feat(auth): allow Auth0 as authentication server, after bulk user import #705

adrienjoly · 2023-09-02T06:40:53Z

Fork of PR #593. May contribute to #669.

What does this PR do / solve?

Make Openwhyd more secure by delegating auth and user management to Auth0.

Overview of changes

When Auth0 env vars are provided, Openwhyd delegates the following features to Auth0:

login/logout
signup
password change (forgotten or not)
...

Otherwise, the legacy auth and user management implementation is used, as currently.

How to test this PR?

Prerequisite

To do once for all:

setup a Auth0 account with a "user-password" auth database, with "usernames" login enabled
paste Auth0 credentials to env-vars-testing.conf
(re)start openwhyd + db in docker: $ docker compose up --build --detach
seed test users: $ make docker-seed

To repeat after each code change:

(re)start openwhyd + db: $ make dev

=> when you're done testing, don't forget to run $ make down.

Bulk user import

copy-paste this token to file: scripts/auth0/.token
run $ scripts/auth0/import-test-users.sh
check that users are imported: Users + Logs

Login+logout

open http://localhost:8080
click on "log in" => you're redirected to auth0's login page
login with admin/admin or dummy/admin
back on openwhyd, logout

Signup

open http://localhost:8080
click on "sign up" => you're redirected to auth0's signup page
submit a username (e.g. adrien), an email address and a password
back on openwhyd, logout
follow the "login+logout" procedure (above), to check that you can login with username or email

Change of email address

Once you're logged in:

open http://localhost:8080/settings
change the email address
click "save changes", ignore the error message
check that the email address was updated, in Auth0's user list

Change of password

Once you're logged in:

open http://localhost:8080/settings
click on the "password" tab
type the same password in the 3 fields (any valid value will do)
click "save changes" => a message tells you that you'll receive an email
logout
open the email, click the link, pick a new password
back on http://localhost:8080, login with your new password

Change of handle/username

Once you're logged in:

open http://localhost:8080/settings
type a username in the "Custom URL" field
click "save changes"
logout
login with your new username+password

Account deletion

Once you're logged in:

open http://localhost:8080/settings
click on "delete your account" and confirm
check that the user is not listed anymore in Auth0's user list

TODO / probably worth doing before meging

import users' Facebook id to Auth0 too, so users can still login to Openwhyd using their Facebook account, after migrating to Auth0 => we could delete all facebook-related code and possibly close migrate Facebook calls to Graph API v≥12.0, before Mid September 2023 #658. => test that it works as expected.

To be done later

forward change of avatar to Auth0

References and resources

Auth0 Application Details
npm package used for auth: express-openid-connect
API reference of npm package used for other operations: node-auth0

codacy-production · 2023-09-02T06:45:40Z

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
Report missing for `6652771`¹	39.55%

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (`6652771`)	Report Missing	Report Missing	Report Missing
Head commit (`ab5811f`)	5043	2983	59.15%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#705)	134	53	39.55%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings Change summary preferences

Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct. ↩

…legacy signup page

app/lib/my-http-wrapper/http/Application.js

cf https://github.com/openwhyd/openwhyd/actions/runs/6071810244/job/16470584204?pr=705#step:5:15

app/lib/my-http-wrapper/http/Application.js

…k with the legacy signup page contributes to #705.

## [1.55.62](v1.55.61...v1.55.62) (2023-09-05) ### Bug Fixes * **auth:** we need to create a /signup route for Auth0 => make it work with the legacy signup page ([d3e2592](d3e2592)), closes [#705](#705)

adrienjoly · 2023-09-07T13:17:59Z

@julien-topcu Te sens pas obligé de faire une full review, mais je suis preneur de ton avis les changements et le mode opératoire que j'ai décris dans la description de cette PR, ainsi que tes réponses éventuelles aux questions ouvertes postées sur Notion, quand tu auras un peu de temps.

Je laisse ce chantier en stand-by d'ici là, histoire d'éviter d'aller trop loin dans une direction potentiellement contre-productive.

- argon2 ^0.31.0 → ^0.31.1, because we're developing an alternative: #705 - connect-mongo ^3.2.0 → ^5.0.0, because we're developing an alternative: #705 - formidable ^2.1.1 → ^3.5.1, because it breaks the build (cf #709 and #665) - mongodb 4.17.0 → 6.0.0, because we're not done yet on migrative callbacks to promises (cf #634 and #665) This partially reverts commit 43a63cf.

`$ npx npm-check-updates -u` Updates: - @applitools/eyes-cypress ^3.37.0 → ^3.38.0 - @cypress/code-coverage ^3.11.0 → ^3.12.0 - @types/node ^20.5.7 → ^20.6.0 - approvals ^6.2.1 → ^6.2.2 - cypress ^12.17.4 → ^13.1.0 - dd-trace ^4.14.0 → ^4.15.0 - eslint ^8.48.0 → ^8.49.0 Skipped updates: - argon2 ^0.31.0 → ^0.31.1, because we're developing an alternative: #705 - connect-mongo ^3.2.0 → ^5.0.0, because we're developing an alternative: #705 - formidable ^2.1.1 → ^3.5.1, because it breaks the build (cf #709 and #665) - mongodb 4.17.0 → 6.0.0, because we're not done yet on migrative callbacks to promises (cf #634 and #665)

cf https://sonarcloud.io/project/issues?resolved=false&types=BUG&pullRequest=705&id=openwhyd_openwhyd&open=AYplUZL8RuKyQxWJJv8P

…y from 16 to the 15 allowed.` cf https://sonarcloud.io/project/issues?resolved=false&types=CODE_SMELL&pullRequest=705&id=openwhyd_openwhyd&open=AYplUZL8RuKyQxWJJv8R

…n was expected` cf https://sonarcloud.io/project/issues?resolved=false&types=BUG&pullRequest=705&id=openwhyd_openwhyd&open=AYqytnS4SyyrZFVlPXfC

# [1.58.0](v1.57.1...v1.58.0) (2023-10-15) ### Features * **auth:** allow Auth0 as authentication server, after bulk user import ([#705](#705)) ([a65723f](a65723f)), closes [#593](#593) [#669](#669) [#658](#658)

adrienjoly · 2023-10-15T12:47:04Z

This PR is now running in production, but without using Auth0 yet.

Follow up of #705. May contribute to #669. Usage, from project root dir: ```sh $ mongoexport -d ${dbname} -c user --type=json --out ./prod-users.json-lines -u ${dbuser} -p ${dbpassword} $ node ./scripts/auth0/prepare-import-batches.js # => create files: `prod-users-*.for-auth0.json` $ ./scripts/auth0/import-prod-users.sh ```

## [1.59.4](v1.59.3...v1.59.4) (2023-12-27) ### Bug Fixes * **auth:** add scripts to import users to auth0 ([#755](#755)) ([d55d0f3](d55d0f3)), closes [#705](#705) [#669](#669)

…e-login everyday follow up for PR #705.

## [1.59.15](v1.59.14...v1.59.15) (2024-03-09) ### Bug Fixes * **auth:** try to refresh auth0 session silently, without having to re-login everyday ([c8fb684](c8fb684)), closes [#705](#705)

(squashed changes from #593)

cb642a5

adrienjoly self-assigned this Sep 2, 2023

adrienjoly added security / privacy experiment / study labels Sep 2, 2023

adrienjoly added 5 commits September 2, 2023 09:17

clean up

145511c

mark mongodb.forEach as deprecated

513fb2c

we need to create a /signup route for Auth0 => make it work with the …

857e9bd

…legacy signup page

make signup work with auth0

878c004

fix TS errors

cd531ef

github-advanced-security bot found potential problems Sep 4, 2023

View reviewed changes

app/lib/my-http-wrapper/http/Application.js Fixed Show fixed Hide fixed

adrienjoly added 10 commits September 4, 2023 14:00

Merge branch 'main' into auth0-after-bulk-user-import

336e781

update deprecated usernames refs counter

7563b87

cf https://github.com/openwhyd/openwhyd/actions/runs/6071810244/job/16470584204?pr=705#step:5:15

fix: don't use full email address as user name

81ceb45

feat: user rename is propagated to Auth0 database

151adf7

check the presence of AUTH0 env vars, if active

3ab9d12

refactor: extract auth0.updateUserName

862ad09

refactor: extract auth0 wrapper with makeExpressAuthMiddleware method

771cf9a

refactor: extract auth0.makeSignupRoute

adef2e7

don't use AUTH0 env vars from everywhere

565bd01

don't use oidc directly everywhere

68c9ffd

github-advanced-security bot found potential problems Sep 4, 2023

View reviewed changes

app/lib/my-http-wrapper/http/Application.js Fixed Show fixed Hide fixed

adrienjoly added 5 commits September 4, 2023 16:55

make oidc user fields explicit + validate in getAuthenticatedUser

b34185b

refactor: extract auth0.mapToOpenwhydUser

9978b09

refactor: turn updateUserName into a method

21e0feb

fix TS errors in api/user.js

e1b2aa2

feat: propagate change of user email to Auth0 database

299c956

adrienjoly added a commit that referenced this pull request Sep 5, 2023

fix(auth): we need to create a /signup route for Auth0 => make it wor…

d3e2592

…k with the legacy signup page contributes to #705.

Merge branch 'main' into auth0-after-bulk-user-import

92de193

adrienjoly added 4 commits September 5, 2023 15:09

refactor: rename setUsername --> setUserHandle

52bedce

refactor: rename setUserFullName --> setUserProfileName

84eb59f

refactor: extract deleteUser feature

dde3420

refactor: move features init to app.js

473ff22

adrienjoly requested a review from julien-topcu September 7, 2023 13:15

adrienjoly marked this pull request as ready for review September 7, 2023 13:18

adrienjoly added the feedback wanted label Sep 7, 2023

adrienjoly mentioned this pull request Sep 9, 2023

feat(security): use Auth0 as authentication server #593

Closed

4 tasks

adrienjoly mentioned this pull request Sep 11, 2023

fix(deps): update most dependencies #729

Merged

adrienjoly added 6 commits September 11, 2023 14:18

Merge branch 'main' into auth0-after-bulk-user-import

f058b80

fix(sonar): Expected non-Promise value in a boolean conditional.

76e2cad

cf https://sonarcloud.io/project/issues?resolved=false&types=BUG&pullRequest=705&id=openwhyd_openwhyd&open=AYplUZL8RuKyQxWJJv8P

fix(sonar): `Refactor this function to reduce its Cognitive Complexit…

3b1aac1

…y from 16 to the 15 allowed.` cf https://sonarcloud.io/project/issues?resolved=false&types=CODE_SMELL&pullRequest=705&id=openwhyd_openwhyd&open=AYplUZL8RuKyQxWJJv8R

fix(sonar): `Promise returned in function argument where a void retur…

4e5102a

…n was expected` cf https://sonarcloud.io/project/issues?resolved=false&types=BUG&pullRequest=705&id=openwhyd_openwhyd&open=AYqytnS4SyyrZFVlPXfC

Merge branch 'main' into auth0-after-bulk-user-import

43f6fe6

Merge branch 'main' into auth0-after-bulk-user-import

ab5811f

adrienjoly changed the title ~~feat(security): use Auth0 as authentication server, after bulk user import~~ feat(auth): allow Auth0 as authentication server, after bulk user import Oct 15, 2023

adrienjoly merged commit a65723f into main Oct 15, 2023
18 of 20 checks passed

adrienjoly deleted the auth0-after-bulk-user-import branch October 15, 2023 12:38

adrienjoly mentioned this pull request Oct 15, 2023

import users' Facebook id to Auth0 too, so users can still login to Openwhyd using their Facebook account, after migrating to Auth0 #749

Open

adrienjoly mentioned this pull request Dec 26, 2023

fix(auth): add scripts to import users to auth0 #755

Merged

adrienjoly added a commit that referenced this pull request Mar 9, 2024

fix(auth): try to refresh auth0 session silently, without having to r…

c8fb684

…e-login everyday follow up for PR #705.

adrienjoly mentioned this pull request Mar 9, 2024

Auth0: don't ask users to re-login everyday #765

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(auth): allow Auth0 as authentication server, after bulk user import #705

feat(auth): allow Auth0 as authentication server, after bulk user import #705

adrienjoly commented Sep 2, 2023 •

edited

codacy-production bot commented Sep 2, 2023 •

edited

adrienjoly commented Sep 7, 2023

adrienjoly commented Oct 15, 2023

feat(auth): allow Auth0 as authentication server, after bulk user import #705

feat(auth): allow Auth0 as authentication server, after bulk user import #705

Conversation

adrienjoly commented Sep 2, 2023 • edited

What does this PR do / solve?

Overview of changes

How to test this PR?

Prerequisite

Bulk user import

Login+logout

Signup

Change of email address

Change of password

Change of handle/username

Account deletion

TODO / probably worth doing before meging

To be done later

References and resources

codacy-production bot commented Sep 2, 2023 • edited

Coverage summary from Codacy

See diff coverage on Codacy

See your quality gate settings Change summary preferences

Footnotes

adrienjoly commented Sep 7, 2023

adrienjoly commented Oct 15, 2023

adrienjoly commented Sep 2, 2023 •

edited

codacy-production bot commented Sep 2, 2023 •

edited