feat: split authentication methods and org access check
Geoffroy Empain
committed
Dec 3, 2020
1 parent
a9f166b
commit 8877034
Showing
27 changed files
with
275 additions
and
243 deletions.
@@ -0,0 +1 @@ | ||
export const authMethods: string[] = []; |
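Review bot: The exported `authMethods` array carries no documentation of who fills it, and because it is a mutable module-level binding its contents depend on which provider modules have been imported and in what order. A short comment would state the contract: `/** Names of the auth providers enabled at startup; each provider module pushes its own name once its env configuration is present. */`. It is also worth noting there that any code reading the list before the provider modules have been loaded will see it empty.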
@@ -0,0 +1,55 @@ | ||
import { env } from '../../env'; | ||
import passport from 'passport'; | ||
import { Gitea } from './providers/gitea/gitea'; | ||
import { PassportUser } from '../create-or-update-user'; | ||
import chalk from 'chalk'; | ||
import OAuth2Strategy from 'passport-oauth2'; | ||
import { Logger } from '../../commons/logger/logger'; | ||
import { authMethods } from './auth-methods'; | ||
|
||
const logger = new Logger('meli.server.passport:gitea'); | ||
|
||
export const gitea_redirect = '/auth/gitea'; | ||
export const gitea_callback = '/auth/gitea/callback'; | ||
|
||
const allowedOrgs = new Set(env.MELI_GITEA_ORGS); | ||
|
||
if ( | ||
env.MELI_GITEA_URL | ||
&& env.MELI_GITEA_CLIENT_ID | ||
&& env.MELI_GITEA_CLIENT_SECRET | ||
) { | ||
const oauthCallbackUrl = `${env.MELI_HOST}${gitea_callback}`; | ||
logger.debug('Enabling gitea auth', oauthCallbackUrl); | ||
|
||
passport.use('gitea', new OAuth2Strategy( | ||
{ | ||
authorizationURL: `${env.MELI_GITEA_URL}/login/oauth/authorize`, | ||
tokenURL: `${env.MELI_GITEA_URL}/login/oauth/access_token`, | ||
clientID: env.MELI_GITEA_CLIENT_ID, | ||
clientSecret: env.MELI_GITEA_CLIENT_SECRET, | ||
callbackURL: oauthCallbackUrl, | ||
passReqToCallback: true, | ||
}, | ||
(req, accessToken, refreshToken, params, profile, cb) => { | ||
const gitea = new Gitea(accessToken, env.MELI_GITEA_URL); | ||
gitea | ||
.getUser() | ||
.then(giteaUser => { | ||
if (giteaUser.orgs.some(org => allowedOrgs.has(org))) { | ||
cb(undefined, <PassportUser>{ | ||
...giteaUser, | ||
authProvider: 'gitea', | ||
}); | ||
} else { | ||
logger.warn(`User ${giteaUser.name} tried to login but is not a member of orgs ${allowedOrgs}`); | ||
cb(); | ||
} | ||
}) | ||
.catch(cb); | ||
}, | ||
)); | ||
|
||
logger.info(`Enabled ${chalk.blue('gitea')} auth`); | ||
authMethods.push('gitea'); | ||
} |
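Review bot: The `logger.warn` call in the else branch of the verify callback interpolates `allowedOrgs`, which is a `Set`, so the message will read `... not a member of orgs [object Set]` rather than listing the configured orgs; use `logger.warn(\`User ${giteaUser.name} tried to login but is not a member of orgs ${[...allowedOrgs].join(', ')}\`);`. The github strategy has the same line. It would also help operators diagnose a denial if the user's own org list were logged alongside, since the check is the only thing standing between a valid Gitea login and access. Note that an unset `MELI_GITEA_ORGS` yields an empty set and therefore denies every login, which is the safe default but deserves a one-line comment next to `allowedOrgs` so nobody "fixes" it into an allow-all.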
@@ -0,0 +1,56 @@ | ||
import { env } from '../../env'; | ||
import passport from 'passport'; | ||
import { Github } from './providers/github/github'; | ||
import { PassportUser } from '../create-or-update-user'; | ||
import chalk from 'chalk'; | ||
import OAuth2Strategy from 'passport-oauth2'; | ||
import { Logger } from '../../commons/logger/logger'; | ||
import { authMethods } from './auth-methods'; | ||
|
||
const logger = new Logger('meli.server.passport:github'); | ||
|
||
export const github_redirect = '/auth/github'; | ||
export const github_callback = '/auth/github/callback'; | ||
|
||
const allowedOrgs = new Set(env.MELI_GITHUB_ORGS); | ||
|
||
if ( | ||
env.MELI_GITHUB_URL | ||
&& env.MELI_GITHUB_CLIENT_ID | ||
&& env.MELI_GITHUB_CLIENT_SECRET | ||
) { | ||
const oauthCallbackUrl = `${env.MELI_HOST}${github_callback}`; | ||
logger.debug('Enabling github auth', oauthCallbackUrl); | ||
|
||
passport.use('github', new OAuth2Strategy( | ||
{ | ||
authorizationURL: `${env.MELI_GITHUB_URL}/login/oauth/authorize`, | ||
tokenURL: `${env.MELI_GITHUB_URL}/login/oauth/access_token`, | ||
clientID: env.MELI_GITHUB_CLIENT_ID, | ||
clientSecret: env.MELI_GITHUB_CLIENT_SECRET, | ||
callbackURL: oauthCallbackUrl, | ||
scope: 'read:user,user:email,read:org', | ||
passReqToCallback: true, | ||
}, | ||
(req, accessToken, refreshToken, params, profile, cb) => { | ||
const github = new Github(accessToken, env.MELI_GITHUB_URL); | ||
github | ||
.getUser() | ||
.then(githubUser => { | ||
if (githubUser.orgs.some(org => allowedOrgs.has(org))) { | ||
cb(undefined, <PassportUser>{ | ||
...githubUser, | ||
authProvider: 'github', | ||
}); | ||
} else { | ||
logger.warn(`User ${githubUser.name} tried to login but is not a member of orgs ${allowedOrgs}`); | ||
cb(); | ||
} | ||
}) | ||
.catch(cb); | ||
}, | ||
)); | ||
|
||
logger.info(`Enabled ${chalk.blue('github')} auth`); | ||
authMethods.push('github'); | ||
} |
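Review bot: `cb(undefined, <PassportUser>{ ... })` in the verify callback uses a type assertion, which silences the compiler's check that the spread of `githubUser` plus `authProvider` actually satisfies `PassportUser`; a typed declaration keeps that check: `const user: PassportUser = { ...githubUser, authProvider: 'github' }; cb(undefined, user);`. The same form appears in the gitea strategy. Separately, the two strategy files differ only in provider name, env keys and the `scope` option; a small factory taking those as parameters would keep the org-membership check, which is the security-relevant part, in one place so a future fix cannot land in only one of them.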