feat: main meat for supporting multiple openid clients

julianlam · julianlam · commit ea523b368b5f · 2023-07-31T10:41:17.000-04:00
diff --git a/library.js b/library.js
@@ -1,84 +1,16 @@
 'use strict';
 
-/*
-		Welcome to the SSO OAuth plugin! If you're inspecting this code, you're probably looking to
-		hook up NodeBB with your existing OAuth endpoint.
-
-		Step 1: Fill in the "constants" section below with the requisite informaton. Either the "oauth"
-				or "oauth2" section needs to be filled, depending on what you set "type" to.
-
-		Step 2: Give it a whirl. If you see the congrats message, you're doing well so far!
-
-		Step 3: Customise the `parseUserReturn` method to normalise your user route's data return into
-				a format accepted by NodeBB. Instructions are provided there. (Line 146)
-
-		Step 4: If all goes well, you'll be able to login/register via your OAuth endpoint credentials.
-	*/
-
 const User = require.main.require('./src/user');
 const Groups = require.main.require('./src/groups');
 const db = require.main.require('./src/database');
 const authenticationController = require.main.require('./src/controllers/authentication');
 const routeHelpers = require.main.require('./src/routes/helpers');
 
-const async = require('async');
-
 const passport = module.parent.require('passport');
 const nconf = module.parent.require('nconf');
 const winston = module.parent.require('winston');
 
-/**
-	 * REMEMBER
-	 *   Never save your OAuth Key/Secret or OAuth2 ID/Secret pair in code! It could be published and leaked accidentally.
-	 *   Save it into your config.json file instead:
-	 *
-	 *   {
-	 *     ...
-	 *     "oauth": {
-	 *       "id": "someoauthid",
-	 *       "secret": "youroauthsecret"
-	 *     }
-	 *     ...
-	 *   }
-	 *
-	 *   ... or use environment variables instead:
-	 *
-	 *   `OAUTH__ID=someoauthid OAUTH__SECRET=youroauthsecret node app.js`
-	 */
-
-const constants = Object.freeze({
-	type: '', // Either 'oauth' or 'oauth2'
-	name: '', // Something unique to your OAuth provider in lowercase, like "github", or "nodebb"
-	oauth: {
-		requestTokenURL: '',
-		accessTokenURL: '',
-		userAuthorizationURL: '',
-		consumerKey: nconf.get('oauth:key'), // don't change this line
-		consumerSecret: nconf.get('oauth:secret'), // don't change this line
-	},
-	oauth2: {
-		authorizationURL: '',
-		tokenURL: '',
-		clientID: nconf.get('oauth:id'), // don't change this line
-		clientSecret: nconf.get('oauth:secret'), // don't change this line
-	},
-	userRoute: '', // This is the address to your app's "user profile" API endpoint (expects JSON)
-});
-
 const OAuth = module.exports;
-let configOk = false;
-let passportOAuth;
-let opts;
-
-if (!constants.name) {
-	winston.error('[sso-oauth] Please specify a name for your OAuth provider (library.js:32)');
-} else if (!constants.type || (constants.type !== 'oauth' && constants.type !== 'oauth2')) {
-	winston.error('[sso-oauth] Please specify an OAuth strategy to utilise (library.js:31)');
-} else if (!constants.userRoute) {
-	winston.error('[sso-oauth] User Route required (library.js:31)');
-} else {
-	configOk = true;
-}
 
 OAuth.init = async (params) => {
 	const { router /* , middleware , controllers */ } = params;
@@ -111,9 +43,9 @@ OAuth.addAdminNavigation = (header) => {
 	return header;
 };
 
-OAuth.listStrategies = async () => {
+OAuth.listStrategies = async (full) => {
 	const names = await db.getSortedSetMembers('oauth2-multiple:strategies');
-	const strategies = await db.getObjects(names.map(name => `oauth2-multiple:strategies:${name}`), ['enabled']);
+	const strategies = await db.getObjects(names.map(name => `oauth2-multiple:strategies:${name}`), full ? undefined : ['enabled']);
 	strategies.forEach((strategy, idx) => {
 		strategy.name = names[idx];
 		strategy.enabled = strategy.enabled === 'true';
@@ -123,184 +55,134 @@ OAuth.listStrategies = async () => {
 	return strategies;
 };
 
-OAuth.getStrategy = function (strategies, callback) {
-	if (configOk) {
-		passportOAuth = require('passport-oauth')[constants.type === 'oauth' ? 'OAuthStrategy' : 'OAuth2Strategy'];
-
-		if (constants.type === 'oauth') {
-			// OAuth options
-			opts = constants.oauth;
-			opts.callbackURL = `${nconf.get('url')}/auth/${constants.name}/callback`;
-
-			passportOAuth.Strategy.prototype.userProfile = function (token, secret, params, done) {
-				// If your OAuth provider requires the access token to be sent in the query  parameters
-				// instead of the request headers, comment out the next line:
-				this._oauth._useAuthorizationHeaderForGET = true;
-
-				this._oauth.get(constants.userRoute, token, secret, (err, body/* , res */) => {
-					if (err) {
-						return done(err);
-					}
-
-					try {
-						const json = JSON.parse(body);
-						OAuth.parseUserReturn(json, (err, profile) => {
-							if (err) return done(err);
-							profile.provider = constants.name;
-
-							done(null, profile);
-						});
-					} catch (e) {
-						done(e);
-					}
-				});
-			};
-		} else if (constants.type === 'oauth2') {
-			// OAuth 2 options
-			opts = constants.oauth2;
-			opts.callbackURL = `${nconf.get('url')}/auth/${constants.name}/callback`;
-
-			passportOAuth.Strategy.prototype.userProfile = function (accessToken, done) {
-				// If your OAuth provider requires the access token to be sent in the query  parameters
-				// instead of the request headers, comment out the next line:
-				this._oauth2._useAuthorizationHeaderForGET = true;
-
-				this._oauth2.get(constants.userRoute, accessToken, (err, body/* , res */) => {
-					if (err) {
-						return done(err);
-					}
-
-					try {
-						const json = JSON.parse(body);
-						OAuth.parseUserReturn(json, (err, profile) => {
-							if (err) return done(err);
-							profile.provider = constants.name;
-
-							done(null, profile);
-						});
-					} catch (e) {
-						done(e);
-					}
-				});
-			};
-		}
-
-		opts.passReqToCallback = true;
-
-		passport.use(constants.name, new passportOAuth(opts, async (req, token, secret, profile, done) => {
-			const user = await OAuth.login({
-				oAuthid: profile.id,
-				handle: profile.displayName,
-				email: profile.emails[0].value,
-				isAdmin: profile.isAdmin,
-			});
-
-			authenticationController.onSuccessfulLogin(req, user.uid);
-			done(null, user);
-		}));
-
-		strategies.push({
-			name: constants.name,
-			url: `/auth/${constants.name}`,
-			callbackURL: `/auth/${constants.name}/callback`,
-			icon: 'fa-check-square',
-			scope: (constants.scope || '').split(','),
+OAuth.loadStrategies = async (strategies) => {
+	const passportOAuth = require('passport-oauth').OAuth2Strategy;
+
+	let configured = await OAuth.listStrategies(true);
+	configured = configured.filter(obj => obj.enabled);
+
+	const configs = configured.map(({
+		name,
+		authUrl: authorizationURL,
+		tokenUrl: tokenURL,
+		id: clientID,
+		secret: clientSecret,
+		callbackUrl: callbackURL,
+	}) => new passportOAuth({
+		authorizationURL,
+		tokenURL,
+		clientID,
+		clientSecret,
+		callbackURL,
+		passReqToCallback: true,
+	}, async (req, token, secret, { id, displayName, email }, done) => {
+		const user = await OAuth.login({
+			name,
+			oAuthid: id,
+			handle: displayName,
+			email,
 		});
 
-		callback(null, strategies);
-	} else {
-		callback(new Error('OAuth Configuration is invalid'));
-	}
-};
+		authenticationController.onSuccessfulLogin(req, user.uid);
+		done(null, user);
+	}));
+
+	configs.forEach((strategy, idx) => {
+		strategy.userProfile = OAuth.getUserProfile.bind(strategy, configured[idx].name, configured[idx].userRoute);
+		passport.use(configured[idx].name, strategy);
+	});
 
-OAuth.parseUserReturn = function (data, callback) {
-	// Alter this section to include whatever data is necessary
-	// NodeBB *requires* the following: id, displayName, emails.
-	// Everything else is optional.
+	strategies.push(...configured.map(({ name }) => ({
+		name,
+		url: `/auth/${name}`,
+		callbackURL: `/auth/${name}/callback`,
+		icon: 'fa-check-square',
+		scope: 'openid email profile',
+	})));
 
-	// Find out what is available by uncommenting this line:
-	// console.log(data);
+	return strategies;
+};
 
-	const profile = {};
-	profile.id = data.id;
-	profile.displayName = data.name;
-	profile.emails = [{ value: data.email }];
+OAuth.getUserProfile = function (name, userRoute, accessToken, done) {
+	// If your OAuth provider requires the access token to be sent in the query parameters
+	// instead of the request headers, comment out the next line:
+	this._oauth2._useAuthorizationHeaderForGET = true;
 
-	// Do you want to automatically make somebody an admin? This line might help you do that...
-	// profile.isAdmin = data.isAdmin ? true : false;
+	this._oauth2.get(userRoute, accessToken, (err, body/* , res */) => {
+		if (err) {
+			return done(err);
+		}
+
+		try {
+			const json = JSON.parse(body);
+			const profile = OAuth.parseUserReturn(json);
+			profile.provider = name;
+			done(null, profile);
+		} catch (e) {
+			done(e);
+		}
+	});
+};
 
-	// Delete or comment out the next TWO (2) lines when you are ready to proceed
-	process.stdout.write('===\nAt this point, you\'ll need to customise the above section to id, displayName, and emails into the "profile" object.\n===');
-	return callback(new Error('Congrats! So far so good -- please see server log for details'));
+OAuth.parseUserReturn = ({ sub, nickname, picture, email/* , email_verified */ }) => {
+	const profile = {};
+	profile.id = sub;
+	profile.displayName = nickname;
+	profile.picture = picture;
+	profile.email = email;
 
-	// eslint-disable-next-line
-		callback(null, profile);
+	return profile;
 };
 
 OAuth.login = async (payload) => {
-	let uid = await OAuth.getUidByOAuthid(payload.oAuthid);
+	let uid = await OAuth.getUidByOAuthid(payload.name, payload.oAuthid);
 	if (uid !== null) {
 		// Existing User
-		return ({
-			uid: uid,
-		});
+		return ({ uid });
 	}
 
 	// Check for user via email fallback
 	uid = await User.getUidByEmail(payload.email);
 	if (!uid) {
-		/**
-			 * The email retrieved from the user profile might not be trusted.
-			 * Only you would know — it's up to you to decide whether or not to:
-			 *   - Send the welcome email which prompts for verification (default)
-			 *   - Bypass the welcome email and automatically verify the email (commented out, below)
-			 */
 		const { email } = payload;
 
 		// New user
 		uid = await User.create({
 			username: payload.handle,
-			email, // if you uncomment the block below, comment this line out
 		});
 
 		// Automatically confirm user email
-		// await User.setUserField(uid, 'email', email);
-		// await UserEmail.confirmByUid(uid);
+		await User.setUserField(uid, 'email', email);
+		await User.email.confirmByUid(uid);
 	}
 
 	// Save provider-specific information to the user
-	await User.setUserField(uid, `${constants.name}Id`, payload.oAuthid);
-	await db.setObjectField(`${constants.name}Id:uid`, payload.oAuthid, uid);
+	await User.setUserField(uid, `${payload.name}Id`, payload.oAuthid);
+	await db.setObjectField(`${payload.name}Id:uid`, payload.oAuthid, uid);
 
-	if (payload.isAdmin) {
-		await Groups.join('administrators', uid);
-	}
-
-	return {
-		uid: uid,
-	};
+	return { uid };
 };
 
-OAuth.getUidByOAuthid = async oAuthid => db.getObjectField(`${constants.name}Id:uid`, oAuthid);
+OAuth.getUidByOAuthid = async (name, oAuthid) => db.getObjectField(`${name}Id:uid`, oAuthid);
 
-OAuth.deleteUserData = function (data, callback) {
-	async.waterfall([
-		async.apply(User.getUserField, data.uid, `${constants.name}Id`),
-		function (oAuthIdToDelete, next) {
-			db.deleteObjectField(`${constants.name}Id:uid`, oAuthIdToDelete, next);
-		},
-	], (err) => {
-		if (err) {
-			winston.error(`[sso-oauth] Could not remove OAuthId data for uid ${data.uid}. Error: ${err}`);
-			return callback(err);
+OAuth.deleteUserData = async (data) => {
+	const names = await db.getSortedSetMembers('oauth2-multiple:strategies');
+	const oAuthIds = await User.getUserFields(data.uid, names.map(name => `${name}Id`));
+
+	await Promise.all(oAuthIds.map(async (oAuthIdToDelete, idx) => {
+		if (!oAuthIdToDelete) {
+			return;
 		}
 
-		callback(null, data);
-	});
+		const name = names[idx];
+		await db.deleteObjectField(`${name}Id:uid`, oAuthIdToDelete);
+	}));
 };
 
 // If this filter is not there, the deleteUserData function will fail when getting the oauthId for deletion.
-OAuth.whitelistFields = function (params, callback) {
-	params.whitelist.push(`${constants.name}Id`);
-	callback(null, params);
+OAuth.whitelistFields = async (params) => {
+	const names = await db.getSortedSetMembers('oauth2-multiple:strategies');
+	params.whitelist.push(...names.map(name => `${name}Id`));
+
+	return params;
 };
diff --git a/plugin.json b/plugin.json
@@ -10,7 +10,7 @@
 		{ "hook": "filter:admin.header.build", "method": "addAdminNavigation" },
 		{ "hook": "static:user.delete", "method": "deleteUserData" },
 		{ "hook": "filter:user.whitelistFields", "method": "whitelistFields" },
-		{ "hook": "filter:auth.init", "method": "getStrategy" }
+		{ "hook": "filter:auth.init", "method": "loadStrategies" }
 	],
 	"modules": {
 		"../admin/plugins/sso-oauth2-multiple.js": "./static/lib/admin.js"
