feat: Move to passport for authentication (#1934)

- Added `accountProvisioner` - Move authentication to use passport strategies - Make authentication more pluggable - Change language of services -> providers closes #1120
2021-03-11 10:02:22 -08:00
parent dc967be4fc
commit 5d6f68d399
33 changed files with 1104 additions and 725 deletions
--- a/server/api/auth.js
+++ b/server/api/auth.js
@@ -1,57 +1,45 @@
 // @flow
+import path from "path";
 import Router from "koa-router";
-import { reject } from "lodash";
+import { find } from "lodash";
 import { parseDomain, isCustomSubdomain } from "../../shared/utils/domains";
 import { signin } from "../../shared/utils/routeHelpers";
 import auth from "../middlewares/authentication";
 import { Team } from "../models";
 import { presentUser, presentTeam, presentPolicies } from "../presenters";
 import { isCustomDomain } from "../utils/domains";
+import { requireDirectory } from "../utils/fs";

 const router = new Router();
+let providers = [];

-let services = [];
-
-if (process.env.GOOGLE_CLIENT_ID) {
-  services.push({
-    id: "google",
-    name: "Google",
-    authUrl: signin("google"),
-  });
-}
-
-if (process.env.SLACK_KEY) {
-  services.push({
-    id: "slack",
-    name: "Slack",
-    authUrl: signin("slack"),
-  });
-}
-
-services.push({
-  id: "email",
-  name: "Email",
-  authUrl: "",
-});
-
-function filterServices(team) {
-  let output = services;
-
-  const providerNames = team
-    ? team.authenticationProviders.map((provider) => provider.name)
-    : [];
-
-  if (team && !providerNames.includes("google")) {
-    output = reject(output, (service) => service.id === "google");
-  }
-  if (team && !providerNames.includes("slack")) {
-    output = reject(output, (service) => service.id === "slack");
-  }
-  if (!team || !team.guestSignin) {
-    output = reject(output, (service) => service.id === "email");
+requireDirectory(path.join(__dirname, "..", "auth")).forEach(
+  ([{ config }, id]) => {
+    if (config && config.enabled) {
+      providers.push({
+        id,
+        name: config.name,
+        authUrl: signin(id),
+      });
+    }
  }
+);

-  return output;
+function filterProviders(team) {
+  return providers
+    .sort((provider) => (provider.id === "email" ? 1 : -1))
+    .filter((provider) => {
+      // guest sign-in is an exception as it does not have an authentication
+      // provider using passport, instead it exists as a boolean option on the team
+      if (provider.id === "email") {
+        return team && team.guestSignin;
+      }
+
+      return (
+        !team ||
+        find(team.authenticationProviders, { name: provider.id, enabled: true })
+      );
+    });
 }

 router.post("auth.config", async (ctx) => {
@@ -66,7 +54,7 @@ router.post("auth.config", async (ctx) => {
      ctx.body = {
        data: {
          name: team.name,
-          services: filterServices(team),
+          providers: filterProviders(team),
        },
      };
      return;
@@ -83,7 +71,7 @@ router.post("auth.config", async (ctx) => {
        data: {
          name: team.name,
          hostname: ctx.request.hostname,
-          services: filterServices(team),
+          providers: filterProviders(team),
        },
      };
      return;
@@ -108,7 +96,7 @@ router.post("auth.config", async (ctx) => {
        data: {
          name: team.name,
          hostname: ctx.request.hostname,
-          services: filterServices(team),
+          providers: filterProviders(team),
        },
      };
      return;
@@ -118,7 +106,7 @@ router.post("auth.config", async (ctx) => {
  // Otherwise, we're requesting from the standard root signin page
  ctx.body = {
    data: {
-      services: filterServices(),
+      providers: filterProviders(),
    },
  };
 });
--- a/server/api/auth.test.js
+++ b/server/api/auth.test.js
@@ -41,3 +41,149 @@ describe("#auth.info", () => {
    expect(res.status).toEqual(401);
  });
 });
+
+describe("#auth.config", () => {
+  it("should return available SSO providers", async () => {
+    const res = await server.post("/api/auth.config");
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(2);
+    expect(body.data.providers[0].name).toBe("Slack");
+    expect(body.data.providers[1].name).toBe("Google");
+  });
+
+  it("should return available providers for team subdomain", async () => {
+    process.env.URL = "http://localoutline.com";
+
+    await buildTeam({
+      guestSignin: false,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: { host: `example.localoutline.com` },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(1);
+    expect(body.data.providers[0].name).toBe("Slack");
+  });
+
+  it("should return available providers for team custom domain", async () => {
+    await buildTeam({
+      guestSignin: false,
+      domain: "docs.mycompany.com",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: { host: "docs.mycompany.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(1);
+    expect(body.data.providers[0].name).toBe("Slack");
+  });
+
+  it("should return email provider for team when guest signin enabled", async () => {
+    process.env.URL = "http://localoutline.com";
+
+    await buildTeam({
+      guestSignin: true,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: { host: "example.localoutline.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(2);
+    expect(body.data.providers[0].name).toBe("Slack");
+    expect(body.data.providers[1].name).toBe("Email");
+  });
+
+  it("should not return provider when disabled", async () => {
+    process.env.URL = "http://localoutline.com";
+
+    await buildTeam({
+      guestSignin: false,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+          enabled: false,
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: { host: "example.localoutline.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(0);
+  });
+
+  describe("self hosted", () => {
+    it("should return available providers for team", async () => {
+      process.env.DEPLOYMENT = "";
+
+      await buildTeam({
+        guestSignin: false,
+        authenticationProviders: [
+          {
+            name: "slack",
+            providerId: "123",
+          },
+        ],
+      });
+      const res = await server.post("/api/auth.config");
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.providers.length).toBe(1);
+      expect(body.data.providers[0].name).toBe("Slack");
+    });
+
+    it("should return email provider for team when guest signin enabled", async () => {
+      process.env.DEPLOYMENT = "";
+
+      await buildTeam({
+        guestSignin: true,
+        authenticationProviders: [
+          {
+            name: "slack",
+            providerId: "123",
+          },
+        ],
+      });
+      const res = await server.post("/api/auth.config");
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.providers.length).toBe(2);
+      expect(body.data.providers[0].name).toBe("Slack");
+      expect(body.data.providers[1].name).toBe("Email");
+    });
+  });
+});