This repository has been archived by the owner on Mar 11, 2021. It is now read-only.
/
github-auth-hook.js
197 lines (184 loc) · 7.96 KB
/
github-auth-hook.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
'use strict';
const { User, AuthenticationRequired } = require('unleash-server');
const passport = require('passport');
const request = require('request');
const GitHubStrategy = require('passport-github').Strategy;
const githubOrg = process.env.GITHUB_ORG
? process.env.GITHUB_ORG
: 'rhdt-toggles-test';
const githubTeam = process.env.GITHUB_TEAM
? process.env.GITHUB_TEAM
: 'toggles-admin-test';
passport.use(
new GitHubStrategy(
{
clientID: process.env.GITHUB_CLIENT_ID,
clientSecret: process.env.GITHUB_CLIENT_SECRET,
callbackURL: process.env.GITHUB_CALLBACK_URL,
scope: ['read:org'],
},
(accessToken, refreshToken, profile, done) => {
if (!profile.emails) {
// user can choose to not display any email, then use a default one as unleash required it
console.log(`${profile.displayName} has no email provided`);
profile.emails = [];
profile.emails.push({
value: `${profile.displayName}@unknown.com`,
});
console.log(
`Added ${
profile.displayName
}@unknown.com to profile emails: ${profile.emails[0].value}`
);
}
console.log(
`name ${profile.displayName} email ${profile.emails[0].value}`
);
const user = new User({
name: profile.displayName,
email: profile.emails[0].value,
});
// Successful authentication, now check if the authenticated user is a member of the GH org/team, unless `dev mode` is enabled
console.log(
`Fetching teams on https://api.github.com/orgs/${githubOrg}/teams`
);
request(
{
url: `https://api.github.com/orgs/${githubOrg}/teams`,
headers: {
'User-Agent': 'toggles-admin',
Authorization: `Bearer ${accessToken}`,
},
},
(error, response) => {
if (error) {
console.error('access to GH org failed:', error);
return done(null, false, { message: error });
} else if (response.statusCode !== 200) {
console.error(
'access to GH org failed: ',
response.statusCode,
response.body
);
return done(null, false, {
message: `Unable to get the teams in the ${githubOrg} organization. Please contact your team admin and ask her to add you.`,
});
}
// console.log('access to GH org done. Server responded with:', response.body);
const jsonBody = JSON.parse(response.body);
jsonBody.forEach(team => {
if (team.name === githubTeam) {
const teamMemberURL = team.members_url.replace(
'{/member}',
`/${profile.username}`
);
console.log(
`using team URL: ${teamMemberURL} to check for user '${
profile.username
}' in team '${githubTeam}'... `
);
request(
{
url: teamMemberURL,
headers: {
'User-Agent': 'toggles-admin',
Authorization: `Bearer ${accessToken}`,
},
},
(err, res) => {
if (err) {
console.error(
'access to GH team failed:',
err
);
return done(null, false, {
message: err,
});
} else if (res.statusCode !== 204) {
console.error(
'access to GH team failed: ',
res.statusCode,
res.body
);
return done(null, false, {
message: `User does not belong to the ${githubTeam} team. Please contact your team admin and ask her to add you.`,
});
}
// user belongs to the org/team
done(null, user);
}
);
}
});
}
);
}
)
);
function enableGitHubOAuth(app) {
app.use(passport.initialize());
app.use(passport.session());
passport.serializeUser((user, done) => {
done(null, user);
});
passport.deserializeUser((user, done) => {
done(null, user);
});
app.get('/api/admin/login', passport.authenticate('github'));
const context = process.env.TOGGLES_CONTEXT
? process.env.TOGGLES_CONTEXT
: '';
// use custom callback http://www.passportjs.org/docs/authenticate/#custom-callback to better deal with error message
app.get('/api/auth/callback', (req, res, next) => {
passport.authenticate('github', (err, user, info) => {
console.log(
`Calling /api/auth/callback with session user=${user}, info=${info} and error=${err}`
);
if (user) {
req.session.error = null; // reset the error if the a previous session is used
req.session.user = user;
} else {
// if no user, display error
if (info) {
const message = info.message;
req.session.error = message;
}
req.logout();
}
return res.redirect(`${context}/`);
})(req, res, next);
});
app.use('/api/admin/', (req, res, next) => {
// console.log(`Calling /api/admin with session user=${req.session.user} and error=${req.session.error}`)
if (req.session && req.session.error) {
// todo with 403 and AuthorizationRequired - once the ui supports it
return res
.status('401')
.json(
new AuthenticationRequired({
path: `${context}/api/admin/login`,
type: 'none',
message: req.session.error,
})
)
.end();
} else if (req.session && req.session.user) {
req.user = req.session.user;
next();
} else {
// Instruct unleash-frontend to pop-up auth dialog
return res
.status('401')
.json(
new AuthenticationRequired({
path: `${context}/api/admin/login`,
type: 'custom',
message: `You have to identify yourself in order to use Unleash.
Click the button and follow the instructions.`,
})
)
.end();
}
});
}
module.exports = enableGitHubOAuth;