device-agent/lib/plugins/node_modules/@flowfuse/flowfuse-auth/strategy.js at dc83292df545dcd688da1823b91ecd37ecd1f3a2 · FlowFuse/device-agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
const util = require('util')
const OAuth2Strategy = require('passport-oauth2')

const Roles = {
    None: 0,
    Dashboard: 5,
    Viewer: 10,
    Member: 30,
    Owner: 50,
    Admin: 99
}
const RoleNames = {
    [Roles.None]: 'none',
    [Roles.Dashboard]: 'dashboard',
    [Roles.Viewer]: 'viewer',
    [Roles.Member]: 'member',
    [Roles.Owner]: 'owner',
    [Roles.Admin]: 'admin'
}

function Strategy (options, verify) {
    this.options = options
    this._base = Object.getPrototypeOf(Strategy.prototype)
    this._base.constructor.call(this, this.options, verify)
    this.name = 'FlowFuse'
    this.isSecure = /^https:/.test(options.authorizationURL)
    this.isRelativeCallback = !/^https?:/.test(options.callbackURL)
}

util.inherits(Strategy, OAuth2Strategy)

/**
 * KEY DIFFERENCE BETWEEN Instance and Device versions of this:
 *  - for Instances, we patch the authenticate function so we can do per-request generation of the
 *    callback uri to get the http/https choice correct. This is because when running inside
 *    k8s, internal requests may be http, but need to be considered as https when generating the
 *    external callback url
 *  - for Devices, we don't need to do that - so the code is gone.
 *
 * IF we attempt to DRY the auth handler between device and launcher, this difference
 * MUST be considered
 */

Strategy.prototype.sendAPIRequest = function (url, accessToken, done) {
    this._oauth2.useAuthorizationHeaderforGET(true)
    this._oauth2.get(url, accessToken, (err, body) => {
        if (err) {
            return done(err)
        }
        try {
            const json = JSON.parse(body)
            done(null, json)
        } catch (e) {
            done(e)
        }
    })
}
Strategy.prototype.userProfile = function (accessToken, done) {
    this._oauth2.useAuthorizationHeaderforGET(true)
    this.sendAPIRequest(this.options.userInfoURL, accessToken, (err, userProfile) => {
        if (err) {
            // eslint-disable-next-line no-console
            console.log('Authentication error:', err)
            return done(err)
        }
        this.sendAPIRequest(this.options.userTeamRoleURL, accessToken, (err, userTeamRole) => {
            if (err) {
                // eslint-disable-next-line no-console
                console.log('Authentication error:', err)
                return done(err)
            }
            done(null, {
                username: userProfile.username,
                email: userProfile.email,
                image: userProfile.avatar,
                name: userProfile.name,
                userId: userProfile.id,
                role: RoleNames[userTeamRole.role] || ''
            })
        })
    })
}

module.exports = { Strategy }