Showing 18 changed files with 629 additions and 19 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
REACT_APP_AUTH_ENABLED={FLAG} | ||
REACT_APP_AUTH_ENV={ENV_NAME} |
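Review bot: The two values are bare placeholders (`{FLAG}`, `{ENV_NAME}`) with no statement of what they accept, so document beside them that `REACT_APP_AUTH_ENABLED` is a true/false-style string and which environment names `REACT_APP_AUTH_ENV` may take. A one-line comment in the file is also warranted that `REACT_APP_`-prefixed variables are inlined into the React client's shipped bundle, so nothing placed here is secret, and that the auth-enabled flag only switches client behaviour; any backend the app calls must enforce authentication and authorization independently of this flag.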
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Auth0 Integration | ||
|
||
This application uses Auth0 as its authentication and authorization service. Auth0 provides a number | ||
of configuration options and can integrate with apps in a variety of ways. | ||
|
||
If you are so inclined to set up an Auth0 tenant, either in the event of disaster recovery or to | ||
support a new environment, these instructions should help. | ||
|
||
## Initial Setup | ||
|
||
Follow the initial setup instructions provided by Auth0 for creating a new account, or creating a | ||
new tenant within an existing account. Specifically, follow the quickstart for React apps | ||
[here](https://auth0.com/docs/quickstart/spa/react). Whether you are doing this only to test the | ||
app in full auth mode or for production purposes, you should at least start by configuring all of | ||
the various urls in that quickstart with the set of localhost urls, e.g. `http://localhost:3000` for | ||
the callback urls and logout urls. | ||
|
||
When going through the quickstart, you do not need to perform any of the coding-related steps. | ||
However, it would still be wise to read these steps to understand how the system works as a whole. | ||
|
||
### Connections | ||
|
||
At present, the app uses only the _Database_ connection, which provides basic username-password | ||
credential authentication. Other connections may be added in the future. | ||
|
||
## Rules and Hooks | ||
|
||
Auth0 has a system of [rules](https://auth0.com/docs/rules) and [hooks](https://auth0.com/docs/hooks) | ||
for expanding functionality. The names, order, and actual code for rules and hooks are configured in | ||
the Auth0 dashboard itself. However, for the sake of tracking updates, we commit those same rules | ||
and hooks in `auth0/`, even though the files therein _are not_ used by the app in any way. | ||
|
||
### Usage | ||
|
||
For each file in `auth0/rules/`, create a new rule. The name does not matter beyond reminding | ||
you what is in each rule at a glance. Copy and paste the full content of the file into the rule's | ||
code and save it. Order the rules in the same order they are in within the `/rules/` folder. | ||
|
||
Do the same thing for `auth0/hooks`, but creating a new hook for each file instead of a new | ||
rule. There are different kinds of hooks that execute at different points in the authentication | ||
workflow. Each hook file should have a suffix indicating which type of hook it should be created as. | ||
|
||
## Logging | ||
|
||
Auth0 maintains good logging for all interactions with Auth0 APIs. For compliance reasons, | ||
specifically the need to store authentication logs for longer retention periods, we copy Auth0 logs | ||
to segment. You can set this up by creating an Auth0 [extension](https://auth0.com/docs/extensions). | ||
If you are in a situation where you need to do this for Recidiviz, speak to someone internally about | ||
how to configure this. |
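Review bot: The Usage section leaves the hook naming convention undefined: it says each file in `auth0/hooks` "should have a suffix indicating which type of hook it should be created as" but never lists the suffixes or the Auth0 hook type each maps to, so someone rebuilding the tenant has to guess; add the mapping (the hook in this commit, `01-domain-whitelist-pre-registration.js`, is a Pre User Registration hook) and change `/rules/` to `auth0/rules/` so both paragraphs name the same folder. Because the doc also states that the committed rules and hooks "are not used by the app in any way", it should say how drift between the dashboard copy and the repo copy is caught (for example, re-copy from the dashboard and diff before each change); otherwise the repo stops reflecting the access logic actually enforced. In the Logging section, "copy Auth0 logs to segment" should name the specific extension used rather than linking the generic extensions page, so the step is reproducible during the disaster-recovery scenario the doc is written for.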
51 changes: 51 additions & 0 deletions
spotlight-client/auth0/hooks/01-domain-whitelist-pre-registration.js
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
// Recidiviz - a data platform for criminal justice reform | ||
// Copyright (C) 2020 Recidiviz, Inc. | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU General Public License | ||
// along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
// ============================================================================= | ||
|
||
/** | ||
@param {object} user - The user being created | ||
@param {string} user.tenant - Auth0 tenant name | ||
@param {string} user.username - user name | ||
@param {string} user.password - user's password | ||
@param {string} user.email - email | ||
@param {boolean} user.emailVerified - is e-mail verified? | ||
@param {string} user.phoneNumber - phone number | ||
@param {boolean} user.phoneNumberVerified - is phone number verified? | ||
@param {object} context - Auth0 connection and other context info | ||
@param {string} context.requestLanguage - language of the client agent | ||
@param {object} context.connection - information about the Auth0 connection | ||
@param {object} context.connection.id - connection id | ||
@param {object} context.connection.name - connection name | ||
@param {object} context.connection.tenant - connection tenant | ||
@param {object} context.webtask - webtask context | ||
@param {function} cb - function (error, response) | ||
*/ | ||
module.exports = function (user, context, cb) { | ||
const response = {}; | ||
|
||
const whitelist = []; // add authorized domains here | ||
const userHasAccess = whitelist.some(function (domain) { | ||
const emailSplit = user.email.split("@"); | ||
return emailSplit[emailSplit.length - 1].toLowerCase() === domain; | ||
}); | ||
|
||
if (userHasAccess) { | ||
response.user = user; | ||
cb(null, response); | ||
} else { | ||
cb("Access denied.", null); | ||
} | ||
}; |
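Review bot: `user.email.split("@")` inside the `some` callback has no guard, so a registration whose `user.email` is absent (the JSDoc documents the field but nothing guarantees every connection supplies it) throws a TypeError instead of returning a clean denial; check `typeof user.email === "string"` before splitting and call `cb` with the denial otherwise. Two smaller points: the empty `whitelist` means this committed copy denies every registration, which will differ from the dashboard copy that presumably has domains filled in, so either commit the real list or state in the comment that the value is tenant-configured; and since the email's domain is lower-cased but whitelist entries are compared verbatim, a mixed-case entry would never match, so lower-case the entries as well. Note too that this check runs before the address is verified, so a domain match only gates account creation; downstream authorization should still require `user.emailVerified` rather than treating a passing domain as proof of affiliation. Passing `new Error("Access denied.")` rather than a bare string to `cb` would also follow the error-first callback convention.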