Implement /auth with IVLE token

.env → .env.example

@@ -2,16 +2,19 @@
 # and building production tarball.
 
 # Host used in development
-export CADET_HOST=0.0.0.0
+CADET_HOST=0.0.0.0
 
 # Hostname of production server
-export CADET_PROD_HOST=https://sourceacademy.comp.nus.edu.sg/
+CADET_PROD_HOST=https://sourceacademy.comp.nus.edu.sg/
 
 # Port which Phoenix should be serving from in development
-export CADET_SERVER_PORT=4000
+CADET_SERVER_PORT=4000
 
 # Port which Webpack should be serving from in development
-export CADET_WEBPACK_PORT=4001
+CADET_WEBPACK_PORT=4001
 
 # Webpack entry filename
-export CADET_WEBPACK_ENTRY=app
+CADET_WEBPACK_ENTRY=app
+
+# IVLE LAPI Key
+IVLE_KEY=your_ivle_lapi_key

README.md

@@ -21,10 +21,17 @@ Install Elixir dependencies
 
     mix deps.get
 
-Initialise Development Database
+Initialise development database
 
     mix ecto.setup
 
+Copy the file `.env.example` as `.env` in the project root, and replace the
+value of `IVLE_KEY` in with your [IVLE LAPI Key](https://ivle.nus.edu.sg/LAPI/default.aspx).
+If you've compiled the application before setting a valid value, you must force
+a recompilation with `mix clean && mix`.
+
+    IVLE_KEY=your_ivle_lapi_key
+
 Run the server in your local machine
 
     mix cadet.server

config/test.exs

@@ -14,6 +14,12 @@ config :pbkdf2_elixir, :rounds, 1
 # Print only warnings and errors during test
 config :logger, level: :warn
 
+# Don't save secret keys in ExVCR cassettes
+config :exvcr,
+  filter_url_params: true,
+  vcr_cassette_library_dir: "test/fixtures/vcr_cassettes",
+  custom_cassette_library_dir: "test/fixtures/custom_cassettes"
+
 # Configure your database
 config :cadet, Cadet.Repo,
   adapter: Ecto.Adapters.Postgres,

lib/cadet/accounts.ex → lib/cadet/accounts/accounts.ex

@@ -4,21 +4,21 @@ defmodule Cadet.Accounts do
   """
   use Cadet, :context
 
-  alias Comeonin.Pbkdf2
-
+  alias Cadet.Accounts.Authorization
+  alias Cadet.Accounts.IVLE
   alias Cadet.Accounts.User
   alias Cadet.Accounts.Query
-  alias Cadet.Accounts.Authorization
   alias Cadet.Accounts.Form.Registration
 
   @doc """
-  Register new User entity using E-mail and Password
-  authentication.
+  Register new User entity using Cadet.Accounts.Form.Registration
+
+  Returns {:ok, user} on success, otherwise {:error, changeset}
   """
   def register(attrs = %{}, role) do
     changeset = Registration.changeset(%Registration{}, attrs)
 
-    if changeset.valid?() do
+    if changeset.valid? do
       registration = apply_changes(changeset)
 
       Repo.transaction(fn ->
@@ -28,9 +28,8 @@ defmodule Cadet.Accounts do
         {:ok, _} =
           create_authorization(
             %{
-              provider: :email,
-              uid: registration.email,
-              token: Pbkdf2.hashpwsalt(registration.password)
+              provider: :nusnet_id,
+              uid: registration.nusnet_id
             },
             user
           )
@@ -69,77 +68,59 @@ defmodule Cadet.Accounts do
   end
 
   @doc """
-  Associate an e-mail address with an existing `%User{}`
-  The user will be able to authenticate using the e-mail
+  Associate NUSTNET_ID with an existing `%User{}`
   """
-  def add_email(user = %User{}, email) do
-    token = get_token(:email, email) || get_random_token()
-
+  def add_nusnet_id(user = %User{}, nusnet_id) do
     changeset =
       %Authorization{}
       |> Authorization.changeset(%{
-        provider: :email,
-        uid: email,
-        token: token
+        provider: :nusnet_id,
+        uid: nusnet_id
       })
       |> put_assoc(:user, user)
 
     Repo.insert(changeset)
   end
 
   @doc """
-  Associate a password to an existing `%User{}`
-  The user will be able to authenticate using any of the e-mail
-  and the password.
+  Associate a NUSNET_ID to an existing `%User{}`
   """
-  def set_password(user = %User{}, password) do
-    token = Pbkdf2.hashpwsalt(password)
-
+  def set_nusnet_id(user = %User{}, nusnet_id) do
     Repo.transaction(fn ->
-      authorizations = Repo.all(Query.user_emails(user.id))
+      authorizations = Repo.all(Query.user_nusnet_ids(user.id))
 
-      for email <- authorizations do
-        email
-        |> change(%{token: token})
+      for authorization <- authorizations do
+        authorization
+        |> change(%{nusnet_id: nusnet_id})
         |> Repo.update!()
       end
     end)
   end
 
   @doc """
-  Sign in using given e-mail and password combination
+  Sign in using given NUSNET_ID
   """
-  def sign_in(email, password) do
-    auth = Repo.one(Query.email(email))
-
-    cond do
-      auth == nil ->
-        {:error, :not_found}
-
-      not Pbkdf2.checkpw(password, auth.token) ->
-        {:error, :invalid_password}
+  def sign_in(nusnet_id, token) do
+    auth = Repo.one(Query.nusnet_id(nusnet_id))
 
-      true ->
-        auth = Repo.preload(auth, :user)
-        {:ok, auth.user}
-    end
-  end
-
-  defp get_token(provider, uid) do
-    auth = Repo.get_by(Authorization, provider: provider, uid: uid)
-
-    if auth == nil do
-      nil
+    if auth do
+      auth = Repo.preload(auth, :user)
+      {:ok, auth.user}
     else
-      auth.token
+      # user is not registered in our database
+      with {:ok, name} <- IVLE.fetch_name(token),
+           {:ok, _} <- register(%{name: name, nusnet_id: nusnet_id}, :student) do
+        sign_in(nusnet_id, token)
+      else
+        {:error, :bad_request} ->
+          # IVLE.fetch_name/1 responds with :bad_request if token is invalid
+          {:error, :bad_request}
+
+        {:error, _} ->
+          # IVLE.fetch_name/1 responds with :internal_server_error if API key is invalid
+          # register/2 returns {:error, changeset} if changeset is invalid
+          {:error, :internal_server_error}
+      end
     end
   end
-
-  defp get_random_token() do
-    length = 64
-
-    :crypto.strong_rand_bytes(length)
-    |> Base.url_encode64()
-    |> binary_part(0, length)
-  end
 end

lib/cadet/accounts/authorization.ex

@@ -1,7 +1,7 @@
 defmodule Cadet.Accounts.Authorization do
   @moduledoc """
   The User entity represents a user.
-  It stores basic information such as first name, last name, and e-mail.
+  It stores basic information such as name, NUSNET ID, and e-mail.
   Each user is associated to one `role` which determines the access level
   of the user.
   """
@@ -13,14 +13,13 @@ defmodule Cadet.Accounts.Authorization do
   schema "authorizations" do
     field(:provider, Provider)
     field(:uid, :string)
-    field(:token, :string)
     field(:refresh_token, :string)
     field(:expires_at, :integer)
 
     belongs_to(:user, User)
   end
 
-  @required_fields ~w(provider uid token)a
+  @required_fields ~w(provider uid)a
   @optional_fields ~w(refresh_token expires_at)a
 
   def changeset(authorization, params \\ %{}) do

lib/cadet/accounts/form/login.ex

@@ -1,18 +1,17 @@
 defmodule Cadet.Accounts.Form.Login do
   @moduledoc """
   The Accounts.Form entity represents an entry from an accounts form.
-  A login form comprises of e-mail and password
+  A login form comprises of an IVLE authentication token.
   """
   use Ecto.Schema
 
   import Ecto.Changeset
 
   embedded_schema do
-    field(:email, :string)
-    field(:password, :string)
+    field(:ivle_token, :string)
   end
 
-  @required_fields ~w(email password)a
+  @required_fields ~w(ivle_token)a
 
   def changeset(login, params \\ %{}) do
     login

lib/cadet/accounts/form/registration.ex

@@ -1,33 +1,24 @@
 defmodule Cadet.Accounts.Form.Registration do
   @moduledoc """
-  The Accounts.Form entity represents an entry from an accounts form.
-  A registration form contains the same information as the User and Authorization
-  entity, including first name, last name, e-mail, password and password
-  confirmation.
+  The Accounts.Form entity represents an entry from a /auth call, where the
+  IVLE authentication token corresponds to a user who has not been registered
+  in our database.
   """
+
   use Ecto.Schema
 
   import Ecto.Changeset
 
   embedded_schema do
-    field(:first_name, :string)
-    field(:last_name, :string)
-    field(:email, :string)
-    field(:password, :string)
-    field(:password_confirmation, :string)
+    field(:name, :string)
+    field(:nusnet_id, :string)
   end
 
-  @required_fields ~w(first_name email password password_confirmation)a
-  @optional_fields ~w(last_name)a
-
-  @email_format ~r/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/
+  @required_fields ~w(name nusnet_id)a
 
   def changeset(registration, params \\ %{}) do
     registration
-    |> cast(params, @required_fields ++ @optional_fields)
+    |> cast(params, @required_fields)
     |> validate_required(@required_fields)
-    |> validate_format(:email, @email_format)
-    |> validate_length(:password, min: 8)
-    |> validate_confirmation(:password)
   end
 end

lib/cadet/accounts/ivle.ex

@@ -0,0 +1,75 @@
+defmodule Cadet.Accounts.IVLE do
+  @moduledoc """
+  Helper functions to IVLE calls. All helper functions are prefixed with fetch
+  to differentiate them from database helpers, or other 'getters'.
+
+  This module relies on the environment variable `IVLE_KEY` being set.
+  `IVLE_KEY` should contain the IVLE Lapi key. Obtain the key from
+  [this link](http://ivle.nus.edu.sg/LAPI/default.aspx).
+  """
+
+  @api_url "https://ivle.nus.edu.sg/api/Lapi.svc"
+  @api_key Dotenv.load().values["IVLE_KEY"]
+
+  @doc """
+  Get the NUSNET ID of the user corresponding to this token.
+
+  returns...
+
+    - {:ok, nusnet_id} - valid token, nusnet_id is a string
+    - {:error, :bad_request} - invalid token
+    - {:error, :internal_server_error} - the ivle_key is invalid
+
+  ## Parameters
+
+    - token: String, the IVLE authentication token
+
+  ## Examples
+
+      iex> Cadet.Accounts.IVLE.fetch_nusnet_id("T0K3N...")
+      {:ok, "e012345"}
+
+  """
+  def fetch_nusnet_id(token), do: api_fetch("UserID_Get", token)
+
+  @doc """
+  Get the full name of the user corresponding to this token.
+
+  returns...
+
+    - {:ok, username} - valid token, username is a string
+    - {:error, :bad_request} - invalid token
+    - {:error, :internal_server_error} - the ivle_key is invalid
+
+  ## Parameters
+
+    - token: String, the IVLE authentication token
+
+  ## Examples
+
+      iex> Cadet.Accounts.IVLE.fetch_name("T0K3N...")
+      {:ok, "LEE NING YUAN"}
+
+  """
+  def fetch_name(token), do: api_fetch("UserName_Get", token)
+
+  defp api_fetch(path, token) do
+    case HTTPoison.get(api_url(path, token)) do
+      {:ok, %{body: body, status_code: 200}} when body != ~s("") ->
+        {:ok, Poison.decode!(body)}
+
+      {:ok, %{status_code: 500}} ->
+        # IVLE responds with 500 if APIKey is invalid
+        {:error, :internal_server_error}
+
+      {:ok, %{body: ~s(""), status_code: 200}} ->
+        # IVLE responsed 200 with body == ~s("") if token is invalid
+        {:error, :bad_request}
+    end
+  end
+
+  defp api_url(path, token) do
+    # construct a valid URL with the module attributes, and given params
+    "#{@api_url}/#{path}?APIKey=#{@api_key}&Token=#{token}"
+  end
+end

lib/cadet/accounts/provider.ex

@@ -1,6 +1,6 @@
 import EctoEnum
 
 defenum(Cadet.Accounts.Provider, :provider, [
-  # Email provides e-mail and password based authorization 
-  :email
+  # An IVLE authentication token provides a NUSNET ID to track user identity
+  :nusnet_id
 ])