@atomist/sdm-pack-aspect
an Atomist SDM Extension Pack for visualizing drift across an organization
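"use strict";
/*
 * Copyright © 2019 Atomist, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
Object.defineProperty(exports, "__esModule", { value: true });
const automation_client_1 = require("@atomist/automation-client");
const ApolloGraphClient_1 = require("@atomist/automation-client/lib/graph/ApolloGraphClient");
const sdm_core_1 = require("@atomist/sdm-core");
const _ = require("lodash");
/**
 * GraphQL query returning the teams (workspaces) the caller's identity belongs to.
 * `authHandlers` compares the returned team ids against the requested workspace id.
 */
const PersonByIdentityQuery = `query PersonByIdentity { personByIdentity { team { id name } } } `;
/**
 * Install the express-auth-parser middleware on the given express app so that
 * later handlers (see `authHandlers`) can read `req.authorization`.
 *
 * @param express - the express application to configure
 */
function configureAuth(express) {
    const authParser = require("express-auth-parser");
    express.use(authParser);
}
exports.configureAuth = configureAuth;
/**
 * Build the CORS middleware for the aspect endpoints.
 *
 * The allowed origin list is read from the `cors.origin` configuration value
 * and defaults to an empty list when unset. Credentials are allowed, so the
 * origin list is what bounds which sites may make authenticated requests.
 *
 * @returns the configured `cors` middleware
 */
function corsHandler() {
    const cors = require("cors");
    const origin = _.get(automation_client_1.configurationValue(), "cors.origin", []);
    const corsOptions = {
        origin,
        credentials: true,
        allowedHeaders: ["x-requested-with", "authorization", "content-type", "credential", "X-XSRF-TOKEN"],
        exposedHeaders: "*",
    };
    return cors(corsOptions);
}
exports.corsHandler = corsHandler;
/**
 * Build the express middleware chain that authorizes access to a workspace.
 *
 * In local mode, or when `secure` is false, a single pass-through handler is
 * returned and no check is performed. Otherwise the chain parses cookies and
 * then, for requests that carry a `workspace_id` route or query parameter,
 * verifies via the GraphQL backend that the caller's identity belongs to that
 * workspace. Credentials come from the `access_token` cookie when present,
 * otherwise from `req.authorization.credentials` (populated by `configureAuth`).
 *
 * NOTE: a request with no `workspace_id` is passed through without any
 * credential check; routes that must always be authenticated should not rely
 * on this chain alone.
 *
 * @param secure - when false, authorization is skipped entirely
 * @returns an array of express handlers to mount before the protected routes
 */
function authHandlers(secure) {
    // In local mode we don't need auth
    if (sdm_core_1.isInLocalMode() || !secure) {
        return [(req, res, next) => next()];
    }
    const cookieParser = require("cookie-parser");
    return [cookieParser(), (req, res, next) => {
            // The cookie takes precedence over the Authorization header when both exist.
            let creds;
            if (!!req.cookies && !!req.cookies.access_token) {
                creds = req.cookies.access_token;
            }
            else if (!!req.authorization) {
                // Guarded: without configureAuth (or with no Authorization header)
                // req.authorization may be undefined, which previously threw here.
                creds = req.authorization.credentials;
            }
            const workspaceId = req.params.workspace_id || req.query.workspace_id;
            if (!workspaceId) {
                // Nothing to authorize against; let the route decide what to do.
                next();
                return;
            }
            // Creds are missing; just return 401 error here instead of calling the backend.
            // The explicit return matters: without it the handler went on to query the
            // backend with "Bearer undefined" and then tried to answer a second time.
            if (!creds) {
                res.sendStatus(401);
                return;
            }
            const graphClient = new ApolloGraphClient_1.ApolloGraphClient(automation_client_1.configurationValue().endpoints.graphql.replace("/team", ""), {
                Authorization: `Bearer ${creds}`,
            });
            graphClient.query({ query: PersonByIdentityQuery, variables: {} })
                .then(result => {
                // Access is granted only if one of the caller's teams is the requested workspace.
                if (result.personByIdentity && result.personByIdentity.some(p => p.team && p.team.id === workspaceId)) {
                    automation_client_1.logger.info("Granting access to workspaceId '%s'", workspaceId);
                    next();
                }
                else {
                    automation_client_1.logger.info("Denying access to workspaceId '%s'", workspaceId);
                    res.sendStatus(401);
                }
            })
                .catch(err => {
                // Any backend failure is treated as a denial rather than a pass-through.
                automation_client_1.logger.warn("Error granting access to workspaceId '%s'", workspaceId);
                automation_client_1.logger.warn(err);
                res.sendStatus(401);
            });
        }];
}
exports.authHandlers = authHandlers;
//# sourceMappingURL=auth.js.map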