UNPKG

loopback-component-auth

Version:

Extends loopback-component-passport to support custom auth schemes (i.e. other than the supported 'ldap', 'local', 'oauth', 'oauth1', 'oauth 1.0', 'openid', 'openid connect' and 'oauth 2.0')

github.com/benkroeger/loopback-component-auth

benkroeger/loopback-component-auth

259 lines (222 loc) 8.35 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
/* eslint global-require: 0 */ 'use strict'; // core modules const path = require('path'); // npm modules const _ = require('lodash'); const passport = require('passport'); // local modules const logger = require('../logger'); const utils = require('../utils'); module.exports = function setupCustomAuthScheme(app, appAuthDir, models, name, options) { const passportModule = require(options.provider.module); const AuthStrategy = passportModule[options.provider.strategy]; const authSchemeModule = require(path.join(appAuthDir, options.provider.authScheme)); // restore "returnTo" url (if any), set by ensureLoggedIn and remove it from the session function successRedirect(req) { if (req && req.session && req.session.returnTo) { const returnTo = req.session.returnTo; /* eslint-disable no-param-reassign */ delete req.session.returnTo; /* eslint-enable no-param-reassign */ return returnTo; } return options.strategy.successRedirect; } const failureRedirect = options.strategy.failureRedirect; const makeLoginCallback = options.provider.makeLoginCallback || function makeLoginCallback(done) { return (err, user, identity, token) => { const authInfo = { identity, }; if (err) { return done(err, user, authInfo); } if (token) { authInfo.accessToken = token; } return done(err, user, authInfo); }; }; // call authScheme specific method to generate a verify function for passport const verifyFunction = authSchemeModule.makeVerifyFunction(options, models, makeLoginCallback); // register this provider in passport passport.use(name, new AuthStrategy( _.defaults({}, options.strategy, { authInfo: true, passReqToCallback: true, }), verifyFunction )); const passportAuthOptions = _.defaults({}, options.provider, options.strategy); // provide default handling of OAuth 2.0 flow function defaultAuthenticateMiddleware(req, res, next) { // unified handling of a successful auth attempt (regardless of enabled / disabled sessions) function handleAuthSuccess(user, info) { // this is a JSON enabled provider => return access_token and userId accordingly // finish response if (options.provider.json) { return res.status(200).json({ state: 'success', provider_name: name, userId: user.id, access_token: (info && info.accessToken) ? info.accessToken.id : undefined, }); } if (info && info.accessToken) { // we have a legacy client that needs information to be transmitted as cookies res.cookie('access_token', info.accessToken.id, { signed: !!req.signedCookies, // maxAge is in ms maxAge: 1000 * info.accessToken.ttl, domain: _.isString(options.provider.domain) ? options.provider.domain : null, }); res.cookie('userId', user.id.toString(), { signed: !!req.signedCookies, maxAge: 1000 * info.accessToken.ttl, domain: _.isString(options.provider.domain) ? options.provider.domain : null, }); } // finally redirect our client to the success page const redirectTo = utils.appendQuery(successRedirect(req), { state: 'success', provider_name: name, }); return res.redirect(redirectTo); } // The default callback passport.authenticate(name, passportAuthOptions, (err, user, info) => { if (err) { return next(err); } // handle unsuccessful logins (user object was not resolved truthy) if (!user) { if (options.provider.json) { return res.status(401).json({ state: 'failure', provider_name: name, error_code: 401, error_message: 'authentication failed', }); } const redirectTo = utils.appendQuery(failureRedirect, { state: 'failure', provider_name: name, error_code: 401, error_message: 'authentication failed', }); return res.redirect(redirectTo); } // if there is no session support, handle auth success right away if (!options.provider.session) { return handleAuthSuccess(user, info); } // session is enabled, call req.login() manually to establish the secured session return req.logIn(user, (loginErr) => { if (loginErr) { return next(loginErr); } return handleAuthSuccess(user, info); }); })(req, res, next); } const defaultMiddleware = { auth: defaultAuthenticateMiddleware, callback: defaultAuthenticateMiddleware, }; const defaultLinkMiddleware = { auth: passport.authorize(name, passportAuthOptions), callback: [ (req, res, next) => { passport.authorize(name, passportAuthOptions, (authorizeError, user, infoOrChallange, status) => { if (authorizeError) { return next(authorizeError); } if (user) { req.account = user; // eslint-disable-line no-param-reassign return next(); } let errorMessage = infoOrChallange; if (!_.isString(errorMessage)) { try { errorMessage = JSON.stringify(errorMessage); } catch (stringifyError) { logger.error('can not stringify errorMessage object', stringifyError); } } const authorizeFailedError = new Error(errorMessage); authorizeFailedError.status = status || 403; return next(authorizeFailedError); })(req, res, next); }, // passport.authorize doesn't handle json providers, thus we need to ship our own success handler (req, res) => { // @TODO: create spec of what is returned in json version // the resolved account is in req.account now if (options.provider.json) { return res .status(200) .json({ state: 'success', provider_name: name, account: req.account, }); } const redirectTo = utils.appendQuery(successRedirect(req), { state: 'success', provider_name: name, }); return res.redirect(redirectTo); }, (err, req, res, next) => { logger.error(err); if (options.provider.json) { return res.status(err.status || 403).json({ state: 'failure', provider_name: name, error_code: err.status || 403, error_message: err.message, }); } // @TODO: req.flash does not exist since Expressjs 3.x if (options.strategy.failureFlash) { if (typeof req.flash !== 'function') { return next(new TypeError('req.flash is not a function')); } let flash = options.strategy.failureFlash; if (typeof flash === 'string') { flash = { type: 'error', message: flash, }; } const type = flash.type || 'error'; const msg = flash.message || err.message; if (typeof msg === 'string') { req.flash(type, msg); } } const redirectTo = utils.appendQuery(failureRedirect, { state: 'failure', provider_name: name, error_code: err.code || 403, error_message: err.message, }); return res.redirect(redirectTo); }, ], }; // register handlers for each route configured in provider Object.keys(options.route).forEach((routeName) => { const route = options.route[routeName]; const middlewareCatalog = options.provider.link ? defaultLinkMiddleware : defaultMiddleware; const middleware = route.middleware || middlewareCatalog[routeName]; // check for valid middleware if (!(typeof middleware === 'function' || Array.isArray(middleware))) { throw new TypeError(`can not resolve "${routeName}" middleware for provider ${name}`); } app[route.method.toLowerCase()](route.path, middleware); logger.info(`registered handler for "${routeName}" route with path ${route.path}`); }); };