@openneuro/server 4.34.2 → 4.35.0-alpha.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.34.2",
+  "version": "4.35.0-alpha.0",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -21,7 +21,7 @@
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^2.7.0",
-    "@openneuro/search": "^4.34.2",
+    "@openneuro/search": "^4.35.0-alpha.0",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -85,5 +85,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "6420eabb1a1b5068990523eb57991597faffb73e"
+  "gitHead": "aef6b8ec1097cd7cd19ca9de82e17d8dfa87be71"
 }

package/src/libs/authentication/google.ts

@@ -1,7 +1,19 @@
 import passport from "passport"
+import * as Sentry from "@sentry/node"
+import User from "../../models/user"
+import { PROVIDERS } from "./passport"
+import { userMigration } from "./user-migration"
+
+const loginErrorHandler = (next) => (loginErr) => {
+  if (loginErr) {
+    Sentry.captureException(loginErr)
+    return next(loginErr) // Pass error to Express error handler
+  }
+  return next()
+}
 
 export const requestAuth = (req, res, next) =>
-  passport.authenticate("google", {
+  passport.authenticate(PROVIDERS.GOOGLE, {
     scope: [
       "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/userinfo.profile",
@@ -12,7 +24,45 @@ export const requestAuth = (req, res, next) =>
     state: req.query.redirectPath || null,
   })(req, res, next)
 
-export const authCallback = passport.authenticate("google", {
-  failureRedirect: "/",
-  session: false,
-})
+export const authCallback = async (req, res, next) => {
+  // Google auth and redirect to linking page
+  return passport.authenticate(
+    PROVIDERS.GOOGLE,
+    { session: false },
+    async (err, user, _info) => {
+      // First we check if an ORCID user exists for this login
+      let orcidUser
+      if (user?.orcid) {
+        orcidUser = await User.findOne({
+          providerId: user.orcid,
+          provider: PROVIDERS.ORCID,
+        })
+      }
+      if (orcidUser && user?.migrated) {
+        // User has ORCID linked already, redirect to login as linked account
+        return res.redirect("/crn/auth/orcid")
+      } else if (orcidUser && !(user?.migrated)) {
+        // Linked but not migrated, migrate here and then login
+        try {
+          await userMigration(orcidUser.providerId, user.id)
+        } catch (_err) {
+          // Already logged, just redirect to error page
+          return next(_err)
+        }
+        return res.redirect("/crn/auth/orcid")
+      } else {
+        if (err) {
+          Sentry.captureException(err)
+          // Redirect to a generic error page or handle specific errors if possible
+          return res.redirect("/error/google/unknown")
+        }
+        if (!user) {
+          // Authentication failed (e.g., user denied access)
+          return res.redirect("/")
+        }
+        req.query.state = Buffer.from("/orcid-link").toString("base64")
+        return req.logIn(user, { session: false }, loginErrorHandler(next))
+      }
+    },
+  )(req, res, next)
+}

package/src/libs/authentication/jwt.ts

@@ -7,9 +7,9 @@ import config from "../../config"
 
 interface OpenNeuroTokenProfile {
   sub: string
-  email: string
-  provider: string
-  name: string
+  email?: string
+  provider?: string
+  name?: string
   admin: boolean
   iat: number
   exp: number

package/src/libs/authentication/orcid.ts

@@ -1,7 +1,7 @@
 import passport from "passport"
-import User from "../../models/user"
 import { parsedJwtFromRequest } from "./jwt"
 import * as Sentry from "@sentry/node"
+import { userMigration } from "./user-migration"
 
 export const requestAuth = passport.authenticate("orcid", {
   session: false,
@@ -20,19 +20,18 @@ export const authCallback = (req, res, next) =>
     if (!user) {
       return res.redirect("/")
     }
+    // Google user
     const existingAuth = parsedJwtFromRequest(req)
     if (existingAuth) {
-      // Save ORCID to primary account
-      User.findOne({ id: existingAuth.sub })
-        .then((userModel) => {
-          userModel.orcid = user.providerId
-          return userModel.save().then(() => {
-            res.redirect("/")
+      // Migrate Google to ORCID
+      if (existingAuth.provider === "google") {
+        return userMigration(user.providerId, existingAuth.sub).then(() => {
+          // Complete login with ORCID as primary account
+          req.logIn(user, { session: false }, (err) => {
+            return next(err)
           })
         })
-        .catch((err) => {
-          return next(err)
-        })
+      }
     } else {
       // Complete login with ORCID as primary account
       req.logIn(user, { session: false }, (err) => {

package/src/libs/authentication/passport.ts

@@ -9,7 +9,7 @@ import { encrypt } from "./crypto"
 import { addJWT, jwtFromRequest } from "./jwt"
 import orcid from "../orcid"
 
-const PROVIDERS = {
+export const PROVIDERS = {
   GOOGLE: "google",
   ORCID: "orcid",
 }

package/src/libs/authentication/user-migration.ts

@@ -0,0 +1,121 @@
+import mongoose from "mongoose"
+import User from "../../models/user"
+import UserMigration from "../../models/userMigration"
+import Dataset from "../../models/dataset"
+import Permission from "../../models/permission"
+import Comment from "../../models/comment"
+import Deletion from "../../models/deletion"
+import * as Sentry from "@sentry/node"
+
+/**
+ * Move content from a Google account to an ORCID one
+ *
+ * Automatic rollback and error reporting if anything here fails
+ *
+ * Records the migration steps taken in the UserMigration model
+ *
+ * @param orcid ORCID iD of the user's primary account
+ * @param userId Account being merged with the ORCID account
+ */
+export async function userMigration(orcid: string, userId: string) {
+  const session = await mongoose.startSession()
+  try {
+    await session.withTransaction(async () => {
+      try {
+        // Load both original records
+        const orcidUser = await User.findOne(
+          {
+            providerId: orcid,
+            provider: "orcid",
+          },
+          null,
+          { session },
+        )
+        const googleUser = await User.findOne(
+          {
+            id: userId,
+            provider: "google",
+          },
+          null,
+          { session },
+        )
+
+        // Save the original user records
+        const migration = new UserMigration({ session })
+        migration.users.push(orcidUser.toObject())
+        migration.users.push(googleUser.toObject())
+        await migration.save({ session })
+
+        // Migrate dataset ownership
+        const datasets = await Dataset.find({ uploader: googleUser.id }, null, {
+          session,
+        })
+        for (const dataset of datasets) {
+          dataset.uploader = orcidUser.id
+          // Record this dataset uploader as migrated
+          migration.datasets.push(dataset.id)
+          await dataset.save({ session })
+        }
+
+        // Migrate dataset permissions
+        const permissions = await Permission.find(
+          { userId: googleUser.id },
+          null,
+          {
+            session,
+          },
+        )
+        for (const permission of permissions) {
+          permission.userId = orcidUser.id
+          // Record this permission as migrated
+          migration.permissions.push(permission.toObject())
+          await permission.save({ session })
+        }
+
+        // Migrate dataset deletions
+        const deletions = await Deletion.find({ userId: googleUser.id }, null, {
+          session,
+        })
+        for (const deletion of deletions) {
+          deletion.user._id = orcidUser.id
+          // Record this deletion as migrated
+          migration.deletions.push(deletion.toObject())
+          await deletion.save({ session })
+        }
+
+        // Migrate comments
+        const comments = await Comment.find({ userId: googleUser.id }, null, {
+          session,
+        })
+        for (const comment of comments) {
+          comment.user._id = orcidUser.id
+          // Record this comment as migrated
+          migration.comments.push(comment.toObject())
+          await comment.save({ session })
+        }
+
+        // Migrate admin permissions if different
+        if (googleUser.admin) {
+          orcidUser.admin = true
+        }
+        // If either account is blocked should we even migrate?
+        if (googleUser.blocked) {
+          orcidUser.blocked = true
+        }
+        await orcidUser.save({ session })
+        // Save the orcid value that was actually used for future logins
+        googleUser.orcid = orcidUser.providerId
+        googleUser.migrated = true
+        await googleUser.save({ session })
+        // Save success
+        migration.success = true
+        await migration.save({ session })
+      } catch (err) {
+        Sentry.captureException(err)
+        throw err
+      }
+    })
+  } finally {
+    await session.endSession()
+  }
+}

package/src/models/user.ts

@@ -5,20 +5,37 @@ const { Schema, model } = mongoose
 
 export interface UserDocument extends Document {
   _id: string
+  // OpenNeuro specific user uuid
   id: string
+  // Best contact email for the user (notifications)
   email: string
+  // User's preferred name (visible)
   name: string
+  // Login provider
   provider: StaticRangeInit
+  // The id from the login provider
   providerId: string
+  // ORCID iD associated with this OpenNeuro user
   orcid: string
+  // Google account id associated with this OpenNeuro user
+  google: string
+  // Is this a migrated account? Migrated accounts were Google accounts moved to ORCID and disabled
+  migrated: boolean
   refresh: string
+  // Is this user a site admin with permissions for all datasets?
   admin: boolean
+  // Has this user been banned from the site?
   blocked: boolean
+  // Original account creation time
   created: Date
+  // Last time the user authenticated
   lastSeen: Date
   location: string
+  // Institution populated from ORCID
   institution: string
+  // GitHub account linked
   github: string
+  // User profile links
   links: string[]
 }
 
@@ -29,6 +46,8 @@ const userSchema = new Schema({
   provider: String, // Login provider
   providerId: String, // Login provider unique id
   orcid: String, // ORCID iD regardless of provider id
+  google: String, // Google ID if this is an ORCID account with a Google account linked
+  migrated: { type: Boolean, default: false },
   refresh: String,
   admin: { type: Boolean, default: false },
   blocked: { type: Boolean, default: false },

package/src/models/userMigration.ts

@@ -0,0 +1,32 @@
+import { v4 as uuidv4 } from "uuid"
+import mongoose from "mongoose"
+import type { Document } from "mongoose"
+const { Schema, model } = mongoose
+
+export interface UserMigrationDocument extends Document {
+  _id: string
+  orcid: string
+  google: string
+  users: object[]
+  datasets: string[]
+  permissions: object[]
+  comments: object[]
+  deletions: object[]
+  success: boolean
+}
+
+const userMigrationSchema = new Schema({
+  id: { type: String, default: uuidv4 }, // OpenNeuro id
+  orcid: String,
+  google: String,
+  datasets: { type: [String], default: [] },
+  permissions: { type: [Object], default: [] },
+  comments: { type: [String], default: [] },
+  deletions: { type: [String], default: [] },
+  users: { type: [Object], default: [] },
+  success: Boolean,
+})
+
+const User = model<UserMigrationDocument>("UserMigration", userMigrationSchema)
+
+export default User

package/src/routes.ts

@@ -178,6 +178,7 @@ const router = express.Router()
 
 for (const route of routes) {
   const arr = Object.hasOwn(route, "middleware") ? route.middleware : []
+  // @ts-expect-error This is actually working.
   arr.unshift(route.url)
   arr.push(route.handler)
   router[route.method](...arr)