268 lines
8.8 KiB
JavaScript
268 lines
8.8 KiB
JavaScript
const passport = require('passport');
|
|
const expressSession = require('express-session');
|
|
const config = require('./config');
|
|
|
|
// set up database for express session
|
|
const MongoStore = require('connect-mongo')(expressSession);
|
|
const mongoose = require('mongoose');
|
|
const db = require("qmi-cloud-common/mongo");
|
|
|
|
const sessionStore = new MongoStore({
|
|
mongooseConnection: mongoose.connection,
|
|
url: process.env.MONGO_URI,
|
|
autoRemove: 'interval',
|
|
autoRemoveInterval: 10
|
|
//clear_interval: config.mongoDBSessionMaxAge
|
|
});
|
|
|
|
var OpenIDConnectStrategy = require('passport-openidconnect');
|
|
|
|
const OKTA_DOMAIN = "qlik.okta.com";
|
|
|
|
passport.serializeUser(function(user, done) {
|
|
done(null, user.upn);
|
|
});
|
|
|
|
passport.deserializeUser(function(upn, done) {
|
|
_findByUpn(upn, function (err, user) {
|
|
done(err, user);
|
|
});
|
|
});
|
|
|
|
var _findByUpn = async function(upn, fn) {
|
|
var mongouser = await db.user.getOne({"upn": { $regex: new RegExp(upn, 'i') } });
|
|
if (mongouser && mongouser.upn === upn){
|
|
return fn(null, mongouser);
|
|
} else {
|
|
return fn(null, null);
|
|
}
|
|
};
|
|
|
|
// set up passport
|
|
passport.use('oidc', new OpenIDConnectStrategy({
|
|
issuer: "https://qlik.okta.com",
|
|
authorizationURL: `https://${OKTA_DOMAIN}/oauth2/v1/authorize`,
|
|
tokenURL: `https://${OKTA_DOMAIN}/oauth2/v1/token`,
|
|
clientID: config.creds.clientID,
|
|
clientSecret: config.creds.clientSecret,
|
|
callbackURL: config.creds.redirectUrl,
|
|
scope: config.creds.scope,
|
|
}, async (issuer, profile, context, idToken, accessToken, refreshToken, done) => {
|
|
console.log("OKTA ISSUER ", issuer)
|
|
console.log("OKTA PROFILE ", profile)
|
|
//console.log("OKTA context ", context)
|
|
//console.log("OKTA idToken ", idToken)
|
|
//console.log("OKTA accessToken ", accessToken)
|
|
//console.log("OKTA refreshToken ", refreshToken)
|
|
|
|
|
|
if ( !profile.id ) {
|
|
return done(new Error("No profile id found"), null);
|
|
}
|
|
|
|
// asynchronous verification, for effect...
|
|
process.nextTick(function () {
|
|
_findByUpn(profile.username, async function(err, user) {
|
|
if (err) {
|
|
return done(err);
|
|
}
|
|
if (!user) {
|
|
// "Auto-registration"
|
|
user = await db.user.add({
|
|
"oid": profile.id,
|
|
"upn": profile.username.toLowerCase(),
|
|
"displayName": profile.displayName,
|
|
"lastLogin": new Date(),
|
|
"sub": profile.id,
|
|
"active": true,
|
|
"mail": profile.emails[0].value,
|
|
//"jobTitle": jobTitle
|
|
});
|
|
return done(null, user);
|
|
}
|
|
db.user.update(user._id, {
|
|
"lastLogin": new Date(),
|
|
"sub": profile.id,
|
|
"active": true,
|
|
"mail": profile.emails[0].value,
|
|
//"jobTitle": jobTitle
|
|
});
|
|
return done(null, user);
|
|
});
|
|
|
|
});
|
|
|
|
//return done(null, profile);
|
|
}));
|
|
|
|
|
|
|
|
module.exports.init = function(app){
|
|
|
|
// set up session middleware
|
|
if (config.useMongoDBSessionStore) {
|
|
//mongoose.connect(config.databaseUri);
|
|
app.use(expressSession({
|
|
secret: 'secret',
|
|
cookie: {maxAge: config.mongoDBSessionMaxAge * 1000},
|
|
store: sessionStore,
|
|
resave: true,
|
|
saveUninitialized: false
|
|
}));
|
|
} else {
|
|
app.use(expressSession({
|
|
secret: 'keyboard cat',
|
|
resave: true,
|
|
saveUninitialized: false
|
|
}));
|
|
}
|
|
|
|
|
|
// Initialize Passport! Also use passport.session() middleware, to support
|
|
// persistent login sessions (recommended).
|
|
app.use(passport.initialize());
|
|
app.use(passport.session());
|
|
|
|
app.get('/login',
|
|
function(req, res, next) {
|
|
passport.authenticate('oidc',
|
|
{
|
|
response: res, // required
|
|
resourceURL: config.resourceURL, // optional. Provide a value if you want to specify the resource.
|
|
//customState: 'my_state', // optional. Provide a value if you want to provide custom state value.
|
|
failureRedirect: '/',
|
|
session: false
|
|
}
|
|
)(req, res, next);
|
|
},
|
|
function(req, res) {
|
|
res.redirect('/');
|
|
}
|
|
);
|
|
|
|
//app.use('/login', passport.authenticate('oidc'));
|
|
|
|
app.use('/auth/openid/return', passport.authenticate('oidc', { failureRedirect: '/error' }), (req, res) => {
|
|
|
|
console.log('Passport# We received a return from OKTA ');
|
|
res.redirect('/provisions');
|
|
});
|
|
|
|
|
|
|
|
|
|
/*app.get('/login',
|
|
function(req, res, next) {
|
|
passport.authenticate('azuread-openidconnect',
|
|
{
|
|
response: res, // required
|
|
resourceURL: config.resourceURL, // optional. Provide a value if you want to specify the resource.
|
|
//customState: 'my_state', // optional. Provide a value if you want to provide custom state value.
|
|
failureRedirect: '/',
|
|
session: false
|
|
}
|
|
)(req, res, next);
|
|
},
|
|
function(req, res) {
|
|
res.redirect('/');
|
|
}
|
|
);*/
|
|
|
|
// 'GET returnURL'
|
|
// `passport.authenticate` will try to authenticate the content returned in
|
|
// query (such as authorization code). If authentication fails, user will be
|
|
// redirected to '/' (home page); otherwise, it passes to the next middleware.
|
|
/*app.get('/auth/openid/return',
|
|
function(req, res, next) {
|
|
passport.authenticate('azuread-openidconnect',
|
|
{
|
|
response: res, // required
|
|
failureRedirect: '/'
|
|
}
|
|
)(req, res, next);
|
|
},
|
|
function(req, res) {
|
|
console.log('Passport# We received a return from AzureAD.');
|
|
res.redirect('/provisions');
|
|
}
|
|
);*/
|
|
|
|
// 'POST returnURL'
|
|
// `passport.authenticate` will try to authenticate the content returned in
|
|
// body (such as authorization code). If authentication fails, user will be
|
|
// redirected to '/' (home page); otherwise, it passes to the next middleware.
|
|
/*app.post('/auth/openid/return',
|
|
function(req, res, next) {
|
|
passport.authenticate('azuread-openidconnect',
|
|
{
|
|
response: res, // required
|
|
failureRedirect: '/'
|
|
}
|
|
)(req, res, next);
|
|
},
|
|
function(req, res) {
|
|
console.log('Passport# We received a return from AzureAD.');
|
|
res.redirect('/provisions');
|
|
}
|
|
);*/
|
|
|
|
// 'logout' route, logout from passport, and destroy the session with AAD.
|
|
|
|
app.get('/logout', function(req, res){
|
|
req.session.destroy(function(err) {
|
|
req.logOut();
|
|
res.redirect(config.destroySessionUrl);
|
|
});
|
|
});
|
|
};
|
|
|
|
async function isApiKeyAuthenticated(req) {
|
|
let key = req.query.apiKey || req.get('QMI-ApiKey');
|
|
if ( key ) {
|
|
var result = await db.apiKey.getOne({"apiKey": key});
|
|
if ( result ) {
|
|
req.user = result.user;
|
|
return true;
|
|
} else {
|
|
return false;
|
|
}
|
|
|
|
} else {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
module.exports.ensureAuthenticatedDoLogin = async function(req, res, next) {
|
|
if ( await isApiKeyAuthenticated(req) || req.isAuthenticated() ) {
|
|
return next();
|
|
}
|
|
res.redirect('/login');
|
|
};
|
|
|
|
module.exports.ensureAuthenticated = async function(req, res, next) {
|
|
if ( await isApiKeyAuthenticated(req) || req.isAuthenticated() ) {
|
|
return next();
|
|
}
|
|
res.status(401).send({"error": "Unauthorized"});
|
|
};
|
|
|
|
module.exports.ensureAuthenticatedAndAdmin = async function(req, res, next) {
|
|
if ( ( await isApiKeyAuthenticated(req) || req.isAuthenticated()) && (req.user.role === 'admin' || req.user.role === 'superadmin') ) {
|
|
return next();
|
|
}
|
|
res.status(401).send({"error": "Unauthorized"});
|
|
};
|
|
|
|
module.exports.ensureAuthenticatedAndIsMe = async function (req, res, next) {
|
|
if ( await isApiKeyAuthenticated(req) || req.isAuthenticated() ) {
|
|
var userId = (req.params.userId === 'me')? req.user._id : req.params.userId;
|
|
if ( req.user._id == userId || req.user.role === 'admin' || req.user.role === 'superadmin' ) {
|
|
return next();
|
|
} else {
|
|
return res.status(401).send("Error: Unauthorized");
|
|
}
|
|
}
|
|
return res.status(401).send("Error: Unauthorized");
|
|
};
|
|
|
|
module.exports.sessionStore = sessionStore; |