feat(auth): allow Auth0 as authentication server, after bulk user import

app.js

@@ -143,27 +143,34 @@
     throw new Error(`missing env var: WHYD_SESSION_SECRET`);
 
   const myHttp = require('./app/lib/my-http-wrapper/http');
+
+  // Legacy user auth and session management
   const session = require('express-session');
   const MongoStore = require('connect-mongo')(session);
-  const sessionMiddleware = session({
+  const legacySessionMiddleware = session({
     secret: process.env.WHYD_SESSION_SECRET,
     store: new MongoStore({
       url: makeMongoUrl(dbCreds),
     }),
     cookie: {
       maxAge: 365 * 24 * 60 * 60 * 1000, // cookies expire in 1 year (provided in milliseconds)
       // secure: process.appParams.urlPrefix.startsWith('https://'), // if true, cookie will be accessible only when website if opened over HTTPS
       sameSite: 'strict',
     },
     name: 'whydSid',
     resave: false, // required, cf https://www.npmjs.com/package/express-session#resave
     saveUninitialized: false, // required, cf https://www.npmjs.com/package/express-session#saveuninitialized
   });
+
+  const useAuth0AsIdentityProvider = process.env.AUTH0_ISSUER_BASE_URL;
+
   const serverOptions = {
     urlPrefix: params.urlPrefix,
     port: params.port,
     appDir: __dirname,
-    sessionMiddleware,
+    sessionMiddleware: useAuth0AsIdentityProvider
+      ? null
+      : legacySessionMiddleware,
     errorHandler: function (req, params = {}, response, statusCode) {
       // to render 404 and 401 error pages from server/router
       require('./app/templates/error.js').renderErrorResponse(

app/controllers/invite.js

@@ -8,6 +8,7 @@ const users = require('../models/user.js');
 const invitePage = require('../templates/invitePage.js');
 const inviteFormTemplate = require('../templates/inviteForm.js');
 const templateLoader = require('../templates/templateLoader.js');
+const mainTemplate = require('../templates/mainTemplate.js');
 const makeSignupToken = require('../genuine.js').makeSignupToken;
 
 // genuine signup V1
@@ -88,8 +89,8 @@ exports.renderRegisterPage = function (request, reqParams, response) {
 
   if (reqParams.inviteCode)
     exports.checkInviteCode({ url: request.url }, reqParams, response, render);
-  // signup pop-in
   else if (reqParams.popin) {
+    // signup popin
     templateLoader.loadTemplate(
       'app/templates/popinSignup.html',
       function (template) {
@@ -98,9 +99,26 @@ exports.renderRegisterPage = function (request, reqParams, response) {
       },
     );
   } else {
-    //console.log("inviteCode parameter is required");
-    response.redirect('/#signup');
-    return false;
+    // signup page => render a page with a minimal header
+    const whydHeaderContent = `
+      <div id="headCenter">
+        <a target="_top" class="homeLink" href="/">
+          <img id="logo" src="/images/logo-s.png"/>
+        </a>
+      </div>
+    `;
+    templateLoader.loadTemplate(
+      'app/templates/popinSignup.html',
+      function (template) {
+        response.renderHTML(
+          mainTemplate.renderWhydPage({
+            pageTitle: 'Sign up',
+            whydHeaderContent,
+            content: template.render(reqParams),
+          }),
+        );
+      },
+    );
   }
 };
 

app/controllers/private/register.js

@@ -1,3 +1,5 @@
+// @ts-check
+
 /**
  * register controller (derived from facebookLogin)
  * register new users coming from the /invite form
@@ -43,6 +45,21 @@ function renderError(request, getParams, response, errorMsg) {
   );
 }
 
+async function persistNewUserFromAuth0(oidcUser) {
+  const dbUser = {
+    _id: oidcUser.sub.replace(/^auth0\|/, ''),
+    name: oidcUser.username ?? oidcUser.name, // note: for some reason, the username provided during signup is not included in oidcUser
+    // handle: oidcUser.username, // TODO: check that it complies with our rules, first
+    email: oidcUser.email,
+    img: oidcUser.picture,
+  };
+  const stored = await new Promise((resolve) =>
+    userModel.save(dbUser, resolve),
+  );
+  if (stored) notifEmails.sendRegWelcomeAsync(stored);
+  return stored;
+}
+
 /**
  * called when user submits the form from register.html
  */
@@ -103,7 +120,7 @@ exports.registerInvitedUser = function (request, user, response) {
   if (user.name == 'Your Name' || user.name.trim() == '')
     return error(request, user, response, "Don't you have a name, dude ?");
 
-  if (user.fbId && isNaN('' + user.fbId))
+  if (user.fbId && isNaN(user.fbId))
     return error(request, user, response, 'Invalid Facebook id');
 
   if (user.password == 'password')
@@ -137,7 +154,7 @@ exports.registerInvitedUser = function (request, user, response) {
         name: user.name,
         email: user.email,
         pwd: userModel.md5(user.password),
-        arPwd: argon2.hash(user.password).toString('hex'),
+        arPwd: argon2.hash(user.password).toString(), // should convert to hex first?
         img: '/images/blank_user.gif', //"http://www.gravatar.com/avatar/" + userModel.md5(user.email)
       };
 
@@ -167,16 +184,15 @@ exports.registerInvitedUser = function (request, user, response) {
         'Oops, your registration failed... Please try again!',
       );
 
-    if (user.fbRequest) userModel.removeInviteByFbRequestIds(user.fbRequest);
-    else userModel.removeInvite(user.inviteCode);
+    userModel.removeInvite(user.inviteCode);
 
     function loginAndRedirectTo(url) {
       request.session.whydUid = storedUser.id || storedUser._id; // CREATING SESSION
       if (user.ajax) {
         const json = { redirect: url, uId: '' + storedUser._id };
-        const renderJSON = () => {
+        const renderJSON = (jsonData) => {
           response[user.ajax == 'iframe' ? 'renderWrappedJSON' : 'renderJSON'](
-            json,
+            jsonData,
           );
         };
         if (user.includeUser) {
@@ -215,10 +231,23 @@ exports.registerInvitedUser = function (request, user, response) {
   else registerUser();
 };
 
-exports.controller = function (request, getParams, response) {
+exports.controller = async function (request, getParams, response) {
   request.logToConsole('register.controller', request.method);
   if (request.method.toLowerCase() === 'post')
     // sent by (new) register form
     exports.registerInvitedUser(request, request.body, response);
-  else inviteController.renderRegisterPage(request, getParams, response);
+  else if (!!process.env.AUTH0_SECRET && request.oidc.user) {
+    // finalize user signup from Auth0, by persisting them into our database
+    const storedUser = await persistNewUserFromAuth0(request.oidc.user);
+    if (!storedUser) {
+      renderError(
+        request,
+        storedUser,
+        response,
+        'Oops, your registration failed... Please reach out to contact@openwhyd.org',
+      );
+    } else {
+      response.renderHTML(htmlRedirect('/')); // in reality, this ends up redirecting to the consent request page
+    }
+  } else inviteController.renderRegisterPage(request, getParams, response);
 };

app/lib/my-http-wrapper/http/Application.js

@@ -145,6 +145,55 @@
         });
       });
     }
+
+    const {
+      AUTH0_ISSUER_BASE_URL,
+      AUTH0_SECRET, // to generate with $ openssl rand -hex 32
+      AUTH0_CLIENT_ID,
+    } = process.env;
+
+    if (AUTH0_ISSUER_BASE_URL) {
+      const openId = require('express-openid-connect');
+
+      // auth router attaches /login, /logout, and /callback routes to the baseURL
+      app.use(
+        openId.auth({
+          authRequired: false,
+          auth0Logout: true,
+          secret: AUTH0_SECRET,
+          baseURL: this._urlPrefix,
+          clientID: AUTH0_CLIENT_ID,
+          issuerBaseURL: AUTH0_ISSUER_BASE_URL,
+          // cf https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html#afterCallback
+          // afterCallback: async (req, res, session, decodedState) => {
+          //   const userProfile = await request(
+          //     `${AUTH0_ISSUER_BASE_URL}/userinfo`,
+          //   );
+          //   console.warn('afterCallback', {
+          //     session,
+          //     decodedState,
+          //     userProfile,
+          //   });
+          //   return { ...session, userProfile }; // access using req.appSession.userProfile
+          // },
+        }),
+      );
+
+      // example of route that gets user profile info from auth0
+      // app.get('/profile', openId.requiresAuth(), (req, res) => {
+      //   const user = req.oidc.user; // e.g. {"nickname":"admin","name":"admin","picture":"https://s.gravatar.com/avatar/xxxxxx.png","updated_at":"2023-08-30T15:02:17.071Z","email":"test@openwhyd.org","sub":"auth0|000000000000000000000001","sid":"XXXXXX-XXXXXX-XXXXXX"}
+      //   res.send(JSON.stringify(user));
+      // });
+
+      // redirects to Auth0's sign up dialog
+      app.get('/signup', (req, res) => {
+        res.oidc.login({
+          authorizationParams: { screen_hint: 'signup' },
+          returnTo: '/register', // so we can create the user in our database too
+        });
+      });
+    }
+
     // app.set('view engine', 'hogan'); // TODO: use hogan.js to render "mustache" templates when res.render() is called
     app.use(noCache); // called on all requests
     app.use(express.static(this._publicDir));

app/models/logging.js

@@ -52,17 +52,6 @@
 
 // ========= COOKIE STUFF
 
-/**
- * Generates a user session cookie string
- * that can be supplied to a Set-Cookie HTTP header.
- */
-/*
-exports.makeCookie = function(user) {
-	var date = new Date((new Date()).getTime() + 1000 * 60 * 60 * 24 * 365);
-	return 'whydUid="'+(user.id || '')+'"; Expires=' + date.toGMTString();
-};
-*/
-
 /**
  * Transforms cookies found in the request into an object
  */
@@ -139,35 +128,45 @@
   return this.getFbUid();
 };
 
+const useAuth0AsIdentityProvider = process.env.AUTH0_ISSUER_BASE_URL;
+
 /**
- * Returns the logged in user's uid, from its openwhyd session cookie
+ * Returns the logged in user's uid
  */
-http.IncomingMessage.prototype.getUid = function () {
-  /*
-	var uid = (this.getCookies() || {})["whydUid"];
-	if (uid) uid = uid.replace(/\"/g, "");
-	//if (uid) console.log("found openwhyd session cookie", uid);
-	return uid;
-	*/
-  return (this.session || {}).whydUid;
-};
+http.IncomingMessage.prototype.getUid = useAuth0AsIdentityProvider
+  ? function () {
+      const userId = this.oidc.isAuthenticated()
+        ? this.oidc.user?.sub.replace('auth0|', '')
+        : null;
+      if (userId) {
+        this.session = this.session || {};
+        this.session.whydUid = userId;
+      }
+      return userId;
+    }
+  : function () {
+      return (this.session || {}).whydUid;
+    };
 
 /**
  * Returns the logged in user as an object {_id, id, fbId, name, img}
+ * @deprecated because it relies on a in-memory cache of users, call fetchByUid() instead.
  */
 http.IncomingMessage.prototype.getUser = function () {
   const uid = this.getUid();
-  if (uid) {
-    const user = mongodb.usernames[uid];
-    if (user) user.id = '' + user._id;
-    return user;
-  } else return null;
+  if (!uid) return null;
+  const user = mongodb.usernames[uid];
+  if (!user) console.trace(`logged user ${uid} not found in user cache`);
+  else user.id = '' + user._id;
+  return user ?? null;
 };
 
 //http.IncomingMessage.prototype.getUserFromFbUid = mongodb.getUserFromFbUid;
 
+/** @deprecated because it relies on a in-memory cache of users, call fetchByUid() instead. */
 http.IncomingMessage.prototype.getUserFromId = mongodb.getUserFromId;
 
+/** @deprecated because it relies on a in-memory cache of users, call fetchByUid() instead. */
 http.IncomingMessage.prototype.getUserNameFromId = mongodb.getUserNameFromId;
 
 // ========= LOGIN/SESSION/PRIVILEGES STUFF

app/models/mongodb.js

@@ -99,6 +99,7 @@ exports.cacheUsers = function (callback) {
   );
 };
 
+/** @deprecated because the cursor cannot be released until results are exhausted. */
 exports.forEach = async function (colName, params, handler, cb, cbParam) {
   let q = {};
   params = params || {};

app/models/user.js

@@ -323,7 +323,7 @@ exports.update = function (uid, update, handler) {
 
 /**
  *
- * @param {UserDocument} pUser
+ * @param {Partial<UserDocument> & ({_id: string} | {id: string} | {email: string})} pUser
  * @param {(userDocument:UserDocument) => any} handler
  */
 exports.save = function (pUser, handler) {

docs/login-flow.md

@@ -6,7 +6,7 @@ Here's the login flow:
 - in the case of a successfull login, `renderRedirect()` will indirectly initiate a cookie session, by storing the user id in `request.session`
 - the cookie will be created by `express-session` which is attached to the web framework in the `start()` function of [`/app.js`](/app.js) (main entry point of the web app)
 - the session is stored in the mongodb database by `connect-mongo`
-- the session will be checked in all following HTTP requests received by openwhyd's web app, if they contain the `whydUid` cookie in their headers
+- the session will be checked in all following HTTP requests received by openwhyd's web app, if they contain the `whydUid` cookie in their headers, thru the `getUid()` or `getUser()` methods added by `logging.js` to `IncomingMessage.prototype`
 
 Notes:
 

env-vars-testing.conf

@@ -22,3 +22,9 @@ ALGOLIA_APP_ID=""
 ALGOLIA_API_KEY=""
 DISABLE_DATADOG="true"
 LOG_REQ_THRESHOLD_MS="5000"
+
+# experimental: use Auth0 as indentity provider, instead of checking password hashes ourselves
+AUTH0_ISSUER_BASE_URL=""
+AUTH0_CLIENT_ID=""
+AUTH0_SECRET="" # to generate with $ openssl rand -hex 32
+# dont forget to run $ ngrok tcp 27117, to expose local user accounts to Auth0