feat: auth0 + discord + github + slack auth modules

d7676513 · Nick · 8af21c02 · d7676513 · d7676513 · d7676513
Commit d7676513 authored Apr 21, 2019 by Nick
20 changed files
--- a/client/components/admin/admin-auth.vue
+++ b/client/components/admin/admin-auth.vue
@@ -183,8 +183,8 @@
              .body-2 Allowed Web Origins
              .body-1 {{host}}
              v-divider.my-3
-              .body-2 Callback URL
+              .body-2 Callback URL / Redirect URI
-              .body-1 {{host}}/login/callback/{{strategy.key}}
+              .body-1 {{host}}/login/{{strategy.key}}/callback
              v-divider.my-3
              .body-2 Login URL
              .body-1 {{host}}/login

--- a/client/components/common/nav-header.vue
+++ b/client/components/common/nav-header.vue
@@ -143,8 +143,10 @@
            span Admin
          v-menu(v-if='isAuthenticated', offset-y, min-width='300', left)
            v-tooltip(bottom, slot='activator')
-              v-btn.btn-animate-grow(icon, slot='activator', outline, color='blue')
+              v-btn(icon, slot='activator', outline, color='blue')
-                v-icon(color='grey') account_circle
+                v-icon(v-if='picture.kind === `initials`', color='grey') account_circle
+                v-avatar(v-else-if='picture.kind === `image`', :size='29')
+                  v-img(:src='picture.url')
              span Account
            v-list.py-0
              v-list-tile.py-3.grey(avatar, :class='$vuetify.dark ? `darken-4-l5` : `lighten-5`')

--- a/package.json
+++ b/package.json
@@ -39,6 +39,7 @@
    "node": ">=10.12"
  },
  "dependencies": {
+    "@aoberoi/passport-slack": "1.0.5",
    "@bugsnag/js": "5.2.0",
    "algoliasearch": "3.32.1",
    "apollo-fetch": "0.7.0",
@@ -135,7 +136,6 @@
    "passport-okta-oauth": "0.0.1",
    "passport-openidconnect": "0.0.2",
    "passport-saml": "1.0.0",
-    "passport-slack": "0.0.7",
    "passport-twitch": "1.0.3",
    "passport-windowslive": "1.0.2",
    "pem-jwk": "2.0.0",

--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@@ -27,7 +27,8 @@ router.get('/login/:strategy/callback', async (req, res, next) => {
    const authResult = await WIKI.models.users.login({
      strategy: req.params.strategy
    }, { req, res })
-    console.info(authResult)
+    res.cookie('jwt', authResult.jwt, { expires: moment().add(1, 'y').toDate() })
+    res.redirect('/')
  } catch (err) {
    next(err)
  }

--- a/server/core/auth.js
+++ b/server/core/auth.js
@@ -78,17 +78,12 @@ module.exports = {
        stg.config.callbackURL = `${WIKI.config.host}/login/${stg.key}/callback`
        strategy.init(passport, stg.config)
+        strategy.config = stg.config
-        try {
+        WIKI.auth.strategies[stg.key] = {
-          strategy.icon = await fs.readFile(path.join(WIKI.ROOTPATH, `assets/svg/auth-icon-${strategy.key}.svg`), 'utf8')
+          ...strategy,
-        } catch (err) {
+          ...stg
-          if (err.code === 'ENOENT') {
-            strategy.icon = '[missing icon]'
-          } else {
-            WIKI.logger.warn(err)
-          }
        }
-        WIKI.auth.strategies[stg.key] = strategy
        WIKI.logger.info(`Authentication Strategy ${stg.key}: [ OK ]`)
      }
    } catch (err) {

--- a/server/models/users.js
+++ b/server/models/users.js
@@ -19,13 +19,13 @@ module.exports = class User extends Model {
  static get jsonSchema () {
    return {
      type: 'object',
-      required: ['email', 'name', 'provider'],
+      required: ['email'],
      properties: {
        id: {type: 'integer'},
        email: {type: 'string', format: 'email'},
        name: {type: 'string', minLength: 1, maxLength: 255},
-        providerId: {type: 'number'},
+        providerId: {type: 'string'},
        password: {type: 'string'},
        role: {type: 'string', enum: ['admin', 'guest', 'user']},
        tfaIsActive: {type: 'boolean', default: false},
@@ -154,8 +154,17 @@ module.exports = class User extends Model {
  // Model Methods
  // ------------------------------------------------
-  static async processProfile({ profile, provider }) {
+  static async processProfile({ profile, providerKey }) {
-    // -> Parse email
+    const provider = _.get(WIKI.auth.strategies, providerKey, {})
+    provider.info = _.find(WIKI.data.authentication, ['key', providerKey])
+    // Find existing user
+    let user = await WIKI.models.users.query().findOne({
+      providerId: profile.id,
+      providerKey
+    })
+    // Parse email
    let primaryEmail = ''
    if (_.isArray(profile.emails)) {
      const e = _.find(profile.emails, ['primary', true])
@@ -167,50 +176,75 @@ module.exports = class User extends Model {
    } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
      primaryEmail = profile.user.email
    } else {
-      return Promise.reject(new Error('Missing or invalid email address from profile.'))
+      throw new Error('Missing or invalid email address from profile.')
    }
    primaryEmail = _.toLower(primaryEmail)
-    // -> Find user
+    // Parse display name
-    let user = await WIKI.models.users.query().findOne({
+    let displayName = ''
-      email: primaryEmail,
+    if (_.isString(profile.displayName) && profile.displayName.length > 0) {
-      providerKey: provider
+      displayName = profile.displayName
-    })
+    } else if (_.isString(profile.name) && profile.name.length > 0) {
+      displayName = profile.name
+    } else {
+      displayName = primaryEmail.split('@')[0]
+    }
+    // Parse picture URL
+    let pictureUrl = _.get(profile, 'picture', _.get(user, 'pictureUrl', null))
+    // Update existing user
    if (user) {
-      user.$query().patchAdnFetch({
+      if (!user.isActive) {
+        throw new WIKI.Error.AuthAccountBanned()
+      }
+      if (user.isSystem) {
+        throw new Error('This is a system reserved account and cannot be used.')
+      }
+      user = await user.$query().patchAndFetch({
        email: primaryEmail,
-        providerKey: provider,
+        name: displayName,
-        providerId: profile.id,
+        pictureUrl: pictureUrl
-        name: _.get(profile, 'displayName', primaryEmail.split('@')[0])
      })
-    } else {
-      // user = await WIKI.models.users.query().insertAndFetch({
+      return user
-      //   email: primaryEmail,
-      //   providerKey: provider,
-      //   providerId: profile.id,
-      //   name: profile.displayName || _.split(primaryEmail, '@')[0]
-      // })
    }
-    // Handle unregistered accounts
+    // Self-registration
-    // if (!user && profile.provider !== 'local' && (WIKI.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
+    if (provider.selfRegistration) {
-    //   let nUsr = {
+      // Check if email domain is whitelisted
-    //     email: primaryEmail,
+      if (_.get(provider, 'domainWhitelist', []).length > 0) {
-    //     provider: profile.provider,
+        const emailDomain = _.last(primaryEmail.split('@'))
-    //     providerId: profile.id,
+        if (!_.includes(provider.domainWhitelist, emailDomain)) {
-    //     password: '',
+          throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
-    //     name: profile.displayName || profile.name || profile.cn,
+        }
-    //     rights: [{
+      }
-    //       role: 'read',
-    //       path: '/',
-    //       exact: false,
-    //       deny: false
-    //     }]
-    //   }
-    //   return WIKI.models.users.query().insert(nUsr)
-    // }
-    return user
+      // Create account
+      user = await WIKI.models.users.query().insertAndFetch({
+        providerKey: providerKey,
+        providerId: profile.id,
+        email: primaryEmail,
+        name: displayName,
+        pictureUrl: pictureUrl,
+        localeCode: WIKI.config.lang.code,
+        defaultEditor: 'markdown',
+        tfaIsActive: false,
+        isSystem: false,
+        isActive: true,
+        isVerified: true
+      })
+      // Assign to group(s)
+      if (provider.autoEnrollGroups.length > 0) {
+        await user.$relatedQuery('groups').relate(provider.autoEnrollGroups)
+      }
+      return user
+    }
+    throw new Error('You are not authorized to login.')
  }
  static async login (opts, context) {
@@ -227,7 +261,7 @@ module.exports = class User extends Model {
      return new Promise((resolve, reject) => {
        WIKI.auth.passport.authenticate(opts.strategy, {
          session: !strInfo.useForm,
-          scope: strInfo.scopes ? strInfo.scopes.join(' ') : null
+          scope: strInfo.scopes ? strInfo.scopes : null
        }, async (err, user, info) => {
          if (err) { return reject(err) }
          if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }

--- a/server/modules/authentication/auth0/authentication.js
+++ b/server/modules/authentication/auth0/authentication.js
@@ -15,9 +15,8 @@ module.exports = {
        clientSecret: conf.clientSecret,
        callbackURL: conf.callbackURL
      }, async (accessToken, refreshToken, extraParams, profile, cb) => {
-        console.info(accessToken, refreshToken, extraParams, profile)
        try {
-          const user = WIKI.models.users.processProfile({ profile, provider: 'auth0' })
+          const user = await WIKI.models.users.processProfile({ profile, providerKey: 'auth0' })
          cb(null, user)
        } catch (err) {
          cb(err, null)

--- a/server/modules/authentication/discord/authentication.js
+++ b/server/modules/authentication/discord/authentication.js
@@ -5,6 +5,7 @@
 // ------------------------------------
 const DiscordStrategy = require('passport-discord').Strategy
+const _ = require('lodash')
 module.exports = {
  init (passport, conf) {
@@ -14,12 +15,20 @@ module.exports = {
        clientSecret: conf.clientSecret,
        callbackURL: conf.callbackURL,
        scope: 'identify email'
-      }, function (accessToken, refreshToken, profile, cb) {
+      }, async (accessToken, refreshToken, profile, cb) => {
-        WIKI.models.users.processProfile(profile).then((user) => {
+        try {
-          return cb(null, user) || true
+          const user = await WIKI.models.users.processProfile({
-        }).catch((err) => {
+            profile: {
-          return cb(err, null) || true
+              ...profile,
-        })
+              displayName: profile.username,
+              picture: `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.png`
+            },
+            providerKey: 'discord'
+          })
+          cb(null, user)
+        } catch (err) {
+          cb(err, null)
+        }
      }
      ))
  }

--- a/server/modules/authentication/discord/definition.yml
+++ b/server/modules/authentication/discord/definition.yml
@@ -5,7 +5,16 @@ author: requarks.io
 logo: https://static.requarks.io/logo/discord.svg
 color: indigo lighten-2
 website: https://discordapp.com/
+isAvailable: true
 useForm: false
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
--- a/server/modules/authentication/facebook/definition.yml
+++ b/server/modules/authentication/facebook/definition.yml
@@ -5,7 +5,16 @@ author: requarks.io
 logo: https://static.requarks.io/logo/facebook.svg
 color: indigo
 website: https://facebook.com/
+isAvailable: false
 useForm: false
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
--- a/server/modules/authentication/firebase/authentication.js
+++ b/server/modules/authentication/firebase/authentication.js
+/* global WIKI */
+// ------------------------------------
+// GitHub Account
+// ------------------------------------
+const GitHubStrategy = require('passport-github2').Strategy
+const _ = require('lodash')
+module.exports = {
+  init (passport, conf) {
+    passport.use('github',
+      new GitHubStrategy({
+        clientID: conf.clientId,
+        clientSecret: conf.clientSecret,
+        callbackURL: conf.callbackURL,
+        scope: ['user:email']
+      }, async (accessToken, refreshToken, profile, cb) => {
+        try {
+          const user = await WIKI.models.users.processProfile({
+            profile: {
+              ...profile,
+              picture: _.get(profile, 'photos[0].value', '')
+            },
+            providerKey: 'github'
+          })
+          cb(null, user)
+        } catch (err) {
+          cb(err, null)
+        }
+      }
+      ))
+  }
+}
--- a/server/modules/authentication/firebase/definition.yml
+++ b/server/modules/authentication/firebase/definition.yml
+key: firebase
+title: Firebase
+description: Firebase is Google's mobile platform that helps you quickly develop high-quality apps and grow your business.
+author: requarks.io
+logo: https://static.requarks.io/logo/firebase.svg
+color: yellow darken-3
+website: https://firebase.google.com/
+isAvailable: false
+useForm: false
+props: {}
--- a/server/modules/authentication/github/authentication.js
+++ b/server/modules/authentication/github/authentication.js
@@ -5,6 +5,7 @@
 // ------------------------------------
 const GitHubStrategy = require('passport-github2').Strategy
+const _ = require('lodash')
 module.exports = {
  init (passport, conf) {
@@ -14,12 +15,19 @@ module.exports = {
        clientSecret: conf.clientSecret,
        callbackURL: conf.callbackURL,
        scope: ['user:email']
-      }, (accessToken, refreshToken, profile, cb) => {
+      }, async (accessToken, refreshToken, profile, cb) => {
-        WIKI.models.users.processProfile(profile).then((user) => {
+        try {
-          return cb(null, user) || true
+          const user = await WIKI.models.users.processProfile({
-        }).catch((err) => {
+            profile: {
-          return cb(err, null) || true
+              ...profile,
-        })
+              picture: _.get(profile, 'photos[0].value', '')
+            },
+            providerKey: 'github'
+          })
+          cb(null, user)
+        } catch (err) {
+          cb(err, null)
+        }
      }
      ))
  }

--- a/server/modules/authentication/github/definition.yml
+++ b/server/modules/authentication/github/definition.yml
@@ -5,7 +5,17 @@ author: requarks.io
 logo: https://static.requarks.io/logo/github.svg
 color: grey darken-3
 website: https://github.com
+isAvailable: true
 useForm: false
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
--- a/server/modules/authentication/google/definition.yml
+++ b/server/modules/authentication/google/definition.yml
@@ -5,7 +5,16 @@ author: requarks.io
 logo: https://static.requarks.io/logo/google.svg
 color: red darken-1
 website: https://console.developers.google.com/
+isAvailable: false
 useForm: false
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
--- a/server/modules/authentication/microsoft/authentication.js
+++ b/server/modules/authentication/microsoft/authentication.js
@@ -13,12 +13,20 @@ module.exports = {
        clientID: conf.clientId,
        clientSecret: conf.clientSecret,
        callbackURL: conf.callbackURL
-      }, function (accessToken, refreshToken, profile, cb) {
+      }, async (accessToken, refreshToken, profile, cb) => {
-        WIKI.models.users.processProfile(profile).then((user) => {
+        console.info(profile)
-          return cb(null, user) || true
+        try {
-        }).catch((err) => {
+          const user = await WIKI.models.users.processProfile({
-          return cb(err, null) || true
+            profile: {
-        })
+              ...profile,
+              picture: _.get(profile, 'photos[0].value', '')
+            },
+            providerKey: 'microsoft'
+          })
+          cb(null, user)
+        } catch (err) {
+          cb(err, null)
+        }
      }
      ))
  }

--- a/server/modules/authentication/microsoft/definition.yml
+++ b/server/modules/authentication/microsoft/definition.yml
@@ -5,7 +5,20 @@ author: requarks.io
 logo: https://static.requarks.io/logo/microsoft.svg
 color: blue
 website: https://apps.dev.microsoft.com/
+isAvailable: false
 useForm: false
+scopes:
+  - openid
+  - profile
+  - email
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
--- a/server/modules/authentication/slack/authentication.js
+++ b/server/modules/authentication/slack/authentication.js
@@ -4,7 +4,8 @@
 // Slack Account
 // ------------------------------------
-const SlackStrategy = require('passport-slack').Strategy
+const SlackStrategy = require('@aoberoi/passport-slack').default.Strategy
+const _ = require('lodash')
 module.exports = {
  init (passport, conf) {
@@ -12,13 +13,21 @@ module.exports = {
      new SlackStrategy({
        clientID: conf.clientId,
        clientSecret: conf.clientSecret,
-        callbackURL: conf.callbackURL
+        callbackURL: conf.callbackURL,
-      }, (accessToken, refreshToken, profile, cb) => {
+        team: conf.team
-        WIKI.models.users.processProfile(profile).then((user) => {
+      }, async (accessToken, scopes, team, extra, { user: userProfile }, cb) => {
-          return cb(null, user) || true
+        try {
-        }).catch((err) => {
+          const user = await WIKI.models.users.processProfile({
-          return cb(err, null) || true
+            profile: {
-        })
+              ...userProfile,
+              picture: _.get(userProfile, 'image_48', '')
+            },
+            providerKey: 'slack'
+          })
+          cb(null, user)
+        } catch (err) {
+          cb(err, null)
+        }
      }
      ))
  }

--- a/server/modules/authentication/slack/definition.yml
+++ b/server/modules/authentication/slack/definition.yml
@@ -5,7 +5,25 @@ author: requarks.io
 logo: https://static.requarks.io/logo/slack.svg
 color: green
 website: https://api.slack.com/docs/oauth
+isAvailable: true
 useForm: false
+scope:
+  - identity.basic
+  - identity.email
+  - identity.avatar
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2
+  team:
+    type: String
+    title: Team / Workspace ID
+    hint: Optional - Your unique team (workspace) identifier
+    order: 3
--- a/server/modules/authentication/twitch/definition.yml
+++ b/server/modules/authentication/twitch/definition.yml
@@ -5,7 +5,16 @@ author: requarks.io
 logo: https://static.requarks.io/logo/twitch.svg
 color: indigo darken-2
 website: https://dev.twitch.tv/docs/authentication/
+isAvailable: false
 useForm: false
 props:
-  clientId: String
+  clientId:
-  clientSecret: String
+    type: String
+    title: Client ID
+    hint: Application Client ID
+    order: 1
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: Application Client Secret
+    order: 2