@openneuro/server 4.35.0-alpha.0 → 4.35.0-alpha.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.35.0-alpha.0",
+  "version": "4.35.0-alpha.1",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -21,7 +21,7 @@
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^2.7.0",
-    "@openneuro/search": "^4.35.0-alpha.0",
+    "@openneuro/search": "^4.35.0-alpha.1",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -85,5 +85,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "aef6b8ec1097cd7cd19ca9de82e17d8dfa87be71"
+  "gitHead": "ac9c013877e5d9c1fa9615a177f79e0da0747f84"
 }

package/src/graphql/__tests__/permissions.spec.ts

@@ -68,9 +68,15 @@ describe("resolver permissions helpers", () => {
     })
     it("resolves to true for admins", () => {
       return expect(
-        checkDatasetWrite("ds000001", "1234", { admin: true }, undefined, {
-          checkExists: false,
-        }),
+        checkDatasetWrite(
+          "ds000001",
+          "1234",
+          { email: "test@example.com", admin: true },
+          undefined,
+          {
+            checkExists: false,
+          },
+        ),
       ).resolves.toBe(true)
     })
   })
@@ -104,7 +110,7 @@ describe("resolver permissions helpers", () => {
         checkDatasetAdmin(
           "ds000001",
           "1234",
-          { admin: true },
+          { email: "test@example.com", admin: true },
           { checkExists: false },
         ),
       ).resolves.toBe(true)

package/src/graphql/permissions.ts

@@ -138,6 +138,9 @@ export const checkDatasetWrite = async (
     // Quick path for anonymous writes
     throw new Error(state.errorMessage)
   }
+  if (userId && !(userInfo.email)) {
+    throw new Error("Connect an email to make contributions to OpenNeuro.")
+  }
   if (userId && userInfo.admin) {
     // Always allow site admins
     return true

package/src/libs/authentication/orcid.ts

@@ -7,6 +7,27 @@ export const requestAuth = passport.authenticate("orcid", {
   session: false,
 })
 
+/**
+ * Complete a successful login
+ */
+export function completeRequestLogin(req, res, next, user) {
+  return req.logIn(user, { session: false }, (err) => {
+    if (err) {
+      Sentry.captureException(err)
+      return next(err)
+    }
+    // If no email is provided for a logged in user, warn the user
+    if (!req.user.email && req.user && req.user.token) {
+      // Set the access token manually and redirect
+      res.cookie("accessToken", req.user.token, { sameSite: "Lax" as const })
+      res.redirect("/error/email-warning")
+    } else {
+      // Login normally
+      return next()
+    }
+  })
+}
+
 export const authCallback = (req, res, next) =>
   passport.authenticate("orcid", (err, user) => {
     if (err) {
@@ -26,16 +47,10 @@ export const authCallback = (req, res, next) =>
       // Migrate Google to ORCID
       if (existingAuth.provider === "google") {
         return userMigration(user.providerId, existingAuth.sub).then(() => {
-          // Complete login with ORCID as primary account
-          req.logIn(user, { session: false }, (err) => {
-            return next(err)
-          })
+          return completeRequestLogin(req, res, next, user)
         })
       }
     } else {
-      // Complete login with ORCID as primary account
-      req.logIn(user, { session: false }, (err) => {
-        return next(err)
-      })
+      return completeRequestLogin(req, res, next, user)
     }
   })(req, res, next)