169 lines
5.5 KiB
TypeScript
169 lines
5.5 KiB
TypeScript
const passport = require('passport');
|
|
const OpenIDConnectStrategy = require('passport-openidconnect');
|
|
const dotenv = require('dotenv');
|
|
dotenv.config();
|
|
|
|
const express = require('express');
|
|
const { param } = require('./applications');
|
|
const router = express.Router();
|
|
import { Role } from '@app/shared/types/roles';
|
|
import pool from '../db';
|
|
import { requireLogin } from '../middleware/auth';
|
|
import { getUserRoles } from '../services/rolesService';
|
|
import { getUserState, mapDiscordtoID } from '../services/memberService';
|
|
import { MemberState } from '@app/shared/types/member';
|
|
import { toDateTime } from '@app/shared/utils/time';
|
|
const querystring = require('querystring');
|
|
|
|
function parseJwt(token) {
|
|
return JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
|
|
}
|
|
|
|
passport.use(new OpenIDConnectStrategy({
|
|
issuer: process.env.AUTH_ISSUER,
|
|
authorizationURL: process.env.AUTH_DOMAIN + '/authorize/',
|
|
tokenURL: process.env.AUTH_DOMAIN + '/token/',
|
|
userInfoURL: process.env.AUTH_DOMAIN + '/userinfo/',
|
|
clientID: process.env.AUTH_CLIENT_ID,
|
|
clientSecret: process.env.AUTH_CLIENT_SECRET,
|
|
callbackURL: process.env.AUTH_REDIRECT_URI,
|
|
scope: ['openid', 'profile', 'discord']
|
|
}, async function verify(issuer, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) {
|
|
|
|
// console.log('--- OIDC verify() called ---');
|
|
// console.log('issuer:', issuer);
|
|
// console.log('sub:', sub);
|
|
// // console.log('discord:', discord);
|
|
// console.log('profile:', profile);
|
|
// console.log('jwt: ', parseJwt(jwtClaims));
|
|
// console.log('params:', params);
|
|
|
|
|
|
try {
|
|
var con = await pool.getConnection();
|
|
|
|
await con.beginTransaction();
|
|
|
|
//lookup existing user
|
|
const existing = await con.query(`SELECT id FROM members WHERE authentik_issuer = ? AND authentik_sub = ? LIMIT 1;`, [issuer, sub]);
|
|
let memberId: number;
|
|
//if member exists
|
|
if (existing.length > 0) {
|
|
memberId = existing[0].id;
|
|
} else {
|
|
//otherwise: create account
|
|
const jwt = parseJwt(jwtClaims);
|
|
const discordID = jwt.discord.id as number;
|
|
|
|
//check if account is available to claim
|
|
memberId = await mapDiscordtoID(discordID);
|
|
|
|
if (memberId === null) {
|
|
// create new account
|
|
const username = sub.username;
|
|
const result = await con.query(
|
|
`INSERT INTO members (name, authentik_sub, authentik_issuer) VALUES (?, ?, ?)`,
|
|
[username, sub, issuer]
|
|
)
|
|
memberId = Number(result.insertId);
|
|
} else {
|
|
// claim existing account
|
|
const result = await con.query(
|
|
`UPDATE members SET authentik_sub = ?, authentik_issuer = ? WHERE id = ?;`,
|
|
[sub, issuer, memberId]
|
|
)
|
|
}
|
|
}
|
|
|
|
await con.query(`UPDATE members SET last_login = ? WHERE id = ?`, [toDateTime(new Date()), memberId])
|
|
|
|
await con.commit();
|
|
return cb(null, { memberId });
|
|
} catch (error) {
|
|
await con.rollback();
|
|
return cb(error);
|
|
} finally {
|
|
con.release();
|
|
}
|
|
}));
|
|
|
|
router.get('/login', (req, res, next) => {
|
|
// Store redirect target in session if provided
|
|
req.session.redirectTo = req.query.redirect;
|
|
|
|
next();
|
|
}, passport.authenticate('openidconnect'));
|
|
|
|
|
|
router.get('/callback', (req, res, next) => {
|
|
const redirectURI = req.session.redirectTo;
|
|
passport.authenticate('openidconnect', (err, user) => {
|
|
if (err) return next(err);
|
|
if (!user) return res.redirect(process.env.CLIENT_URL);
|
|
|
|
req.logIn(user, err => {
|
|
if (err) return next(err);
|
|
|
|
// Use redirect saved from session
|
|
const redirectTo = redirectURI || process.env.CLIENT_URL;
|
|
delete req.session.redirectTo;
|
|
return res.redirect(redirectTo);
|
|
});
|
|
})(req, res, next);
|
|
});
|
|
|
|
router.get('/logout', [requireLogin], function (req, res, next) {
|
|
req.logout(function (err) {
|
|
if (err) { return next(err); }
|
|
var params = {
|
|
client_id: process.env.AUTH_CLIENT_ID,
|
|
returnTo: process.env.CLIENT_URL
|
|
};
|
|
res.redirect(process.env.AUTH_END_SESSION_URI + '?' + querystring.stringify(params));
|
|
});
|
|
});
|
|
|
|
passport.serializeUser(function (user, cb) {
|
|
process.nextTick(function () {
|
|
cb(null, user);
|
|
});
|
|
});
|
|
|
|
passport.deserializeUser(function (user, cb) {
|
|
process.nextTick(async function () {
|
|
|
|
const memberID = user.memberId as number;
|
|
|
|
|
|
var userData: { id: number, name: string, roles: Role[], state: MemberState };
|
|
try {
|
|
var con = await pool.getConnection();
|
|
let userResults = await con.query(`SELECT id, name FROM members WHERE id = ?;`, [memberID])
|
|
userData = userResults[0];
|
|
let userRoles = await getUserRoles(memberID);
|
|
userData.roles = userRoles || [];
|
|
userData.state = await getUserState(memberID);
|
|
} catch (error) {
|
|
console.error(error)
|
|
} finally {
|
|
con.release();
|
|
}
|
|
return cb(null, userData);
|
|
});
|
|
});
|
|
|
|
declare global {
|
|
namespace Express {
|
|
interface Request {
|
|
user: {
|
|
id: number;
|
|
name: string;
|
|
roles: Role[];
|
|
state: MemberState;
|
|
};
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
export const authRouter = router; |