feat: authenticationProviders API endpoints (#1962)

server/auth/providers/README.md

@@ -0,0 +1,13 @@
+# Authentication Providers
+
+A new auth provider can be added with the addition of a single file in this
+folder, and (optionally) a matching logo in `/app/components/AuthLogo/index.js`
+that will appear on the signin button.
+
+Auth providers generally use [Passport](http://www.passportjs.org/) strategies,
+although they can use any custom logic if needed. See the `google` auth provider for the cleanest example of what is required – some rules:
+
+- The strategy name _must_ be lowercase
+- The strategy _must_ call the `accountProvisioner` command in the verify callback
+- The auth file _must_ export a `config` object with `name` and `enabled` keys
+- The auth file _must_ have a default export with a koa-router

server/auth/providers/email.js

@@ -0,0 +1,109 @@
+// @flow
+import subMinutes from "date-fns/sub_minutes";
+import Router from "koa-router";
+import { find } from "lodash";
+import { AuthorizationError } from "../../errors";
+import mailer from "../../mailer";
+import auth from "../../middlewares/authentication";
+import methodOverride from "../../middlewares/methodOverride";
+import validation from "../../middlewares/validation";
+import { User, Team } from "../../models";
+import { getUserForEmailSigninToken } from "../../utils/jwt";
+
+const router = new Router();
+
+export const config = {
+  name: "Email",
+  enabled: true,
+};
+
+router.use(methodOverride());
+router.use(validation());
+
+router.post("email", async (ctx) => {
+  const { email } = ctx.body;
+
+  ctx.assertEmail(email, "email is required");
+
+  const user = await User.scope("withAuthentications").findOne({
+    where: { email: email.toLowerCase() },
+  });
+
+  if (user) {
+    const team = await Team.scope("withAuthenticationProviders").findByPk(
+      user.teamId
+    );
+    if (!team) {
+      ctx.redirect(`/?notice=auth-error`);
+      return;
+    }
+
+    // If the user matches an email address associated with an SSO
+    // provider then just forward them directly to that sign-in page
+    if (user.authentications.length) {
+      const authProvider = find(team.authenticationProviders, {
+        id: user.authentications[0].authenticationProviderId,
+      });
+      ctx.body = {
+        redirect: `${team.url}/auth/${authProvider.name}`,
+      };
+      return;
+    }
+
+    if (!team.guestSignin) {
+      throw new AuthorizationError();
+    }
+
+    // basic rate limit of endpoint to prevent send email abuse
+    if (
+      user.lastSigninEmailSentAt &&
+      user.lastSigninEmailSentAt > subMinutes(new Date(), 2)
+    ) {
+      ctx.body = {
+        redirect: `${team.url}?notice=email-auth-ratelimit`,
+        message: "Rate limit exceeded",
+        success: false,
+      };
+      return;
+    }
+
+    // send email to users registered address with a short-lived token
+    mailer.signin({
+      to: user.email,
+      token: user.getEmailSigninToken(),
+      teamUrl: team.url,
+    });
+
+    user.lastSigninEmailSentAt = new Date();
+    await user.save();
+  }
+
+  // respond with success regardless of whether an email was sent
+  ctx.body = {
+    success: true,
+  };
+});
+
+router.get("email.callback", auth({ required: false }), async (ctx) => {
+  const { token } = ctx.request.query;
+
+  ctx.assertPresent(token, "token is required");
+
+  try {
+    const user = await getUserForEmailSigninToken(token);
+
+    const team = await Team.findByPk(user.teamId);
+    if (!team.guestSignin) {
+      throw new AuthorizationError();
+    }
+
+    await user.update({ lastActiveAt: new Date() });
+
+    // set cookies on response and redirect to team subdomain
+    ctx.signIn(user, team, "email", false);
+  } catch (err) {
+    ctx.redirect(`${process.env.URL}?notice=expired-token`);
+  }
+});
+
+export default router;

server/auth/providers/google.js

@@ -0,0 +1,98 @@
+// @flow
+import passport from "@outlinewiki/koa-passport";
+import Router from "koa-router";
+import { capitalize } from "lodash";
+import { Strategy as GoogleStrategy } from "passport-google-oauth2";
+import accountProvisioner from "../../commands/accountProvisioner";
+import env from "../../env";
+import {
+  GoogleWorkspaceRequiredError,
+  GoogleWorkspaceInvalidError,
+} from "../../errors";
+import auth from "../../middlewares/authentication";
+import passportMiddleware from "../../middlewares/passport";
+import { getAllowedDomains } from "../../utils/authentication";
+import { StateStore } from "../../utils/passport";
+
+const router = new Router();
+const providerName = "google";
+const GOOGLE_CLIENT_ID = process.env.GOOGLE_CLIENT_ID;
+const GOOGLE_CLIENT_SECRET = process.env.GOOGLE_CLIENT_SECRET;
+const allowedDomains = getAllowedDomains();
+
+const scopes = [
+  "https://www.googleapis.com/auth/userinfo.profile",
+  "https://www.googleapis.com/auth/userinfo.email",
+];
+
+export const config = {
+  name: "Google",
+  enabled: !!GOOGLE_CLIENT_ID,
+};
+
+passport.use(
+  new GoogleStrategy(
+    {
+      clientID: GOOGLE_CLIENT_ID,
+      clientSecret: GOOGLE_CLIENT_SECRET,
+      callbackURL: `${env.URL}/auth/google.callback`,
+      prompt: "select_account consent",
+      passReqToCallback: true,
+      store: new StateStore(),
+      scope: scopes,
+    },
+    async function (req, accessToken, refreshToken, profile, done) {
+      try {
+        const domain = profile._json.hd;
+
+        if (!domain) {
+          throw new GoogleWorkspaceRequiredError();
+        }
+
+        if (allowedDomains.length && !allowedDomains.includes(domain)) {
+          throw new GoogleWorkspaceInvalidError();
+        }
+
+        const subdomain = domain.split(".")[0];
+        const teamName = capitalize(subdomain);
+
+        const result = await accountProvisioner({
+          ip: req.ip,
+          team: {
+            name: teamName,
+            domain,
+            subdomain,
+          },
+          user: {
+            name: profile.displayName,
+            email: profile.email,
+            avatarUrl: profile.picture,
+          },
+          authenticationProvider: {
+            name: providerName,
+            providerId: domain,
+          },
+          authentication: {
+            providerId: profile.id,
+            accessToken,
+            refreshToken,
+            scopes,
+          },
+        });
+        return done(null, result.user, result);
+      } catch (err) {
+        return done(err, null);
+      }
+    }
+  )
+);
+
+router.get("google", passport.authenticate(providerName));
+
+router.get(
+  "google.callback",
+  auth({ required: false }),
+  passportMiddleware(providerName)
+);
+
+export default router;

server/auth/providers/index.js

@@ -0,0 +1,37 @@
+// @flow
+import { signin } from "../../../shared/utils/routeHelpers";
+import { requireDirectory } from "../../utils/fs";
+
+let providers = [];
+
+requireDirectory(__dirname).forEach(([module, id]) => {
+  const { config, default: router } = module;
+
+  if (id === "index") {
+    return;
+  }
+
+  if (!config) {
+    throw new Error(
+      `Auth providers must export a 'config' object, missing in ${id}`
+    );
+  }
+
+  if (!router || !router.routes) {
+    throw new Error(
+      `Default export of an auth provider must be a koa-router, missing in ${id}`
+    );
+  }
+
+  if (config && config.enabled) {
+    providers.push({
+      id,
+      name: config.name,
+      enabled: config.enabled,
+      authUrl: signin(id),
+      router: router,
+    });
+  }
+});
+
+export default providers;

server/auth/providers/slack.js

@@ -0,0 +1,196 @@
+// @flow
+import passport from "@outlinewiki/koa-passport";
+import Router from "koa-router";
+import { Strategy as SlackStrategy } from "passport-slack-oauth2";
+import accountProvisioner from "../../commands/accountProvisioner";
+import env from "../../env";
+import auth from "../../middlewares/authentication";
+import passportMiddleware from "../../middlewares/passport";
+import { Authentication, Collection, Integration, Team } from "../../models";
+import * as Slack from "../../slack";
+import { StateStore } from "../../utils/passport";
+
+const router = new Router();
+const providerName = "slack";
+const SLACK_CLIENT_ID = process.env.SLACK_KEY;
+const SLACK_CLIENT_SECRET = process.env.SLACK_SECRET;
+
+const scopes = [
+  "identity.email",
+  "identity.basic",
+  "identity.avatar",
+  "identity.team",
+];
+
+export const config = {
+  name: "Slack",
+  enabled: !!SLACK_CLIENT_ID,
+};
+
+const strategy = new SlackStrategy(
+  {
+    clientID: SLACK_CLIENT_ID,
+    clientSecret: SLACK_CLIENT_SECRET,
+    callbackURL: `${env.URL}/auth/slack.callback`,
+    passReqToCallback: true,
+    store: new StateStore(),
+    scope: scopes,
+  },
+  async function (req, accessToken, refreshToken, profile, done) {
+    try {
+      const result = await accountProvisioner({
+        ip: req.ip,
+        team: {
+          name: profile.team.name,
+          subdomain: profile.team.domain,
+          avatarUrl: profile.team.image_230,
+        },
+        user: {
+          name: profile.user.name,
+          email: profile.user.email,
+          avatarUrl: profile.user.image_192,
+        },
+        authenticationProvider: {
+          name: providerName,
+          providerId: profile.team.id,
+        },
+        authentication: {
+          providerId: profile.user.id,
+          accessToken,
+          refreshToken,
+          scopes,
+        },
+      });
+      return done(null, result.user, result);
+    } catch (err) {
+      return done(err, null);
+    }
+  }
+);
+
+// For some reason the author made the strategy name capatilised, I don't know
+// why but we need everything lowercase so we just monkey-patch it here.
+strategy.name = providerName;
+passport.use(strategy);
+
+router.get("slack", passport.authenticate(providerName));
+
+router.get(
+  "slack.callback",
+  auth({ required: false }),
+  passportMiddleware(providerName)
+);
+
+router.get("slack.commands", auth({ required: false }), async (ctx) => {
+  const { code, state, error } = ctx.request.query;
+  const user = ctx.state.user;
+  ctx.assertPresent(code || error, "code is required");
+
+  if (error) {
+    ctx.redirect(`/settings/integrations/slack?error=${error}`);
+    return;
+  }
+
+  // this code block accounts for the root domain being unable to
+  // access authentication for subdomains. We must forward to the appropriate
+  // subdomain to complete the oauth flow
+  if (!user) {
+    if (state) {
+      try {
+        const team = await Team.findByPk(state);
+        return ctx.redirect(
+          `${team.url}/auth${ctx.request.path}?${ctx.request.querystring}`
+        );
+      } catch (err) {
+        return ctx.redirect(
+          `/settings/integrations/slack?error=unauthenticated`
+        );
+      }
+    } else {
+      return ctx.redirect(`/settings/integrations/slack?error=unauthenticated`);
+    }
+  }
+
+  const endpoint = `${process.env.URL || ""}/auth/slack.commands`;
+  const data = await Slack.oauthAccess(code, endpoint);
+
+  const authentication = await Authentication.create({
+    service: "slack",
+    userId: user.id,
+    teamId: user.teamId,
+    token: data.access_token,
+    scopes: data.scope.split(","),
+  });
+
+  await Integration.create({
+    service: "slack",
+    type: "command",
+    userId: user.id,
+    teamId: user.teamId,
+    authenticationId: authentication.id,
+    settings: {
+      serviceTeamId: data.team_id,
+    },
+  });
+
+  ctx.redirect("/settings/integrations/slack");
+});
+
+router.get("slack.post", auth({ required: false }), async (ctx) => {
+  const { code, error, state } = ctx.request.query;
+  const user = ctx.state.user;
+  ctx.assertPresent(code || error, "code is required");
+
+  const collectionId = state;
+  ctx.assertUuid(collectionId, "collectionId must be an uuid");
+
+  if (error) {
+    ctx.redirect(`/settings/integrations/slack?error=${error}`);
+    return;
+  }
+
+  // this code block accounts for the root domain being unable to
+  // access authentcation for subdomains. We must forward to the
+  // appropriate subdomain to complete the oauth flow
+  if (!user) {
+    try {
+      const collection = await Collection.findByPk(state);
+      const team = await Team.findByPk(collection.teamId);
+      return ctx.redirect(
+        `${team.url}/auth${ctx.request.path}?${ctx.request.querystring}`
+      );
+    } catch (err) {
+      return ctx.redirect(`/settings/integrations/slack?error=unauthenticated`);
+    }
+  }
+
+  const endpoint = `${process.env.URL || ""}/auth/slack.post`;
+  const data = await Slack.oauthAccess(code, endpoint);
+
+  const authentication = await Authentication.create({
+    service: "slack",
+    userId: user.id,
+    teamId: user.teamId,
+    token: data.access_token,
+    scopes: data.scope.split(","),
+  });
+
+  await Integration.create({
+    service: "slack",
+    type: "post",
+    userId: user.id,
+    teamId: user.teamId,
+    authenticationId: authentication.id,
+    collectionId,
+    events: [],
+    settings: {
+      url: data.incoming_webhook.url,
+      channel: data.incoming_webhook.channel,
+      channelId: data.incoming_webhook.channel_id,
+    },
+  });
+
+  ctx.redirect("/settings/integrations/slack");
+});
+
+export default router;