@yahoo/uds 1.3.4 → 1.4.0

package/cli/preload.ts

@@ -51,6 +51,7 @@ mock.module('googleapis', () => ({
       OAuth2: mock(() => {}).mockImplementation(() => ({
         getToken: () => Promise.resolve({ tokens: 'test' }),
         setCredentials: mock(() => {}),
+        generateAuthUrl: mock(() => 'https://accounts.google.com/o/oauth2/v2/auth'),
       })),
     },
     oauth2: () => ({

package/cli/utils/auth.test.ts

@@ -6,11 +6,15 @@ import http from 'http';
 import httpMocks from 'node-mocks-http';
 
 import {
+  configuratorUrlOrigin,
   getAuthenticatedUser,
+  getAuthorizeUrl,
   isYahooEmployee,
   login,
+  type LoginProvider,
   logout,
-  onRequestHandler,
+  onGETHandler,
+  onPostHandler,
   type User,
 } from './auth';
 
@@ -29,6 +33,22 @@ describe('auth', () => {
     });
   });
 
+  describe('getAuthorizeUrl', () => {
+    it('uses configurator by default', () => {
+      expect(getAuthorizeUrl()).toEqual(
+        `${configuratorUrlOrigin}/login?continue=http://localhost:3000/oauth2callback`,
+      );
+    });
+
+    it('generates the google auth url for other providers', () => {
+      (['google', 'firebase'] as LoginProvider[]).forEach((provider) => {
+        expect(getAuthorizeUrl(provider)).toStartWith(
+          `https://accounts.google.com/o/oauth2/v2/auth`,
+        );
+      });
+    });
+  });
+
   describe('getAuthenticatedUser', () => {
     it('does not return a user on first use', async () => {
       expect(await getAuthenticatedUser(__dirname)).toBeUndefined();
@@ -72,7 +92,7 @@ describe('auth', () => {
 
       const request = httpMocks.createRequest({ method: 'GET', url: '/oauth2callback' });
       const response = httpMocks.createResponse();
-      await onRequestHandler.bind(mockServer)(request, response, resolve, reject);
+      await onGETHandler.bind(mockServer)(request, response, resolve, reject);
       expect(response._getData()).toInclude('no code parameter');
     });
 
@@ -82,13 +102,75 @@ describe('auth', () => {
 
       const request = httpMocks.createRequest({ method: 'GET', url: '/oauth2callback?code=123' });
       const response = httpMocks.createResponse();
-      await onRequestHandler.bind(mockServer)(request, response, resolve, reject);
+      await onGETHandler.bind(mockServer)(request, response, resolve, reject);
       expect(response._getData()).toInclude('Authentication successful! Please close this window.');
       expect(resolve).toHaveBeenCalledWith(mockUser);
       expect(reject).not.toHaveBeenCalled();
     });
   });
 
+  describe('onPostHandler', () => {
+    const mockServer = Object.assign(Object.create(http.Server.prototype), {
+      listen: mock(),
+      on: mock(),
+      close: mock(),
+    });
+
+    it('ignores non-POST requests', () => {
+      const req = httpMocks.createRequest({ method: 'GET' });
+      const resp = httpMocks.createResponse();
+      onPostHandler.bind(mockServer)(req, resp, mock(), mock());
+      expect(resp._getStatusCode()).toBe(405);
+      expect(resp._getData()).toInclude('Method Not Allowed');
+    });
+
+    it('rejects requests from 3rd party origins', () => {
+      const req = httpMocks.createRequest({
+        method: 'POST',
+        headers: { origin: 'https://bad.com' },
+      });
+      const resp = httpMocks.createResponse();
+      const reject = mock();
+      onPostHandler.bind(mockServer)(req, resp, mock(), reject);
+      expect(reject).toHaveBeenCalledWith('Request origin not allowed.');
+    });
+
+    it('sets CORS headers', () => {
+      const req = httpMocks.createRequest({
+        method: 'POST',
+        headers: { origin: configuratorUrlOrigin },
+        // body: JSON.stringify({ email: ''}),
+      });
+      const resp = httpMocks.createResponse();
+      const resolve = mock();
+      const reject = mock();
+      onPostHandler.bind(mockServer)(req, resp, resolve, reject);
+      expect(resp.getHeaders()).toEqual({
+        'access-control-allow-origin': configuratorUrlOrigin,
+        'access-control-allow-methods': 'OPTIONS, GET, POST',
+      });
+    });
+
+    it('sends a user obj', async () => {
+      const mockUser = { email: 'foo@yahooinc.com', displayName: 'Foo' };
+
+      const req = httpMocks.createRequest({
+        method: 'POST',
+        headers: { origin: configuratorUrlOrigin },
+      });
+      const resp = httpMocks.createResponse({
+        eventEmitter: (await import('events')).EventEmitter,
+      });
+      const resolve = mock();
+      const reject = mock();
+      onPostHandler.bind(mockServer)(req, resp, resolve, reject);
+      req.send(mockUser);
+      expect(resp._getData()).toInclude('Authentication successful! Please close this window.');
+      expect(reject).not.toHaveBeenCalled();
+      expect(resolve).toHaveBeenCalledWith(mockUser);
+    });
+  });
+
   describe('logout', () => {
     it('removes the user cache', async () => {
       await writeCache(filepath, { email: 'user@yahooinc.com', name: 'User' });

package/cli/utils/auth.ts

@@ -17,15 +17,23 @@ import open from 'open';
 
 import clientSecrets from './client_secrets.json';
 
+type User = oauth2_v2.Schema$Userinfo | FirebaseUser;
+type LoginProvider = 'google' | 'firebase' | 'configurator';
+
+const LOGIN_PROVIDER: LoginProvider =
+  (process.env.LOGIN_PROVIDER as LoginProvider) ?? 'configurator';
+
 const REDIRECT_URL = clientSecrets.web.redirect_uris[0];
-const { port: PORT, origin: BASE_URL } = new URL(REDIRECT_URL);
+const { port: PORT, origin: SERVER_ORIGIN } = new URL(REDIRECT_URL);
+
+const configuratorUrlOrigin =
+  process.env.NODE_ENV === 'production' ? 'https://config.uds.build' : 'http://localhost:4001';
 
 const CACHE_FILEPATH = '.uds/user.json';
 const DEFAULT_CLI_PATH = path.resolve(import.meta.dir, '..');
 const CACHED_USER_FILE = path.resolve(DEFAULT_CLI_PATH, CACHE_FILEPATH);
 
 const isEmulator = process.env.EMULATOR || process.env.NEXT_PUBLIC_EMULATOR;
-const loginProvider = process.env.LOGIN_PROVIDER ?? 'firebase';
 
 // TODO: consolidate with the firebase config and setup in database/firebase.ts
 const firebaseConfig = !isEmulator
@@ -50,13 +58,72 @@ const oauth2Client = new google.auth.OAuth2(
   REDIRECT_URL,
 );
 
-type User = oauth2_v2.Schema$Userinfo | FirebaseUser;
-
 function isYahooEmployee(user?: User) {
   return user?.email?.endsWith('@yahooinc.com');
 }
 
-async function onRequestHandler(
+function getAuthorizeUrl(loginProvider = LOGIN_PROVIDER) {
+  if (loginProvider === 'configurator') {
+    return `${configuratorUrlOrigin}/login?continue=${REDIRECT_URL}`;
+  }
+
+  return oauth2Client.generateAuthUrl({
+    access_type: 'offline',
+    scope: [
+      'https://www.googleapis.com/auth/userinfo.profile',
+      'https://www.googleapis.com/auth/userinfo.email',
+    ].join(' '),
+    hd: 'yahooinc.com',
+    include_granted_scopes: true,
+  });
+}
+
+function onPostHandler(
+  this: http.Server,
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  resolve: (user: User) => void,
+  reject: (reason?: unknown) => void,
+) {
+  if (req.method !== 'POST') {
+    res.writeHead(405, { Allow: 'POST' }); // Set the 405 status and Allow header
+    res.end('Method Not Allowed');
+    reject('Method Not Allowed');
+    return;
+  }
+
+  if (req.headers.origin !== configuratorUrlOrigin) {
+    reject(`Request origin not allowed.`);
+    return;
+  }
+
+  res.setHeader('Access-Control-Allow-Origin', configuratorUrlOrigin);
+  res.setHeader('Access-Control-Allow-Methods', 'OPTIONS, GET, POST');
+
+  let data = '';
+
+  req.on('data', (chunk) => {
+    data += chunk.toString();
+  });
+
+  req.on('error', (err: NodeJS.ErrnoException) => {
+    reject(err);
+  });
+
+  req.on('end', () => {
+    try {
+      const user: FirebaseUser = JSON.parse(data);
+      res.end('Authentication successful! Please close this window.');
+      resolve(user);
+    } catch (err) {
+      reject(err);
+    } finally {
+      this.close();
+    }
+  });
+}
+
+async function onGETHandler(
   this: http.Server,
   req: http.IncomingMessage,
   res: http.ServerResponse,
@@ -64,7 +131,7 @@ async function onRequestHandler(
   reject: (reason?: unknown) => void,
 ) {
   try {
-    const code = new URL(req.url || '', BASE_URL).searchParams.get('code');
+    const code = new URL(req.url || '', SERVER_ORIGIN).searchParams.get('code');
     if (!code) {
       res.end('There was no code parameter on the url.');
       this.close();
@@ -72,7 +139,6 @@ async function onRequestHandler(
     }
 
     res.end('Authentication successful! Please close this window.');
-
     this.close();
 
     const { tokens } = await oauth2Client.getToken(code);
@@ -80,7 +146,7 @@ async function onRequestHandler(
 
     let user: User;
 
-    if (loginProvider === 'firebase') {
+    if (LOGIN_PROVIDER === 'firebase') {
       // Build Firebase credential using the Google ID token.
       const credential = GoogleAuthProvider.credential(tokens.id_token);
       user = (await signInWithCredential(auth, credential)).user;
@@ -102,34 +168,39 @@ async function onRequestHandler(
  */
 async function authenticateUser(): Promise<User> {
   return new Promise((resolve, reject) => {
-    const authorizeUrl = oauth2Client.generateAuthUrl({
-      access_type: 'offline',
-      scope: [
-        'https://www.googleapis.com/auth/userinfo.profile',
-        'https://www.googleapis.com/auth/userinfo.email',
-      ].join(' '),
-      hd: 'yahooinc.com',
-      include_granted_scopes: true,
-    });
-
     // TODO: If port (3000) is already in use, this will fail.
     // Setup https://www.npmjs.com/package/find-free-ports, but that won't
     // play well with the pre-configured redirect_uris in the Google Cloud Console.
-    const server = http
-      .createServer()
-      .listen(PORT, async () => {
-        const childProcess = await open(authorizeUrl, { wait: false });
-        childProcess.unref();
-      })
-      .on('request', (req, res) => onRequestHandler.call(server, req, res, resolve, reject))
-      .on('error', (err: NodeJS.ErrnoException) => {
-        if (err.code && err.code.includes('EADDRINUSE')) {
-          print(
-            red(`🚨 Port ${PORT} already in use. Cannot start local server to handle OAuth flow.`),
-          );
-          server.close();
-        }
+    const server = http.createServer();
+
+    server.listen(PORT, async () => {
+      const authorizeUrl = getAuthorizeUrl();
+
+      print(`Please visit the following URL if it didn't open automatically:\n${authorizeUrl}`);
+
+      const childProcess = await open(authorizeUrl, { wait: false });
+      childProcess.unref();
+
+      process.on('SIGINT', () => {
+        server.close();
+        reject('Received SIGINT.');
       });
+    });
+
+    server.on('error', (err: NodeJS.ErrnoException) => {
+      if (err.code && err.code.includes('EADDRINUSE')) {
+        print(
+          red(`🚨 Port ${PORT} already in use. Cannot start local server to handle OAuth flow.`),
+        );
+        server.close();
+      }
+    });
+
+    if (LOGIN_PROVIDER === 'configurator') {
+      server.on('request', (req, res) => onPostHandler.call(server, req, res, resolve, reject));
+    } else {
+      server.on('request', (req, res) => onGETHandler.call(server, req, res, resolve, reject));
+    }
   });
 }
 
@@ -157,6 +228,7 @@ async function login() {
       await Bun.write(CACHED_USER_FILE, JSON.stringify(user, null, 2));
     } catch (err) {
       console.error('Error:', err);
+      throw err;
     }
   }
 
@@ -193,10 +265,14 @@ async function getAuthenticatedUser(cliPath = DEFAULT_CLI_PATH): Promise<User |
 
 export {
   authenticateUser,
+  configuratorUrlOrigin,
   getAuthenticatedUser,
+  getAuthorizeUrl,
   isYahooEmployee,
   login,
+  type LoginProvider,
   logout,
-  onRequestHandler,
+  onGETHandler,
+  onPostHandler,
   type User,
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@yahoo/uds",
   "description": "Yahoo Universal System",
-  "version": "1.3.4",
+  "version": "1.4.0",
   "type": "module",
   "bin": {
     "uds": "./cli/uds-cli"