implemented role and state based authorization

2025-12-13 17:01:50 -05:00
parent 7c4e8d7db8
commit b91ecacb60
8 changed files with 101 additions and 60 deletions
--- a/api/src/routes/auth.ts
+++ b/api/src/routes/auth.ts
@@ -0,0 +1,146 @@
+const passport = require('passport');
+const OpenIDConnectStrategy = require('passport-openidconnect');
+const dotenv = require('dotenv');
+dotenv.config();
+
+const express = require('express');
+const { param } = require('./applications');
+const router = express.Router();
+import { Role } from '@app/shared/types/roles';
+import pool from '../db';
+import { requireLogin } from '../middleware/auth';
+import { getUserRoles } from '../services/rolesService';
+import { getUserState, MemberState } from '../services/memberService';
+const querystring = require('querystring');
+
+
+passport.use(new OpenIDConnectStrategy({
+    issuer: process.env.AUTH_ISSUER,
+    authorizationURL: process.env.AUTH_DOMAIN + '/authorize/',
+    tokenURL: process.env.AUTH_DOMAIN + '/token/',
+    userInfoURL: process.env.AUTH_DOMAIN + '/userinfo/',
+    clientID: process.env.AUTH_CLIENT_ID,
+    clientSecret: process.env.AUTH_CLIENT_SECRET,
+    callbackURL: process.env.AUTH_REDIRECT_URI,
+    scope: ['openid', 'profile']
+}, async function verify(issuer, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) {
+
+    // console.log('--- OIDC verify() called ---');
+    // console.log('issuer:', issuer);
+    // console.log('sub:', sub);
+    // // console.log('profile:', JSON.stringify(profile, null, 2));
+    // console.log('profile:', profile);
+    // console.log('id_token claims:', JSON.stringify(jwtClaims, null, 2));
+    // console.log('preferred_username:', jwtClaims?.preferred_username);
+
+    const con = await pool.getConnection();
+    try {
+        await con.beginTransaction();
+
+        //lookup existing user
+        const existing = await con.query(`SELECT id FROM members WHERE authentik_issuer = ? AND authentik_sub = ? LIMIT 1;`, [issuer, sub]);
+        let memberId;
+        //if member exists
+        if (existing.length > 0) {
+            memberId = existing[0].id;
+        } else {
+            //otherwise: create account
+            const username = sub.username;
+
+            const result = await con.query(
+                `INSERT INTO members (name, authentik_sub, authentik_issuer) VALUES (?, ?, ?)`,
+                [username, sub, issuer]
+            )
+            memberId = Number(result.insertId);
+        }
+        await con.commit();
+        return cb(null, { memberId });
+    } catch (error) {
+        await con.rollback();
+        return cb(error);
+    } finally {
+        con.release();
+    }
+}));
+
+router.get('/login', (req, res, next) => {
+    // Store redirect target in session if provided
+    req.session.redirectTo = req.query.redirect;
+
+    next();
+}, passport.authenticate('openidconnect'));
+
+
+router.get('/callback', (req, res, next) => {
+    const redirectURI = req.session.redirectTo;
+    passport.authenticate('openidconnect', (err, user) => {
+        if (err) return next(err);
+        if (!user) return res.redirect(process.env.CLIENT_URL);
+
+        req.logIn(user, err => {
+            if (err) return next(err);
+
+            // Use redirect saved from session
+            const redirectTo = redirectURI || process.env.CLIENT_URL;
+            delete req.session.redirectTo;
+            return res.redirect(redirectTo);
+        });
+    })(req, res, next);
+});
+
+router.get('/logout', [requireLogin], function (req, res, next) {
+    req.logout(function (err) {
+        if (err) { return next(err); }
+        var params = {
+            client_id: process.env.AUTH_CLIENT_ID,
+            returnTo: process.env.CLIENT_URL
+        };
+        res.redirect(process.env.AUTH_END_SESSION_URI + '?' + querystring.stringify(params));
+    });
+});
+
+passport.serializeUser(function (user, cb) {
+    process.nextTick(function () {
+        cb(null, user);
+    });
+});
+
+passport.deserializeUser(function (user, cb) {
+    process.nextTick(async function () {
+
+        const memberID = user.memberId as number;
+
+        const con = await pool.getConnection();
+
+        var userData: { id: number, name: string, roles: Role[], state: MemberState };
+        try {
+            let userResults = await con.query(`SELECT id, name FROM members WHERE id = ?;`, [memberID])
+            userData = userResults[0];
+            let userRoles = await getUserRoles(memberID);
+            userData.roles = userRoles;
+            userData.state = await getUserState(memberID);
+        } catch (error) {
+            console.error(error)
+        } finally {
+            con.release();
+        }
+        return cb(null, userData);
+    });
+});
+
+declare global {
+    namespace Express {
+        interface Request {
+            user: {
+                id: number;
+                name: string;
+                roles: Role[];
+                state: MemberState;
+            };
+        }
+    }
+}
+
+
+
+module.exports = router;