feat: handle GitHub OAuth directly, thru JWTs

7 years ago · f22c22c6b3
parent d6f0b69b72
commit f22c22c6b3
5 changed files with 208 additions and 115 deletions
--- a/site/.env.example
+++ b/site/.env.example
@ -6,3 +6,7 @@ DATABASE_URL=
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 MAPBOX_ACCESS_TOKEN=
 JWT_EXP=30d
 JWT_ALG=HS512
 JWT_KEY=
--- a/site/package.json
+++ b/site/package.json
@ -15,10 +15,13 @@
    "testsrc": "mocha -r esm test/**"
  },
  "dependencies": {
    "@polka/parse": "^1.0.0-next.1",
    "@polka/send": "^1.0.0-next.2",
    "devalue": "^1.1.0",
    "do-not-zip": "^1.0.0",
    "golden-fleece": "^1.0.9",
    "httpie": "^1.1.1",
    "jsonwebtoken": "^8.5.1",
    "limax": "^1.7.0",
    "marked": "^0.6.1",
    "pg": "^7.10.0",
--- a/site/src/backend/auth.js
+++ b/site/src/backend/auth.js
@ -0,0 +1,149 @@
 import polka from 'polka';
 import devalue from 'devalue';
 import send from '@polka/send';
 import { get, post } from 'httpie';
 import { json } from '@polka/parse';
 import { parse, stringify } from 'querystring';
 import { decode, sign, verify } from './token';
 import { find, query } from '../utils/db';
 const {
 	BASEURL,
 	GITHUB_CLIENT_ID,
 	GITHUB_CLIENT_SECRET,
 } = process.env;
 const OAuth = 'https://github.com/login/oauth';
 function exit(res, code, msg='') {
 	send(res, code, msg.charAt(0).toUpperCase() + msg.substring(1));
 }
 function onError(err, req, res) {
 	const code = err.code || err.status || 500;
 	res.headersSent || send(res, code, err.message || err);
 }
 /**
 * Middleware to determine User validity
 */
 export async function isUser(req, res) {
 	const abort = exit.bind(null, res, 401);
 	const auth = req.headers.authorization;
 	if (!auth) return abort('Missing Authorization header');
 	const [scheme, token] = auth.split(' ');
 	if (scheme !== 'Bearer' || !token) return abort('Invalid Authorization format');
 	let data;
 	const decoded = decode(token, { complete:true });
 	if (!decoded || !decoded.header) return abort('Invalid token');
 	try {
 		data = await verify(token);
 	} catch (err) {
 		return abort(err.message);
 	}
 	const { uid, username } = data;
 	if (!uid || !username) return abort('Invalid token payload');
 	try {
 		const row = await find(`select * from users where uid = $1 and username = $2 limit 1`, [uid, username]);
 		return row || abort('Invalid token');
 	} catch (err) {
 		console.error('Auth.isUser', err);
 		return send(res, 500, 'Unknown error occurred');
 	}
 }
 export function toUser(obj={}) {
 	const { uid, username, name:displayName, avatar } = obj;
 	const token = sign({ uid, username });
 	return { uid, username, displayName, avatar, token };
 }
 export function API() {
 	const app = polka({ onError }).use(json());
 	if (GITHUB_CLIENT_ID) {
 		app.get('/auth/login', (req, res) => {
 			try {
 				console.log('inside');
 				const Location = `${OAuth}/authorize?` + stringify({
 					scope: 'read:user',
 					client_id: GITHUB_CLIENT_ID,
 					redirect_uri: `${BASEURL}/auth/callback`,
 				});
 				send(res, 302, Location, { Location });
 			} catch (err) {
 				//
 			}
 		});
 		app.get('/auth/callback', async (req, res) => {
 			try {
 				// Trade "code" for "access_token"
 				const r1 = await post(`${OAuth}/access_token?` + stringify({
 					code: req.query.code,
 					client_id: GITHUB_CLIENT_ID,
 					client_secret: GITHUB_CLIENT_SECRET,
 				}));
 				// Now fetch User details
 				const { access_token } = parse(r1.data);
 				const r2 = await get('https://api.github.com/user', {
 					headers: {
 						'User-Agent': 'svelte.dev',
 						Authorization: `token ${access_token}`
 					}
 				});
 				const { id, name, avatar_url, login } = r2.data;
 				// Upsert `users` table
 				const [user] = await query(`
 					insert into users(uid, name, username, avatar, token)
 					values ($1, $2, $3, $4, $5) on conflict (uid) do update
 					set (name, username, avatar, token) = ($2, $3, $4, $5)
 					returning *
 				`, [id, name, login, avatar_url, access_token]);
 				send(res, 200, `
 					<script>
 						window.opener.postMessage({
 							user: ${devalue(toUser(user))}
 						}, window.location.origin);
 					</script>
 				`, {
 					'Content-Type': 'text/html; charset=utf-8'
 				});
 			} catch (err) {
 				console.error('OAuth Callback', err);
 				send(res, 500, err.data, {
 					'Content-Type': err.headers['content-type'],
 					'Content-Length': err.headers['content-length']
 				});
 			}
 		});
 	} else {
 		// Print "Misconfigured" error
 		app.get('/auth/login', (req, res) => {
 			send(res, 500, `
 				<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
 					<h1>Missing .env file</h1>
 					<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> with <code>gist</code> and <code>read:user</code> scopes, and create a .env file:</p>
 					<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:3000</pre>
 					<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
 				</body>
 			`, {
 				'Content-Type': 'text/html; charset=utf-8'
 			});
 		});
 	}
 	return app;
 }
--- a/site/src/backend/token.js
+++ b/site/src/backend/token.js
@ -0,0 +1,22 @@
 import * as jwt from 'jsonwebtoken';
 const { JWT_KEY, JWT_ALG, JWT_EXP } = process.env;
 const CONFIG = {
 	expiresIn: JWT_EXP,
 	issuer: 'https://svelte.dev',
 	audience: 'https://svelte.dev',
 	algorithm: JWT_ALG,
 };
 export const decode = jwt.decode;
 export function sign(obj, opts, cb) {
 	opts = Object.assign({}, opts, CONFIG);
 	return jwt.sign(obj, JWT_KEY, opts, cb);
 }
 export function verify(str, opts, cb) {
 	opts = Object.assign({}, opts, CONFIG);
 	return jwt.verify(str, JWT_KEY, opts, cb);
 }
--- a/site/src/server.js
+++ b/site/src/server.js
@ -1,108 +1,22 @@
 import 'dotenv/config';
 import sirv from 'sirv';
 import polka from 'polka';
 import devalue from 'devalue';
 import session from 'express-session';
 import passport from 'passport';
 import { Strategy } from 'passport-github';
 import sessionFileStore from 'session-file-store';
 import * as sapper from '@sapper/server';
 import { API } from './backend/auth';
-const app = polka();
+const { PORT=3000 } = process.env;
-if (process.env.GITHUB_CLIENT_ID) {
+API()
-	const FileStore = sessionFileStore(session);
+	.use(
 	passport.use(new Strategy({
 		clientID: process.env.GITHUB_CLIENT_ID,
 		clientSecret: process.env.GITHUB_CLIENT_SECRET,
 		callbackURL: `${process.env.BASEURL}/auth/callback`,
 		userAgent: 'svelte.dev'
 	}, (accessToken, refreshToken, profile, callback) => {
 		return callback(null, {
 			token: accessToken,
 			id: profile.id,
 			username: profile.username,
 			displayName: profile.displayName,
 			photo: profile.photos && profile.photos[0] && profile.photos[0].value
 		});
 	}));
 	passport.serializeUser((user, cb) => {
 		cb(null, user);
 	});
 	passport.deserializeUser((obj, cb) => {
 		cb(null, obj);
 	});
 	app
 		.use(session({
 			secret: 'svelte',
 			resave: true,
 			saveUninitialized: true,
 			cookie: {
 				maxAge: 31536000
 			},
 			store: new FileStore({
 				path: process.env.NOW ? `/tmp/sessions` : `.sessions`
 			})
 		}))
 		.use(passport.initialize())
 		.use(passport.session())
 		.get('/auth/login', (req, res, next) => {
 			const { returnTo } = req.query;
 			req.session.returnTo = returnTo ? decodeURIComponent(returnTo) : '/';
 			next();
 		}, passport.authenticate('github', { scope: ['gist', 'read:user'] }))
 		.post('/auth/logout', (req, res) => {
 			req.logout();
 			res.end('ok');
 		})
 		.get('/auth/callback', passport.authenticate('github', { failureRedirect: '/auth/error' }), (req, res) => {
 			const { id, username, displayName, photo } = req.session.passport && req.session.passport.user;
 			res.setHeader('Content-Type', 'text/html; charset=utf-8');
 			res.end(`
 				<script>
 					window.opener.postMessage({
 						user: ${devalue({ id, username, displayName, photo })}
 					}, window.location.origin);
 				</script>
 			`);
 		});
 } else {
 	app.get('/auth/login', (req, res) => {
 		res.writeHead(500);
 		res.end(`
 			<body style="font-family: sans-serif; background: rgb(255,215,215); border: 2px solid red; margin: 0; padding: 1em;">
 				<h1>Missing .env file</h1>
 				<p>In order to use GitHub authentication, you will need to <a target="_blank" href="https://github.com/settings/developers">register an OAuth application</a> with <code>gist</code> and <code>read:user</code> scopes, and create a .env file:</p>
 				<pre>GITHUB_CLIENT_ID=[YOUR_APP_ID]\nGITHUB_CLIENT_SECRET=[YOUR_APP_SECRET]\nBASEURL=http://localhost:3000</pre>
 				<p>The <code>BASEURL</code> variable should match the callback URL specified for your app.</p>
 			</body>
 		`);
 	});
 }
 app.use(
 		sirv('static', {
 			setHeaders(res) {
 				res.setHeader('Access-Control-Allow-Origin', '*');
 				res.hasHeader('Cache-Control') || res.setHeader('Cache-Control', 'max-age=600'); // 10min default
 			}
 		}),
 		sapper.middleware({
 			// TODO update Sapper so that we can pass props to the client
 			props: req => {
-			const user = req.session && req.session.passport && req.session.passport.user;
+				const user = req.user;
 				return {
 					user: user && {
@ -115,4 +29,5 @@ app.use(
 				};
 			}
 		})
-).listen(process.env.PORT);
+	)
 	.listen(PORT);