parent
0774deea91
commit
70d67c2730
@ -0,0 +1,100 @@
|
|||||||
|
/* eslint camelcase: 0 */
|
||||||
|
import {OAuth2LoginProvider, OAuth2LoginProviderConfig} from './OAuth2LoginProvider'
|
||||||
|
import {Authenticatable} from '../../types'
|
||||||
|
import {Request} from '../../../http/lifecycle/Request'
|
||||||
|
import {ErrorWithContext, uuid4, fetch} from '../../../util'
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OAuth2LoginProvider implementation that authenticates users against a
|
||||||
|
* Starship CoreID server.
|
||||||
|
*/
|
||||||
|
export class CoreIDLoginProvider extends OAuth2LoginProvider<OAuth2LoginProviderConfig> {
|
||||||
|
protected async callback(request: Request): Promise<Authenticatable> {
|
||||||
|
// Get authentication_code from the request
|
||||||
|
const code = String(request.input('code') || '')
|
||||||
|
if ( !code ) {
|
||||||
|
throw new ErrorWithContext('Unable to authenticate user: missing login code', {
|
||||||
|
input: request.input(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get OAuth2 token from CoreID
|
||||||
|
const token = await this.getToken(code)
|
||||||
|
|
||||||
|
// Get user from endpoint
|
||||||
|
const userData = await this.getUserData(token)
|
||||||
|
|
||||||
|
// Return authenticatable instance
|
||||||
|
const existing = await this.security.repository.getByIdentifier(userData.uid)
|
||||||
|
if ( existing ) {
|
||||||
|
this.updateUser(existing, userData)
|
||||||
|
return existing
|
||||||
|
}
|
||||||
|
|
||||||
|
const user = await this.security.repository.createFromCredentials(userData.uid, uuid4())
|
||||||
|
this.updateUser(user, userData)
|
||||||
|
return user
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Given an access token, look up the associated user's information. */
|
||||||
|
protected async getUserData(token: string): Promise<any> {
|
||||||
|
const userResponse = await fetch(
|
||||||
|
this.config.userUrl,
|
||||||
|
{
|
||||||
|
method: 'GET',
|
||||||
|
headers: {
|
||||||
|
Authorization: `Bearer ${token}`,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
const userData: any = await userResponse.json()
|
||||||
|
if ( !userData?.data?.uid ) {
|
||||||
|
throw new ErrorWithContext('Unable to extract user from response', {
|
||||||
|
userData,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return userData.data
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Given a login code, redeem it for an access token. */
|
||||||
|
protected async getToken(code: string): Promise<string> {
|
||||||
|
const body: string[] = [
|
||||||
|
'code=' + encodeURIComponent(code),
|
||||||
|
'client_id=' + encodeURIComponent(this.config.clientId),
|
||||||
|
'client_secret=' + encodeURIComponent(this.config.clientSecret),
|
||||||
|
'grant_type=authorization_code',
|
||||||
|
]
|
||||||
|
|
||||||
|
const response = await fetch(
|
||||||
|
this.config.tokenUrl,
|
||||||
|
{
|
||||||
|
method: 'POST',
|
||||||
|
headers: {
|
||||||
|
'Content-Type': 'application/x-www-form-urlencoded',
|
||||||
|
},
|
||||||
|
body: body.join('&'),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
const data = await response.json()
|
||||||
|
const token = (data as any).access_token
|
||||||
|
if ( !token ) {
|
||||||
|
throw new ErrorWithContext('Unable to obtain access token from response', {
|
||||||
|
data,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return String(token)
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Update values on the Authenticatable from user data. */
|
||||||
|
protected updateUser(user: any, data: any): void {
|
||||||
|
user.firstName = data.first_name
|
||||||
|
user.lastName = data.last_name
|
||||||
|
user.email = data.email
|
||||||
|
user.tagline = data.tagline
|
||||||
|
user.photoUrl = data.profile_photo
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,98 @@
|
|||||||
|
import {LoginProvider, LoginProviderConfig} from '../LoginProvider'
|
||||||
|
import {ResponseObject, Route} from '../../../http/routing/Route'
|
||||||
|
import {Inject, Injectable} from '../../../di'
|
||||||
|
import {Routing} from '../../../service/Routing'
|
||||||
|
import {GuestRequiredMiddleware} from '../../middleware/GuestRequiredMiddleware'
|
||||||
|
import {redirect} from '../../../http/response/RedirectResponseFactory'
|
||||||
|
import {view} from '../../../http/response/ViewResponseFactory'
|
||||||
|
import {Request} from '../../../http/lifecycle/Request'
|
||||||
|
import {Awaitable} from '../../../util'
|
||||||
|
import {Authenticatable} from '../../types'
|
||||||
|
|
||||||
|
export interface OAuth2LoginProviderConfig extends LoginProviderConfig {
|
||||||
|
displayName: string,
|
||||||
|
clientId: string|number
|
||||||
|
clientSecret: string
|
||||||
|
loginUrl: string
|
||||||
|
loginMessage?: string
|
||||||
|
logoutUrl?: string
|
||||||
|
tokenUrl: string,
|
||||||
|
userUrl: string,
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* LoginProvider implementation for OAuth2-based logins.
|
||||||
|
*/
|
||||||
|
@Injectable()
|
||||||
|
export abstract class OAuth2LoginProvider<TConfig extends OAuth2LoginProviderConfig> extends LoginProvider<TConfig> {
|
||||||
|
@Inject()
|
||||||
|
protected readonly routing!: Routing
|
||||||
|
|
||||||
|
public routes(): void {
|
||||||
|
super.routes()
|
||||||
|
|
||||||
|
Route.any('redirect')
|
||||||
|
.alias(`@auth:${this.name}:redirect`)
|
||||||
|
.pre(GuestRequiredMiddleware)
|
||||||
|
.handledBy(() => redirect(this.getLoginUrl()))
|
||||||
|
|
||||||
|
Route.any('callback')
|
||||||
|
.alias(`@auth:${this.name}:callback`)
|
||||||
|
.pre(GuestRequiredMiddleware)
|
||||||
|
.passingRequest()
|
||||||
|
.handledBy(this.handleCallback.bind(this))
|
||||||
|
}
|
||||||
|
|
||||||
|
protected async handleCallback(request: Request): Promise<ResponseObject> {
|
||||||
|
const user = await this.callback(request)
|
||||||
|
if ( user ) {
|
||||||
|
await this.security.authenticate(user)
|
||||||
|
return this.redirectToIntendedRoute()
|
||||||
|
}
|
||||||
|
|
||||||
|
return redirect(this.routing.getNamedPath(`@auth:${this.name}:login`).toRemote)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* After redirecting back from the OAuth2 server, look up the user information.
|
||||||
|
* @param request
|
||||||
|
* @protected
|
||||||
|
*/
|
||||||
|
protected abstract callback(request: Request): Awaitable<Authenticatable>
|
||||||
|
|
||||||
|
public login(): ResponseObject {
|
||||||
|
const buttonUrl = this.routing
|
||||||
|
.getNamedPath(`@auth:${this.name}:redirect`)
|
||||||
|
.toRemote
|
||||||
|
|
||||||
|
return view('@extollo:auth:message', {
|
||||||
|
message: this.config.loginMessage ?? `Sign-in with ${this.config.displayName} to continue`,
|
||||||
|
buttonText: 'Sign-in',
|
||||||
|
buttonUrl,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
public async logout(): Promise<ResponseObject> {
|
||||||
|
await this.security.flush()
|
||||||
|
|
||||||
|
if ( this.config.logoutUrl ) {
|
||||||
|
return redirect(this.config.logoutUrl)
|
||||||
|
}
|
||||||
|
|
||||||
|
return view('@extollo:auth:message', {
|
||||||
|
message: 'You have been signed-out',
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the URL where the user should be redirected to sign-in.
|
||||||
|
* @protected
|
||||||
|
*/
|
||||||
|
protected getLoginUrl(): string {
|
||||||
|
const callbackRoute = this.routing.getNamedPath(`@auth:${this.name}:callback`)
|
||||||
|
|
||||||
|
return this.config.loginUrl
|
||||||
|
.replace(/%c/g, String(this.config.clientId))
|
||||||
|
.replace(/%r/g, callbackRoute.toRemote)
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,68 @@
|
|||||||
|
import {BaseSerializer, ObjectSerializer} from '../../support/bus'
|
||||||
|
import {Model} from './Model'
|
||||||
|
import {Awaitable, ErrorWithContext, JSONState, Maybe} from '../../util'
|
||||||
|
import {QueryRow} from '../types'
|
||||||
|
import {Inject, Injectable, isInstantiable} from '../../di'
|
||||||
|
import {Canon} from '../../service/Canon'
|
||||||
|
|
||||||
|
export interface ModelSerialPayload extends JSONState {
|
||||||
|
canonicalResolver: string,
|
||||||
|
primaryKey: any,
|
||||||
|
objectValues: QueryRow,
|
||||||
|
}
|
||||||
|
|
||||||
|
@ObjectSerializer()
|
||||||
|
@Injectable()
|
||||||
|
export class ModelSerializer extends BaseSerializer<Model<any>, ModelSerialPayload> {
|
||||||
|
@Inject()
|
||||||
|
protected readonly canon!: Canon
|
||||||
|
|
||||||
|
protected async decodeSerial(serial: ModelSerialPayload): Promise<Model<any>> {
|
||||||
|
const ModelClass = this.canon.getFromFullyQualified(serial.canonicalResolver) as typeof Model
|
||||||
|
if ( !ModelClass || !(ModelClass.prototype instanceof Model) || !isInstantiable<Model<any>>(ModelClass) ) {
|
||||||
|
throw new ErrorWithContext('Cannot decode serialized model as canonical resolver is invalid', {
|
||||||
|
serial,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
let inst: Maybe<Model<any>> = this.make<Model<any>>(ModelClass)
|
||||||
|
if ( serial.primaryKey ) {
|
||||||
|
inst = await ModelClass.query()
|
||||||
|
.whereKey(serial.primaryKey)
|
||||||
|
.first()
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( !inst ) {
|
||||||
|
throw new ErrorWithContext('Could not look up serialized model', {
|
||||||
|
serial,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
await inst.assume(serial.objectValues)
|
||||||
|
return inst
|
||||||
|
}
|
||||||
|
|
||||||
|
protected encodeActual(actual: Model<any>): Awaitable<ModelSerialPayload> {
|
||||||
|
const ctor = actual.constructor as typeof Model
|
||||||
|
const canonicalResolver = ctor.getFullyQualifiedCanonicalResolver()
|
||||||
|
if ( !canonicalResolver ) {
|
||||||
|
throw new ErrorWithContext('Unable to serialize model: no Canonical resolver', {
|
||||||
|
actual,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return {
|
||||||
|
canonicalResolver,
|
||||||
|
primaryKey: actual.key(),
|
||||||
|
objectValues: actual.toObject(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
protected getName(): string {
|
||||||
|
return '@extollo/lib.ModelSerializer'
|
||||||
|
}
|
||||||
|
|
||||||
|
matchActual(some: Model<any>): boolean {
|
||||||
|
return some instanceof Model
|
||||||
|
}
|
||||||
|
}
|
@ -1,21 +0,0 @@
|
|||||||
html
|
|
||||||
head
|
|
||||||
meta(name='viewport' content='width=device-width initial-scale=1')
|
|
||||||
|
|
||||||
block head
|
|
||||||
|
|
||||||
block styles
|
|
||||||
link(rel='stylesheet' href=vendor('@extollo/lib', 'lib/bootstrap.min.css'))
|
|
||||||
link(rel='stylesheet' href=vendor('@extollo/lib', 'auth/theme.css'))
|
|
||||||
body
|
|
||||||
.container-fluid
|
|
||||||
.row.no-gutter
|
|
||||||
.col-md-12.col-lg-12
|
|
||||||
.login.d-flex.align-items-center.py-5
|
|
||||||
.container
|
|
||||||
.row
|
|
||||||
.col-md-9.col-lg-6.mx-auto
|
|
||||||
block content
|
|
||||||
|
|
||||||
block scripts
|
|
||||||
script(src=vendor('@extollo/lib', 'lib/bootstrap.min.js'))
|
|
Loading…
Reference in new issue