types } from 'mongoose';
-
-export type IAccessToken = {
-  userId: Types.ObjectId,
-  tokenHash: string,
-  expiredAt: Date,
-  scope: string[],
-  description: string,
-}

packages/core/src/interfaces/user.ts

@@ -1,4 +1,3 @@
-import type { IAccessToken } from './access-token';
 import type { IAttachment } from './attachment';
 import type { Ref } from './common';
 import type { HasObjectId } from './has-object-id';
@@ -16,7 +15,6 @@ export type IUser = {
   admin: boolean,
   readOnly: boolean,
   apiToken?: string,
-  accessToken?: Ref<IAccessToken>,
   isEmailPublished: boolean,
   isInvitationEmailSended: boolean,
   lang: Lang,