Portal for visualizing the data: the overview and the individual profiles.

- You must already have a valid Azure AD Tenant (the default one, along with the default Directory provided with your Azure Subscription, will do).
- You must create a group in that directory; I suggest using the name `MCSC-Portal-Users`.
- Save the Group's id (aka the Object ID) for later.
- Assign one or more users to this group; these will be the users authorized to log into the portal.
- Note: You can add guest users so they can reuse an existing account (e.g. @outlook, @contoso.com, etc.).
The current Dev/DevProd environment uses an application registered under `admin.mcsc@strutcreative.com`.
If you have not yet created a "Converged Application" (aka an Azure AD v2.0 endpoint for AAD sign-on) you will need to follow these steps:
- Navigate to https://apps.dev.microsoft.com/?deeplink=/appList
- Click `New application registration`
- NOTE:
  - Be sure to log in with a user that was created in the above Directory that you wish to have this created in.
  - The reason for this is that the app is created in the DEFAULT directory of the logged-in user, so this is an easy way to ensure the correct Directory is associated with this application.
  - DO NOT use a personal account (outlook, hotmail etc.)
  - I suggest creating an administrative user specific to the tenant and using those credentials, e.g. "admin@<your_tenant>.onmicrosoft.com"
- Use the naming convention: `MSCS Portal - <DEV/TEST/PROD>`
- NOTE:
  - Click `Generate new password` and store it; you will be prompted to change this upon first login.
  - If you wish to change this right away, open a new InPrivate/Incognito browser, navigate to portal.azure.com and log in with the new user; you will be prompted to change the password.
- Click `Add Platform`
- For `Redirect URLs` add `http://localhost:3000/auth/openid/return`
  - If this is for production, change localhost to the actual domain/subdomain being used.
- For `Logout URL` add `http://localhost:3000/logout`
  - If this is for production, change localhost to the actual domain/subdomain being used.
- For
- Click `Save`
- Clone this repo locally: `git clone https://github.com/Missing-Children-Society-Canada/portal-node.git`
- Configure the environment variables below
  - This project uses dotenv, so you can place your personal development environment variables in a `.env` file in the root (it will not be checked in, as it is excluded in `.gitignore`).
- To run: `node server.js`
- Navigate to http://localhost:3000
Use the variables below in your `.env` file or in your Azure Web Application's App Settings.

```
IdentityMetadata=
ClientID=
ClientSecret=
RedirectUrl=
DestroySessionUrl=
DocDbHost=
DocDbAuthKey=
NotifyPoliceUrl=
ValidateTokenUrl=
RequiredAADGroupId=
CookieEncryptionKey=
CookieEncryptionIv=
AppInsightsInstrumentationKey=
```
More details for the AAD Passport-specific settings can be found on the AAD Passport GitHub page.

`IdentityMetadata`: The metadata endpoint provided by the Microsoft Identity Portal that provides the keys and other important information at runtime. Example: https://login.microsoftonline.com/<YOUR_AAD_TENANT_NAME>.onmicrosoft.com/v2.0/.well-known/openid-configuration

`ClientID`: The client ID of your application in AAD (Azure Active Directory). It can be located here: https://apps.dev.microsoft.com/#/appList

`RedirectUrl`: The OpenID return URL to continue the authentication process. For development use http://localhost:3000/auth/openid/return; however, for production this should be https and point to the production application's domain.

`ClientSecret`: When you create an application in the Application Registration Portal you are provided the ability to create a Password (found under Application Secrets).

`DocDbHost`: The URL for your DocumentDB instance where the profile data is queried. The portal expects a database called `reporting` and a collection called `events`.

`DocDbAuthKey`: A Read-Write Access key for the above DocumentDB host.

`NotifyPoliceUrl`: The secure Azure Function URL for the `NotifyPolice` API, which allows for the emailing of profiles.

`ValidateTokenUrl`: The secure Azure Function URL for the `ValidateToken` API, which allows for authorization validation to view a profile by token ID (instead of standard Passport login authentication).

`RequiredAADGroupId`: The AAD Directory Group id which the authenticated user must be a member of to pass authorization checks. If the user is authenticated (can log in) but is not a member of the configured group, they will be denied access (Status: 401).

NOTE: When a user is added to the group it can take a few minutes before this information propagates. It's common to still be directed to `/unauthorized` shortly after adding them to the group.

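
The group check described above, as an added example that is not portal-node's own code: it takes the ID-token claims that passport-azure-ad hands to the app and returns the allow/deny decision. The claim names (`groups`, `_claim_names`) are AAD's; it goes one step beyond the README by treating the AAD "groups overage" case (too many groups, so the `groups` claim is omitted) as unknown rather than as a non-member. The sample claims are constructed placeholders.

```javascript
// Added example, not portal-node's own code: the RequiredAADGroupId decision
// applied to ID-token claims. Claim names are AAD's; samples are constructed.
function authorizeByGroup(claims, requiredGroupId) {
  const deny = (reason) => ({ status: 401, redirect: '/unauthorized', reason });
  if (!claims) return deny('not authenticated');
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  // Overage: AAD drops `groups` and sets `_claim_names.groups` when the user
  // is in too many groups, so an empty list here means "unknown", not "no".
  if (groups.length === 0 && claims._claim_names && claims._claim_names.groups) {
    return deny('groups overage: membership must be resolved via Graph');
  }
  // Group Object IDs are GUIDs: compare the whole value, case-insensitively.
  const wanted = String(requiredGroupId).toLowerCase();
  if (groups.some((g) => String(g).toLowerCase() === wanted)) {
    return { status: 200, redirect: null, reason: 'member of required group' };
  }
  // This is also what a freshly added user sees until membership propagates.
  return deny('authenticated but not in required group');
}

// Constructed sample claims (placeholder GUIDs, not real tenant data).
const REQUIRED_GROUP = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';
const memberClaims = { oid: '11111111-0000-0000-0000-000000000001',
  groups: ['AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'] };
const outsiderClaims = { oid: '22222222-0000-0000-0000-000000000002',
  groups: ['99999999-9999-9999-9999-999999999999'] };
const overageClaims = { oid: '33333333-0000-0000-0000-000000000003',
  _claim_names: { groups: 'src1' },
  _claim_sources: { src1: { endpoint: 'https://graph.example.invalid/placeholder' } } };
```
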

`CookieEncryptionKey`: A 32 character string used as the encryption key for the aes-256-gcm cookie encryption. For more information see the AAD Passport documentation. You can get a randomly generated key & iv via this Azure Function: TDESGenerate.

`CookieEncryptionIv`: A 12 character string used as the IV (Initialization Vector) for the aes-256-gcm cookie encryption. For more information see the AAD Passport documentation. You can get a randomly generated key & iv via this Azure Function: TDESGenerate (.NET source code).

`AppInsightsInstrumentationKey`: The Application Insights instrumentation key for analytics.
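
A start-up check for the settings listed above, as an added example (not code from portal-node): it applies the README's own rules (every variable present, a 32-character key and 12-character IV for aes-256-gcm, GUID-shaped ids, https on the production domain) and returns the problems found. The sample values are constructed placeholders; `validatePortalConfig` and `SAMPLE_ENV` are names chosen here.

```javascript
// Added example, not part of portal-node: sanity-check the README's .env /
// App Settings values before starting the portal. Rules are the README's;
// the sample values are constructed placeholders, not real credentials.
const REQUIRED = ['IdentityMetadata', 'ClientID', 'ClientSecret', 'RedirectUrl',
  'DestroySessionUrl', 'DocDbHost', 'DocDbAuthKey', 'NotifyPoliceUrl',
  'ValidateTokenUrl', 'RequiredAADGroupId', 'CookieEncryptionKey',
  'CookieEncryptionIv', 'AppInsightsInstrumentationKey'];
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
const METADATA = /^https:\/\/login\.microsoftonline\.com\/[^/]+\/v2\.0\/\.well-known\/openid-configuration$/;

// Returns the list of problems found; an empty list means the checks pass.
function validatePortalConfig(vars, { production = false } = {}) {
  const problems = [];
  for (const name of REQUIRED) if (!vars[name]) problems.push(`${name} is missing`);
  if (vars.IdentityMetadata && !METADATA.test(vars.IdentityMetadata)) {
    problems.push('IdentityMetadata is not a v2.0 openid-configuration URL');
  }
  for (const name of ['ClientID', 'RequiredAADGroupId']) {
    if (vars[name] && !GUID.test(vars[name])) problems.push(`${name} is not a GUID`);
  }
  // aes-256-gcm: 32-byte key, 12-byte IV. The IV is static and reused for
  // every cookie, so keep it as secret as the key.
  for (const [name, len] of [['CookieEncryptionKey', 32], ['CookieEncryptionIv', 12]]) {
    if (vars[name] && vars[name].length !== len) problems.push(`${name} must be ${len} characters`);
  }
  // Production redirect/logout URLs must be https on the real domain, not localhost.
  for (const name of ['RedirectUrl', 'DestroySessionUrl']) {
    const u = vars[name] || '';
    if (production && u && (!u.startsWith('https://') || u.includes('localhost'))) {
      problems.push(`${name} must be https on the production domain`);
    }
  }
  return problems;
}

// Constructed sample .env contents as dotenv would load them (placeholders only).
const SAMPLE_ENV = {
  IdentityMetadata: 'https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration',
  ClientID: '11111111-2222-3333-4444-555555555555',
  ClientSecret: 'placeholder-secret',
  RedirectUrl: 'http://localhost:3000/auth/openid/return',
  DestroySessionUrl: 'http://localhost:3000/logout',
  DocDbHost: 'https://example.documents.azure.com:443/',
  DocDbAuthKey: 'placeholder-key',
  NotifyPoliceUrl: 'https://example.azurewebsites.net/api/NotifyPolice',
  ValidateTokenUrl: 'https://example.azurewebsites.net/api/ValidateToken',
  RequiredAADGroupId: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
  CookieEncryptionKey: '0123456789abcdef0123456789abcdef',
  CookieEncryptionIv: '0123456789ab',
  AppInsightsInstrumentationKey: 'placeholder-ikey',
};
```

Run it with `production: true` before deploying to App Settings; the dev sample above passes as-is but fails the production run on its two localhost URLs.
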