chore: Move remaining auth methods to plugins (#4900)

* Move Google, Email, and Azure to plugins * Move OIDC provider, remove old loading code * Move AuthLogo to plugin * AuthLogo -> PluginIcon * Lazy load plugin settings
2023-02-19 22:52:08 -05:00
parent 667ffdeaf1
commit 21a1257d06
32 changed files with 302 additions and 314 deletions
--- a/plugins/email/plugin.json
+++ b/plugins/email/plugin.json
@@ -0,0 +1,4 @@
+{
+  "name": "Email",
+  "description": "Adds an email magic link authentication provider."
+}
--- a/plugins/email/server/.babelrc
+++ b/plugins/email/server/.babelrc
@@ -0,0 +1,3 @@
+{ 
+  "extends": "../../../server/.babelrc"
+}
--- a/plugins/email/server/auth/email.test.ts
+++ b/plugins/email/server/auth/email.test.ts
@@ -0,0 +1,221 @@
+import sharedEnv from "@shared/env";
+import SigninEmail from "@server/emails/templates/SigninEmail";
+import WelcomeEmail from "@server/emails/templates/WelcomeEmail";
+import env from "@server/env";
+import { buildUser, buildGuestUser, buildTeam } from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("email", () => {
+  it("should require email param", async () => {
+    const res = await server.post("/auth/email", {
+      body: {},
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.error).toEqual("validation_error");
+    expect(body.ok).toEqual(false);
+  });
+
+  it("should respond with redirect location when user is SSO enabled", async () => {
+    const spy = jest.spyOn(WelcomeEmail, "schedule");
+    const user = await buildUser();
+    const res = await server.post("/auth/email", {
+      body: {
+        email: user.email,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.redirect).toMatch("slack");
+    expect(spy).not.toHaveBeenCalled();
+    spy.mockRestore();
+  });
+
+  it("should not send email when user is on another subdomain but respond with success", async () => {
+    env.URL = sharedEnv.URL = "http://localoutline.com";
+    env.SUBDOMAINS_ENABLED = sharedEnv.SUBDOMAINS_ENABLED = true;
+    env.DEPLOYMENT = "hosted";
+
+    const user = await buildUser();
+    const spy = jest.spyOn(WelcomeEmail, "schedule");
+    await buildTeam({
+      subdomain: "example",
+    });
+    const res = await server.post("/auth/email", {
+      body: {
+        email: user.email,
+      },
+      headers: {
+        host: "example.localoutline.com",
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.success).toEqual(true);
+    expect(spy).not.toHaveBeenCalled();
+    spy.mockRestore();
+  });
+
+  it("should respond with success and email to be sent when user is not SSO enabled", async () => {
+    const spy = jest.spyOn(SigninEmail, "schedule");
+    const team = await buildTeam({
+      subdomain: "example",
+    });
+    const user = await buildGuestUser({
+      teamId: team.id,
+    });
+    const res = await server.post("/auth/email", {
+      body: {
+        email: user.email,
+      },
+      headers: {
+        host: "example.localoutline.com",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.success).toEqual(true);
+    expect(spy).toHaveBeenCalled();
+    spy.mockRestore();
+  });
+
+  it("should respond with success regardless of whether successful to prevent crawling email logins", async () => {
+    const spy = jest.spyOn(WelcomeEmail, "schedule");
+    await buildTeam({
+      subdomain: "example",
+    });
+    const res = await server.post("/auth/email", {
+      body: {
+        email: "user@example.com",
+      },
+      headers: {
+        host: "example.localoutline.com",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.success).toEqual(true);
+    expect(spy).not.toHaveBeenCalled();
+    spy.mockRestore();
+  });
+  describe("with multiple users matching email", () => {
+    it("should default to current subdomain with SSO", async () => {
+      const spy = jest.spyOn(SigninEmail, "schedule");
+      env.URL = sharedEnv.URL = "http://localoutline.com";
+      env.SUBDOMAINS_ENABLED = sharedEnv.SUBDOMAINS_ENABLED = true;
+      const email = "sso-user@example.org";
+      const team = await buildTeam({
+        subdomain: "example",
+      });
+      await buildGuestUser({
+        email,
+      });
+      await buildUser({
+        email,
+        teamId: team.id,
+      });
+      const res = await server.post("/auth/email", {
+        body: {
+          email,
+        },
+        headers: {
+          host: "example.localoutline.com",
+        },
+      });
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.redirect).toMatch("slack");
+      expect(spy).not.toHaveBeenCalled();
+      spy.mockRestore();
+    });
+
+    it("should default to current subdomain with guest email", async () => {
+      const spy = jest.spyOn(SigninEmail, "schedule");
+      env.URL = sharedEnv.URL = "http://localoutline.com";
+      env.SUBDOMAINS_ENABLED = sharedEnv.SUBDOMAINS_ENABLED = true;
+      const email = "guest-user@example.org";
+      const team = await buildTeam({
+        subdomain: "example",
+      });
+      await buildUser({
+        email,
+      });
+      await buildGuestUser({
+        email,
+        teamId: team.id,
+      });
+      const res = await server.post("/auth/email", {
+        body: {
+          email,
+        },
+        headers: {
+          host: "example.localoutline.com",
+        },
+      });
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.success).toEqual(true);
+      expect(spy).toHaveBeenCalled();
+      spy.mockRestore();
+    });
+
+    it("should default to custom domain with SSO", async () => {
+      const spy = jest.spyOn(WelcomeEmail, "schedule");
+      const email = "sso-user-2@example.org";
+      const team = await buildTeam({
+        domain: "docs.mycompany.com",
+      });
+      await buildGuestUser({
+        email,
+      });
+      await buildUser({
+        email,
+        teamId: team.id,
+      });
+      const res = await server.post("/auth/email", {
+        body: {
+          email,
+        },
+        headers: {
+          host: "docs.mycompany.com",
+        },
+      });
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.redirect).toMatch("slack");
+      expect(spy).not.toHaveBeenCalled();
+      spy.mockRestore();
+    });
+
+    it("should default to custom domain with guest email", async () => {
+      const spy = jest.spyOn(SigninEmail, "schedule");
+      const email = "guest-user-2@example.org";
+      const team = await buildTeam({
+        domain: "docs.mycompany.com",
+      });
+      await buildUser({
+        email,
+      });
+      await buildGuestUser({
+        email,
+        teamId: team.id,
+      });
+      const res = await server.post("/auth/email", {
+        body: {
+          email,
+        },
+        headers: {
+          host: "docs.mycompany.com",
+        },
+      });
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.success).toEqual(true);
+      expect(spy).toHaveBeenCalled();
+      spy.mockRestore();
+    });
+  });
+});
--- a/plugins/email/server/auth/email.ts
+++ b/plugins/email/server/auth/email.ts
@@ -0,0 +1,138 @@
+import Router from "koa-router";
+import { find } from "lodash";
+import { Client } from "@shared/types";
+import { parseDomain } from "@shared/utils/domains";
+import InviteAcceptedEmail from "@server/emails/templates/InviteAcceptedEmail";
+import SigninEmail from "@server/emails/templates/SigninEmail";
+import WelcomeEmail from "@server/emails/templates/WelcomeEmail";
+import env from "@server/env";
+import { AuthorizationError } from "@server/errors";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
+import { User, Team } from "@server/models";
+import { RateLimiterStrategy } from "@server/utils/RateLimiter";
+import { signIn } from "@server/utils/authentication";
+import { getUserForEmailSigninToken } from "@server/utils/jwt";
+import { assertEmail, assertPresent } from "@server/validation";
+
+const router = new Router();
+
+router.post(
+  "email",
+  rateLimiter(RateLimiterStrategy.TenPerHour),
+  async (ctx) => {
+    const { email, client } = ctx.request.body;
+    assertEmail(email, "email is required");
+
+    const domain = parseDomain(ctx.request.hostname);
+
+    let team: Team | null | undefined;
+    if (!env.isCloudHosted()) {
+      team = await Team.scope("withAuthenticationProviders").findOne();
+    } else if (domain.custom) {
+      team = await Team.scope("withAuthenticationProviders").findOne({
+        where: { domain: domain.host },
+      });
+    } else if (env.SUBDOMAINS_ENABLED && domain.teamSubdomain) {
+      team = await Team.scope("withAuthenticationProviders").findOne({
+        where: { subdomain: domain.teamSubdomain },
+      });
+    }
+
+    if (!team?.emailSigninEnabled) {
+      throw AuthorizationError();
+    }
+
+    const user = await User.scope("withAuthentications").findOne({
+      where: {
+        teamId: team.id,
+        email: email.toLowerCase(),
+      },
+    });
+
+    if (!user) {
+      ctx.body = {
+        success: true,
+      };
+      return;
+    }
+
+    // If the user matches an email address associated with an SSO
+    // provider then just forward them directly to that sign-in page
+    if (user.authentications.length) {
+      const authProvider = find(team.authenticationProviders, {
+        id: user.authentications[0].authenticationProviderId,
+      });
+      if (authProvider?.enabled) {
+        ctx.body = {
+          redirect: `${team.url}/auth/${authProvider?.name}`,
+        };
+        return;
+      }
+    }
+
+    // send email to users registered address with a short-lived token
+    await SigninEmail.schedule({
+      to: user.email,
+      token: user.getEmailSigninToken(),
+      teamUrl: team.url,
+      client: client === Client.Desktop ? Client.Desktop : Client.Web,
+    });
+    user.lastSigninEmailSentAt = new Date();
+    await user.save();
+
+    // respond with success regardless of whether an email was sent
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+router.get("email.callback", async (ctx) => {
+  const { token, client } = ctx.request.query;
+  assertPresent(token, "token is required");
+
+  let user!: User;
+
+  try {
+    user = await getUserForEmailSigninToken(token as string);
+  } catch (err) {
+    ctx.redirect(`/?notice=expired-token`);
+    return;
+  }
+
+  if (!user.team.emailSigninEnabled) {
+    return ctx.redirect("/?notice=auth-error");
+  }
+
+  if (user.isSuspended) {
+    return ctx.redirect("/?notice=suspended");
+  }
+
+  if (user.isInvited) {
+    await WelcomeEmail.schedule({
+      to: user.email,
+      teamUrl: user.team.url,
+    });
+
+    const inviter = await user.$get("invitedBy");
+    if (inviter) {
+      await InviteAcceptedEmail.schedule({
+        to: inviter.email,
+        inviterId: inviter.id,
+        invitedName: user.name,
+        teamUrl: user.team.url,
+      });
+    }
+  }
+
+  // set cookies on response and redirect to team subdomain
+  await signIn(ctx, "email", {
+    user,
+    team: user.team,
+    isNewTeam: false,
+    isNewUser: false,
+    client: client === Client.Desktop ? Client.Desktop : Client.Web,
+  });
+});
+
+export default router;