@openneuro/server 4.35.0 → 4.36.0-alpha.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.35.0",
+  "version": "4.36.0-alpha.0",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -15,13 +15,13 @@
   },
   "author": "Squishymedia",
   "dependencies": {
-    "@apollo/client": "3.11.8",
-    "@apollo/server": "4.9.3",
+    "@apollo/client": "3.13.8",
+    "@apollo/server": "4.12.1",
     "@apollo/utils.keyvadapter": "3.0.0",
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^2.7.0",
-    "@openneuro/search": "^4.35.0",
+    "@openneuro/search": "^4.36.0-alpha.0",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -48,6 +48,7 @@
     "node-mailjet": "^3.3.5",
     "object-hash": "2.1.1",
     "passport": "0.7.0",
+    "passport-github2": "^0.1.12",
     "passport-google-oauth20": "2.0.0",
     "passport-jwt": "4.0.1",
     "passport-oauth2-refresh": "2.2.0",
@@ -85,5 +86,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "ce3f98fbbe9da0c9463dcae9fe6357c1000d0fa5"
+  "gitHead": "0d754964177331113f4279c48d6c0fae0f59adc2"
 }

package/src/config.ts

@@ -27,6 +27,10 @@ const config = {
       clientID: process.env.GLOBUS_CLIENT_ID,
       clientSecret: process.env.GLOBUS_CLIENT_SECRET,
     },
+    github: {
+      clientID: process.env.GITHUB_CLIENT_ID,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET,
+    },
     jwt: {
       secret: process.env.JWT_SECRET,
     },

package/src/graphql/resolvers/user.ts

@@ -9,7 +9,7 @@ function isValidOrcid(orcid: string): boolean {
 export const user = (obj, { id }) => {
   if (isValidOrcid(id)) {
     return User.findOne({
-      $or: [{ "orcid": id }, { "providerId": id }],
+      $or: [{ "provider": "orcid", "providerId": id }],
     }).exec()
   } else {
     // If it's not a valid ORCID, fall back to querying by user id

package/src/graphql/schema.ts

@@ -331,6 +331,7 @@ export const typeDefs = `
     location: String
     institution: String
     github: String
+    githubSynced: Date
     links: [String]
   }
 

package/src/libs/__tests__/github.spec.ts

@@ -0,0 +1,33 @@
+import type { Strategy as GitHubStrategy } from "passport-github2"
+import { vi } from "vitest"
+import passport from "passport"
+import { setupGitHubAuth } from "../authentication/github"
+
+// Mock the necessary modules
+vi.mock("../../models/user")
+vi.mock("../../config", () => ({
+  default: {
+    auth: {
+      github: {
+        clientID: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      jwt: {
+        secret: "test-jwt-secret",
+      },
+    },
+    url: "http://localhost",
+    apiPrefix: "/api/",
+  },
+}))
+
+describe("GitHub OAuth Strategy", () => {
+  beforeAll(() => {
+    setupGitHubAuth()
+  })
+
+  it("should initialize GitHub strategy", () => {
+    const strategy = passport._strategies.github as GitHubStrategy
+    expect(strategy).toBeDefined()
+  })
+})

package/src/libs/authentication/github.ts

@@ -0,0 +1,185 @@
+import passport from "passport"
+import jwt from "jsonwebtoken"
+import { Strategy as GitHubStrategy } from "passport-github2"
+import config from "../../config"
+import User from "../../models/user"
+import * as Sentry from "@sentry/node"
+import { addJWT, jwtFromRequest } from "./jwt"
+import type { NextFunction, Request, Response } from "express"
+
+interface GitHubAuthInfo {
+  message?: string
+}
+
+interface GitHubUser {
+  _id: string
+  id: string
+  email?: string
+  name?: string
+  github?: string
+  avatar?: string
+  location?: string
+  institution?: string
+  links?: string[]
+  githubSynced?: Date
+}
+
+// Middleware to store last visited page before authentication
+export const storeRedirect = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  req.query.redirectTo = (req.get("Referer") || "/") as string
+  next()
+}
+
+export const setupGitHubAuth = () => {
+  if (!config.auth.github.clientID || !config.auth.github.clientSecret) return
+
+  const githubStrategy = new GitHubStrategy(
+    {
+      clientID: config.auth.github.clientID,
+      clientSecret: config.auth.github.clientSecret,
+      callbackURL: `${config.url + config.apiPrefix}auth/github/callback`,
+      scope: ["user:email", "read:user"],
+      passReqToCallback: true,
+    },
+    async (req, accessToken, refreshToken, profile, done) => {
+      try {
+        const token = jwtFromRequest(req)
+        const decoded = token ? jwt.verify(token, config.auth.jwt.secret) : null
+
+        if (!decoded || !decoded.sub) {
+          if (req.res) {
+            req.res.redirect("/error/github")
+          }
+          return done(new Error("No authenticated user found"), null)
+        }
+
+        const currentUser = await User.findOne({
+          id: decoded.sub,
+        })
+
+        if (!currentUser) {
+          if (req.res) {
+            req.res.redirect("/error/github")
+          }
+          return done(null, false, {
+            message: "Please login with your ORCID account",
+          })
+        }
+
+        // Updating GitHub info
+        currentUser.github = profile.username
+        currentUser.avatar = profile._json.avatar_url
+
+        if (!currentUser.location && profile._json.location) {
+          currentUser.location = profile._json.location
+        }
+        if (!currentUser.institution && profile._json.company) {
+          currentUser.institution = profile._json.company
+        }
+
+        // Ensure links array exists before adding GitHub profile URL
+        if (!currentUser.links) {
+          currentUser.links = []
+        }
+        if (
+          profile.profileUrl && !currentUser.links.includes(profile.profileUrl)
+        ) {
+          currentUser.links.push(profile.profileUrl)
+        }
+
+        currentUser.githubSynced = new Date()
+        await currentUser.save()
+        return done(null, addJWT(config)(currentUser.toObject()), {
+          message: "GitHub sync successful",
+        })
+      } catch (err) {
+        Sentry.captureException(err)
+        return done(err, null)
+      }
+    },
+  )
+
+  passport.use("github", githubStrategy)
+}
+
+const getStringFromQuery = (
+  query:
+    | string
+    | string[]
+    | Record<string, string | string[] | undefined>
+    | undefined,
+): string | undefined => {
+  if (typeof query === "string") {
+    return query
+  }
+  if (Array.isArray(query) && query.length > 0) {
+    return query[0]
+  }
+  return undefined
+}
+
+export const requestAuth = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  const redirectToParam = req.query.redirectTo as string | undefined // Explicit cast
+  const redirectToQuery: string | undefined = getStringFromQuery(
+    redirectToParam,
+  )
+  const redirectTo: string = redirectToQuery || "/"
+  passport.authenticate("github", {
+    state: encodeURIComponent(redirectTo),
+  })(req, res, next)
+}
+
+export const authCallback = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  passport.authenticate(
+    "github",
+    (err: Error | null, user: GitHubUser | false, info: GitHubAuthInfo) => {
+      const stateParam = req.query.state as string | undefined // Explicit cast
+      const stateQuery: string | undefined = getStringFromQuery(stateParam)
+      const redirectTo: string = stateQuery
+        ? decodeURIComponent(stateQuery)
+        : "/"
+
+      // Remove any existing query parameters
+      const cleanRedirectTo = redirectTo.split("?")[0]
+
+      if (err) {
+        Sentry.captureException(err)
+        return res.redirect(
+          `${cleanRedirectTo}?error=${
+            encodeURIComponent(
+              String(err?.message || "github_auth_failed"),
+            )
+          }`,
+        )
+      }
+
+      if (!user) {
+        Sentry.captureMessage(
+          `GitHub Auth Failed - Info: ${JSON.stringify(info)}`,
+          "warning",
+        )
+        return res.redirect(
+          `${cleanRedirectTo}?error=${
+            encodeURIComponent(
+              info?.message || "github_auth_failed",
+            )
+          }`,
+        )
+      }
+
+      return res.redirect(`${cleanRedirectTo}?success=github_auth_success`)
+    },
+  )(req, res, next)
+}

package/src/libs/authentication/passport.ts

@@ -8,10 +8,12 @@ import User from "../../models/user"
 import { encrypt } from "./crypto"
 import { addJWT, jwtFromRequest } from "./jwt"
 import orcid from "../orcid"
+import { setupGitHubAuth } from "./github"
 
 export const PROVIDERS = {
   GOOGLE: "google",
   ORCID: "orcid",
+  GITHUB: "github",
 }
 
 interface OauthProfile {
@@ -21,6 +23,7 @@ interface OauthProfile {
   providerId: string
   orcid?: string
   refresh?: string
+  avatar?: string
 }
 
 export const loadProfile = (profile): OauthProfile | Error => {
@@ -45,6 +48,13 @@ export const loadProfile = (profile): OauthProfile | Error => {
       orcid: profile.orcid,
       refresh: undefined,
     }
+  } else if (profile.provider === PROVIDERS.GITHUB) {
+    return {
+      email: profile.emails ? profile.emails[0].value : "",
+      name: profile.displayName || profile.username,
+      provider: profile.provider,
+      providerId: profile.id,
+    }
   } else {
     // Some unknown profile type
     return new Error("Unhandled profile type.")
@@ -110,11 +120,7 @@ export const setupPassportAuth = () => {
       { secretOrKey: config.auth.jwt.secret, jwtFromRequest },
       (jwt, done) => {
         if (jwt.scopes?.includes("dataset:indexing")) {
-          done(null, {
-            admin: false,
-            blocked: false,
-            indexer: true,
-          })
+          done(null, { admin: false, blocked: false, indexer: true })
         } else if (jwt.scopes?.includes("dataset:reviewer")) {
           done(null, {
             admin: false,
@@ -125,10 +131,9 @@ export const setupPassportAuth = () => {
         } else {
           // A user must already exist to use a JWT to auth a request
           User.findOne({ id: jwt.sub, provider: jwt.provider })
-            .then((user) => {
-              if (user) done(null, user.toObject())
-              else done(null, false)
-            })
+            .then((user) =>
+              user ? done(null, user.toObject()) : done(null, false)
+            )
             .catch(done)
         }
       },
@@ -168,4 +173,5 @@ export const setupPassportAuth = () => {
     )
     passport.use(PROVIDERS.ORCID, orcidStrategy)
   }
+  setupGitHubAuth()
 }

package/src/models/user.ts

@@ -37,6 +37,8 @@ export interface UserDocument extends Document {
   github: string
   // User profile links
   links: string[]
+  avatar: string
+  githubSynced: Date
 }
 
 const userSchema = new Schema({
@@ -49,6 +51,7 @@ const userSchema = new Schema({
   google: String, // Google ID if this is an ORCID account with a Google account linked
   migrated: { type: Boolean, default: false },
   refresh: String,
+  avatar: String,
   admin: { type: Boolean, default: false },
   blocked: { type: Boolean, default: false },
   created: { type: Date, default: Date.now },
@@ -56,6 +59,7 @@ const userSchema = new Schema({
   location: { type: String, default: "" },
   institution: { type: String, default: "" },
   github: { type: String, default: "" },
+  githubSynced: { type: Date },
   links: { type: [String], default: [] },
 })
 

package/src/routes.ts

@@ -9,11 +9,13 @@ import * as subscriptions from "./handlers/subscriptions"
 import verifyUser from "./libs/authentication/verifyUser"
 import * as google from "./libs/authentication/google"
 import * as orcid from "./libs/authentication/orcid"
+import * as githubAuth from "./libs/authentication/github"
 import * as jwt from "./libs/authentication/jwt"
 import * as auth from "./libs/authentication/states"
 import * as doi from "./handlers/doi"
 import { sitemapHandler } from "./handlers/sitemap"
 import { reviewerHandler } from "./handlers/reviewer"
+import { storeRedirect } from "./libs/authentication/github"
 
 const noCache = (req, res, next) => {
   res.setHeader("Surrogate-Control", "no-store")
@@ -157,6 +159,21 @@ const routes = [
     middleware: [noCache, orcid.authCallback],
     handler: jwt.authSuccessHandler,
   },
+
+  // GitHub authentication route
+  {
+    method: "get",
+    url: "/auth/github",
+    middleware: [storeRedirect],
+    handler: githubAuth.requestAuth,
+  },
+
+  {
+    method: "get",
+    url: "/auth/github/callback",
+    handler: githubAuth.authCallback,
+  },
+
   // Anonymous reviewer access
   {
     method: "get",