Add front-end error logging

app/assets/error-log.js

@@ -0,0 +1,35 @@
+window.COREID_ERROR_LOG_URL = window.COREID_ERROR_LOG_URL || '/api/v1/log-error'
+
+async function logError(error) {
+    try {
+        await fetch(window.COREID_ERROR_LOG_URL, {
+            method: 'POST',
+            cache: 'no-cache',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                full_url: window.location.href,
+                trace: [
+                    error.name + ': ' + error.message,
+                    error.stack,
+                ].join('\n')
+            }),
+        })
+    } catch (e) {}
+}
+
+;(function() {
+    var old_onerror = window.onerror
+
+    window.onerror = function(msg, src, line, col, error) {
+        logError(error).then(function() {
+            if ( typeof old_onerror === 'function' ) {
+                try {
+                    old_onerror(msg, src, line, col, error)
+                } catch(e) {}
+            }
+        })
+    }
+})()

app/classes/oidc/CoreIDAdapter.js

@@ -18,6 +18,11 @@ class CoreIDAdapter {
             expiresAt = new Date(Date.now() + (expiresIn * 1000))
         }
 
+        if ( payload.uid ) {
+            payload.originalUid = payload.uid
+            payload.uid = payload.uid.toLowerCase()
+        }
+
         await this.coll().updateOne(
             { _id },
             { $set: { payload, ...(expiresAt ? { expiresAt } : undefined) } },
@@ -34,6 +39,11 @@ class CoreIDAdapter {
         ).limit(1).next()
 
         if (!result) return undefined
+
+        if ( result?.payload?.originalUid ) {
+            result.payload.uid = result.payload.originalUid
+        }
+
         return result.payload
     }
 
@@ -49,11 +59,16 @@ class CoreIDAdapter {
 
     async findByUid(uid) {
         const result = await this.coll().find(
-            { 'payload.uid': uid },
+            { 'payload.uid': uid.toLowerCase() },
             { payload: 1 },
         ).limit(1).next()
 
         if (!result) return undefined
+
+        if ( result?.payload?.originalUid ) {
+            result.payload.uid = result.payload.originalUid
+        }
+
         return result.payload
     }
 

app/controllers/Home.controller.js

@@ -29,6 +29,12 @@ class Home extends Controller {
     async tmpl(req, res) {
         return res.page('tmpl', {...this.Vue.data(), ...this.Vue.session(req)})
     }
+
+    async log_front_end_error(req, res, next) {
+        const FrontEndError = this.models.get('FrontEndError')
+        await FrontEndError.log(req)
+        return res.api()
+    }
 }
 
 module.exports = Home

app/controllers/OpenID.controller.js

@@ -119,14 +119,12 @@ class OpenIDController extends Controller {
             uid, prompt, params, session,
         } = await this.openid_connect.provider.interactionDetails(req, res)
 
-        console.log({uid, prompt, params, session})
-
         const name = prompt.name
         if ( typeof this[name] !== 'function' ) {
             return this.fail(res, 'Sorry, something has gone wrong.')
         }
 
-        return this[name](req, res, { uid: uid, prompt, params, session })
+        return this[name](req, res, { uid: uid.toLowerCase(), prompt, params, session })
     }
 
     async consent(req, res, { uid, prompt, params, session }) {
@@ -142,13 +140,13 @@ class OpenIDController extends Controller {
         const Policy = this.models.get('iam:Policy')
         const application = await Application.findOne({ openid_client_ids: params.client_id })
         if ( !application ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', 'this application'),
                 next_destination: '/dash',
             })
         } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', application.name),
                 next_destination: '/dash',
@@ -172,7 +170,7 @@ class OpenIDController extends Controller {
                     {
                         text: req.T('common.grant'),
                         action: 'redirect',
-                        next: `/openid/interaction/${uid}/grant`,
+                        next: `/openid/interaction/${uid.toLowerCase()}/grant`,
                     },
                 ],
             })
@@ -180,7 +178,7 @@ class OpenIDController extends Controller {
     }
 
     async login(req, res, { uid, prompt, params, session }) {
-        return res.redirect(`/openid/interaction/${uid}/start-session`)
+        return res.redirect(`/openid/interaction/${uid.toLowerCase()}/start-session`)
     }
 
     /**
@@ -202,13 +200,13 @@ class OpenIDController extends Controller {
         const Policy = this.models.get('iam:Policy')
         const application = await Application.findOne({ openid_client_ids: params.client_id })
         if ( !application ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', 'this application'),
                 next_destination: '/dash',
             })
         } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', application.name),
                 next_destination: '/dash',
@@ -238,13 +236,13 @@ class OpenIDController extends Controller {
         const Policy = this.models.get('iam:Policy')
         const application = await Application.findOne({ openid_client_ids: params.client_id })
         if ( !application ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', 'this application'),
                 next_destination: '/dash',
             })
         } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
-            this.output.warning('IAM Denial!')
+            this.output.warn('IAM Denial!')
             return this.Vue.auth_message(res, {
                 message: req.T('saml.no_access').replace('APP_NAME', application.name),
                 next_destination: '/dash',

app/controllers/auth/Oauth2.controller.js

@@ -8,7 +8,7 @@ const Oauth2Controller = require('flitter-auth/controllers/Oauth2')
  */
 class Oauth2 extends Oauth2Controller {
     static get services() {
-        return [...super.services, 'Vue', 'configs', 'models']
+        return [...super.services, 'Vue', 'configs', 'models', 'output']
     }
 
     async authorize_post(req, res, next) {
@@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
         const StarshipClient = this.models.get('oauth:Client')
         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
 
+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warn('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warn('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
         req.user.authorize(starship_client)
         await req.user.save()
         return super.authorize_post(req, res, next)
@@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
         const StarshipClient = this.models.get('oauth:Client')
         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
 
+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warn('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warn('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
         if ( req.user.has_authorized(starship_client) ) {
             return this.Vue.invoke_action(res, {
                 text: 'Grant Access',

app/models/FrontEndError.model.js

@@ -0,0 +1,29 @@
+const { Model } = require('flitter-orm')
+
+class FrontEndErrorModel extends Model {
+    static get schema() {
+        return {
+            user_agent: String,
+            logged_at: { type: Date, default: () => new Date },
+            user_id: String,
+            session_id: String,
+            full_url: String,
+            trace: String,
+        }
+    }
+
+    static async log(request) {
+        const err = new this({
+            user_agent: request.get('user-agent'),
+            user_id: request?.user?.id,
+            session_id: request.sessionID,
+            full_url: request.body.full_url,
+            trace: request.body.trace,
+        })
+
+        await err.save()
+        return err
+    }
+}
+
+module.exports = exports = FrontEndErrorModel

app/routing/middleware/api/Permission.middleware.js

@@ -8,6 +8,7 @@ class PermissionMiddleware extends Middleware {
     async test(req, res, next, { check }) {
         const Policy = this.models.get('iam:Policy')
 
+        if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
         req.additional_api_log_data.permission_check = check
 
         // If the request was authorized using an OAuth2 bearer token,

app/routing/routers/index.routes.js

@@ -59,6 +59,10 @@ const index = {
             'middleware::auth:GuestOnly',
             'controller::api:v1:Password.request_reset',
         ],
+
+        '/api/v1/log-error': [
+            'controller::Home.log_front_end_error'
+        ],
     },
 }
 

app/views/theme/base.pug

@@ -15,6 +15,7 @@ html(lang='en')
         .app-container
             block app
         block script
+            script(src='/assets/error-log.js')
             script(src='/assets/lib/axios/axios.min.js')
             script(src='/assets/lib/jquery/jquery-3.4.1.slim.min.js')
             script(src='/assets/lib/popper/popper-1.16.0.min.js')