yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
293c3b7b9cd2fb81c39aeaa905182332d50c7232
outline/server/auth/google.js
Tom Moor 6d8216c54e feat: Guest email authentication (#1088) 
* feat: API endpoints for email signin

* fix: After testing

* Initial signin flow working

* move shared middleware

* feat: Add guest signin toggle, obey on endpoints

* feat: Basic email signin when enabled

* Improve guest signin email
Disable double signin with JWT

* fix: Simple rate limiting

* create placeholder users in db

* fix: Give invited users default avatar
add invited users to people settings

* test

* add transaction

* tmp: test CI

* derp

* md5

* urgh

* again

* test: pass

* test

* fix: Remove usage of data values

* guest signin page

* Visually separator 'Invited' from other people tabs

* fix: Edge case attempting SSO signin for guest email account

* fix: Correctly set email auth method to cookie

* Improve rate limit error display

* lint: cleanup / comments

* Improve invalid token error display

* style tweaks

* pass guest value to subdomain

* Restore copy link option

* feat: Allow invite revoke from people management

* fix: Incorrect users email schema does not allow for user deletion

* lint

* fix: avatarUrl for deleted user failure

* change default to off for guest invites

* fix: Changing security settings wipes subdomain

* fix: user delete permissioning

* test: Add user.invite specs
2019-12-15 18:46:08 -08:00

155 lines
4.1 KiB
JavaScript
Raw Blame History

// @flow
import Sequelize from 'sequelize';
import crypto from 'crypto';
import Router from 'koa-router';
import { capitalize } from 'lodash';
import { OAuth2Client } from 'google-auth-library';
import { User, Team, Event } from '../models';
import auth from '../middlewares/authentication';
const Op = Sequelize.Op;
const router = new Router();
const client = new OAuth2Client(
process.env.GOOGLE_CLIENT_ID,
process.env.GOOGLE_CLIENT_SECRET,
`${process.env.URL}/auth/google.callback`
);
const allowedDomainsEnv = process.env.GOOGLE_ALLOWED_DOMAINS;
// start the oauth process and redirect user to Google
router.get('google', async ctx => {
// Generate the url that will be used for the consent dialog.
const authorizeUrl = client.generateAuthUrl({
access_type: 'offline',
scope: [
'https://www.googleapis.com/auth/userinfo.profile',
'https://www.googleapis.com/auth/userinfo.email',
],
prompt: 'consent',
});
ctx.redirect(authorizeUrl);
});
// signin callback from Google
router.get('google.callback', auth({ required: false }), async ctx => {
const { code } = ctx.request.query;
ctx.assertPresent(code, 'code is required');
const response = await client.getToken(code);
client.setCredentials(response.tokens);
const profile = await client.request({
url: 'https://www.googleapis.com/oauth2/v1/userinfo',
});
if (!profile.data.hd) {
ctx.redirect('/?notice=google-hd');
return;
}
// allow all domains by default if the env is not set
const allowedDomains = allowedDomainsEnv && allowedDomainsEnv.split(',');
if (allowedDomains && !allowedDomains.includes(profile.data.hd)) {
ctx.redirect('/?notice=hd-not-allowed');
return;
}
const googleId = profile.data.hd;
const hostname = profile.data.hd.split('.')[0];
const teamName = capitalize(hostname);
// attempt to get logo from Clearbit API. If one doesn't exist then
// fall back to using tiley to generate a placeholder logo
const hash = crypto.createHash('sha256');
hash.update(googleId);
const hashedGoogleId = hash.digest('hex');
const cbUrl = `https://logo.clearbit.com/${profile.data.hd}`;
const tileyUrl = `https://tiley.herokuapp.com/avatar/${hashedGoogleId}/${
teamName[0]
}.png`;
const cbResponse = await fetch(cbUrl);
const avatarUrl = cbResponse.status === 200 ? cbUrl : tileyUrl;
const [team, isFirstUser] = await Team.findOrCreate({
where: {
googleId,
},
defaults: {
name: teamName,
avatarUrl,
},
});
try {
const [user, isFirstSignin] = await User.findOrCreate({
where: {
[Op.or]: [
{
service: 'google',
serviceId: profile.data.id,
},
{
service: '',
},
],
teamId: team.id,
},
defaults: {
name: profile.data.name,
email: profile.data.email,
isAdmin: isFirstUser,
avatarUrl: profile.data.picture,
},
});
if (isFirstSignin) {
await Event.create({
name: 'users.create',
actorId: user.id,
userId: user.id,
teamId: team.id,
data: {
name: user.name,
service: 'google',
},
ip: ctx.request.ip,
});
}
// update email address if it's changed in Google
if (!isFirstSignin && profile.data.email !== user.email) {
await user.update({ email: profile.data.email });
}
if (isFirstUser) {
await team.provisionFirstCollection(user.id);
await team.provisionSubdomain(hostname);
}
// set cookies on response and redirect to team subdomain
ctx.signIn(user, team, 'google', isFirstSignin);
} catch (err) {
if (err instanceof Sequelize.UniqueConstraintError) {
const exists = await User.findOne({
where: {
service: 'email',
email: profile.data.email,
teamId: team.id,
},
});
if (exists) {
ctx.redirect(`${team.url}?notice=email-auth-required`);
} else {
ctx.redirect(`${team.url}?notice=auth-error`);
}
return;
}
throw err;
}
});
export default router;
Reference in New Issue View Git Blame Copy Permalink