parent
0774deea91
commit
70d67c2730
@ -0,0 +1,100 @@
|
||||
/* eslint camelcase: 0 */
|
||||
import {OAuth2LoginProvider, OAuth2LoginProviderConfig} from './OAuth2LoginProvider'
|
||||
import {Authenticatable} from '../../types'
|
||||
import {Request} from '../../../http/lifecycle/Request'
|
||||
import {ErrorWithContext, uuid4, fetch} from '../../../util'
|
||||
|
||||
/**
|
||||
* OAuth2LoginProvider implementation that authenticates users against a
|
||||
* Starship CoreID server.
|
||||
*/
|
||||
export class CoreIDLoginProvider extends OAuth2LoginProvider<OAuth2LoginProviderConfig> {
|
||||
protected async callback(request: Request): Promise<Authenticatable> {
|
||||
// Get authentication_code from the request
|
||||
const code = String(request.input('code') || '')
|
||||
if ( !code ) {
|
||||
throw new ErrorWithContext('Unable to authenticate user: missing login code', {
|
||||
input: request.input(),
|
||||
})
|
||||
}
|
||||
|
||||
// Get OAuth2 token from CoreID
|
||||
const token = await this.getToken(code)
|
||||
|
||||
// Get user from endpoint
|
||||
const userData = await this.getUserData(token)
|
||||
|
||||
// Return authenticatable instance
|
||||
const existing = await this.security.repository.getByIdentifier(userData.uid)
|
||||
if ( existing ) {
|
||||
this.updateUser(existing, userData)
|
||||
return existing
|
||||
}
|
||||
|
||||
const user = await this.security.repository.createFromCredentials(userData.uid, uuid4())
|
||||
this.updateUser(user, userData)
|
||||
return user
|
||||
}
|
||||
|
||||
/** Given an access token, look up the associated user's information. */
|
||||
protected async getUserData(token: string): Promise<any> {
|
||||
const userResponse = await fetch(
|
||||
this.config.userUrl,
|
||||
{
|
||||
method: 'GET',
|
||||
headers: {
|
||||
Authorization: `Bearer ${token}`,
|
||||
},
|
||||
},
|
||||
)
|
||||
|
||||
const userData: any = await userResponse.json()
|
||||
if ( !userData?.data?.uid ) {
|
||||
throw new ErrorWithContext('Unable to extract user from response', {
|
||||
userData,
|
||||
})
|
||||
}
|
||||
|
||||
return userData.data
|
||||
}
|
||||
|
||||
/** Given a login code, redeem it for an access token. */
|
||||
protected async getToken(code: string): Promise<string> {
|
||||
const body: string[] = [
|
||||
'code=' + encodeURIComponent(code),
|
||||
'client_id=' + encodeURIComponent(this.config.clientId),
|
||||
'client_secret=' + encodeURIComponent(this.config.clientSecret),
|
||||
'grant_type=authorization_code',
|
||||
]
|
||||
|
||||
const response = await fetch(
|
||||
this.config.tokenUrl,
|
||||
{
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
body: body.join('&'),
|
||||
},
|
||||
)
|
||||
|
||||
const data = await response.json()
|
||||
const token = (data as any).access_token
|
||||
if ( !token ) {
|
||||
throw new ErrorWithContext('Unable to obtain access token from response', {
|
||||
data,
|
||||
})
|
||||
}
|
||||
|
||||
return String(token)
|
||||
}
|
||||
|
||||
/** Update values on the Authenticatable from user data. */
|
||||
protected updateUser(user: any, data: any): void {
|
||||
user.firstName = data.first_name
|
||||
user.lastName = data.last_name
|
||||
user.email = data.email
|
||||
user.tagline = data.tagline
|
||||
user.photoUrl = data.profile_photo
|
||||
}
|
||||
}
|
@ -0,0 +1,98 @@
|
||||
import {LoginProvider, LoginProviderConfig} from '../LoginProvider'
|
||||
import {ResponseObject, Route} from '../../../http/routing/Route'
|
||||
import {Inject, Injectable} from '../../../di'
|
||||
import {Routing} from '../../../service/Routing'
|
||||
import {GuestRequiredMiddleware} from '../../middleware/GuestRequiredMiddleware'
|
||||
import {redirect} from '../../../http/response/RedirectResponseFactory'
|
||||
import {view} from '../../../http/response/ViewResponseFactory'
|
||||
import {Request} from '../../../http/lifecycle/Request'
|
||||
import {Awaitable} from '../../../util'
|
||||
import {Authenticatable} from '../../types'
|
||||
|
||||
export interface OAuth2LoginProviderConfig extends LoginProviderConfig {
|
||||
displayName: string,
|
||||
clientId: string|number
|
||||
clientSecret: string
|
||||
loginUrl: string
|
||||
loginMessage?: string
|
||||
logoutUrl?: string
|
||||
tokenUrl: string,
|
||||
userUrl: string,
|
||||
}
|
||||
|
||||
/**
|
||||
* LoginProvider implementation for OAuth2-based logins.
|
||||
*/
|
||||
@Injectable()
|
||||
export abstract class OAuth2LoginProvider<TConfig extends OAuth2LoginProviderConfig> extends LoginProvider<TConfig> {
|
||||
@Inject()
|
||||
protected readonly routing!: Routing
|
||||
|
||||
public routes(): void {
|
||||
super.routes()
|
||||
|
||||
Route.any('redirect')
|
||||
.alias(`@auth:${this.name}:redirect`)
|
||||
.pre(GuestRequiredMiddleware)
|
||||
.handledBy(() => redirect(this.getLoginUrl()))
|
||||
|
||||
Route.any('callback')
|
||||
.alias(`@auth:${this.name}:callback`)
|
||||
.pre(GuestRequiredMiddleware)
|
||||
.passingRequest()
|
||||
.handledBy(this.handleCallback.bind(this))
|
||||
}
|
||||
|
||||
protected async handleCallback(request: Request): Promise<ResponseObject> {
|
||||
const user = await this.callback(request)
|
||||
if ( user ) {
|
||||
await this.security.authenticate(user)
|
||||
return this.redirectToIntendedRoute()
|
||||
}
|
||||
|
||||
return redirect(this.routing.getNamedPath(`@auth:${this.name}:login`).toRemote)
|
||||
}
|
||||
|
||||
/**
|
||||
* After redirecting back from the OAuth2 server, look up the user information.
|
||||
* @param request
|
||||
* @protected
|
||||
*/
|
||||
protected abstract callback(request: Request): Awaitable<Authenticatable>
|
||||
|
||||
public login(): ResponseObject {
|
||||
const buttonUrl = this.routing
|
||||
.getNamedPath(`@auth:${this.name}:redirect`)
|
||||
.toRemote
|
||||
|
||||
return view('@extollo:auth:message', {
|
||||
message: this.config.loginMessage ?? `Sign-in with ${this.config.displayName} to continue`,
|
||||
buttonText: 'Sign-in',
|
||||
buttonUrl,
|
||||
})
|
||||
}
|
||||
|
||||
public async logout(): Promise<ResponseObject> {
|
||||
await this.security.flush()
|
||||
|
||||
if ( this.config.logoutUrl ) {
|
||||
return redirect(this.config.logoutUrl)
|
||||
}
|
||||
|
||||
return view('@extollo:auth:message', {
|
||||
message: 'You have been signed-out',
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the URL where the user should be redirected to sign-in.
|
||||
* @protected
|
||||
*/
|
||||
protected getLoginUrl(): string {
|
||||
const callbackRoute = this.routing.getNamedPath(`@auth:${this.name}:callback`)
|
||||
|
||||
return this.config.loginUrl
|
||||
.replace(/%c/g, String(this.config.clientId))
|
||||
.replace(/%r/g, callbackRoute.toRemote)
|
||||
}
|
||||
}
|
@ -0,0 +1,68 @@
|
||||
import {BaseSerializer, ObjectSerializer} from '../../support/bus'
|
||||
import {Model} from './Model'
|
||||
import {Awaitable, ErrorWithContext, JSONState, Maybe} from '../../util'
|
||||
import {QueryRow} from '../types'
|
||||
import {Inject, Injectable, isInstantiable} from '../../di'
|
||||
import {Canon} from '../../service/Canon'
|
||||
|
||||
export interface ModelSerialPayload extends JSONState {
|
||||
canonicalResolver: string,
|
||||
primaryKey: any,
|
||||
objectValues: QueryRow,
|
||||
}
|
||||
|
||||
@ObjectSerializer()
|
||||
@Injectable()
|
||||
export class ModelSerializer extends BaseSerializer<Model<any>, ModelSerialPayload> {
|
||||
@Inject()
|
||||
protected readonly canon!: Canon
|
||||
|
||||
protected async decodeSerial(serial: ModelSerialPayload): Promise<Model<any>> {
|
||||
const ModelClass = this.canon.getFromFullyQualified(serial.canonicalResolver) as typeof Model
|
||||
if ( !ModelClass || !(ModelClass.prototype instanceof Model) || !isInstantiable<Model<any>>(ModelClass) ) {
|
||||
throw new ErrorWithContext('Cannot decode serialized model as canonical resolver is invalid', {
|
||||
serial,
|
||||
})
|
||||
}
|
||||
|
||||
let inst: Maybe<Model<any>> = this.make<Model<any>>(ModelClass)
|
||||
if ( serial.primaryKey ) {
|
||||
inst = await ModelClass.query()
|
||||
.whereKey(serial.primaryKey)
|
||||
.first()
|
||||
}
|
||||
|
||||
if ( !inst ) {
|
||||
throw new ErrorWithContext('Could not look up serialized model', {
|
||||
serial,
|
||||
})
|
||||
}
|
||||
|
||||
await inst.assume(serial.objectValues)
|
||||
return inst
|
||||
}
|
||||
|
||||
protected encodeActual(actual: Model<any>): Awaitable<ModelSerialPayload> {
|
||||
const ctor = actual.constructor as typeof Model
|
||||
const canonicalResolver = ctor.getFullyQualifiedCanonicalResolver()
|
||||
if ( !canonicalResolver ) {
|
||||
throw new ErrorWithContext('Unable to serialize model: no Canonical resolver', {
|
||||
actual,
|
||||
})
|
||||
}
|
||||
|
||||
return {
|
||||
canonicalResolver,
|
||||
primaryKey: actual.key(),
|
||||
objectValues: actual.toObject(),
|
||||
}
|
||||
}
|
||||
|
||||
protected getName(): string {
|
||||
return '@extollo/lib.ModelSerializer'
|
||||
}
|
||||
|
||||
matchActual(some: Model<any>): boolean {
|
||||
return some instanceof Model
|
||||
}
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
html
|
||||
head
|
||||
meta(name='viewport' content='width=device-width initial-scale=1')
|
||||
|
||||
block head
|
||||
|
||||
block styles
|
||||
link(rel='stylesheet' href=vendor('@extollo/lib', 'lib/bootstrap.min.css'))
|
||||
link(rel='stylesheet' href=vendor('@extollo/lib', 'auth/theme.css'))
|
||||
body
|
||||
.container-fluid
|
||||
.row.no-gutter
|
||||
.col-md-12.col-lg-12
|
||||
.login.d-flex.align-items-center.py-5
|
||||
.container
|
||||
.row
|
||||
.col-md-9.col-lg-6.mx-auto
|
||||
block content
|
||||
|
||||
block scripts
|
||||
script(src=vendor('@extollo/lib', 'lib/bootstrap.min.js'))
|
Loading…
Reference in new issue