wiki-security-passportjs 0.4.8 → 0.6.0

package/AUTHORS.txt

@@ -4,3 +4,4 @@ Paul Rodwell <paul.rodwell@btinternet.com>
 Ward Cunningham <ward@c2.com>
 Marc-Antoine Parent <maparent@acm.org>
 Ian Goodacre <Ian.Goodacre@entrain.nz>
+3wc <3wc.github@doesthisthing.work>

package/Gruntfile.js

@@ -2,7 +2,6 @@ module.exports = function (grunt) {
   grunt.loadNpmTasks('grunt-browserify');
   grunt.loadNpmTasks('grunt-contrib-watch');
   grunt.loadNpmTasks('grunt-git-authors');
-  grunt.loadNpmTasks('grunt-retire');
 
   grunt.initConfig({
 
@@ -24,16 +23,10 @@ module.exports = function (grunt) {
         files: ['client/*.coffee'],
         tasks: ['build']
       }
-    },
 
-    retire: {
-      node: ['.'],
-      options: {packageOnly: true}
     }
-
   });
 
-  grunt.registerTask('check', ['retire']);
   grunt.registerTask('build', ['browserify']);
   grunt.registerTask('default', ['build']);
 

package/client/security.js

@@ -272,7 +272,7 @@ window.plugins.security = {setup, claim_wiki, update_footer};
 
 
 },{"es6-promise":2,"whatwg-fetch":4}],2:[function(require,module,exports){
-(function (process,global){
+(function (process,global){(function (){
 /*!
  * @overview es6-promise - a tiny implementation of Promises/A+.
  * @copyright Copyright (c) 2014 Yehuda Katz, Tom Dale, Stefan Penner and contributors (Conversion to ES6 API by Jake Archibald)
@@ -1448,7 +1448,7 @@ return Promise$1;
 
 
 
-}).call(this,require('_process'),typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : typeof window !== "undefined" ? window : {})
+}).call(this)}).call(this,require('_process'),typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : typeof window !== "undefined" ? window : {})
 },{"_process":3}],3:[function(require,module,exports){
 // shim for using process in browser
 var process = module.exports = {};
@@ -1640,12 +1640,13 @@ process.umask = function() { return 0; };
   typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
   typeof define === 'function' && define.amd ? define(['exports'], factory) :
   (factory((global.WHATWGFetch = {})));
-}(this, (function (exports) {
+}(this, (function (exports) { 'use strict';
+
+  var global =
+    (typeof globalThis !== 'undefined' && globalThis) ||
+    (typeof self !== 'undefined' && self) ||
+    (typeof global !== 'undefined' && global);
 
-  var global = (function(self) {
-    return self
-    // eslint-disable-next-line no-invalid-this
-  })(typeof self !== 'undefined' ? self : this);
   var support = {
     searchParams: 'URLSearchParams' in global,
     iterable: 'Symbol' in global && 'iterator' in Symbol,
@@ -1693,7 +1694,7 @@ process.umask = function() { return 0; };
       name = String(name);
     }
     if (/[^a-z0-9\-#$%&'*+.^_`|~!]/i.test(name) || name === '') {
-      throw new TypeError('Invalid character in header field name')
+      throw new TypeError('Invalid character in header field name: "' + name + '"')
     }
     return name.toLowerCase()
   }
@@ -1920,7 +1921,20 @@ process.umask = function() { return 0; };
 
       this.arrayBuffer = function() {
         if (this._bodyArrayBuffer) {
-          return consumed(this) || Promise.resolve(this._bodyArrayBuffer)
+          var isConsumed = consumed(this);
+          if (isConsumed) {
+            return isConsumed
+          }
+          if (ArrayBuffer.isView(this._bodyArrayBuffer)) {
+            return Promise.resolve(
+              this._bodyArrayBuffer.buffer.slice(
+                this._bodyArrayBuffer.byteOffset,
+                this._bodyArrayBuffer.byteOffset + this._bodyArrayBuffer.byteLength
+              )
+            )
+          } else {
+            return Promise.resolve(this._bodyArrayBuffer)
+          }
         } else {
           return this.blob().then(readBlobAsArrayBuffer)
         }
@@ -1966,6 +1980,10 @@ process.umask = function() { return 0; };
   }
 
   function Request(input, options) {
+    if (!(this instanceof Request)) {
+      throw new TypeError('Please use the "new" operator, this DOM object constructor cannot be called as a function.')
+    }
+
     options = options || {};
     var body = options.body;
 
@@ -2044,20 +2062,31 @@ process.umask = function() { return 0; };
     // Replace instances of \r\n and \n followed by at least one space or horizontal tab with a space
     // https://tools.ietf.org/html/rfc7230#section-3.2
     var preProcessedHeaders = rawHeaders.replace(/\r?\n[\t ]+/g, ' ');
-    preProcessedHeaders.split(/\r?\n/).forEach(function(line) {
-      var parts = line.split(':');
-      var key = parts.shift().trim();
-      if (key) {
-        var value = parts.join(':').trim();
-        headers.append(key, value);
-      }
-    });
+    // Avoiding split via regex to work around a common IE11 bug with the core-js 3.6.0 regex polyfill
+    // https://github.com/github/fetch/issues/748
+    // https://github.com/zloirock/core-js/issues/751
+    preProcessedHeaders
+      .split('\r')
+      .map(function(header) {
+        return header.indexOf('\n') === 0 ? header.substr(1, header.length) : header
+      })
+      .forEach(function(line) {
+        var parts = line.split(':');
+        var key = parts.shift().trim();
+        if (key) {
+          var value = parts.join(':').trim();
+          headers.append(key, value);
+        }
+      });
     return headers
   }
 
   Body.call(Request.prototype);
 
   function Response(bodyInit, options) {
+    if (!(this instanceof Response)) {
+      throw new TypeError('Please use the "new" operator, this DOM object constructor cannot be called as a function.')
+    }
     if (!options) {
       options = {};
     }
@@ -2065,7 +2094,7 @@ process.umask = function() { return 0; };
     this.type = 'default';
     this.status = options.status === undefined ? 200 : options.status;
     this.ok = this.status >= 200 && this.status < 300;
-    this.statusText = 'statusText' in options ? options.statusText : '';
+    this.statusText = options.statusText === undefined ? '' : '' + options.statusText;
     this.headers = new Headers(options.headers);
     this.url = options.url || '';
     this._initBody(bodyInit);
@@ -2099,8 +2128,9 @@ process.umask = function() { return 0; };
   };
 
   exports.DOMException = global.DOMException;
-
-  if (typeof exports.DOMException !== 'function') {
+  try {
+    new exports.DOMException();
+  } catch (err) {
     exports.DOMException = function(message, name) {
       this.message = message;
       this.name = name;
@@ -2184,9 +2214,15 @@ process.umask = function() { return 0; };
         }
       }
 
-      request.headers.forEach(function(value, name) {
-        xhr.setRequestHeader(name, value);
-      });
+      if (init && typeof init.headers === 'object' && !(init.headers instanceof Headers)) {
+        Object.getOwnPropertyNames(init.headers).forEach(function(name) {
+          xhr.setRequestHeader(name, normalizeValue(init.headers[name]));
+        });
+      } else {
+        request.headers.forEach(function(value, name) {
+          xhr.setRequestHeader(name, value);
+        });
+      }
 
       if (request.signal) {
         request.signal.addEventListener('abort', abortXhr);

package/docs/config-oauth2.md

@@ -0,0 +1,59 @@
+## Generic OAuth 2
+
+### Login provider set-up
+
+Like the other PassportJS login providers, we'll need a separate "OAuth2 Client"
+(others call it an "app", a "product" etc.) for our Federated Wiki instance.
+
+How to do this varies slightly for each provider.
+
+### `config.json`
+
+In general, you will need to specify:
+* `oauth2_clientID` -- some systems generate this for you, others allow you to
+    specify it
+* `oauth2_clientSecret` -- secure key (keep this secret!)
+* `oauth2_AuthorizationURL` and `oauth2_TokenURL` -- from your login provider's documentation
+
+You will also need to specify a callback URL. For some providers, you can add
+this when making a new "OAuth Client" for your wiki, for others you will need to
+specify it with `oauth2_CallbackURL`.
+
+You might also need to tell Federated Wiki how to look up usernames:
+* `oauth2_UserInfoURL` -- from login provider's documentation
+* `oauth2_IdField`, `oauth2_DisplayNameField`, `oauth2_UsernameField` -- starting with 
+  * `params` for information returned in the original token request, or
+  * `profile` for data returned from `oauth2_UserInfoURL`, if you provided it.
+
+Sometimes, you'll be able to look up the URLs by visiting your provider's
+`/.well-known/openid-configuration` URL in a web browser.
+
+### Examples
+
+#### Nextcloud
+
+```JSON
+{
+  "farm": true,
+  "security_type": "passportjs",
+  "oauth2_clientID": "CLIENT ID",
+  "oauth2_clientSecret": "CLIENT SECRET",
+  "oauth2_AuthorizationURL": "https://auth.example.com/oauth2/authorize",
+  "oauth2_TokenURL": "https://auth.example.com/oauth2/token",
+}
+```
+
+#### Keycloak
+
+```JSON
+{
+  "farm": true,
+  "security_type": "passportjs",
+  "oauth2_clientID": "CLIENT ID",
+  "oauth2_clientSecret": "CLIENT SECRET",
+  "oauth2_AuthorizationURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/auth",
+  "oauth2_TokenURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/token",
+  "oauth2_UserInfoURL": "https://auth.example.com/auth/realms/Wiki.Cafe/protocol/openid-connect/userinfo",
+  "oauth2_UsernameField": "profile.preferred_username"
+}
+```

package/docs/configuration.md

@@ -17,3 +17,4 @@ See, depending on which identity provider you choose to use:
 * [GitHub](./config-github.md)
 * [Google](./config-google.md)
 * [Twitter](./config-twitter.md)
+* [Generic OAuth](./config-oauth2.md)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wiki-security-passportjs",
-  "version": "0.4.8",
+  "version": "0.6.0",
   "description": "Security plugin for Federated Wiki, using passport.js",
   "author": "Paul Rodwell <paul.rodwell@btinternet.com> (http://rodwell.me)",
   "license": "MIT",
@@ -9,9 +9,10 @@
     "es6-promise": "^4.2.8",
     "lodash": "^4.17.19",
     "passport": "^0.3.2",
-    "passport-github": "github:FedWiki/passport-github#70fe99ba7e66422092a19d89f4b1ab1a23eac644",
+    "passport-github2": "^0.1.12",
     "passport-google-oauth20": "^2.0.0",
-    "passport-twitter": "^1.0.4",
+    "passport-oauth2": "^1.6.1",
+    "passport-twitter": "github:paul90/passport-twitter#48b52556f48e4e8f7c55288baaf3ba3076eeba16",
     "persona-pass": "^0.2.1",
     "qs": "^6.7.0",
     "whatwg-fetch": "^3.2.0"
@@ -19,10 +20,9 @@
   "devDependencies": {
     "coffeeify": "^3.0.1",
     "grunt": "^1.2.1",
-    "grunt-browserify": "^5.2.0",
+    "grunt-browserify": "^6.0.0",
     "grunt-contrib-watch": "^1.0.0",
-    "grunt-git-authors": "^3.2.0",
-    "grunt-retire": "^1.0.8"
+    "grunt-git-authors": "^3.2.0"
   },
   "repository": {
     "type": "git",

package/server/social.coffee

@@ -135,7 +135,7 @@ module.exports = exports = (log, loga, argv) ->
         idProvider = _.head(_.keys(req.session.passport.user))
         console.log 'idProvider: ', idProvider
         switch idProvider
-          when 'github', 'google', 'twitter'
+          when 'github', 'google', 'twitter', 'oauth2'
             if _.isEqual(owner[idProvider].id, req.session.passport.user[idProvider].id)
               return true
             else
@@ -165,7 +165,7 @@ module.exports = exports = (log, loga, argv) ->
       return false
 
     switch idProvider
-      when "github", "google", "twitter"
+      when "github", "google", "twitter", 'oauth2'
         if _.isEqual(admin[idProvider], req.session.passport.user[idProvider].id)
           return true
         else
@@ -194,10 +194,79 @@ module.exports = exports = (log, loga, argv) ->
     passport.deserializeUser = (obj, req, done) ->
       done(null, obj)
 
+    # OAuth Strategy
+    if argv.oauth2_clientID? and argv.oauth2_clientSecret?
+      ids.push('oauth2')
+      OAuth2Strategy = require('passport-oauth2').Strategy
+
+      oauth2StrategyName = callbackHost + 'OAuth'
+
+      if argv.oauth2_UserInfoURL?
+        OAuth2Strategy::userProfile = (accesstoken, done) -> 
+          console.log "hello"
+          console.log accesstoken
+          @_oauth2._request "GET", argv.oauth2_UserInfoURL, null, null, accesstoken, (err, data) ->
+            if err
+              return done err 
+            try
+              data = JSON.parse data 
+            catch e
+              return done e
+            done(null, data)
+
+      passport.use(oauth2StrategyName, new OAuth2Strategy({
+        clientID: argv.oauth2_clientID
+        clientSecret: argv.oauth2_clientSecret
+        authorizationURL: argv.oauth2_AuthorizationURL
+        tokenURL: argv.oauth2_TokenURL,
+        # not all providers have a way of specifying the callback URL
+        callbackURL: callbackProtocol + '//' + callbackHost + '/auth/oauth2/callback',
+        userInfoURL: argv.oauth2_UserInfoURL
+        }, (accessToken, refreshToken, params, profile, cb) ->
+
+          extractUserInfo = (uiParam, uiDef) ->
+            uiPath = ''
+            if typeof uiParam == 'undefined' then (uiPath = uiDef) else (uiPath = uiParam)
+            console.log('extractUI', uiParam, uiDef, uiPath)
+            sParts = uiPath.split('.')
+            sFrom = sParts.shift()
+            switch sFrom
+              when "params"
+                obj = params
+              when "profile"
+                obj = profile
+              else
+                console.error('*** source of user info not recognised', uiPath)
+                obj = {}
+            
+            while (sParts.length)
+              obj = obj[sParts.shift()]
+            return obj
+
+          console.log("accessToken", accessToken)
+          console.log("refreshToken", refreshToken)
+          console.log("params", params)
+          console.log("profile", profile)
+          if argv.oauth2_UsernameField?
+            username_query = argv.oauth2_UsernameField 
+          else 
+            username_query = 'params.user_id'
+
+          try
+            user.oauth2 = {
+              id: extractUserInfo(argv.oauth2_IdField, 'params.user_id')
+              username: extractUserInfo(argv.oauth2_UsernameField, 'params.user_id')
+              displayName: extractUserInfo(argv.oauth2_DisplayNameField, 'params.user_id')
+            }
+          catch e
+            console.error('*** Error extracting user info:', e)
+          console.log user.oauth2
+          cb(null, user)))
+
     # Github Strategy
     if argv.github_clientID? and argv.github_clientSecret?
       ids.push('github')
-      GithubStrategy = require('passport-github').Strategy
+      GithubStrategy = require('passport-github2').Strategy
 
       githubStrategyName = callbackHost + 'Github'
 
@@ -275,6 +344,11 @@ module.exports = exports = (log, loga, argv) ->
     app.use(passport.initialize())
     app.use(passport.session())
 
+    # OAuth2
+    app.get('/auth/oauth2', passport.authenticate(oauth2StrategyName), (req, res) -> )
+    app.get('/auth/oauth2/callback',
+      passport.authenticate(oauth2StrategyName, { successRedirect: '/auth/loginDone', failureRedirect: '/auth/loginDialog'}))
+
     # Github
     app.get('/auth/github', passport.authenticate(githubStrategyName, {scope: 'user:email'}), (req, res) -> )
     app.get('/auth/github/callback',
@@ -317,6 +391,7 @@ module.exports = exports = (log, loga, argv) ->
       schemeButtons = []
       _(ids).forEach (scheme) ->
         switch scheme
+          when "oauth2" then schemeButtons.push({button: "<a href='/auth/oauth2' class='scheme-button oauth2-button'><span>OAuth2</span></a>"})
           when "twitter" then schemeButtons.push({button: "<a href='/auth/twitter' class='scheme-button twitter-button'><span>Twitter</span></a>"})
           when "github" then schemeButtons.push({button: "<a href='/auth/github' class='scheme-button github-button'><span>Github</span></a>"})
           when "google"
@@ -504,6 +579,13 @@ module.exports = exports = (log, loga, argv) ->
       userIds = {}
       idProviders.forEach (idProvider) ->
         id = switch idProvider
+          when "oauth2" then {
+            name: user.oauth2.displayName
+            oauth2: {
+              id: user.oauth2.id
+              username: user.oauth2.username
+            }
+          }
           when "twitter" then {
             name: user.twitter.displayName
             twitter: {
@@ -580,6 +662,13 @@ module.exports = exports = (log, loga, argv) ->
         id = {}
         idProviders.forEach (idProvider) ->
           id = switch idProvider
+            when "oauth2" then {
+              name: user.oauth2.displayName
+              oauth2: {
+                id: user.oauth2.id
+                username: user.oauth2.username
+              }
+            }
             when "twitter" then {
               name: user.twitter.displayName
               twitter: {