zeppelin/backend/src/api/auth.ts

import express, { Request, Response } from "express";
import passport, { Strategy } from "passport";
import OAuth2Strategy from "passport-oauth2";
import { Strategy as CustomStrategy } from "passport-custom";
import { ApiLogins } from "../data/ApiLogins";
import pick from "lodash.pick";
import https from "https";
import { ApiUserInfo } from "../data/ApiUserInfo";
import { ApiUserInfoData } from "../data/entities/ApiUserInfo";
import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";
import { ok } from "./responses";

interface IPassportApiUser {
  apiKey: string;
  userId: number;
}

declare global {
  namespace Express {
    // tslint:disable-next-line:no-empty-interface
    interface User extends IPassportApiUser {}
  }
}

const DISCORD_API_URL = "https://discord.com/api";

function simpleDiscordAPIRequest(bearerToken, path): Promise<any> {
  return new Promise((resolve, reject) => {
    const request = https.get(
      `${DISCORD_API_URL}/${path}`,
      {
        headers: {
          Authorization: `Bearer ${bearerToken}`,
        },
      },
      res => {
        if (res.statusCode !== 200) {
          reject(new Error(`Discord API error ${res.statusCode}`));
          return;
        }

        res.on("data", data => resolve(JSON.parse(data)));
      },
    );

    request.on("error", err => reject(err));
  });
}

export function initAuth(app: express.Express) {
  app.use(passport.initialize());

  if (!process.env.CLIENT_ID) {
    throw new Error("Auth: CLIENT ID missing");
  }

  if (!process.env.CLIENT_SECRET) {
    throw new Error("Auth: CLIENT SECRET missing");
  }

  if (!process.env.OAUTH_CALLBACK_URL) {
    throw new Error("Auth: OAUTH CALLBACK URL missing");
  }

  if (!process.env.DASHBOARD_URL) {
    throw new Error("DASHBOARD_URL missing!");
  }

  passport.serializeUser((user, done) => done(null, user));
  passport.deserializeUser((user, done) => done(null, user));

  const apiLogins = new ApiLogins();
  const apiUserInfo = new ApiUserInfo();
  const apiPermissionAssignments = new ApiPermissionAssignments();

  // Initialize API tokens
  passport.use(
    "api-token",
    new CustomStrategy(async (req, cb) => {
      const apiKey = req.header("X-Api-Key");
      if (!apiKey) return cb("API key missing");

      const userId = await apiLogins.getUserIdByApiKey(apiKey);
      if (userId) {
        return cb(null, { apiKey, userId });
      }

      cb("API key not found");
    }),
  );

  // Initialize OAuth2 for Discord login
  // When the user logs in through OAuth2, we create them a "login" (= api token) and update their user info in the DB
  passport.use(
    new OAuth2Strategy(
      {
        authorizationURL: "https://discord.com/api/oauth2/authorize",
        tokenURL: "https://discord.com/api/oauth2/token",
        clientID: process.env.CLIENT_ID,
        clientSecret: process.env.CLIENT_SECRET,
        callbackURL: process.env.OAUTH_CALLBACK_URL,
        scope: ["identify"],
      },
      async (accessToken, refreshToken, profile, cb) => {
        const user = await simpleDiscordAPIRequest(accessToken, "users/@me");

        // Make sure the user is able to access at least 1 guild
        const permissions = await apiPermissionAssignments.getByUserId(user.id);
        if (permissions.length === 0) {
          cb(null, {});
          return;
        }

        // Generate API key
        const apiKey = await apiLogins.addLogin(user.id);
        const userData = pick(user, ["username", "discriminator", "avatar"]) as ApiUserInfoData;
        await apiUserInfo.update(user.id, userData);
        // TODO: Revoke access token, we don't need it anymore
        cb(null, { apiKey });
      },
    ),
  );

  app.get("/auth/login", passport.authenticate("oauth2"));
  app.get(
    "/auth/oauth-callback",
    passport.authenticate("oauth2", { failureRedirect: "/", session: false }),
    (req: Request, res: Response) => {
      if (req.user && req.user.apiKey) {
        res.redirect(`${process.env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`);
      } else {
        res.redirect(`${process.env.DASHBOARD_URL}/login-callback/?error=noAccess`);
      }
    },
  );
  app.post("/auth/validate-key", async (req: Request, res: Response) => {
    const key = req.body.key;
    if (!key) {
      return res.status(400).json({ error: "No key supplied" });
    }

    const userId = await apiLogins.getUserIdByApiKey(key);
    if (!userId) {
      return res.json({ valid: false });
    }

    res.json({ valid: true });
  });
  app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
    await apiLogins.expireApiKey(req.user.apiKey);
    return ok(res);
  });
}

export function apiTokenAuthHandlers() {
  return [
    passport.authenticate("api-token", { failWithError: true }),
    (err, req: Request, res: Response, next) => {
      return res.json({ error: err.message });
    },
  ];
}
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`import express, { Request, Response } from "express";`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`import passport, { Strategy } from "passport";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`import OAuth2Strategy from "passport-oauth2";`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`import { Strategy as CustomStrategy } from "passport-custom";`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`import { ApiLogins } from "../data/ApiLogins";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`import pick from "lodash.pick";`
			`import https from "https";`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`import { ApiUserInfo } from "../data/ApiUserInfo";`
			`import { ApiUserInfoData } from "../data/entities/ApiUserInfo";`
More work on API permissions 2019-11-08 00:04:24 +02:00			`import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`import { ok } from "./responses";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`interface IPassportApiUser {`
			`apiKey: string;`
			`userId: number;`
			`}`

			`declare global {`
			`namespace Express {`
			`// tslint:disable-next-line:no-empty-interface`
			`interface User extends IPassportApiUser {}`
			`}`
			`}`

discordapp.com -> discord.com 2020-05-04 21:56:15 +03:00			`const DISCORD_API_URL = "https://discord.com/api";`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`function simpleDiscordAPIRequest(bearerToken, path): Promise<any> {`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`return new Promise((resolve, reject) => {`
			`const request = https.get(`
			`${DISCORD_API_URL}/${path}`,
			`{`
			`headers: {`
			Authorization: `Bearer ${bearerToken}`,
			`},`
			`},`
			`res => {`
			`if (res.statusCode !== 200) {`
			reject(new Error(`Discord API error ${res.statusCode}`));
			`return;`
			`}`

			`res.on("data", data => resolve(JSON.parse(data)));`
			`},`
			`);`

			`request.on("error", err => reject(err));`
			`});`
			`}`

Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`export function initAuth(app: express.Express) {`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`app.use(passport.initialize());`

			`if (!process.env.CLIENT_ID) {`
			`throw new Error("Auth: CLIENT ID missing");`
			`}`

			`if (!process.env.CLIENT_SECRET) {`
			`throw new Error("Auth: CLIENT SECRET missing");`
			`}`

			`if (!process.env.OAUTH_CALLBACK_URL) {`
			`throw new Error("Auth: OAUTH CALLBACK URL missing");`
			`}`

			`if (!process.env.DASHBOARD_URL) {`
			`throw new Error("DASHBOARD_URL missing!");`
			`}`

			`passport.serializeUser((user, done) => done(null, user));`
			`passport.deserializeUser((user, done) => done(null, user));`

Dashboard work and related 2019-06-23 19:18:41 +03:00			`const apiLogins = new ApiLogins();`
			`const apiUserInfo = new ApiUserInfo();`
More work on API permissions 2019-11-08 00:04:24 +02:00			`const apiPermissionAssignments = new ApiPermissionAssignments();`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
			`// Initialize API tokens`
			`passport.use(`
			`"api-token",`
			`new CustomStrategy(async (req, cb) => {`
			`const apiKey = req.header("X-Api-Key");`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`if (!apiKey) return cb("API key missing");`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00
Dashboard work and related 2019-06-23 19:18:41 +03:00			`const userId = await apiLogins.getUserIdByApiKey(apiKey);`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`if (userId) {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return cb(null, { apiKey, userId });`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`}`

Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`cb("API key not found");`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`}),`
			`);`

			`// Initialize OAuth2 for Discord login`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`// When the user logs in through OAuth2, we create them a "login" (= api token) and update their user info in the DB`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`passport.use(`
			`new OAuth2Strategy(`
			`{`
discordapp.com -> discord.com 2020-05-04 21:56:15 +03:00			`authorizationURL: "https://discord.com/api/oauth2/authorize",`
			`tokenURL: "https://discord.com/api/oauth2/token",`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`clientID: process.env.CLIENT_ID,`
			`clientSecret: process.env.CLIENT_SECRET,`
			`callbackURL: process.env.OAUTH_CALLBACK_URL,`
			`scope: ["identify"],`
			`},`
			`async (accessToken, refreshToken, profile, cb) => {`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`const user = await simpleDiscordAPIRequest(accessToken, "users/@me");`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00
			`// Make sure the user is able to access at least 1 guild`
More work on API permissions 2019-11-08 00:04:24 +02:00			`const permissions = await apiPermissionAssignments.getByUserId(user.id);`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`if (permissions.length === 0) {`
			`cb(null, {});`
			`return;`
			`}`

			`// Generate API key`
Dashboard work and related 2019-06-23 19:18:41 +03:00			`const apiKey = await apiLogins.addLogin(user.id);`
			`const userData = pick(user, ["username", "discriminator", "avatar"]) as ApiUserInfoData;`
			`await apiUserInfo.update(user.id, userData);`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`// TODO: Revoke access token, we don't need it anymore`
			`cb(null, { apiKey });`
			`},`
			`),`
			`);`

			`app.get("/auth/login", passport.authenticate("oauth2"));`
			`app.get(`
			`"/auth/oauth-callback",`
			`passport.authenticate("oauth2", { failureRedirect: "/", session: false }),`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`(req: Request, res: Response) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`if (req.user && req.user.apiKey) {`
			res.redirect(`${process.env.DASHBOARD_URL}/login-callback/?apiKey=${req.user.apiKey}`);
			`} else {`
dashboard: use webpack for builds; use tailwindcss instead of bulma; all sorts of tweaks 2019-10-10 21:58:00 +03:00			res.redirect(`${process.env.DASHBOARD_URL}/login-callback/?error=noAccess`);
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`}`
Initial dashboard work (auth flow) 2019-05-26 00:13:42 +03:00			`},`
			`);`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`app.post("/auth/validate-key", async (req: Request, res: Response) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`const key = req.body.key;`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`if (!key) {`
			`return res.status(400).json({ error: "No key supplied" });`
			`}`

Dashboard work and related 2019-06-23 19:18:41 +03:00			`const userId = await apiLogins.getUserIdByApiKey(key);`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`if (!userId) {`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`return res.json({ valid: false });`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`}`

dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`res.json({ valid: true });`
			`});`
Fix overzealous auth requirement in API 2019-07-22 00:49:05 +03:00			`app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`await apiLogins.expireApiKey(req.user.apiKey);`
			`return ok(res);`
			`});`
			`}`

Fix overzealous auth requirement in API 2019-07-22 00:49:05 +03:00			`export function apiTokenAuthHandlers() {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return [`
			`passport.authenticate("api-token", { failWithError: true }),`
Reorganize project. Add folder for shared code between backend/dashboard. Switch from jest to ava for tests. 2019-11-02 22:11:26 +02:00			`(err, req: Request, res: Response, next) => {`
Dashboard styling; don't allow login if you have no guild perms; allow logging out 2019-07-22 00:11:24 +03:00			`return res.json({ error: err.message });`
			`},`
			`];`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`}`