zappyzep/backend/src/api/auth.ts

import express, { Request, Response } from "express";
import https from "https";
import pick from "lodash.pick";
import passport from "passport";
import { Strategy as CustomStrategy } from "passport-custom";
import OAuth2Strategy from "passport-oauth2";
import { ApiLogins } from "../data/ApiLogins";
import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";
import { ApiUserInfo } from "../data/ApiUserInfo";
import { ApiUserInfoData } from "../data/entities/ApiUserInfo";
import { env } from "../env";
import { ok } from "./responses";

interface IPassportApiUser {
  apiKey: string;
  userId: string;
}

declare global {
  namespace Express {
    interface User extends IPassportApiUser {}
  }
}

const DISCORD_API_URL = "https://discord.com/api";

function simpleDiscordAPIRequest(bearerToken, path): Promise<any> {
  return new Promise((resolve, reject) => {
    const request = https.get(
      `${DISCORD_API_URL}/${path}`,
      {
        headers: {
          Authorization: `Bearer ${bearerToken}`,
        },
      },
      (res) => {
        if (res.statusCode !== 200) {
          reject(new Error(`Discord API error ${res.statusCode}`));
          return;
        }

        let rawData = "";
        res.on("data", (data) => (rawData += data));
        res.on("end", () => {
          resolve(JSON.parse(rawData));
        });
      },
    );

    request.on("error", (err) => reject(err));
  });
}

export function initAuth(router: express.Router) {
  router.use(passport.initialize());

  passport.serializeUser((user, done) => done(null, user));
  passport.deserializeUser((user, done) => done(null, user as IPassportApiUser));

  const apiLogins = new ApiLogins();
  const apiUserInfo = new ApiUserInfo();
  const apiPermissionAssignments = new ApiPermissionAssignments();

  // Initialize API tokens
  passport.use(
    "api-token",
    new CustomStrategy(async (req, cb) => {
      const apiKey = req.header("X-Api-Key") || req.body?.["X-Api-Key"];
      if (!apiKey) return cb("API key missing");

      const userId = await apiLogins.getUserIdByApiKey(apiKey);
      if (userId) {
        void apiLogins.refreshApiKeyExpiryTime(apiKey); // Refresh expiry time in the background
        return cb(null, { apiKey, userId });
      }

      cb("API key not found");
    }),
  );

  // Initialize OAuth2 for Discord login
  // When the user logs in through OAuth2, we create them a "login" (= api token) and update their user info in the DB
  passport.use(
    new OAuth2Strategy(
      {
        authorizationURL: "https://discord.com/api/oauth2/authorize",
        tokenURL: "https://discord.com/api/oauth2/token",
        clientID: env.CLIENT_ID,
        clientSecret: env.CLIENT_SECRET,
        callbackURL: `${env.API_URL}/auth/oauth-callback`,
        scope: ["identify"],
      },
      async (accessToken, refreshToken, profile, cb) => {
        const user = await simpleDiscordAPIRequest(accessToken, "users/@me");

        // Make sure the user is able to access at least 1 guild
        const permissions = await apiPermissionAssignments.getByUserId(user.id);
        if (permissions.length === 0) {
          cb(null, {});
          return;
        }

        // Generate API key
        const apiKey = await apiLogins.addLogin(user.id);
        const userData = pick(user, ["username", "discriminator", "avatar"]) as ApiUserInfoData;
        await apiUserInfo.update(user.id, userData);
        // TODO: Revoke access token, we don't need it anymore
        cb(null, { apiKey });
      },
    ),
  );

  router.get("/auth/login", passport.authenticate("oauth2"));
  router.get(
    "/auth/oauth-callback",
    passport.authenticate("oauth2", { failureRedirect: "/", session: false }),
    (req: Request, res: Response) => {
      if (req.user && req.user.apiKey) {
        res.redirect(`${env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`);
      } else {
        res.redirect(`${env.DASHBOARD_URL}/login-callback/?error=noAccess`);
      }
    },
  );
  router.post("/auth/validate-key", async (req: Request, res: Response) => {
    const key = req.body.key;
    if (!key) {
      return res.status(400).json({ error: "No key supplied" });
    }

    const userId = await apiLogins.getUserIdByApiKey(key);
    if (!userId) {
      return res.json({ valid: false });
    }

    res.json({ valid: true, userId });
  });
  router.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
    await apiLogins.expireApiKey(req.user!.apiKey);
    return ok(res);
  });

  // API route to refresh the given API token's expiry time
  // The actual refreshing happens in the api-token passport strategy above, so we just return 200 OK here
  router.post("/auth/refresh", ...apiTokenAuthHandlers(), (req, res) => {
    return ok(res);
  });
}

export function apiTokenAuthHandlers() {
  return [
    passport.authenticate("api-token", { failWithError: true, session: false }),
    // eslint-disable-next-line @typescript-eslint/no-unused-vars
    (err, req: Request, res: Response, next) => {
      return res.status(401).json({ error: err.message });
    },
  ];
}
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`import express, { Request, Response } from "express";`
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import https from "https";`
			`import pick from "lodash.pick";`
Add custom logger. Fix a bunch of errors. Optimize imports. 2020-07-22 22:56:21 +03:00			`import passport from "passport";`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`import { Strategy as CustomStrategy } from "passport-custom";`
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import OAuth2Strategy from "passport-oauth2";`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`import { ApiLogins } from "../data/ApiLogins";`
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`import { ApiUserInfo } from "../data/ApiUserInfo";`
			`import { ApiUserInfoData } from "../data/entities/ApiUserInfo";`
Consolidate .env files. More work on dev containers. 2022-06-26 14:34:54 +03:00			`import { env } from "../env";`
Update djs & knub (#395) * update pkgs Signed-off-by: GitHub <noreply@github.com> * new knub typings Signed-off-by: GitHub <noreply@github.com> * more pkg updates Signed-off-by: GitHub <noreply@github.com> * more fixes Signed-off-by: GitHub <noreply@github.com> * channel typings Signed-off-by: GitHub <noreply@github.com> * more message utils typings fixes Signed-off-by: GitHub <noreply@github.com> * migrate permissions Signed-off-by: GitHub <noreply@github.com> * fix: InternalPoster webhookables Signed-off-by: GitHub <noreply@github.com> * djs typings: Attachment & Util Signed-off-by: GitHub <noreply@github.com> * more typings Signed-off-by: GitHub <noreply@github.com> * fix: rename permissionNames Signed-off-by: GitHub <noreply@github.com> * more fixes Signed-off-by: GitHub <noreply@github.com> * half the number of errors * knub commands => messageCommands Signed-off-by: GitHub <noreply@github.com> * configPreprocessor => configParser Signed-off-by: GitHub <noreply@github.com> * fix channel.messages Signed-off-by: GitHub <noreply@github.com> * revert automod any typing Signed-off-by: GitHub <noreply@github.com> * more configParser typings Signed-off-by: GitHub <noreply@github.com> * revert Signed-off-by: GitHub <noreply@github.com> * remove knub type params Signed-off-by: GitHub <noreply@github.com> * fix more MessageEmbed / MessageOptions Signed-off-by: GitHub <noreply@github.com> * dumb commit for @almeidx to see why this is stupid Signed-off-by: GitHub <noreply@github.com> * temp disable custom_events Signed-off-by: GitHub <noreply@github.com> * more minor typings fixes - 23 err left Signed-off-by: GitHub <noreply@github.com> * update djs dep * +debug build method (revert this) Signed-off-by: GitHub <noreply@github.com> * Revert "+debug build method (revert this)" This reverts commit a80af1e729b742d1aad1097df538d224fbd32ce7. * Redo +debug build (Revert this) Signed-off-by: GitHub <noreply@github.com> * uniform before/after Load shorthands Signed-off-by: GitHub <noreply@github.com> * remove unused imports & add prettier plugin Signed-off-by: GitHub <noreply@github.com> * env fixes for web platform hosting Signed-off-by: GitHub <noreply@github.com> * feat: knub v32-next; related fixes * fix: allow legacy keys in change_perms action * fix: request Message Content intent * fix: use Knub's config validation logic in API * fix(dashboard): fix error when there are no message and/or slash commands in a plugin * fix(automod): start_thread action thread options * fix(CustomEvents): message command types * chore: remove unneeded type annotation * feat: add forum channel icon; use thread icon for news threads * chore: make tslint happy * chore: fix formatting --------- Signed-off-by: GitHub <noreply@github.com> Co-authored-by: almeidx <almeidx@pm.me> Co-authored-by: Dragory <2606411+Dragory@users.noreply.github.com> 2023-04-01 12:58:17 +01:00			`import { ok } from "./responses";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`interface IPassportApiUser {`
			`apiKey: string;`
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`userId: string;`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`}`

			`declare global {`
			`namespace Express {`
			`interface User extends IPassportApiUser {}`
			`}`
			`}`

discordapp.com -> discord.com 2020-05-04 21:56:15 +03:00			`const DISCORD_API_URL = "https://discord.com/api";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`function simpleDiscordAPIRequest(bearerToken, path): Promise<any> {`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`return new Promise((resolve, reject) => {`
			`const request = https.get(`
			`${DISCORD_API_URL}/${path}`,
			`{`
			`headers: {`
			Authorization: `Bearer ${bearerToken}`,
			`},`
			`},`
Reformat all files with Prettier 2021-09-11 19:06:51 +03:00			`(res) => {`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`if (res.statusCode !== 200) {`
			reject(new Error(`Discord API error ${res.statusCode}`));
			`return;`
			`}`

Fix handling of partial server responses in simpleDiscordAPIRequest() 2021-04-12 13:04:04 +03:00			`let rawData = "";`
Reformat all files with Prettier 2021-09-11 19:06:51 +03:00			`res.on("data", (data) => (rawData += data));`
Fix handling of partial server responses in simpleDiscordAPIRequest() 2021-04-12 13:04:04 +03:00			`res.on("end", () => {`
			`resolve(JSON.parse(rawData));`
			`});`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`},`
			`);`

Reformat all files with Prettier 2021-09-11 19:06:51 +03:00			`request.on("error", (err) => reject(err));`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`});`
			`}`

feat: add api prefix option 2024-04-06 11:54:31 +00:00			`export function initAuth(router: express.Router) {`
			`router.use(passport.initialize());`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
			`passport.serializeUser((user, done) => done(null, user));`
chore: update dependencies 2023-04-01 20:31:44 +03:00			`passport.deserializeUser((user, done) => done(null, user as IPassportApiUser));`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Dashboard work and related 2019-06-23 19:18:41 +03:00			`const apiLogins = new ApiLogins();`
			`const apiUserInfo = new ApiUserInfo();`
More work on API permissions 2019-11-08 00:04:24 +02:00			`const apiPermissionAssignments = new ApiPermissionAssignments();`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
			`// Initialize API tokens`
			`passport.use(`
			`"api-token",`
			`new CustomStrategy(async (req, cb) => {`
feat: download data exports directly from the server without a JS download step 2021-11-03 01:14:41 +02:00			`const apiKey = req.header("X-Api-Key") \|\| req.body?.["X-Api-Key"];`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`if (!apiKey) return cb("API key missing");`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Dashboard work and related 2019-06-23 19:18:41 +03:00			`const userId = await apiLogins.getUserIdByApiKey(apiKey);`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`if (userId) {`
Refresh dashboard authentication on every API call and every 15 minutes 2021-05-22 21:15:13 +03:00			`void apiLogins.refreshApiKeyExpiryTime(apiKey); // Refresh expiry time in the background`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return cb(null, { apiKey, userId });`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`}`

Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`cb("API key not found");`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`}),`
			`);`

			`// Initialize OAuth2 for Discord login`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`// When the user logs in through OAuth2, we create them a "login" (= api token) and update their user info in the DB`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`passport.use(`
			`new OAuth2Strategy(`
			`{`
discordapp.com -> discord.com 2020-05-04 21:56:15 +03:00			`authorizationURL: "https://discord.com/api/oauth2/authorize",`
			`tokenURL: "https://discord.com/api/oauth2/token",`
Consolidate .env files. More work on dev containers. 2022-06-26 14:34:54 +03:00			`clientID: env.CLIENT_ID,`
			`clientSecret: env.CLIENT_SECRET,`
Simplify dev docker setup 2022-06-26 19:30:46 +03:00			callbackURL: `${env.API_URL}/auth/oauth-callback`,
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`scope: ["identify"],`
			`},`
			`async (accessToken, refreshToken, profile, cb) => {`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`const user = await simpleDiscordAPIRequest(accessToken, "users/@me");`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00
			`// Make sure the user is able to access at least 1 guild`
More work on API permissions 2019-11-08 00:04:24 +02:00			`const permissions = await apiPermissionAssignments.getByUserId(user.id);`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`if (permissions.length === 0) {`
			`cb(null, {});`
			`return;`
			`}`

			`// Generate API key`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`const apiKey = await apiLogins.addLogin(user.id);`
			`const userData = pick(user, ["username", "discriminator", "avatar"]) as ApiUserInfoData;`
			`await apiUserInfo.update(user.id, userData);`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`// TODO: Revoke access token, we don't need it anymore`
			`cb(null, { apiKey });`
			`},`
			`),`
			`);`

feat: add api prefix option 2024-04-06 11:54:31 +00:00			`router.get("/auth/login", passport.authenticate("oauth2"));`
			`router.get(`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`"/auth/oauth-callback",`
			`passport.authenticate("oauth2", { failureRedirect: "/", session: false }),`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`(req: Request, res: Response) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`if (req.user && req.user.apiKey) {`
Simplify dev docker setup 2022-06-26 19:30:46 +03:00			res.redirect(`${env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`);
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`} else {`
Simplify dev docker setup 2022-06-26 19:30:46 +03:00			res.redirect(`${env.DASHBOARD_URL}/login-callback/?error=noAccess`);
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`}`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`},`
			`);`
feat: add api prefix option 2024-04-06 11:54:31 +00:00			`router.post("/auth/validate-key", async (req: Request, res: Response) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`const key = req.body.key;`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`if (!key) {`
			`return res.status(400).json({ error: "No key supplied" });`
			`}`

Dashboard work and related 2019-06-23 19:18:41 +03:00			`const userId = await apiLogins.getUserIdByApiKey(key);`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`if (!userId) {`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`return res.json({ valid: false });`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`}`

Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`res.json({ valid: true, userId });`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`});`
feat: add api prefix option 2024-04-06 11:54:31 +00:00			`router.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {`
Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			`await apiLogins.expireApiKey(req.user!.apiKey);`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return ok(res);`
			`});`
Refresh dashboard authentication on every API call and every 15 minutes 2021-05-22 21:15:13 +03:00
			`// API route to refresh the given API token's expiry time`
			`// The actual refreshing happens in the api-token passport strategy above, so we just return 200 OK here`
feat: add api prefix option 2024-04-06 11:54:31 +00:00			`router.post("/auth/refresh", ...apiTokenAuthHandlers(), (req, res) => {`
Refresh dashboard authentication on every API call and every 15 minutes 2021-05-22 21:15:13 +03:00			`return ok(res);`
			`});`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`}`

Fix overzealous auth requirement in API 2019-07-22 00:49:05 +03:00			`export function apiTokenAuthHandlers() {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return [`
fix: api key verification/dashboard login 2023-07-01 17:09:23 +00:00			`passport.authenticate("api-token", { failWithError: true, session: false }),`
chore: fix lint errors; tweak lint rules 2023-05-08 22:58:51 +03:00			`// eslint-disable-next-line @typescript-eslint/no-unused-vars`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`(err, req: Request, res: Response, next) => {`
Detect expired dashboard logins and redirect to the splash page 2021-05-22 21:33:34 +03:00			`return res.status(401).json({ error: err.message });`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`},`
			`];`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`}`