refactor: add server side validation schema for authProviders (#4876)

* refactor: move files to subfolder

* refactor: schema for authenticationProviders.info

* refactor: schema for authenticationProviders.update

* refactor: use validated body

server/routes/api/authenticationProviders/authenticationProviders.test.ts

@@ -0,0 +1,149 @@
+import { v4 as uuidv4 } from "uuid";
+import { buildUser, buildAdmin, buildTeam } from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("#authenticationProviders.info", () => {
+  it("should return auth provider", async () => {
+    const team = await buildTeam();
+    const user = await buildAdmin({
+      teamId: team.id,
+    });
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.info", {
+      body: {
+        id: authenticationProviders[0].id,
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe("slack");
+    expect(body.data.isEnabled).toBe(true);
+    expect(body.data.isConnected).toBe(true);
+    expect(body.policies[0].abilities.read).toBe(true);
+    expect(body.policies[0].abilities.update).toBe(true);
+  });
+
+  it("should require authorization", async () => {
+    const team = await buildTeam();
+    const user = await buildUser();
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.info", {
+      body: {
+        id: authenticationProviders[0].id,
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
+  it("should require authentication", async () => {
+    const team = await buildTeam();
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.info", {
+      body: {
+        id: authenticationProviders[0].id,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#authenticationProviders.update", () => {
+  it("should not allow admins to disable when last authentication provider", async () => {
+    const team = await buildTeam();
+    const user = await buildAdmin({
+      teamId: team.id,
+    });
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.update", {
+      body: {
+        id: authenticationProviders[0].id,
+        isEnabled: false,
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(400);
+  });
+
+  it("should allow admins to disable", async () => {
+    const team = await buildTeam();
+    const user = await buildAdmin({
+      teamId: team.id,
+    });
+    const googleProvider = await team.$create("authenticationProvider", {
+      name: "google",
+      providerId: uuidv4(),
+    });
+    const res = await server.post("/api/authenticationProviders.update", {
+      body: {
+        id: googleProvider.id,
+        isEnabled: false,
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.name).toBe("google");
+    expect(body.data.isEnabled).toBe(false);
+    expect(body.data.isConnected).toBe(true);
+  });
+
+  it("should require authorization", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({
+      teamId: team.id,
+    });
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.update", {
+      body: {
+        id: authenticationProviders[0].id,
+        isEnabled: false,
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(403);
+  });
+
+  it("should require authentication", async () => {
+    const team = await buildTeam();
+    const authenticationProviders = await team.$get("authenticationProviders");
+    const res = await server.post("/api/authenticationProviders.update", {
+      body: {
+        id: authenticationProviders[0].id,
+        isEnabled: false,
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#authenticationProviders.list", () => {
+  it("should return enabled and available auth providers", async () => {
+    const team = await buildTeam();
+    const user = await buildAdmin({
+      teamId: team.id,
+    });
+    const res = await server.post("/api/authenticationProviders.list", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toBe(2);
+    expect(body.data[0].name).toBe("slack");
+    expect(body.data[0].isEnabled).toBe(true);
+    expect(body.data[0].isConnected).toBe(true);
+    expect(body.data[1].name).toBe("google");
+    expect(body.data[1].isEnabled).toBe(false);
+    expect(body.data[1].isConnected).toBe(false);
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/authenticationProviders.list");
+    expect(res.status).toEqual(401);
+  });
+});

server/routes/api/authenticationProviders/authenticationProviders.ts

@@ -0,0 +1,120 @@
+import Router from "koa-router";
+import { sequelize } from "@server/database/sequelize";
+import auth from "@server/middlewares/authentication";
+import validate from "@server/middlewares/validate";
+import { AuthenticationProvider, Event } from "@server/models";
+import { authorize } from "@server/policies";
+import {
+  presentAuthenticationProvider,
+  presentPolicies,
+} from "@server/presenters";
+import { APIContext } from "@server/types";
+import allAuthenticationProviders from "../../auth/providers";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post(
+  "authenticationProviders.info",
+  auth({ admin: true }),
+  validate(T.AuthenticationProvidersInfoSchema),
+  async (ctx: APIContext<T.AuthenticationProvidersInfoReq>) => {
+    const { id } = ctx.input.body;
+    const { user } = ctx.state.auth;
+
+    const authenticationProvider = await AuthenticationProvider.findByPk(id);
+    authorize(user, "read", authenticationProvider);
+
+    ctx.body = {
+      data: presentAuthenticationProvider(authenticationProvider),
+      policies: presentPolicies(user, [authenticationProvider]),
+    };
+  }
+);
+
+router.post(
+  "authenticationProviders.update",
+  auth({ admin: true }),
+  validate(T.AuthenticationProvidersUpdateSchema),
+  async (ctx: APIContext<T.AuthenticationProvidersUpdateReq>) => {
+    const { id, isEnabled } = ctx.input.body;
+    const { user } = ctx.state.auth;
+
+    const authenticationProvider = await sequelize.transaction(
+      async (transaction) => {
+        const authenticationProvider = await AuthenticationProvider.findByPk(
+          id,
+          {
+            transaction,
+            lock: transaction.LOCK.UPDATE,
+          }
+        );
+
+        authorize(user, "update", authenticationProvider);
+        const enabled = !!isEnabled;
+
+        if (enabled) {
+          await authenticationProvider.enable({ transaction });
+        } else {
+          await authenticationProvider.disable({ transaction });
+        }
+
+        await Event.create(
+          {
+            name: "authenticationProviders.update",
+            data: {
+              enabled,
+            },
+            modelId: id,
+            teamId: user.teamId,
+            actorId: user.id,
+            ip: ctx.request.ip,
+          },
+          { transaction }
+        );
+
+        return authenticationProvider;
+      }
+    );
+
+    ctx.body = {
+      data: presentAuthenticationProvider(authenticationProvider),
+      policies: presentPolicies(user, [authenticationProvider]),
+    };
+  }
+);
+
+router.post(
+  "authenticationProviders.list",
+  auth({ admin: true }),
+  async (ctx: APIContext) => {
+    const { user } = ctx.state.auth;
+    authorize(user, "read", user.team);
+
+    const teamAuthenticationProviders = (await user.team.$get(
+      "authenticationProviders"
+    )) as AuthenticationProvider[];
+
+    const data = allAuthenticationProviders
+      .filter((p) => p.id !== "email")
+      .map((p) => {
+        const row = teamAuthenticationProviders.find((t) => t.name === p.id);
+
+        return {
+          id: p.id,
+          name: p.id,
+          displayName: p.name,
+          isEnabled: false,
+          isConnected: false,
+          ...(row ? presentAuthenticationProvider(row) : {}),
+        };
+      })
+      .sort((a) => (a.isEnabled ? -1 : 1));
+
+    ctx.body = {
+      data,
+    };
+  }
+);
+
+export default router;

server/routes/api/authenticationProviders/index.ts

@@ -0,0 +1 @@
+export { default } from "./authenticationProviders";

server/routes/api/authenticationProviders/schema.ts

@@ -0,0 +1,27 @@
+import { z } from "zod";
+import BaseSchema from "@server/routes/api/BaseSchema";
+
+export const AuthenticationProvidersInfoSchema = BaseSchema.extend({
+  body: z.object({
+    /** Authentication Provider Id */
+    id: z.string().uuid(),
+  }),
+});
+
+export type AuthenticationProvidersInfoReq = z.infer<
+  typeof AuthenticationProvidersInfoSchema
+>;
+
+export const AuthenticationProvidersUpdateSchema = BaseSchema.extend({
+  body: z.object({
+    /** Authentication Provider Id */
+    id: z.string().uuid(),
+
+    /** Whether the Authentication Provider is enabled or not */
+    isEnabled: z.boolean(),
+  }),
+});
+
+export type AuthenticationProvidersUpdateReq = z.infer<
+  typeof AuthenticationProvidersUpdateSchema
+>;