hedgedoc/old_src/lib/web/auth/oauth2/oauth2-custom-strategy.ts

import { InternalOAuthError, Strategy as OAuth2Strategy } from 'passport-oauth2'
import { config } from '../../../config'
import { PassportProfile, ProviderEnum } from '../utils'
import { logger } from '../../../logger'

function extractProfileAttribute (data, path: string): string {
  // can handle stuff like `attrs[0].name`
  const pathArray = path.split('.')
  for (const segment of pathArray) {
    const regex = /([\d\w]+)\[(.*)\]/
    const m = regex.exec(segment)
    data = m ? data[m[1]][m[2]] : data[segment]
  }
  return data
}

function parseProfile (data): Partial<PassportProfile> {
  const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
  let displayName: string | undefined
  try {
    // This may fail if the config.oauth2.userProfileDisplayNameAttr is undefined,
    // or it is foo.bar and data["foo"] is undefined.
    displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
  } catch (e) {
    displayName = undefined
    logger.debug('\'id_token[%s]\' is undefined. Setting \'displayName\' to \'undefined\'.\n%s', config.oauth2.userProfileDisplayNameAttr, e.message)
  }

  const emails: string[] = []
  try {
    const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
    if (email !== undefined) {
      emails.push(email)
    } else {
      logger.debug('\'id_token[%s]\' is undefined. Setting \'emails\' to [].', config.oauth2.userProfileEmailAttr)
    }
  } catch (e) {
    logger.debug('\'id_token[%s]\' is undefined. Setting \'emails\' to [].\n%s', config.oauth2.userProfileEmailAttr, e.message)
  }

  return {
    id: username,
    username: username,
    displayName: displayName,
    emails: emails
  }
}

class OAuth2CustomStrategy extends OAuth2Strategy {
  private readonly _userProfileURL: string;

  constructor (options, verify) {
    options.customHeaders = options.customHeaders || {}
    super(options, verify)
    this.name = 'oauth2'
    this._userProfileURL = options.userProfileURL
    this._oauth2.useAuthorizationHeaderforGET(true)
  }

  userProfile (accessToken, done): void {
    this._oauth2.get(this._userProfileURL, accessToken, function (err, body, _) {
      let json

      if (err) {
        return done(new InternalOAuthError('Failed to fetch user profile', err))
      }

      try {
        if (body !== undefined) {
          json = JSON.parse(body.toString())
        }
      } catch (ex) {
        return done(new Error('Failed to parse user profile'))
      }

      const profile = parseProfile(json)
      profile.provider = ProviderEnum.oauth2

      done(null, profile)
    })
  }
}

export { OAuth2CustomStrategy }
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00			`import { InternalOAuthError, Strategy as OAuth2Strategy } from 'passport-oauth2'`
			`import { config } from '../../../config'`
Move ProviderEnum and PassportProfile to web/auth/utils.ts These two are directly related with auth stuff and seem to fit much better there. Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-06-06 13:59:53 -04:00			`import { PassportProfile, ProviderEnum } from '../utils'`
Allow for undefined email and displayName OAuth2 allows the user to only consent to a subset of the scopes requested. Previously, the Generic Oauth2 implementation assumes that the `username`, `email` and `displayName` attributes are supplied, and may crash if they are not defined. This commit allows for `email` and `displayName` to not be defined, either through the user refusing consent or the OAuth2 configuration not asking for them in the first place (by not setting `userProfile*Attr`). If `email` is not provided, the `emails` property is simply left empty. If `displayName` is not provided, it is left undefined, and CodiMD uses the `username` whenever the `displayName` is expected. This does not deal with the case where `username` is not provided. Since usernames are not unique in CodiMD, it is possible to deal with this by setting a dummy username. This can be added in a future commit if desired. Fixes #406 Signed-off-by: Dexter Chua <dalcde@yahoo.com.hk> 2020-06-17 09:09:47 -04:00			`import { logger } from '../../../logger'`
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00
Types and lint fixes in lib/web/auth Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-05-24 12:38:24 -04:00			`function extractProfileAttribute (data, path: string): string {`
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00			// can handle stuff like `attrs[0].name`
			`const pathArray = path.split('.')`
			`for (const segment of pathArray) {`
			`const regex = /([\d\w]+)\[(.*)\]/`
			`const m = regex.exec(segment)`
			`data = m ? data[m[1]][m[2]] : data[segment]`
			`}`
			`return data`
			`}`

Move profile-related functions into PhotoProfile The previous Profile type was renamed to PassportProfile, as it is only used for profile-information from Passport plugins. All functions relating to profile-parsing are now encapsulated in the PhotoProfile class (naming still debatable). Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-06-04 15:25:42 -04:00			`function parseProfile (data): Partial<PassportProfile> {`
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00			`const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)`
Allow for undefined email and displayName OAuth2 allows the user to only consent to a subset of the scopes requested. Previously, the Generic Oauth2 implementation assumes that the `username`, `email` and `displayName` attributes are supplied, and may crash if they are not defined. This commit allows for `email` and `displayName` to not be defined, either through the user refusing consent or the OAuth2 configuration not asking for them in the first place (by not setting `userProfile*Attr`). If `email` is not provided, the `emails` property is simply left empty. If `displayName` is not provided, it is left undefined, and CodiMD uses the `username` whenever the `displayName` is expected. This does not deal with the case where `username` is not provided. Since usernames are not unique in CodiMD, it is possible to deal with this by setting a dummy username. This can be added in a future commit if desired. Fixes #406 Signed-off-by: Dexter Chua <dalcde@yahoo.com.hk> 2020-06-17 09:09:47 -04:00			`let displayName: string \| undefined`
			`try {`
			`// This may fail if the config.oauth2.userProfileDisplayNameAttr is undefined,`
			`// or it is foo.bar and data["foo"] is undefined.`
			`displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)`
			`} catch (e) {`
			`displayName = undefined`
			`logger.debug('\'id_token[%s]\' is undefined. Setting \'displayName\' to \'undefined\'.\n%s', config.oauth2.userProfileDisplayNameAttr, e.message)`
			`}`

			`const emails: string[] = []`
			`try {`
			`const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)`
			`if (email !== undefined) {`
			`emails.push(email)`
			`} else {`
			`logger.debug('\'id_token[%s]\' is undefined. Setting \'emails\' to [].', config.oauth2.userProfileEmailAttr)`
			`}`
			`} catch (e) {`
			`logger.debug('\'id_token[%s]\' is undefined. Setting \'emails\' to [].\n%s', config.oauth2.userProfileEmailAttr, e.message)`
			`}`
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00
			`return {`
			`id: username,`
			`username: username,`
			`displayName: displayName,`
Allow for undefined email and displayName OAuth2 allows the user to only consent to a subset of the scopes requested. Previously, the Generic Oauth2 implementation assumes that the `username`, `email` and `displayName` attributes are supplied, and may crash if they are not defined. This commit allows for `email` and `displayName` to not be defined, either through the user refusing consent or the OAuth2 configuration not asking for them in the first place (by not setting `userProfile*Attr`). If `email` is not provided, the `emails` property is simply left empty. If `displayName` is not provided, it is left undefined, and CodiMD uses the `username` whenever the `displayName` is expected. This does not deal with the case where `username` is not provided. Since usernames are not unique in CodiMD, it is possible to deal with this by setting a dummy username. This can be added in a future commit if desired. Fixes #406 Signed-off-by: Dexter Chua <dalcde@yahoo.com.hk> 2020-06-17 09:09:47 -04:00			`emails: emails`
added auth/oauth2.ts added oauth2 to ProviderEnum Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: David Mehren <dmehren1@gmail.com> 2020-04-13 09:45:29 -04:00			`}`
			`}`

			`class OAuth2CustomStrategy extends OAuth2Strategy {`
			`private readonly _userProfileURL: string;`

			`constructor (options, verify) {`
			`options.customHeaders = options.customHeaders \|\| {}`
			`super(options, verify)`
			`this.name = 'oauth2'`
			`this._userProfileURL = options.userProfileURL`
			`this._oauth2.useAuthorizationHeaderforGET(true)`
			`}`

			`userProfile (accessToken, done): void {`
			`this._oauth2.get(this._userProfileURL, accessToken, function (err, body, _) {`
			`let json`

			`if (err) {`
			`return done(new InternalOAuthError('Failed to fetch user profile', err))`
			`}`

			`try {`
			`if (body !== undefined) {`
			`json = JSON.parse(body.toString())`
			`}`
			`} catch (ex) {`
			`return done(new Error('Failed to parse user profile'))`
			`}`

			`const profile = parseProfile(json)`
			`profile.provider = ProviderEnum.oauth2`

			`done(null, profile)`
			`})`
			`}`
			`}`

			`export { OAuth2CustomStrategy }`