chore: schema for api/auth (#5481)

server/routes/api/auth/auth.test.ts

@@ -0,0 +1,250 @@
+import sharedEnv from "@shared/env";
+import env from "@server/env";
+import { buildUser, buildTeam } from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const mockTeamInSessionId = "1e023d05-951c-41c6-9012-c9fa0402e1c3";
+
+jest.mock("@server/utils/authentication", () => ({
+  getSessionsInCookie() {
+    return { [mockTeamInSessionId]: {} };
+  },
+}));
+
+const server = getTestServer();
+
+describe("#auth.info", () => {
+  it("should return current authentication", async () => {
+    const team = await buildTeam();
+    const team2 = await buildTeam();
+    const team3 = await buildTeam({
+      id: mockTeamInSessionId,
+    });
+
+    const user = await buildUser({
+      teamId: team.id,
+    });
+    await buildUser();
+    await buildUser({
+      teamId: team2.id,
+      email: user.email,
+    });
+    const res = await server.post("/api/auth.info", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    const availableTeamIds = body.data.availableTeams.map((t: any) => t.id);
+
+    expect(res.status).toEqual(200);
+    expect(availableTeamIds.length).toEqual(3);
+    expect(availableTeamIds).toContain(team.id);
+    expect(availableTeamIds).toContain(team2.id);
+    expect(availableTeamIds).toContain(team3.id);
+    expect(body.data.user.name).toBe(user.name);
+    expect(body.data.team.name).toBe(team.name);
+    expect(body.data.team.allowedDomains).toEqual([]);
+  });
+
+  it("should require the team to not be deleted", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({
+      teamId: team.id,
+    });
+    await team.destroy();
+    const res = await server.post("/api/auth.info", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(401);
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/auth.info");
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#auth.delete", () => {
+  it("should make the access token unusable", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/auth.delete", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res.status).toEqual(200);
+
+    const res2 = await server.post("/api/auth.info", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    expect(res2.status).toEqual(401);
+  });
+
+  it("should require authentication", async () => {
+    const res = await server.post("/api/auth.delete");
+    expect(res.status).toEqual(401);
+  });
+});
+
+describe("#auth.config", () => {
+  it("should return available SSO providers", async () => {
+    env.DEPLOYMENT = "hosted";
+
+    const res = await server.post("/api/auth.config");
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(3);
+    expect(body.data.providers[0].name).toBe("Slack");
+    expect(body.data.providers[1].name).toBe("OpenID Connect");
+    expect(body.data.providers[2].name).toBe("Google");
+  });
+
+  it("should return available providers for team subdomain", async () => {
+    env.URL = sharedEnv.URL = "http://localoutline.com";
+    env.SUBDOMAINS_ENABLED = sharedEnv.SUBDOMAINS_ENABLED = true;
+    env.DEPLOYMENT = "hosted";
+
+    await buildTeam({
+      guestSignin: false,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: {
+        host: `example.localoutline.com`,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(1);
+    expect(body.data.providers[0].name).toBe("Slack");
+  });
+
+  it("should return available providers for team custom domain", async () => {
+    env.DEPLOYMENT = "hosted";
+
+    await buildTeam({
+      guestSignin: false,
+      domain: "docs.mycompany.com",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: {
+        host: "docs.mycompany.com",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(1);
+    expect(body.data.providers[0].name).toBe("Slack");
+  });
+
+  it("should return email provider for team when guest signin enabled", async () => {
+    env.URL = sharedEnv.URL = "http://localoutline.com";
+    env.DEPLOYMENT = "hosted";
+
+    await buildTeam({
+      guestSignin: true,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: {
+        host: "example.localoutline.com",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(2);
+    expect(body.data.providers[0].name).toBe("Slack");
+    expect(body.data.providers[1].name).toBe("Email");
+  });
+
+  it("should not return provider when disabled", async () => {
+    env.URL = sharedEnv.URL = "http://localoutline.com";
+    env.DEPLOYMENT = "hosted";
+
+    await buildTeam({
+      guestSignin: false,
+      subdomain: "example",
+      authenticationProviders: [
+        {
+          name: "slack",
+          providerId: "123",
+          enabled: false,
+        },
+      ],
+    });
+    const res = await server.post("/api/auth.config", {
+      headers: {
+        host: "example.localoutline.com",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.providers.length).toBe(0);
+  });
+
+  describe("self hosted", () => {
+    it("should return all configured providers but respect email setting", async () => {
+      env.DEPLOYMENT = "";
+      await buildTeam({
+        guestSignin: false,
+        authenticationProviders: [
+          {
+            name: "slack",
+            providerId: "123",
+          },
+        ],
+      });
+      const res = await server.post("/api/auth.config");
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.data.providers.length).toBe(3);
+      expect(body.data.providers[0].name).toBe("Google");
+      expect(body.data.providers[1].name).toBe("OpenID Connect");
+      expect(body.data.providers[2].name).toBe("Slack");
+    });
+
+    it("should return email provider for team when guest signin enabled", async () => {
+      env.DEPLOYMENT = "";
+      await buildTeam({
+        guestSignin: true,
+        authenticationProviders: [
+          {
+            name: "slack",
+            providerId: "123",
+          },
+        ],
+      });
+      const res = await server.post("/api/auth.config");
+      const body = await res.json();
+      expect(res.status).toEqual(200);
+      expect(body.data.providers.length).toBe(4);
+      expect(body.data.providers[0].name).toBe("Slack");
+      expect(body.data.providers[1].name).toBe("OpenID Connect");
+      expect(body.data.providers[2].name).toBe("Google");
+      expect(body.data.providers[3].name).toBe("Email");
+    });
+  });
+});

server/routes/api/auth/auth.ts

@@ -0,0 +1,180 @@
+import Router from "koa-router";
+import { uniqBy } from "lodash";
+import { TeamPreference } from "@shared/types";
+import { parseDomain } from "@shared/utils/domains";
+import env from "@server/env";
+import auth from "@server/middlewares/authentication";
+import { transaction } from "@server/middlewares/transaction";
+import { Event, Team } from "@server/models";
+import AuthenticationHelper from "@server/models/helpers/AuthenticationHelper";
+import {
+  presentUser,
+  presentTeam,
+  presentPolicies,
+  presentProviderConfig,
+  presentAvailableTeam,
+} from "@server/presenters";
+import ValidateSSOAccessTask from "@server/queues/tasks/ValidateSSOAccessTask";
+import { APIContext } from "@server/types";
+import { getSessionsInCookie } from "@server/utils/authentication";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post("auth.config", async (ctx: APIContext<T.AuthConfigReq>) => {
+  // If self hosted AND there is only one team then that team becomes the
+  // brand for the knowledge base and it's guest signin option is used for the
+  // root login page.
+  if (!env.isCloudHosted()) {
+    const team = await Team.scope("withAuthenticationProviders").findOne();
+
+    if (team) {
+      ctx.body = {
+        data: {
+          name: team.name,
+          customTheme: team.getPreference(TeamPreference.CustomTheme),
+          logo: team.getPreference(TeamPreference.PublicBranding)
+            ? team.avatarUrl
+            : undefined,
+          providers: AuthenticationHelper.providersForTeam(team).map(
+            presentProviderConfig
+          ),
+        },
+      };
+      return;
+    }
+  }
+
+  const domain = parseDomain(ctx.request.hostname);
+
+  if (domain.custom) {
+    const team = await Team.scope("withAuthenticationProviders").findOne({
+      where: {
+        domain: ctx.request.hostname,
+      },
+    });
+
+    if (team) {
+      ctx.body = {
+        data: {
+          name: team.name,
+          customTheme: team.getPreference(TeamPreference.CustomTheme),
+          logo: team.getPreference(TeamPreference.PublicBranding)
+            ? team.avatarUrl
+            : undefined,
+          hostname: ctx.request.hostname,
+          providers: AuthenticationHelper.providersForTeam(team).map(
+            presentProviderConfig
+          ),
+        },
+      };
+      return;
+    }
+  }
+
+  // If subdomain signin page then we return minimal team details to allow
+  // for a custom screen showing only relevant signin options for that team.
+  else if (env.SUBDOMAINS_ENABLED && domain.teamSubdomain) {
+    const team = await Team.scope("withAuthenticationProviders").findOne({
+      where: {
+        subdomain: domain.teamSubdomain,
+      },
+    });
+
+    if (team) {
+      ctx.body = {
+        data: {
+          name: team.name,
+          customTheme: team.getPreference(TeamPreference.CustomTheme),
+          logo: team.getPreference(TeamPreference.PublicBranding)
+            ? team.avatarUrl
+            : undefined,
+          hostname: ctx.request.hostname,
+          providers: AuthenticationHelper.providersForTeam(team).map(
+            presentProviderConfig
+          ),
+        },
+      };
+      return;
+    }
+  }
+
+  // Otherwise, we're requesting from the standard root signin page
+  ctx.body = {
+    data: {
+      providers: AuthenticationHelper.providersForTeam().map(
+        presentProviderConfig
+      ),
+    },
+  };
+});
+
+router.post("auth.info", auth(), async (ctx: APIContext<T.AuthInfoReq>) => {
+  const { user } = ctx.state.auth;
+  const sessions = getSessionsInCookie(ctx);
+  const signedInTeamIds = Object.keys(sessions);
+
+  const [team, signedInTeams, availableTeams] = await Promise.all([
+    Team.scope("withDomains").findByPk(user.teamId, {
+      rejectOnEmpty: true,
+    }),
+    Team.findAll({
+      where: {
+        id: signedInTeamIds,
+      },
+    }),
+    user.availableTeams(),
+  ]);
+
+  await ValidateSSOAccessTask.schedule({ userId: user.id });
+
+  ctx.body = {
+    data: {
+      user: presentUser(user, {
+        includeDetails: true,
+      }),
+      team: presentTeam(team),
+      availableTeams: uniqBy([...signedInTeams, ...availableTeams], "id").map(
+        (team) =>
+          presentAvailableTeam(
+            team,
+            signedInTeamIds.includes(team.id) || team.id === user.teamId
+          )
+      ),
+    },
+    policies: presentPolicies(user, [team]),
+  };
+});
+
+router.post(
+  "auth.delete",
+  auth(),
+  transaction(),
+  async (ctx: APIContext<T.AuthDeleteReq>) => {
+    const { auth, transaction } = ctx.state;
+    const { user } = auth;
+
+    await user.rotateJwtSecret({ transaction });
+    await Event.create(
+      {
+        name: "users.signout",
+        actorId: user.id,
+        userId: user.id,
+        teamId: user.teamId,
+        data: {
+          name: user.name,
+        },
+        ip: ctx.request.ip,
+      },
+      {
+        transaction,
+      }
+    );
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+export default router;

server/routes/api/auth/index.ts

@@ -0,0 +1 @@
+export { default } from "./auth";

server/routes/api/auth/schema.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+import BaseSchema from "../BaseSchema";
+
+export const AuthConfigSchema = BaseSchema;
+
+export type AuthConfigReq = z.infer<typeof AuthConfigSchema>;
+
+export const AuthInfoSchema = BaseSchema;
+
+export type AuthInfoReq = z.infer<typeof AuthInfoSchema>;
+
+export const AuthDeleteSchema = BaseSchema;
+
+export type AuthDeleteReq = z.infer<typeof AuthDeleteSchema>;