adapt-authoring-auth 0.0.1

package/.eslintignore

@@ -0,0 +1 @@
+node_modules

package/.eslintrc

@@ -0,0 +1,14 @@
+{
+  "env": {
+      "browser": false,
+      "node": true,
+      "commonjs": false,
+      "es2020": true
+  },
+  "extends": [
+      "standard"
+  ],
+  "parserOptions": {
+      "ecmaVersion": 2020
+  }
+}

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,55 @@
+name: Bug Report
+description: File a bug report
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: Please describe the issue
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behaviour
+      description: Tell us what should have happened
+  - type: textarea
+    id: repro-steps
+    attributes:
+      label: Steps to reproduce
+      description: Tell us how to reproduce the issue
+    validations:
+      required: true
+  - type: input
+    id: aat-version
+    attributes:
+      label: Authoring tool version
+      description: What version of the Adapt authoring tool are you running?
+    validations:
+      required: true
+  - type: input
+    id: fw-version
+    attributes:
+      label: Framework version
+      description: What version of the Adapt framework are you running?
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: sh

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,22 @@
+name: Feature request
+description: Request a new feature
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to request a new feature in the Adapt authoring tool! The Adapt team will consider all new feature requests, but unfortunately cannot commit to every one.
+  - type: textarea
+    id: description
+    attributes:
+      label: Feature description
+      description: Please describe your feature request
+    validations:
+      required: true
+  - type: checkboxes
+    id: contribute
+    attributes:
+      label: Can you work on this feature?
+      description: If you are able to commit your own time to work on this feature, it will greatly increase the liklihood of it being implemented by the core dev team. Otherwise, it will be triaged and prioritised alongside the core team's current priorities.
+      options:
+        - label: I can contribute

package/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

package/.github/pull_request_template.md

@@ -0,0 +1,25 @@
+[//]: # (Please title your PR according to eslint commit conventions)
+[//]: # (See https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint#eslint-convention for details)
+
+[//]: # (Add a link to the original issue)
+
+[//]: # (Delete as appropriate)
+### Fix
+* A sentence describing each fix
+
+### Update
+* A sentence describing each udpate
+
+### New
+* A sentence describing each new feature
+
+### Breaking
+* A sentence describing each breaking change
+
+[//]: # (List appropriate steps for testing if needed)
+### Testing
+1. Steps for testing
+
+[//]: # (Mention any other dependencies)
+
+

package/.github/workflows/labelled_prs.yml

@@ -0,0 +1,16 @@
+name: Add labelled PRs to project
+
+on:
+  pull_request:
+    types: [ labeled ]
+
+jobs:
+  add-to-project:
+    if: ${{ github.event.label.name == 'dependencies' }}
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/.github/workflows/new.yml

@@ -0,0 +1,19 @@
+name: Add to main project
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/adapt-authoring.json

@@ -0,0 +1,5 @@
+{
+  "documentation": {
+    "enable": true
+  }
+}

package/conf/config.schema.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "properties": {
+    "isEnabled": {
+      "description": "Enables auth (note: this has no effect in production environments)",
+      "type": "boolean",
+      "default": true
+    },
+    "defaultTokenLifespan": {
+      "description": "How long a token should remain valid for",
+      "type": "string",
+      "default": "7d"
+    },
+    "logMissingPermissions": {
+      "description": "In enabled, a warning is logged on app start for any routes with missing permissions (note: any routes without defined permissions are inaccessible)",
+      "type": "boolean",
+      "default": true
+    },
+    "secureTokenGeneration": {
+      "description": "Whether a user must be authenticated to generate an API auth token",
+      "type": "boolean",
+      "default": true
+    },
+    "tokenSecret": {
+      "description": "A secret used to encode/decode Json Web Tokens",
+      "type": "string",
+      "minLength": 10,
+      "_adapt": { 
+        "isSecret": true 
+      }
+    },
+    "tokenIssuer": {
+      "description": "The identity of the issuer of the token",
+      "type": "string",
+      "default": "adapt"
+    }
+  },
+  "required": ["tokenSecret"]
+}

package/errors/errors.json

@@ -0,0 +1,77 @@
+{
+  "ACCOUNT_DISABLED": {
+    "description": "Account has been disabled",
+    "statusCode": 403
+  },
+  "AUTH_HEADER_UNSUPPORTED": {
+    "data": {
+      "type": "Authorisation type provided"
+    },
+    "description": "Authorization header type is unsupported by the API",
+    "statusCode": 401
+  },
+  "AUTH_PLUGIN_INVALID_CLASS": {
+    "description": "Auth plugin must extend AbstractAuthPlugin",
+    "statusCode": 500
+  },
+  "AUTH_TOKEN_EXPIRED": {
+    "description": "Auth token has expired, a new one must be created",
+    "statusCode": 401
+  },
+  "AUTH_TOKEN_INVALID": {
+    "data": {
+      "error": "The error message"
+    },
+    "description": "Auth token is not valid",
+    "statusCode": 401
+  },
+  "AUTH_TOKEN_NOT_BEFORE": {
+    "data": {
+      "error": "The error message"
+    },
+    "description": "The auth token nbf is after the current time, and the token is therefore not valid",
+    "statusCode": 401
+  },
+  "AUTH_TYPE_DEF_MISSING": {
+    "description": "Auth type is not defined",
+    "statusCode": 500
+  },
+  "DUPL_AUTH_PLUGIN_REG": {
+    "description": "An auth plugin is already registered with the same name",
+    "statusCode": 500
+  },
+  "INVALID_LOGIN_DETAILS": {
+    "description": "Invalid login details were provided",
+    "statusCode": 401
+  },
+  "MISSING_AUTH_HEADER": {
+    "description": "Authorization headers are missing from request",
+    "statusCode": 401
+  },
+  "UNAUTHENTICATED": {
+    "description": "Request is not authenticated for access to the API",
+    "statusCode": 401
+  },
+  "UNAUTHORISED": {
+    "data": {
+      "method": "The request HTTP method",
+      "url": "The request URL"
+    },
+    "description": "Request is not authorised to perform the required operation",
+    "statusCode": 403
+  },
+  "UNKNOWN_AUTH_TYPE": {
+    "data": {
+      "authType": "Authentication type"
+    },
+    "description": "Request is attempting to use an unknown authentication type",
+    "statusCode": 401
+  },
+  "USER_REG_FAILED": {
+    "data": {
+      "error": "The error"
+    },
+    "description": "User registration failed",
+    "statusCode": 400
+  }
+}

package/index.js

@@ -0,0 +1,8 @@
+/**
+ * Authentication
+ * @namespace auth
+ */
+export { default as AbstractAuthModule } from './lib/AbstractAuthModule.js'
+export { default as AuthToken } from './lib/AuthToken.js'
+export { default as AuthUtils } from './lib/AuthUtils.js'
+export { default } from './lib/AuthModule.js'

package/lib/AbstractAuthModule.js

@@ -0,0 +1,208 @@
+import { AbstractModule, Hook } from 'adapt-authoring-core'
+import apidefs from './apidefs.js'
+import AuthToken from './AuthToken.js'
+/**
+ * Abstract module to be overridden by specific auth implementations
+ * @memberof auth
+ * @extends {AbstractModule}
+ */
+class AbstractAuthModule extends AbstractModule {
+  /**
+   * Initialises the module
+   * @return {Promise}
+   */
+  async init () {
+    await this.setValues()
+    if (!this.type) {
+      throw this.app.errors.AUTH_TYPE_DEF_MISSING
+    }
+    const [auth, users] = await this.app.waitForModule('auth', 'users')
+    /**
+     * Cached reference to the auth module
+     * @type {AuthModule}
+     */
+    this.auth = auth
+    /**
+     * Cached reference to the auth module
+     * @type {UsersModule}
+     */
+    this.users = users
+    /**
+     * The router instance
+     * @type {Router}
+     */
+    this.router = this.auth.router.createChildRouter(this.type)
+    this.router.addRoute({
+      route: '/',
+      handlers: { post: this.authenticateHandler.bind(this) }
+    }, {
+      route: '/register',
+      handlers: { post: this.registerHandler.bind(this) }
+    }, {
+      route: '/enable',
+      handlers: { post: this.enableHandler.bind(this) },
+      meta: apidefs.enable
+    }, {
+      route: '/disable',
+      handlers: { post: this.enableHandler.bind(this) },
+      meta: apidefs.disable
+    }, ...(this.routes || []))
+
+    this.secureRoute('/register', 'post', ['register:users'])
+    this.secureRoute('/enable', 'post', ['write:users'])
+    this.secureRoute('/disable', 'post', ['write:users'])
+    this.unsecureRoute('/', 'post')
+    /**
+     * Hook which is invoked when a new user is registered in the system
+     * @type {Hook}
+     */
+    this.registerHook = new Hook({ mutable: true })
+
+    this.auth.authentication.registerPlugin(this.type, this)
+  }
+
+  /**
+   * Sets initial module values (set during initialisation), can be called by subclasses
+   * @return {Promise}
+   */
+  async setValues () {
+    /**
+     * Identifier for the auth type
+     * @type {String}
+     */
+    this.type = undefined
+    /**
+      * Custom endpoints for the auth type
+      * @type {Array<Route>}
+      */
+    this.routes = undefined
+    /**
+      * Name of the schema to use when validating a user using this auth type
+      * @type {String}
+      */
+    this.userSchema = 'user'
+  }
+
+  /**
+   * Locks a route to only users with the passed permissions scopes
+   * @param {String} route The route
+   * @param {String} method The HTTP method
+   * @param {Array<String>} scopes Permissions scopes
+   */
+  secureRoute (route, method, scopes) {
+    this.auth.secureRoute(`${this.router.path}${route}`, method, scopes)
+  }
+
+  /**
+   * Removes auth checks from a single route {@link Auth#unsecureRoute}
+   * @param {String} route The route
+   * @param {String} method The HTTP method
+   */
+  unsecureRoute (route, method) {
+    this.auth.unsecureRoute(`${this.router.path}${route}`, method)
+  }
+
+  /**
+   * Registers a new user
+   * @param {Object} data Data to be used for doc creation
+   * @return {Promise} Resolves with the new user's data
+   */
+  async register (data) {
+    return this.auth.authentication.registerUser(this.type, data)
+  }
+
+  /**
+   * Sets the appropriate attributes to enable/disable user
+   * @param {Object} user User DB document
+   * @param {boolean} isEnabled Whether the user should be enabled
+   * @return {Promise}
+   */
+  async setUserEnabled (user, isEnabled) {
+    await this.users.update({ _id: user._id }, { isEnabled })
+  }
+
+  /**
+   * A convenience function for accessing Authentication#disavowUser
+   * @param {object} query Search query
+   * @return {Promise}
+   */
+  async disavowUser (query) {
+    return this.auth.authentication.disavowUser(query)
+  }
+
+  /**
+   * Checks whether a user is allowed access to the APIs and performs any related auth type specific actions
+   * @param {Object} user The user record
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @return {Promise} Resolves on success
+   */
+  async authenticate (user, req, res) {
+    throw this.app.errors.FUNC_NOT_OVERRIDDEN.setData({ name: `${this.constructor.name}#authenticate` })
+  }
+
+  /**
+   * Handles authentication requests
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async authenticateHandler (req, res, next) {
+    const { email, persistSession } = req.body
+    const [user] = await this.users.find({ email })
+    if (!user) {
+      return res.sendError(this.app.errors.INVALID_LOGIN_DETAILS)
+    }
+    try {
+      await this.authenticate(user, req, res)
+
+      if (req.session) {
+        if (persistSession !== true) req.session.cookie.maxAge = null
+        else this.log('debug', 'NEW_SESSION', user._id)
+
+        req.session.token = await AuthToken.generate(this.type, user)
+      }
+      res.status(204).json()
+    } catch (e) {
+      this.log('debug', 'FAILED_LOGIN', !user ? 'INVALID_USER' : user?._id?.toString(), this.app.lang.translate(undefined, e))
+      res.sendError(e)
+    }
+  }
+
+  /**
+   * Handles user enable/disable requests
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async enableHandler (req, res, next) {
+    try {
+      const [user] = await this.users.find({ _id: req.body._id })
+      const isEnable = req.url === '/enable'
+      await this.setUserEnabled(user, isEnable)
+      this.log('debug', isEnable ? 'USER_ENABLE' : 'USER_DISABLE', user._id, req?.auth?.user?._id?.toString())
+      res.status(204).json()
+    } catch (e) {
+      return next(e)
+    }
+  }
+
+  /**
+   * Handles user registration requests
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async registerHandler (req, res, next) {
+    try {
+      await this.registerHook.invoke(req)
+      const user = await this.register(req.body)
+      this.log('debug', 'USER_REG', user._id, req?.auth?.user?._id?.toString())
+      res.json(user)
+    } catch (e) {
+      return next(this.app.errors.USER_REG_FAILED.setData({ error: req.translate(e) }))
+    }
+  }
+}
+
+export default AbstractAuthModule

package/lib/AuthModule.js

@@ -0,0 +1,127 @@
+import { AbstractModule } from 'adapt-authoring-core'
+import Authentication from './Authentication.js'
+import AuthToken from './AuthToken.js'
+import AuthUtils from './AuthUtils.js'
+import Permissions from './Permissions.js'
+/**
+ * Adds authentication + authorisation to the server
+ * @memberof auth
+ * @extends {AbstractModule}
+ */
+class AuthModule extends AbstractModule {
+  /** @override */
+  async init () {
+    /**
+     * All routes to ignore auth
+     * @type {RouteStore}
+     * @example
+     * {
+     *   post: { "/api/test": true }
+     * }
+     */
+    this.unsecuredRoutes = AuthUtils.createEmptyStore()
+    /**
+     * Whether auth should be enabled
+     * @type {Boolean}
+     */
+    this.isEnabled = this.getConfig('isEnabled')
+
+    if (!this.isEnabled) {
+      if (this.app.config.getConfig('env.NODE_ENV') !== 'production') {
+        this.log('info', 'auth disabled')
+      } else {
+        this.log('warn', 'cannot disable auth for production environments')
+        this.isEnabled = true
+      }
+    }
+    const server = await this.app.waitForModule('server')
+    /**
+     * Reference to the Express router
+     * @type {Router}
+     */
+    this.router = server.api.createChildRouter('auth')
+
+    server.root.addHandlerMiddleware(this.rootMiddleware.bind(this))
+    server.api.addHandlerMiddleware(this.apiMiddleware.bind(this))
+    /**
+     * The permission-checking unit
+     * @type {Permissions}
+     */
+    this.permissions = await Permissions.init(this)
+    /**
+     * The authentication unit
+     * @type {Authentication}
+     */
+    this.authentication = await Authentication.init(this)
+  }
+
+  /**
+   * Locks a route to only users with the passed permissions scopes
+   * @param {String} route The route
+   * @param {String} method The HTTP method
+   * @param {Array<String>} scopes Permissions scopes
+   */
+  secureRoute (route, method, scopes) {
+    this.permissions.secureRoute(route, method, scopes)
+  }
+
+  /**
+   * Allows unconditional access to a specific route
+   * @type {Function}
+   * @param {String} route The route/endpoint
+   * @param {String} method HTTP method to allow
+   */
+  unsecureRoute (route, method) {
+    this.unsecuredRoutes[method.toLowerCase()][route] = true
+    this.log('debug', 'UNSECURED_ROUTE', method.toUpperCase(), route)
+  }
+
+  /**
+   * Processes and parses incoming auth data
+   * @param {external:ExpressRequest} req
+   */
+  async initAuthData (req) {
+    await AuthUtils.initAuthData(req)
+    if (this.isEnabled) await AuthToken.initRequestData(req)
+  }
+
+  /**
+   * Initialises auth data for root requests
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  rootMiddleware (req, res, next) {
+    this.initAuthData(req).then(next, () => next())
+  }
+
+  /**
+   * Initialises auth data for root requests
+   * @param {external:ExpressRequest} req
+   * @param {external:ExpressResponse} res
+   * @param {Function} next
+   */
+  async apiMiddleware (req, res, next) {
+    let initError
+    try {
+      await this.initAuthData(req)
+    } catch (e) {
+      initError = e
+    }
+    const method = req.method.toLowerCase()
+    const route = `${req.baseUrl}${req.route.path}`
+    const shortRoute = route.slice(0, route.lastIndexOf('/'))
+    const isUnsecured = this.unsecuredRoutes[method][route] || this.unsecuredRoutes[method][shortRoute]
+
+    if (initError && !isUnsecured) {
+      this.log('debug', 'BLOCK_REQUEST', req.originalUrl, initError.statusCode, req?.auth?.user?._id)
+      return res.sendError(initError)
+    }
+    if (!isUnsecured) {
+      await this.permissions.check(req)
+    }
+    next()
+  }
+}
+
+export default AuthModule