budibase/packages/auth/src/middleware/passport/third-party-common.js

const env = require("../../environment")
const jwt = require("jsonwebtoken")
const { generateGlobalUserID } = require("../../db/utils")
const { authError } = require("./utils")
const { newid } = require("../../hashing")
const { createASession } = require("../../security/sessions")
const { getGlobalUserByEmail } = require("../../utils")
const { getGlobalDB, getTenantId } = require("../../tenancy")

/**
 * Common authentication logic for third parties. e.g. OAuth, OIDC.
 */
exports.authenticateThirdParty = async function (
  thirdPartyUser,
  requireLocalAccount = true,
  done
) {
  if (!thirdPartyUser.provider) {
    return authError(done, "third party user provider required")
  }
  if (!thirdPartyUser.userId) {
    return authError(done, "third party user id required")
  }
  if (!thirdPartyUser.email) {
    return authError(done, "third party user email required")
  }

  // use the third party id
  const userId = generateGlobalUserID(thirdPartyUser.userId)
  const db = getGlobalDB()

  let dbUser

  // try to load by id
  try {
    dbUser = await db.get(userId)
  } catch (err) {
    // abort when not 404 error
    if (!err.status || err.status !== 404) {
      return authError(
        done,
        "Unexpected error when retrieving existing user",
        err
      )
    }
  }

  // fallback to loading by email
  if (!dbUser) {
    dbUser = await getGlobalUserByEmail(thirdPartyUser.email)
  }

  // exit early if there is still no user and auto creation is disabled
  if (!dbUser && requireLocalAccount) {
    return authError(
      done,
      "Email does not yet exist. You must set up your local budibase account first."
    )
  }

  // first time creation
  if (!dbUser) {
    // setup a blank user using the third party id
    dbUser = {
      _id: userId,
      roles: {},
    }
  }

  dbUser = syncUser(dbUser, thirdPartyUser)

  // create or sync the user
  const response = await db.post(dbUser)
  dbUser._rev = response.rev

  // authenticate
  const sessionId = newid()
  const tenantId = getTenantId()
  await createASession(dbUser._id, { sessionId, tenantId })

  dbUser.token = jwt.sign(
    {
      userId: dbUser._id,
      sessionId,
    },
    env.JWT_SECRET
  )

  return done(null, dbUser)
}

/**
 * @returns a user that has been sync'd with third party information
 */
function syncUser(user, thirdPartyUser) {
  // provider
  user.provider = thirdPartyUser.provider
  user.providerType = thirdPartyUser.providerType

  // email
  user.email = thirdPartyUser.email

  if (thirdPartyUser.profile) {
    const profile = thirdPartyUser.profile

    if (profile.name) {
      const name = profile.name
      // first name
      if (name.givenName) {
        user.firstName = name.givenName
      }
      // last name
      if (name.familyName) {
        user.lastName = name.familyName
      }
    }

    // profile
    user.thirdPartyProfile = {
      ...profile._json,
    }
  }

  // oauth tokens for future use
  if (thirdPartyUser.oauth2) {
    user.oauth2 = {
      ...thirdPartyUser.oauth2,
    }
  }

  return user
}
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`const env = require("../../environment")`
			`const jwt = require("jsonwebtoken")`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-02 19:34:43 +02:00			`const { generateGlobalUserID } = require("../../db/utils")`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`const { authError } = require("./utils")`
Merge branch 'develop' into feature/oidc-support 2021-07-08 21:03:51 +02:00			`const { newid } = require("../../hashing")`
			`const { createASession } = require("../../security/sessions")`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-02 19:34:43 +02:00			`const { getGlobalUserByEmail } = require("../../utils")`
			`const { getGlobalDB, getTenantId } = require("../../tenancy")`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00
			`/**`
Linting 2021-07-08 14:12:25 +02:00			`* Common authentication logic for third parties. e.g. OAuth, OIDC.`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`*/`
			`exports.authenticateThirdParty = async function (`
Linting 2021-07-08 14:12:25 +02:00			`thirdPartyUser,`
			`requireLocalAccount = true,`
			`done`
			`) {`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00			`if (!thirdPartyUser.provider) {`
Linting 2021-07-08 14:12:25 +02:00			`return authError(done, "third party user provider required")`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00			`}`
			`if (!thirdPartyUser.userId) {`
Linting 2021-07-08 14:12:25 +02:00			`return authError(done, "third party user id required")`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00			`}`
			`if (!thirdPartyUser.email) {`
Linting 2021-07-08 14:12:25 +02:00			`return authError(done, "third party user email required")`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00			`}`
Linting 2021-07-08 14:12:25 +02:00
			`// use the third party id`
			`const userId = generateGlobalUserID(thirdPartyUser.userId)`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-02 19:34:43 +02:00			`const db = getGlobalDB()`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00
			`let dbUser`
Linting 2021-07-08 14:12:25 +02:00
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`// try to load by id`
Linting 2021-07-08 14:12:25 +02:00			`try {`
			`dbUser = await db.get(userId)`
			`} catch (err) {`
			`// abort when not 404 error`
			`if (!err.status \|\| err.status !== 404) {`
			`return authError(`
			`done,`
			`"Unexpected error when retrieving existing user",`
			`err`
			`)`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`}`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`}`
Linting 2021-07-08 14:12:25 +02:00
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`// fallback to loading by email`
			`if (!dbUser) {`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-02 19:34:43 +02:00			`dbUser = await getGlobalUserByEmail(thirdPartyUser.email)`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`}`

			`// exit early if there is still no user and auto creation is disabled`
Merge branch 'develop' into feature/oidc-support 2021-07-08 21:03:51 +02:00			`if (!dbUser && requireLocalAccount) {`
Remove redundant check on requireLocalAccount 2021-07-13 11:45:13 +02:00			`return authError(`
			`done,`
			`"Email does not yet exist. You must set up your local budibase account first."`
			`)`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`}`
Linting 2021-07-08 14:12:25 +02:00
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`// first time creation`
			`if (!dbUser) {`
Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`// setup a blank user using the third party id`
			`dbUser = {`
			`_id: userId,`
			`roles: {},`
			`}`
Linting 2021-07-08 14:12:25 +02:00			`}`

Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`dbUser = syncUser(dbUser, thirdPartyUser)`

sync third party profile on every login 2021-07-08 17:11:48 +02:00			`// create or sync the user`
Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`const response = await db.post(dbUser)`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`dbUser._rev = response.rev`

Linting 2021-07-08 14:12:25 +02:00			`// authenticate`
Merge branch 'develop' into feature/oidc-support 2021-07-08 21:03:51 +02:00			`const sessionId = newid()`
re-write, to use the ideas that Rory put in place, still WIP, un-tested but all implemented. 2021-08-02 19:34:43 +02:00			`const tenantId = getTenantId()`
Merge branch 'develop' of github.com:Budibase/budibase into feature/multi-tenants 2021-07-20 16:56:12 +02:00			`await createASession(dbUser._id, { sessionId, tenantId })`
Linting 2021-07-08 14:12:25 +02:00
Merge branch 'develop' into feature/oidc-support 2021-07-08 21:03:51 +02:00			`dbUser.token = jwt.sign(`
			`{`
			`userId: dbUser._id,`
			`sessionId,`
			`},`
			`env.JWT_SECRET`
			`)`
Linting 2021-07-08 14:12:25 +02:00
			`return done(null, dbUser)`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`}`

			`/**`
Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`* @returns a user that has been sync'd with third party information`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`*/`
Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`function syncUser(user, thirdPartyUser) {`
			`// provider`
			`user.provider = thirdPartyUser.provider`
			`user.providerType = thirdPartyUser.providerType`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00
Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`// email`
			`user.email = thirdPartyUser.email`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00
			`if (thirdPartyUser.profile) {`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`const profile = thirdPartyUser.profile`

			`if (profile.name) {`
			`const name = profile.name`
			`// first name`
			`if (name.givenName) {`
			`user.firstName = name.givenName`
			`}`
			`// last name`
			`if (name.familyName) {`
			`user.lastName = name.familyName`
			`}`
			`}`
Merge branch 'develop' into feature/oidc-support 2021-07-08 21:03:51 +02:00
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`// profile`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`user.thirdPartyProfile = {`
sync third party profile on every login 2021-07-08 17:11:48 +02:00			`...profile._json,`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`}`
			`}`

Always maintain original user id. No longer remove old user during sync 2021-07-08 17:49:07 +02:00			`// oauth tokens for future use`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`if (thirdPartyUser.oauth2) {`
			`user.oauth2 = {`
Linting 2021-07-08 14:12:25 +02:00			`...thirdPartyUser.oauth2,`
Merge google/oidc user authentication and surface user relevant error messages during authentication 2021-07-08 12:12:34 +02:00			`}`
			`}`

			`return user`
			`}`