@budibase/backend-core 3.2.4 → 3.2.6

package/src/middleware/passport/sso/oidc.ts

@@ -1,152 +0,0 @@
-import fetch from "node-fetch"
-import * as sso from "./sso"
-import { ssoCallbackUrl } from "../utils"
-import { validEmail } from "../../../utils"
-import {
-  ConfigType,
-  OIDCInnerConfig,
-  SSOProfile,
-  OIDCStrategyConfiguration,
-  SSOAuthDetails,
-  SSOProviderType,
-  JwtClaims,
-  SaveSSOUserFunction,
-} from "@budibase/types"
-
-const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
-
-export function buildVerifyFn(saveUserFn: SaveSSOUserFunction) {
-  /**
-   * @param issuer The identity provider base URL
-   * @param sub The user ID
-   * @param profile The user profile information. Created by passport from the /userinfo response
-   * @param jwtClaims The parsed id_token claims
-   * @param accessToken The access_token for contacting the identity provider - may or may not be a JWT
-   * @param refreshToken The refresh_token for obtaining a new access_token - usually not a JWT
-   * @param idToken The id_token - always a JWT
-   * @param params The response body from requesting an access_token
-   * @param done The passport callback: err, user, info
-   */
-  return async (
-    issuer: string,
-    sub: string,
-    profile: SSOProfile,
-    jwtClaims: JwtClaims,
-    accessToken: string,
-    refreshToken: string,
-    idToken: string,
-    params: any,
-    done: Function
-  ) => {
-    const details: SSOAuthDetails = {
-      // store the issuer info to enable sync in future
-      provider: issuer,
-      providerType: SSOProviderType.OIDC,
-      userId: profile.id,
-      profile: profile,
-      email: getEmail(profile, jwtClaims),
-      oauth2: {
-        accessToken: accessToken,
-        refreshToken: refreshToken,
-      },
-    }
-
-    return sso.authenticate(
-      details,
-      false, // don't require local accounts to exist
-      done,
-      saveUserFn
-    )
-  }
-}
-
-/**
- * @param profile The structured profile created by passport using the user info endpoint
- * @param jwtClaims The claims returned in the id token
- */
-function getEmail(profile: SSOProfile, jwtClaims: JwtClaims) {
-  // profile not guaranteed to contain email e.g. github connected azure ad account
-  if (profile._json.email) {
-    return profile._json.email
-  }
-
-  // fallback to id token email
-  if (jwtClaims.email) {
-    return jwtClaims.email
-  }
-
-  // fallback to id token preferred username
-  const username = jwtClaims.preferred_username
-  if (username && validEmail(username)) {
-    return username
-  }
-
-  throw new Error(
-    `Could not determine user email from profile ${JSON.stringify(
-      profile
-    )} and claims ${JSON.stringify(jwtClaims)}`
-  )
-}
-
-/**
- * Create an instance of the oidc passport strategy. This wrapper fetches the configuration
- * from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
- * @returns Dynamically configured Passport OIDC Strategy
- */
-export async function strategyFactory(
-  config: OIDCStrategyConfiguration,
-  saveUserFn: SaveSSOUserFunction
-) {
-  try {
-    const verify = buildVerifyFn(saveUserFn)
-    const strategy = new OIDCStrategy(config, verify)
-    strategy.name = "oidc"
-    return strategy
-  } catch (err: any) {
-    throw new Error(`Error constructing OIDC authentication strategy - ${err}`)
-  }
-}
-
-export async function fetchStrategyConfig(
-  oidcConfig: OIDCInnerConfig,
-  callbackUrl?: string
-): Promise<OIDCStrategyConfiguration> {
-  try {
-    const { clientID, clientSecret, configUrl } = oidcConfig
-
-    if (!clientID || !clientSecret || !callbackUrl || !configUrl) {
-      // check for remote config and all required elements
-      throw new Error(
-        "Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configUrl"
-      )
-    }
-
-    const response = await fetch(configUrl)
-
-    if (!response.ok) {
-      throw new Error(
-        `Unexpected response when fetching openid-configuration: ${response.statusText}`
-      )
-    }
-
-    const body = await response.json()
-
-    return {
-      issuer: body.issuer,
-      authorizationURL: body.authorization_endpoint,
-      tokenURL: body.token_endpoint,
-      userInfoURL: body.userinfo_endpoint,
-      clientID: clientID,
-      clientSecret: clientSecret,
-      callbackURL: callbackUrl,
-    }
-  } catch (err) {
-    throw new Error(
-      `Error constructing OIDC authentication configuration - ${err}`
-    )
-  }
-}
-
-export async function getCallbackUrl() {
-  return ssoCallbackUrl(ConfigType.OIDC)
-}

package/src/middleware/passport/sso/sso.ts

@@ -1,138 +0,0 @@
-import { generateGlobalUserID } from "../../../db"
-import { authError } from "../utils"
-import * as users from "../../../users"
-import * as context from "../../../context"
-import {
-  SaveSSOUserFunction,
-  SSOAuthDetails,
-  SSOUser,
-  User,
-} from "@budibase/types"
-
-// no-op function for user save
-// - this allows datasource auth and access token refresh to work correctly
-// - prefer no-op over an optional argument to ensure function is provided to login flows
-export const ssoSaveUserNoOp: SaveSSOUserFunction = (user: SSOUser) =>
-  Promise.resolve(user)
-
-/**
- * Common authentication logic for third parties. e.g. OAuth, OIDC.
- */
-export async function authenticate(
-  details: SSOAuthDetails,
-  requireLocalAccount: boolean = true,
-  done: any,
-  saveUserFn: SaveSSOUserFunction
-) {
-  if (!saveUserFn) {
-    throw new Error("Save user function must be provided")
-  }
-  if (!details.userId) {
-    return authError(done, "sso user id required")
-  }
-  if (!details.email) {
-    return authError(done, "sso user email required")
-  }
-
-  // use the third party id
-  const userId = generateGlobalUserID(details.userId)
-
-  let dbUser: User | undefined
-
-  // try to load by id
-  try {
-    dbUser = await users.getById(userId)
-  } catch (err: any) {
-    // abort when not 404 error
-    if (!err.status || err.status !== 404) {
-      return authError(
-        done,
-        "Unexpected error when retrieving existing user",
-        err
-      )
-    }
-  }
-
-  // fallback to loading by email
-  if (!dbUser) {
-    dbUser = await users.getGlobalUserByEmail(details.email)
-  }
-
-  // exit early if there is still no user and auto creation is disabled
-  if (!dbUser && requireLocalAccount) {
-    return authError(
-      done,
-      "Email does not yet exist. You must set up your local budibase account first."
-    )
-  }
-
-  // first time creation
-  if (!dbUser) {
-    // setup a blank user using the third party id
-    dbUser = {
-      _id: userId,
-      email: details.email,
-      roles: {},
-      tenantId: context.getTenantId(),
-    }
-  }
-
-  let ssoUser = await syncUser(dbUser, details)
-  // never prompt for password reset
-  ssoUser.forceResetPassword = false
-
-  try {
-    // don't try to re-save any existing password
-    delete ssoUser.password
-    // create or sync the user
-    ssoUser = (await saveUserFn(ssoUser, {
-      hashPassword: false,
-      requirePassword: false,
-    })) as SSOUser
-  } catch (err: any) {
-    return authError(done, "Error saving user", err)
-  }
-
-  return done(null, ssoUser)
-}
-
-/**
- * @returns a user that has been sync'd with third party information
- */
-async function syncUser(user: User, details: SSOAuthDetails): Promise<SSOUser> {
-  let firstName
-  let lastName
-  let oauth2
-
-  if (details.profile) {
-    const profile = details.profile
-
-    if (profile.name) {
-      const name = profile.name
-      // first name
-      if (name.givenName) {
-        firstName = name.givenName
-      }
-      // last name
-      if (name.familyName) {
-        lastName = name.familyName
-      }
-    }
-  }
-
-  // oauth tokens for future use
-  if (details.oauth2) {
-    oauth2 = {
-      ...details.oauth2,
-    }
-  }
-
-  return {
-    ...user,
-    provider: details.provider,
-    providerType: details.providerType,
-    firstName,
-    lastName,
-    oauth2,
-  }
-}

package/src/middleware/passport/sso/tests/google.spec.ts

@@ -1,68 +0,0 @@
-import { generator, structures } from "../../../../../tests"
-import { SSOProviderType } from "@budibase/types"
-
-jest.mock("passport-google-oauth")
-const mockStrategy = require("passport-google-oauth").OAuth2Strategy
-
-jest.mock("../sso")
-import * as _sso from "../sso"
-
-const sso = jest.mocked(_sso)
-
-const mockSaveUserFn = jest.fn()
-const mockDone = jest.fn()
-
-import * as google from "../google"
-
-describe("google", () => {
-  describe("strategyFactory", () => {
-    const googleConfig = structures.sso.googleConfig()
-    const callbackUrl = generator.url()
-
-    it("should create successfully create a google strategy", async () => {
-      await google.strategyFactory(googleConfig, callbackUrl, mockSaveUserFn)
-
-      const expectedOptions = {
-        clientID: googleConfig.clientID,
-        clientSecret: googleConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-
-  describe("authenticate", () => {
-    const details = structures.sso.authDetails()
-    details.provider = "google"
-    details.providerType = SSOProviderType.GOOGLE
-
-    const profile = details.profile!
-    profile.provider = "google"
-
-    beforeEach(() => {
-      jest.clearAllMocks()
-    })
-
-    it("delegates authentication to third party common", async () => {
-      const authenticate = await google.buildVerifyFn(mockSaveUserFn)
-
-      await authenticate(
-        details.oauth2.accessToken,
-        details.oauth2.refreshToken!,
-        profile,
-        mockDone
-      )
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        true,
-        mockDone,
-        mockSaveUserFn
-      )
-    })
-  })
-})

package/src/middleware/passport/sso/tests/oidc.spec.ts

@@ -1,144 +0,0 @@
-import { generator, structures } from "../../../../../tests"
-import {
-  JwtClaims,
-  OIDCInnerConfig,
-  SSOAuthDetails,
-  SSOProviderType,
-} from "@budibase/types"
-import * as _sso from "../sso"
-import * as oidc from "../oidc"
-import nock from "nock"
-
-jest.mock("@techpass/passport-openidconnect")
-const mockStrategy = require("@techpass/passport-openidconnect").Strategy
-
-jest.mock("../sso")
-const sso = jest.mocked(_sso)
-
-const mockSaveUser = jest.fn()
-const mockDone = jest.fn()
-
-describe("oidc", () => {
-  const callbackUrl = generator.url()
-  const oidcConfig: OIDCInnerConfig = structures.sso.oidcConfig()
-  const wellKnownConfig = structures.sso.oidcWellKnownConfig()
-
-  beforeEach(() => {
-    nock.cleanAll()
-    nock(oidcConfig.configUrl).get("/").reply(200, wellKnownConfig)
-  })
-
-  describe("strategyFactory", () => {
-    it("should create successfully create an oidc strategy", async () => {
-      const strategyConfiguration = await oidc.fetchStrategyConfig(
-        oidcConfig,
-        callbackUrl
-      )
-      await oidc.strategyFactory(strategyConfiguration, mockSaveUser)
-
-      const expectedOptions = {
-        issuer: wellKnownConfig.issuer,
-        authorizationURL: wellKnownConfig.authorization_endpoint,
-        tokenURL: wellKnownConfig.token_endpoint,
-        userInfoURL: wellKnownConfig.userinfo_endpoint,
-        clientID: oidcConfig.clientID,
-        clientSecret: oidcConfig.clientSecret,
-        callbackURL: callbackUrl,
-      }
-      expect(mockStrategy).toHaveBeenCalledWith(
-        expectedOptions,
-        expect.anything()
-      )
-    })
-  })
-
-  describe("authenticate", () => {
-    const details: SSOAuthDetails = structures.sso.authDetails()
-    details.providerType = SSOProviderType.OIDC
-    const profile = details.profile!
-    const issuer = profile.provider
-
-    const sub = generator.string()
-    const idToken = generator.string()
-    const params = {}
-
-    let authenticateFn: any
-    let jwtClaims: JwtClaims
-
-    beforeEach(async () => {
-      jest.clearAllMocks()
-      authenticateFn = await oidc.buildVerifyFn(mockSaveUser)
-    })
-
-    async function authenticate() {
-      await authenticateFn(
-        issuer,
-        sub,
-        profile,
-        jwtClaims,
-        details.oauth2.accessToken,
-        details.oauth2.refreshToken,
-        idToken,
-        params,
-        mockDone
-      )
-    }
-
-    it("passes auth details to sso module", async () => {
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT email to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        email: details.email,
-      }
-
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT username to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        email: details.email,
-      }
-
-      await authenticate()
-
-      expect(sso.authenticate).toHaveBeenCalledWith(
-        details,
-        false,
-        mockDone,
-        mockSaveUser
-      )
-    })
-
-    it("uses JWT invalid username to get email", async () => {
-      delete profile._json.email
-
-      jwtClaims = {
-        preferred_username: "invalidUsername",
-      }
-
-      await expect(authenticate()).rejects.toThrow(
-        "Could not determine user email from profile"
-      )
-    })
-  })
-})

package/src/middleware/passport/sso/tests/sso.spec.ts

@@ -1,197 +0,0 @@
-import { structures } from "../../../../../tests"
-import { testEnv } from "../../../../../tests/extra"
-import { SSOAuthDetails, User } from "@budibase/types"
-
-import { HTTPError } from "../../../../errors"
-import * as sso from "../sso"
-import * as context from "../../../../context"
-import nock from "nock"
-
-const mockDone = jest.fn()
-const mockSaveUser = jest.fn()
-
-jest.mock("../../../../users")
-import * as _users from "../../../../users"
-
-const users = jest.mocked(_users)
-
-const getErrorMessage = () => {
-  return mockDone.mock.calls[0][2].message
-}
-
-describe("sso", () => {
-  describe("authenticate", () => {
-    beforeEach(() => {
-      jest.clearAllMocks()
-      testEnv.singleTenant()
-      nock.cleanAll()
-    })
-
-    describe("validation", () => {
-      const testValidation = async (
-        details: SSOAuthDetails,
-        message: string
-      ) => {
-        await sso.authenticate(details, false, mockDone, mockSaveUser)
-
-        expect(mockDone.mock.calls.length).toBe(1)
-        expect(getErrorMessage()).toContain(message)
-      }
-
-      it("user id fails", async () => {
-        const details = structures.sso.authDetails()
-        details.userId = undefined!
-
-        await testValidation(details, "sso user id required")
-      })
-
-      it("email fails", async () => {
-        const details = structures.sso.authDetails()
-        details.email = undefined!
-
-        await testValidation(details, "sso user email required")
-      })
-    })
-
-    describe("when the user doesn't exist", () => {
-      let user: User
-      let details: SSOAuthDetails
-
-      beforeEach(() => {
-        users.getById.mockImplementationOnce(() => {
-          throw new HTTPError("", 404)
-        })
-
-        nock("http://example.com").get("/").reply(200, undefined, {
-          "Content-Type": "image/png",
-        })
-
-        user = structures.users.user()
-        delete user._rev
-        delete user._id
-
-        details = structures.sso.authDetails(user)
-        details.userId = structures.uuid()
-      })
-
-      describe("when a local account is required", () => {
-        it("returns an error message", async () => {
-          const details = structures.sso.authDetails()
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          expect(mockDone.mock.calls.length).toBe(1)
-          expect(getErrorMessage()).toContain(
-            "Email does not yet exist. You must set up your local budibase account first."
-          )
-        })
-      })
-
-      describe("when a local account isn't required", () => {
-        it("creates and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({ user, details })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, false, mockDone, mockSaveUser)
-
-          // default roles for new user
-          ssoUser.roles = {}
-
-          // modified external id to match user format
-          ssoUser._id = "us_" + details.userId
-          delete ssoUser.userId
-
-          // new sso user won't have a password
-          delete ssoUser.password
-
-          // new user isn't saved with rev
-          delete ssoUser._rev
-
-          // tenant id added
-          ssoUser.tenantId = context.getTenantId()
-
-          expect(mockSaveUser).toHaveBeenCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toHaveBeenCalledWith(null, ssoUser)
-        })
-      })
-    })
-
-    describe("when the user exists", () => {
-      let existingUser: User
-      let details: SSOAuthDetails
-
-      beforeEach(() => {
-        existingUser = structures.users.user()
-        existingUser._id = structures.uuid()
-        details = structures.sso.authDetails(existingUser)
-        nock("http://example.com").get("/").reply(200, undefined, {
-          "Content-Type": "image/png",
-        })
-      })
-
-      describe("exists by email", () => {
-        beforeEach(() => {
-          users.getById.mockImplementationOnce(() => {
-            throw new HTTPError("", 404)
-          })
-          users.getGlobalUserByEmail.mockReturnValueOnce(
-            Promise.resolve(existingUser)
-          )
-        })
-
-        it("syncs and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({
-            user: existingUser,
-            details,
-          })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          // roles preserved
-          ssoUser.roles = existingUser.roles
-
-          // existing id preserved
-          ssoUser._id = existingUser._id
-
-          expect(mockSaveUser).toHaveBeenCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toHaveBeenCalledWith(null, ssoUser)
-        })
-      })
-
-      describe("exists by id", () => {
-        beforeEach(() => {
-          users.getById.mockReturnValueOnce(Promise.resolve(existingUser))
-        })
-
-        it("syncs and authenticates the user", async () => {
-          const ssoUser = structures.users.ssoUser({
-            user: existingUser,
-            details,
-          })
-          mockSaveUser.mockReturnValueOnce(ssoUser)
-
-          await sso.authenticate(details, true, mockDone, mockSaveUser)
-
-          // roles preserved
-          ssoUser.roles = existingUser.roles
-
-          // existing id preserved
-          ssoUser._id = existingUser._id
-
-          expect(mockSaveUser).toHaveBeenCalledWith(ssoUser, {
-            hashPassword: false,
-            requirePassword: false,
-          })
-          expect(mockDone).toHaveBeenCalledWith(null, ssoUser)
-        })
-      })
-    })
-  })
-})