Separate environment configs (#6597)

* Separate environment configs * wip * wip * test * plugins * test * test * .sequelizerc, unfortunately can't go through /utils/environment due to not supporting TS * docker-compose -> docker compose * fix: .local wipes .development * Add custom validation message for invalid SECRET_KEY (often confused)
2024-02-27 09:24:23 -08:00
parent 415383a1c9
commit 60e52d0423
45 changed files with 489 additions and 409 deletions
--- a/plugins/azure/server/auth/azure.ts
+++ b/plugins/azure/server/auth/azure.ts
@@ -6,7 +6,6 @@ import Router from "koa-router";
 import { Profile } from "passport";
 import { slugifyDomain } from "@shared/utils/domains";
 import accountProvisioner from "@server/commands/accountProvisioner";
-import env from "@server/env";
 import { MicrosoftGraphError } from "@server/errors";
 import passportMiddleware from "@server/middlewares/passport";
 import { User } from "@server/models";
@@ -17,6 +16,7 @@ import {
  getTeamFromContext,
  getClientFromContext,
 } from "@server/utils/passport";
+import env from "../env";

 const router = new Router();
 const providerName = "azure";
--- a/plugins/azure/server/azure.ts
+++ b/plugins/azure/server/azure.ts
@@ -0,0 +1,44 @@
+import invariant from "invariant";
+import JWT from "jsonwebtoken";
+import OAuthClient from "@server/utils/oauth";
+import env from "./env";
+
+type AzurePayload = {
+  /** A GUID that represents the Azure AD tenant that the user is from */
+  tid: string;
+};
+
+export default class AzureClient extends OAuthClient {
+  endpoints = {
+    authorize: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+    token: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+    userinfo: "https://graph.microsoft.com/v1.0/me",
+  };
+
+  constructor() {
+    invariant(env.AZURE_CLIENT_ID, "AZURE_CLIENT_ID is required");
+    invariant(env.AZURE_CLIENT_SECRET, "AZURE_CLIENT_SECRET is required");
+
+    super(env.AZURE_CLIENT_ID, env.AZURE_CLIENT_SECRET);
+  }
+
+  async rotateToken(
+    accessToken: string,
+    refreshToken: string
+  ): Promise<{
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt: Date;
+  }> {
+    if (env.isCloudHosted) {
+      return super.rotateToken(accessToken, refreshToken);
+    }
+
+    const payload = JWT.decode(accessToken) as AzurePayload;
+    return super.rotateToken(
+      accessToken,
+      refreshToken,
+      `https://login.microsoftonline.com/${payload.tid}/oauth2/v2.0/token`
+    );
+  }
+}
--- a/plugins/azure/server/env.ts
+++ b/plugins/azure/server/env.ts
@@ -0,0 +1,27 @@
+import { IsOptional } from "class-validator";
+import { Environment } from "@server/env";
+import environment from "@server/utils/environment";
+import { CannotUseWithout } from "@server/utils/validators";
+
+class AzurePluginEnvironment extends Environment {
+  /**
+   * Azure OAuth2 client credentials. To enable authentication with Azure.
+   */
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_SECRET")
+  public AZURE_CLIENT_ID = this.toOptionalString(environment.AZURE_CLIENT_ID);
+
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_ID")
+  public AZURE_CLIENT_SECRET = this.toOptionalString(
+    environment.AZURE_CLIENT_SECRET
+  );
+
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_ID")
+  public AZURE_RESOURCE_APP_ID = this.toOptionalString(
+    environment.AZURE_RESOURCE_APP_ID
+  );
+}
+
+export default new AzurePluginEnvironment();