@stamhoofd/backend 2.75.1 → 2.76.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.75.1",
+    "version": "2.76.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.20.0",
         "@simonbackx/simple-endpoints": "1.19.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.75.1",
-        "@stamhoofd/backend-middleware": "2.75.1",
-        "@stamhoofd/email": "2.75.1",
-        "@stamhoofd/models": "2.75.1",
-        "@stamhoofd/queues": "2.75.1",
-        "@stamhoofd/sql": "2.75.1",
-        "@stamhoofd/structures": "2.75.1",
-        "@stamhoofd/utility": "2.75.1",
+        "@stamhoofd/backend-i18n": "2.76.0",
+        "@stamhoofd/backend-middleware": "2.76.0",
+        "@stamhoofd/email": "2.76.0",
+        "@stamhoofd/models": "2.76.0",
+        "@stamhoofd/queues": "2.76.0",
+        "@stamhoofd/sql": "2.76.0",
+        "@stamhoofd/structures": "2.76.0",
+        "@stamhoofd/utility": "2.76.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "4c6a7f14c62e4832885325d02c5aaeeccf27568b"
+    "gitHead": "85e0625ba777d83d92ad582443df1666955d51f6"
 }

package/src/endpoints/auth/OpenIDConnectAuthTokenEndpoint.ts

@@ -0,0 +1,43 @@
+import { AutoEncoder, field, StringDecoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+
+import { Context } from '../../helpers/Context';
+import { SSOService } from '../../services/SSOService';
+import { OpenIDAuthTokenResponse } from '@stamhoofd/structures';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = undefined;
+type ResponseBody = OpenIDAuthTokenResponse;
+
+/**
+ * This endpoint does nothing but build a URL to start the OpenID Connect flow.
+ * It is used to provide authenticateion data to the url that is temporarily valid (allows to connect an SSO provider to an existing account)
+ */
+export class OpenIDConnectAuthTokenEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'POST') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/openid/auth-token', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        // Check webshop and/or organization
+        await Context.setUserOrganizationScope();
+        await Context.authenticate({ allowWithoutAccount: false });
+
+        // Create a SSO auth token that can only be used once
+        const token = await SSOService.createToken();
+
+        return new Response(OpenIDAuthTokenResponse.create({
+            ssoAuthToken: token,
+        }));
+    }
+}

package/src/endpoints/auth/OpenIDConnectStartEndpoint.ts

@@ -6,15 +6,15 @@ import { Context } from '../../helpers/Context';
 import { SSOService } from '../../services/SSOService';
 
 type Params = Record<string, never>;
-type Query = undefined;
-type Body = StartOpenIDFlowStruct;
+type Query = StartOpenIDFlowStruct;
+type Body = undefined;
 type ResponseBody = undefined;
 
 export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
-    bodyDecoder = StartOpenIDFlowStruct as Decoder<StartOpenIDFlowStruct>;
+    queryDecoder = StartOpenIDFlowStruct as Decoder<StartOpenIDFlowStruct>;
 
     protected doesMatch(request: Request): [true, Params] | [false] {
-        if (request.method !== 'POST') {
+        if (request.method !== 'GET') {
             return [false];
         }
 
@@ -29,8 +29,7 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
     async handle(request: DecodedRequest<Params, Query, Body>) {
         // Check webshop and/or organization
         await Context.setUserOrganizationScope();
-        await Context.optionalAuthenticate({ allowWithoutAccount: false });
-        const service = await SSOService.fromContext(request.body.provider);
-        return await service.validateAndStartAuthCodeFlow(request.body);
+        const service = await SSOService.fromContext(request.query.provider);
+        return await service.validateAndStartAuthCodeFlow(request.query);
     }
 }

package/src/endpoints/global/files/UploadFile.ts

@@ -186,7 +186,7 @@ export class UploadFile extends Endpoint<Params, Query, Body, ResponseBody> {
                 throw new SimpleError({
                     code: 'failed_to_sign',
                     message: 'Failed to sign file',
-                    human: $t('Er ging iet mis bij het uploaden van jouw bestand. Probeer het later opnieuw (foutcode: SIGN).'),
+                    human: $t('509cdb4f-131a-42a6-b3b1-a63cca231e65'),
                     statusCode: 500,
                 });
             }

package/src/helpers/MemberUserSyncer.ts

@@ -5,6 +5,7 @@ import crypto from 'crypto';
 import basex from 'base-x';
 import { AuditLogService } from '../services/AuditLogService';
 import { Formatter } from '@stamhoofd/utility';
+import { QueueHandler } from '@stamhoofd/queues';
 
 const ALPHABET = '123456789ABCDEFGHJKMNPQRSTUVWXYZ'; // Note: we removed 0, O, I and l to make it easier for humans
 const customBase = basex(ALPHABET);
@@ -203,116 +204,119 @@ export class MemberUserSyncerStatic {
     }
 
     async linkUser(email: string, member: MemberWithRegistrations, asParent: boolean, updateNameIfEqual = true) {
-        console.log('Linking user', email, 'to member', member.id, 'as parent', asParent, 'update name if equal', updateNameIfEqual);
-
-        let user = member.users.find(u => u.email.toLocaleLowerCase() === email.toLocaleLowerCase()) ?? await User.getForAuthentication(member.organizationId, email, { allowWithoutAccount: true });
-
-        if (user) {
-            // console.log("Giving an existing user access to a member: " + user.id + ' - ' + member.id)
-            if (!asParent) {
-                if (user.memberId && user.memberId !== member.id) {
-                    console.error('Found conflicting user with multiple members', user.id, 'members', user.memberId, 'to', member.id);
-
-                    const otherMember = await Member.getWithRegistrations(user.memberId);
-
-                    if (otherMember) {
-                        if (otherMember.registrations.length > 0 && member.registrations.length === 0) {
-                            // Choose the other member
-                            // don't make changes
-                            console.error('Resolved to current member - no changes made');
-                            return;
+        // This needs to happen in the queue to prevent creating duplicate users in the database
+        await QueueHandler.schedule('link-user/' + email, async () => {
+            console.log('Linking user', email, 'to member', member.id, 'as parent', asParent, 'update name if equal', updateNameIfEqual);
+
+            let user = member.users.find(u => u.email.toLocaleLowerCase() === email.toLocaleLowerCase()) ?? await User.getForAuthentication(member.organizationId, email, { allowWithoutAccount: true });
+
+            if (user) {
+                // console.log("Giving an existing user access to a member: " + user.id + ' - ' + member.id)
+                if (!asParent) {
+                    if (user.memberId && user.memberId !== member.id) {
+                        console.error('Found conflicting user with multiple members', user.id, 'members', user.memberId, 'to', member.id);
+
+                        const otherMember = await Member.getWithRegistrations(user.memberId);
+
+                        if (otherMember) {
+                            if (otherMember.registrations.length > 0 && member.registrations.length === 0) {
+                                // Choose the other member
+                                // don't make changes
+                                console.error('Resolved to current member - no changes made');
+                                return;
+                            }
+
+                            const responsibilities = await this.getResponsibilitiesForMembers([otherMember.id, member.id]);
+                            const responsibilitiesOther = responsibilities.filter(r => r.memberId === otherMember.id);
+                            const responsibilitiesCurrent = responsibilities.filter(r => r.memberId === member.id);
+
+                            if (responsibilitiesOther.length >= responsibilitiesCurrent.length) {
+                                console.error('Resolved to current member because of more responsibilities - no changes made');
+                                return;
+                            }
                         }
+                    }
 
-                        const responsibilities = await this.getResponsibilitiesForMembers([otherMember.id, member.id]);
-                        const responsibilitiesOther = responsibilities.filter(r => r.memberId === otherMember.id);
-                        const responsibilitiesCurrent = responsibilities.filter(r => r.memberId === member.id);
-
-                        if (responsibilitiesOther.length >= responsibilitiesCurrent.length) {
-                            console.error('Resolved to current member because of more responsibilities - no changes made');
-                            return;
-                        }
+                    if (updateNameIfEqual) {
+                        user.firstName = member.details.firstName;
+                        user.lastName = member.details.lastName;
                     }
+                    user.memberId = member.id;
+                    await this.updateInheritedPermissions(user);
                 }
+                else {
+                    let shouldSave = false;
+
+                    if (!user.firstName && !user.lastName) {
+                        const parents = member.details.parents.filter(p => p.email === email);
+                        if (parents.length === 1) {
+                            if (updateNameIfEqual) {
+                                user.firstName = parents[0].firstName;
+                                user.lastName = parents[0].lastName;
+                            }
+                            shouldSave = true;
+                        }
+                    }
 
-                if (updateNameIfEqual) {
-                    user.firstName = member.details.firstName;
-                    user.lastName = member.details.lastName;
+                    if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
+                        user.firstName = null;
+                        user.lastName = null;
+                        shouldSave = true;
+                    }
+
+                    if (user.memberId === member.id) {
+                        // Unlink: parents are never 'equal' to the member
+                        user.memberId = null;
+                        await this.updateInheritedPermissions(user);
+                    }
+                    if (shouldSave) {
+                        await user.save();
+                    }
                 }
-                user.memberId = member.id;
-                await this.updateInheritedPermissions(user);
             }
             else {
-                let shouldSave = false;
+                // Create a new placeholder user
+                user = new User();
+                user.organizationId = member.organizationId;
+                user.email = email;
 
-                if (!user.firstName && !user.lastName) {
+                if (!asParent) {
+                    if (updateNameIfEqual) {
+                        user.firstName = member.details.firstName;
+                        user.lastName = member.details.lastName;
+                    }
+                    user.memberId = member.id;
+                    await this.updateInheritedPermissions(user);
+                }
+                else {
                     const parents = member.details.parents.filter(p => p.email === email);
                     if (parents.length === 1) {
                         if (updateNameIfEqual) {
                             user.firstName = parents[0].firstName;
                             user.lastName = parents[0].lastName;
                         }
-                        shouldSave = true;
                     }
-                }
-
-                if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
-                    user.firstName = null;
-                    user.lastName = null;
-                    shouldSave = true;
-                }
 
-                if (user.memberId === member.id) {
-                    // Unlink: parents are never 'equal' to the member
-                    user.memberId = null;
-                    await this.updateInheritedPermissions(user);
-                }
-                if (shouldSave) {
-                    await user.save();
-                }
-            }
-        }
-        else {
-            // Create a new placeholder user
-            user = new User();
-            user.organizationId = member.organizationId;
-            user.email = email;
-
-            if (!asParent) {
-                if (updateNameIfEqual) {
-                    user.firstName = member.details.firstName;
-                    user.lastName = member.details.lastName;
-                }
-                user.memberId = member.id;
-                await this.updateInheritedPermissions(user);
-            }
-            else {
-                const parents = member.details.parents.filter(p => p.email === email);
-                if (parents.length === 1) {
-                    if (updateNameIfEqual) {
-                        user.firstName = parents[0].firstName;
-                        user.lastName = parents[0].lastName;
+                    if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
+                        user.firstName = null;
+                        user.lastName = null;
                     }
-                }
 
-                if (user.firstName === member.details.firstName && user.lastName === member.details.lastName) {
-                    user.firstName = null;
-                    user.lastName = null;
+                    await user.save();
                 }
 
-                await user.save();
+                console.log('Created new (placeholder) user that has access to a member: ' + user.id);
             }
 
-            console.log('Created new (placeholder) user that has access to a member: ' + user.id);
-        }
-
-        // Update model relation to correct response
-        if (!member.users.find(u => u.id === user.id)) {
-            await Member.users.reverse('members').link(user, [member]);
-            member.users.push(user);
+            // Update model relation to correct response
+            if (!member.users.find(u => u.id === user.id)) {
+                await Member.users.reverse('members').link(user, [member]);
+                member.users.push(user);
 
-            // Update balance of this user, as it could have changed
-            await this.updateUserBalance(user.id, member.id);
-        }
+                // Update balance of this user, as it could have changed
+                await this.updateUserBalance(user.id, member.id);
+            }
+        });
     }
 
     /**

package/src/services/FileSignService.ts

@@ -175,7 +175,7 @@ export class FileSignService {
                 throw new SimpleError({
                     code: 'invalid_signature',
                     message: 'Invalid signature for file',
-                    human: $t('Je probeert een bestand up te loaden dat niet door ons is gegenereerd. Probeer het opnieuw.'),
+                    human: $t('479684ab-6c50-4ced-82d7-8245f4f475f4'),
                 });
             }
             return;

package/src/services/SSOService.ts

@@ -35,19 +35,71 @@ type SSOSessionContext = {
     userId?: string | null;
 };
 
+export class SSOAuthToken {
+    validUntil: Date;
+    token: string;
+    userId: string;
+}
+
 export class SSOService {
     provider: LoginProviderType;
     platform: Platform;
     organization: Organization | null;
-    user: User | null = null;
 
     static sessionStorage = new Map<string, SSOSessionContext>();
 
-    constructor(data: { provider: LoginProviderType; platform: Platform; organization?: Organization | null; user?: User | null }) {
+    /**
+     * Maps auth token to user id + expiry information
+     */
+    static authTokens = new Map<string, SSOAuthToken>();
+
+    constructor(data: { provider: LoginProviderType; platform: Platform; organization?: Organization | null }) {
         this.provider = data.provider;
         this.platform = data.platform;
         this.organization = data.organization ?? null;
-        this.user = data.user ?? null;
+    }
+
+    static async clearExpiredTokensOrFromUser(userId: string | null = null) {
+        const d = new Date();
+        for (const [key, value] of this.authTokens) {
+            if (value.userId === userId || value.validUntil < d) {
+                this.authTokens.delete(key);
+            }
+        }
+    }
+
+    static async createToken() {
+        if (!Context.user) {
+            throw new SimpleError({
+                code: 'invalid_user',
+                message: 'Not signed in',
+                statusCode: 401,
+            });
+        }
+
+        const token = new SSOAuthToken();
+        token.validUntil = new Date(Date.now() + 1000 * 60 * 5);
+        token.token = (await randomBytes(192)).toString('base64').toUpperCase();
+        token.userId = Context.user.id;
+
+        await this.clearExpiredTokensOrFromUser(token.userId);
+        this.authTokens.set(token.token, token);
+
+        return token.token;
+    }
+
+    static async validateToken(token: string) {
+        const authToken = this.authTokens.get(token);
+        if (!authToken || authToken.validUntil < new Date()) {
+            this.authTokens.delete(token);
+            throw new SimpleError({
+                code: 'invalid_token',
+                message: 'Invalid token',
+                statusCode: 401,
+            });
+        }
+        this.authTokens.delete(token);
+        return authToken;
     }
 
     /**
@@ -80,7 +132,7 @@ export class SSOService {
         const organization = Context.organization;
         const platform = await Platform.getShared();
 
-        const service = new SSOService({ provider, platform, organization, user: Context.user });
+        const service = new SSOService({ provider, platform, organization });
         service.validateConfiguration();
 
         return service;
@@ -144,12 +196,6 @@ export class SSOService {
         const __ = this.loginConfiguration;
     }
 
-    validateUser() {
-        if (this.user) {
-            this.validateEmail(this.user.email);
-        }
-    }
-
     validateEmail(email: string) {
         // Validate configuration
         const loginConfiguration = this.loginConfiguration;
@@ -309,28 +355,77 @@ export class SSOService {
             });
         }
 
-        return await this.startAuthCodeFlow(redirectUri, data.spaState, data.prompt);
+        let user: User | undefined = undefined;
+
+        if (data.authToken) {
+            const token = await SSOService.validateToken(data.authToken);
+            if (token) {
+                user = await User.getByID(token.userId);
+
+                if (!user) {
+                    throw new SimpleError({
+                        code: 'invalid_user',
+                        message: 'User not found',
+                        statusCode: 404,
+                    });
+                }
+
+                this.validateEmail(user.email);
+            }
+        }
+
+        return await this.startAuthCodeFlow(redirectUri, data.spaState, data.prompt, user);
+    }
+
+    validateRedirectUri(uri: string) {
+        let parsed: URL;
+        try {
+            parsed = new URL(uri);
+        }
+        catch (e) {
+            throw new SimpleError({
+                code: 'invalid_redirect_uri',
+                message: 'Invalid redirect uri',
+                field: 'redirectUri',
+                statusCode: 400,
+            });
+        }
+
+        if (parsed.protocol !== 'https:') {
+            throw new SimpleError({
+                code: 'invalid_redirect_uri',
+                message: 'Invalid redirect uri',
+                field: 'redirectUri',
+                statusCode: 400,
+            });
+        }
+
+        if (parsed.host !== STAMHOOFD.domains.dashboard) {
+            throw new SimpleError({
+                code: 'invalid_redirect_uri',
+                message: 'Invalid redirect uri',
+                field: 'redirectUri',
+                statusCode: 400,
+            });
+        }
     }
 
-    async startAuthCodeFlow(redirectUri: string, spaState: string, prompt: string | null = null): Promise<Response<undefined>> {
+    async startAuthCodeFlow(redirectUri: string, spaState: string, prompt: string | null = null, user?: User): Promise<Response<undefined>> {
         const code_verifier = generators.codeVerifier();
-        const state = generators.state();
+        const state = generators.state(); // this is the internal state backend <-> SSO provider
         const nonce = generators.nonce();
         const code_challenge = generators.codeChallenge(code_verifier);
         const expires = new Date(Date.now() + 1000 * 60 * 15);
 
-        // Validate user id
-        this.validateUser();
-
         const session: SSOSessionContext = {
             expires,
             code_verifier,
             state,
             nonce,
             redirectUri,
-            spaState,
+            spaState, // this is the state frontend <-> backend (not backend <-> SSO provider)
             providerType: this.provider,
-            userId: Context.user?.id ?? null,
+            userId: user?.id ?? null,
         };
 
         try {
@@ -355,7 +450,7 @@ export class SSOService {
                 state,
                 nonce,
                 prompt: prompt ?? undefined,
-                login_hint: this.user?.email ?? undefined,
+                login_hint: user?.email ?? undefined,
                 redirect_uri: this.externalRedirectUri,
 
                 // Google has this instead of the offline_access scope