(core) Add authSubject and authProvider to sessions

Summary:
This also updates Authorizer to link the authSubject
to Grist users if not previously linked. Linked subjects
are now used as the username for password-based logins,
instead of emails, which remain as a fallback.

Test Plan: Existing tests, and tested login flows manually.

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D3356
This commit is contained in:
George Gevoian 2022-04-11 11:08:44 -07:00
parent 14f7e30e6f
commit 859c593448
9 changed files with 56 additions and 29 deletions

View File

@ -135,6 +135,8 @@ export interface Document extends DocumentProperties {
export interface UserOptions {
// Whether signing in with Google is allowed. Defaults to true if unset.
allowGoogleLogin?: boolean;
// The "sub" (subject) from the JWT issued by the password-based authentication provider.
authSubject?: string;
// Whether user is a consultant. Consultant users can be added to sites
// without being counted for billing. Defaults to false if unset.
isConsultant?: boolean;

View File

@ -203,6 +203,12 @@ export interface DocAuthResult {
cachedDoc?: Document; // For cases where stale info is ok.
}
interface GetUserOptions {
manager?: EntityManager;
profile?: UserProfile;
userOptions?: UserOptions;
}
// Represent a DocAuthKey as a string. The format is "<urlId>:<org> <userId>".
// flushSingleDocAuthCache() depends on this format.
function stringifyDocAuthKey(key: DocAuthKey): string {
@ -402,7 +408,7 @@ export class HomeDBManager extends EventEmitter {
public async testClearUserPrefs(emails: string[]) {
return await this._connection.transaction(async manager => {
for (const email of emails) {
const user = await this.getUserByLogin(email, undefined, manager);
const user = await this.getUserByLogin(email, {manager});
if (user) {
await manager.delete(Pref, {userId: user.id});
}
@ -493,16 +499,16 @@ export class HomeDBManager extends EventEmitter {
// for an email key conflict failure. This is in case our transaction conflicts with a peer
// doing the same thing. This is quite likely if the first page visited by a previously
// unseen user fires off multiple api calls.
public async getUserByLoginWithRetry(email: string, profile: UserProfile): Promise<User|undefined> {
public async getUserByLoginWithRetry(email: string, options: GetUserOptions = {}): Promise<User|undefined> {
try {
return await this.getUserByLogin(email, profile);
return await this.getUserByLogin(email, options);
} catch (e) {
if (e.name === 'QueryFailedError' && e.detail &&
e.detail.match(/Key \(email\)=[^ ]+ already exists/)) {
// This is a postgres-specific error message. This problem cannot arise in sqlite,
// because we have to serialize sqlite transactions in any case to get around a typeorm
// limitation.
return await this.getUserByLogin(email, profile);
return await this.getUserByLogin(email, options);
}
throw e;
}
@ -513,15 +519,12 @@ export class HomeDBManager extends EventEmitter {
* Fetches a user record based on an email address. If a user record already
* exists linked to the email address supplied, that is the record returned.
* Otherwise a fresh record is created, linked to the supplied email address.
* The name supplied is used to create this fresh record - otherwise it is
* ignored.
* The supplied `options` are used when creating a fresh record, or updating
* unset/outdated fields of an existing record.
*
*/
public async getUserByLogin(
email: string,
profile?: UserProfile,
transaction?: EntityManager
): Promise<User|undefined> {
public async getUserByLogin(email: string, options: GetUserOptions = {}): Promise<User|undefined> {
const {manager: transaction, profile, userOptions} = options;
const normalizedEmail = normalizeEmail(email);
const userByLogin = await this._runInTransaction(transaction, async manager => {
let needUpdate = false;
@ -580,6 +583,11 @@ export class HomeDBManager extends EventEmitter {
login.displayEmail = email;
needUpdate = true;
}
if (!user.options?.authSubject && userOptions?.authSubject) {
// Link subject from password-based authentication provider if not previously linked.
user.options = {...(user.options ?? {}), authSubject: userOptions.authSubject};
needUpdate = true;
}
if (needUpdate) {
login.user = user;
await manager.save([user, login]);
@ -2879,7 +2887,7 @@ export class HomeDBManager extends EventEmitter {
// get or create user - with retry, since there'll be a race to create the
// user if a bunch of servers start simultaneously and the user doesn't exist
// yet.
const user = await this.getUserByLoginWithRetry(profile.email, profile);
const user = await this.getUserByLoginWithRetry(profile.email, {profile});
if (user) { id = this._specialUserIds[profile.email] = user.id; }
}
if (!id) { throw new Error(`Could not find or create user ${profile.email}`); }
@ -2979,7 +2987,7 @@ export class HomeDBManager extends EventEmitter {
const emailMap = delta.users;
const emails = Object.keys(emailMap);
const emailUsers = await Promise.all(
emails.map(async email => await this.getUserByLogin(email, undefined, transaction))
emails.map(async email => await this.getUserByLogin(email, {manager: transaction}))
);
emails.forEach((email, i) => {
const userIdAffected = emailUsers[i]!.id;

View File

@ -3,6 +3,7 @@ import {OpenDocMode} from 'app/common/DocListAPI';
import {ErrorWithCode} from 'app/common/ErrorWithCode';
import {FullUser, UserProfile} from 'app/common/LoginSessionAPI';
import {canEdit, canView, getWeakestRole, Role} from 'app/common/roles';
import {UserOptions} from 'app/common/UserAPI';
import {Document} from 'app/gen-server/entity/Document';
import {User} from 'app/gen-server/entity/User';
import {DocAuthKey, DocAuthResult, HomeDBManager} from 'app/gen-server/lib/HomeDBManager';
@ -243,8 +244,14 @@ export async function addRequestUser(dbManager: HomeDBManager, permitStore: IPer
// Modify request session object to link the current org with our choice of
// profile. Express-session will save this change.
sessionUser = linkOrgWithEmail(session, option.email, mreq.org);
const userOptions: UserOptions = {};
if (sessionUser?.profile?.loginMethod === 'Email + Password') {
// Link the session authSubject, if present, to the user. This has no effect
// if the user already has an authSubject set in the db.
userOptions.authSubject = sessionUser.authSubject;
}
// In this special case of initially linking a profile, we need to look up the user's info.
mreq.user = await dbManager.getUserByLogin(option.email);
mreq.user = await dbManager.getUserByLogin(option.email, {userOptions});
mreq.userId = option.id;
mreq.userIsAuthorized = true;
} else {
@ -263,12 +270,18 @@ export async function addRequestUser(dbManager: HomeDBManager, permitStore: IPer
}
}
profile = sessionUser && sessionUser.profile || undefined;
profile = sessionUser?.profile ?? undefined;
// If we haven't computed a userId yet, check for one using an email address in the profile.
// A user record will be created automatically for emails we've never seen before.
if (profile && !mreq.userId) {
const user = await dbManager.getUserByLoginWithRetry(profile.email, profile);
const userOptions: UserOptions = {};
if (profile?.loginMethod === 'Email + Password') {
// Link the session authSubject, if present, to the user. This has no effect
// if the user already has an authSubject set in the db.
userOptions.authSubject = sessionUser.authSubject;
}
const user = await dbManager.getUserByLoginWithRetry(profile.email, {profile, userOptions});
if (user) {
mreq.user = user;
mreq.userId = user.id;
@ -280,7 +293,7 @@ export async function addRequestUser(dbManager: HomeDBManager, permitStore: IPer
if (!mreq.userId) {
profile = getRequestProfile(mreq);
if (profile) {
const user = await dbManager.getUserByLoginWithRetry(profile.email, profile);
const user = await dbManager.getUserByLoginWithRetry(profile.email, {profile});
if(user) {
mreq.user = user;
mreq.users = [profile];
@ -290,7 +303,6 @@ export async function addRequestUser(dbManager: HomeDBManager, permitStore: IPer
}
}
// If no userId has been found yet, fall back on anonymous.
if (!mreq.userId) {
const anon = dbManager.getAnonymousUser();

View File

@ -19,9 +19,17 @@ export interface SessionUserObj {
*/
lastLoginTimestamp?: number;
// [UNUSED] Authentication provider string indicating the login method used.
/**
* The authentication provider. (Typically the JWT "iss".)
*/
authProvider?: string;
/**
* Identifier for the user from the authentication provider. (Typically
* the JWT "sub".)
*/
authSubject?: string;
// [UNUSED] Login ID token used to access AWS services.
idToken?: string;

View File

@ -24,7 +24,7 @@ export async function getMinimalLoginSystem(): Promise<GristLoginSystem> {
// If working without a login system, make sure default user exists.
const dbManager = gristServer.getHomeDBManager();
const profile = getDefaultProfile();
const user = await dbManager.getUserByLoginWithRetry(profile.email, profile);
const user = await dbManager.getUserByLoginWithRetry(profile.email, {profile});
if (user) {
// No need to survey this user!
user.isFirstTimeUser = false;

View File

@ -21,6 +21,7 @@ export const TEST_HTTPS_OFFSET = process.env.GRIST_TEST_HTTPS_OFFSET ?
const INTERNAL_FIELDS = new Set([
'apiKey', 'billingAccountId', 'firstLoginAt', 'filteredOut', 'ownerId', 'gracePeriodStart', 'stripeCustomerId',
'stripeSubscriptionId', 'stripePlanId', 'stripeProductId', 'userId', 'isFirstTimeUser', 'allowGoogleLogin',
'authSubject',
]);
/**

View File

@ -78,10 +78,8 @@ export async function main() {
if (!email) {
throw new Error('need GRIST_DEFAULT_EMAIL to create site');
}
const user = await db.getUserByLogin(email, {
email,
name: email,
});
const profile = {email, name: email};
const user = await db.getUserByLogin(email, {profile});
if (!user) {
// This should not happen.
throw new Error('failed to create GRIST_DEFAULT_EMAIL user');

View File

@ -32,7 +32,7 @@ export function configForUser(username: string): AxiosRequestConfig {
export async function createUser(dbManager: HomeDBManager, name: string): Promise<Organization> {
const username = name.toLowerCase();
const email = `${username}@getgrist.com`;
const user = await dbManager.getUserByLogin(email, {email, name});
const user = await dbManager.getUserByLogin(email, {profile: {email, name}});
if (!user) { throw new Error('failed to create user'); }
user.apiKey = `api_key_for_${username}`;
await user.save();

View File

@ -1760,10 +1760,8 @@ export async function addSupportUserIfPossible() {
if (!server.isExternalServer() && process.env.TEST_SUPPORT_API_KEY) {
// Make sure we have a test support user.
const dbManager = await server.getDatabase();
const user = await dbManager.getUserByLoginWithRetry('support@getgrist.com', {
email: 'support@getgrist.com',
name: 'Support',
});
const profile = {email: 'support@getgrist.com', name: 'Support'};
const user = await dbManager.getUserByLoginWithRetry('support@getgrist.com', {profile});
if (!user) {
throw new Error('Failed to create test support user');
}