WIP

Author: dmitrizagidulin

lib/create-app.js

@@ -10,6 +10,9 @@ var proxy = require('./handlers/proxy')
 var IdentityProvider = require('./identity-provider')
 var vhost = require('vhost')
 var path = require('path')
+var AnvilConnect = require('./handlers/auth-oidc')
+var bodyParser = require('body-parser')
+
 var corsSettings = cors({
   methods: [
     'OPTIONS', 'HEAD', 'GET', 'PATCH', 'POST', 'PUT', 'DELETE'
@@ -75,6 +78,13 @@ function createApp (argv) {
     app.use('/', corsSettings, idp.get.bind(idp))
   }
 
+  ldp.oidc = true
+  if (ldp.oidc) {
+    var oidc = OidcProvider()
+    app.use('/', oidc.authenticate())
+    app.use('/api/oidc', oidc.middleware(corsSettings))
+  }
+
   if (ldp.idp) {
     app.use(vhost('*', LdpMiddleware(corsSettings)))
   }

lib/handlers/auth-oidc.js

@@ -0,0 +1,190 @@
+/**
+ * Module dependencies
+ */
+
+var AnvilConnect = require('anvil-connect-nodejs')
+var UnauthorizedError = AnvilConnect.UnauthorizedError
+var debug = require('debug')('ldnode:auth-oidc')
+
+/**
+ * Constructor
+ */
+
+function AnvilConnectExpress (options) {
+  options = options || {}
+  this.client = new AnvilConnect(options)
+  this.respond = options.respond || true
+}
+
+/**
+ * Next
+ */
+
+function handler (req, res, next) {
+  var self = this
+
+  return function (err) {
+    var statusCode = err.statusCode || 400
+
+    if (self.respond) {
+      res.status(statusCode).json({
+        error: err.error,
+        error_description: err.error_description
+      })
+    } else {
+      next(err)
+    }
+  }
+}
+
+AnvilConnectExpress.prototype.handler = handler
+
+/**
+ * Verify Middleware
+ */
+
+function verifier (options) {
+  var self = this
+
+  return function (req, res, next) {
+    var accessToken
+    var nexter = self.handler(req, res, next)
+
+    // Check for an access token in the Authorization header
+    if (req.headers && req.headers.authorization) {
+      var components = req.headers.authorization.split(' ')
+      var scheme = components[0]
+      var credentials = components[1]
+
+      if (components.length !== 2) {
+        return nexter(new UnauthorizedError({
+          error: 'invalid_request',
+          error_description: 'Invalid authorization header',
+          statusCode: 400
+        }))
+      }
+
+      if (scheme !== 'Bearer') {
+        return nexter(new UnauthorizedError({
+          error: 'invalid_request',
+          error_description: 'Invalid authorization scheme',
+          statusCode: 400
+        }))
+      }
+
+      accessToken = credentials
+    }
+
+    // Check for an access token in the request URI
+    if (req.query && req.query.access_token) {
+      if (accessToken) {
+        return nexter(new UnauthorizedError({
+          error: 'invalid_request',
+          error_description: 'Multiple authentication methods',
+          statusCode: 400
+        }))
+      }
+
+      accessToken = req.query.access_token
+    }
+
+    // Check for an access token in the request body
+    if (req.body && req.body.access_token) {
+      if (accessToken) {
+        return nexter(new UnauthorizedError({
+          error: 'invalid_request',
+          error_description: 'Multiple authentication methods',
+          statusCode: 400
+        }))
+      }
+
+      if (req.headers &&
+        req.headers['content-type'] !== 'application/x-www-form-urlencoded') {
+        return nexter(new UnauthorizedError({
+          error: 'invalid_request',
+          error_description: 'Invalid content-type',
+          statusCode: 400
+        }))
+      }
+
+      accessToken = req.body.access_token
+    }
+
+    function invokeVerification () {
+      self.client.verify(accessToken, options)
+        .then(function (accessTokenClaims) {
+          req.accessToken = accessToken
+          req.accessTokenClaims = accessTokenClaims
+          return self.client.userInfo({token: accessToken})
+        })
+        .then(function (userInfo) {
+          req.userInfo = userInfo
+          req.session.userId = userInfo.profile
+          req.session.identified = true
+          next()
+        })
+        .catch(function (err) {
+          nexter(err)
+        })
+    }
+
+    // Missing access token
+    if (!accessToken) {
+      debug('No authentication token!')
+      next()
+      // return nexter(new UnauthorizedError({
+      //   realm: 'user',
+      //   error: 'invalid_request',
+      //   error_description: 'An access token is required',
+      //   statusCode: 400
+      // }))
+
+      // Access token found
+    } else {
+      // If JWKs are not set, attempt to retrieve them first
+      if (!self.client.jwks) {
+        self.client.discover().then(function () {
+            return self.client.getJWKs()
+          })
+          // then verify the token and carry on
+          .then(invokeVerification)
+          .catch(function (err) {
+            nexter(err)
+          })
+        // otherwise, verify the token right away
+      } else {
+        invokeVerification()
+      }
+    }
+  }
+}
+AnvilConnectExpress.prototype.verifier = verifier
+
+var url = require('url')
+function fullUrl(req) {
+  return url.format({
+    protocol: req.protocol,
+    host: req.get('host'),
+    pathname: req.originalUrl
+  })
+}
+
+function urlForLogin (req) {
+  // return 'https://anvil.local/authorize?stuff'
+  var loginUrl = this.client.authorizationUri({
+    endpoint: 'signin',
+    nonce: '123',
+    response_mode: 'query',
+    response_type: 'token id_token',
+    redirect_uri: 'https://ldnode.local:8443/rp'
+  })
+  return loginUrl
+}
+AnvilConnectExpress.prototype.urlForLogin = urlForLogin
+
+
+/**
+ * Export
+ */
+
+module.exports = AnvilConnectExpress

lib/handlers/auth-rp.js

@@ -0,0 +1,7 @@
+module.exports = handler
+
+function handler (req, res, next) {
+  if (req.session.returnToUrl) {
+    res.redirect(302, req.session.returnToUrl)
+  }
+}

lib/handlers/error-pages.js

@@ -2,6 +2,7 @@ module.exports = handler
 
 var debug = require('../debug').server
 var fs = require('fs')
+var util = require('../utils')
 
 function handler (err, req, res, next) {
   debug('Error page because of ' + err.message)
@@ -17,9 +18,17 @@ function handler (err, req, res, next) {
   // If noErrorPages is set,
   // then use built-in express default error handler
   if (ldp.noErrorPages) {
-    return res
+
+    if (err.status === 401 && req.accepts('text/html')) {
+      res.status(err.status)
+      redirectToLogin(err, req, res, next)
+      return
+    }
+
+    res
       .status(err.status)
       .send(err.message + '\n' || '')
+    return
   }
 
   // Check if error page exists
@@ -36,3 +45,28 @@ function handler (err, req, res, next) {
     res.send(text)
   })
 }
+
+function redirectBody (url) {
+  return `<!DOCTYPE HTML>
+<meta charset="UTF-8">
+<script>
+  window.location.href = "${url}"
+</script>
+<noscript>
+  <meta http-equiv="refresh" content="0; url=${url}">
+</noscript>
+<title>Redirecting...</title>
+If you are not redirected automatically, follow the <a href='${url}'>link to login</a>
+`
+}
+
+function redirectToLogin (err, req, res, next) {
+  res.header('Content-Type', 'text/html')
+  var loginUrl = req.app.locals.oidcClient.urlForLogin(req)
+  debug('Redirecting to login: ' + loginUrl)
+  var currentUrl = util.fullUrlForReq(req)
+  req.session.returnToUrl = currentUrl
+
+  var body = redirectBody(loginUrl)
+  res.send(body)
+}

lib/ldp-middleware.js

@@ -21,7 +21,7 @@ function LdpMiddleware (corsSettings) {
     router.use(corsSettings)
   }
 
-  router.use('/*', authentication)
+  // router.use('/*', authentication)
   router.get('/*', index, acl.allow('Read'), get)
   router.post('/*', acl.allow('Append'), post)
   router.patch('/*', acl.allow('Append'), patch)

lib/oidc-provider.js

@@ -0,0 +1,80 @@
+// Configure a client for the local OpenID Connect Provider service
+// var oidc =
+// app.locals.oidcClient = oidc
+// oidc.client.discover()
+
+const bodyParser = require('body-parser')
+const Store = require('abstract-oidc-store')
+const authRp = require('./handlers/auth-rp')
+
+module.exports = Provider
+// path.join(
+var rpPath = '/api/oidc/rp'
+
+function getIssuer (token) {
+  const claims = jwtDecode(token)
+  if (!claims) return claims.iss
+  return false
+}
+
+class Provider {
+  constructor (options = {}) {
+    this.clients = options.store || new Store()
+    this.registration = options.registration
+  }
+
+  authenticate (req, res, next) {
+    const token = getToken(req)
+    // get issuer from token
+    const issuer = getIssuer(token)
+    // retrieve it from store
+    this.clients.get(issuer)
+      .then((client) => {
+        if (client) {
+          return client
+        }
+        var client = new AnvilConnect({
+          issuer: issuer,
+          redirect_uri: redirectUri,
+          scope: 'openid profile'
+        })
+
+        return client.discover()
+          .then(() => client.register(this.registration))
+          .then(() => this.clients.put(client))
+          .then(() => client)
+      })
+      .then((client) => client.verify()(req, res, next))
+  }
+
+  middleware (corsSetting) {
+    const router = express().Router('/')
+
+    if (corsSettings) {
+      router.use(corsSettings)
+    }
+
+    router.use('/oidc', express.static(path.join(__dirname, '../static/oidc')))
+    router.post('/oidc/signin', bodyParser.urlencoded({extended: false}),
+      (req, res, next) => {
+        const userServer = req.body.oidcServer
+      })
+    router.get('/rp', oidc.verifier(), authRp)
+    router.get('/signout', (req, res, next) => {
+      req.session.userId = null
+      req.session.identified = false
+      res.send('signed out...')
+    })
+
+    return router
+  }
+}
+
+var oidcMap = {
+  'ldnode.local': new AnvilConnect({
+    issuer: 'https://anvil.local',
+    client_id: 'cfe8d9a7-e1f6-4b88-9d55-0be004a62870',
+    client_secret: '62b0bc1698ff97bdc7c7',
+    redirect_uri: 'https://ldnode.local:8443/api/oidc/rp'
+  })
+}

lib/utils.js

@@ -11,12 +11,22 @@ exports.serialize = serialize
 exports.translate = translate
 exports.stringToStream = stringToStream
 exports.reqToPath = reqToPath
+exports.fullUrlForReq = fullUrlForReq
 
 var fs = require('fs')
 var path = require('path')
 var S = require('string')
 var $rdf = require('rdflib')
 var from = require('from2')
+var url = require('url')
+
+function fullUrlForReq(req) {
+  return url.format({
+    protocol: req.protocol,
+    host: req.get('host'),
+    pathname: req.originalUrl
+  })
+}
 
 function uriToFilename (uri, base) {
   uri = decodeURIComponent(uri)