trusted-setup-server/server/controllers/authorize.js
2020-05-01 13:32:02 +03:00

187 lines
5.4 KiB
JavaScript

/* eslint-disable no-console */
const crypto = require('crypto')
const express = require('express')
const router = express.Router()
const oauth = require('oauth')
const {
TWITTER_CONSUMER_KEY,
TWITTER_CONSUMER_SECRET,
TWITTER_CALLBACK_URL,
GITHUB_CLIEND_ID,
GITHUB_CLIENT_SECRET,
GITHUB_CALLBACK_URL
} = process.env
const providers = ['github', 'twitter']
const signInPages = ['/make-contribution', '/authorize-contribution']
// twitter uses OAuth1
const twitter = new oauth.OAuth(
'https://twitter.com/oauth/request_token',
'https://twitter.com/oauth/access_token',
TWITTER_CONSUMER_KEY,
TWITTER_CONSUMER_SECRET,
'1.0A',
TWITTER_CALLBACK_URL,
'HMAC-SHA1'
)
// github uses OAuth2
const github = new oauth.OAuth2(
GITHUB_CLIEND_ID,
GITHUB_CLIENT_SECRET,
'https://github.com/',
'login/oauth/authorize',
'login/oauth/access_token'
)
github.useAuthorizationHeaderforGET(true)
function validateProvider(req, res, next) {
const { provider } = req.params
if (!providers.includes(provider)) {
res.status(404).send('Wrong provider')
} else {
next()
}
}
function validateRefferer(req, res, next) {
let referrer
try {
referrer = new URL(req.get('Referrer'))
} catch (e) {
res.status(403).send('Access forbidden')
return
}
if (!signInPages.includes(referrer.pathname)) {
res.status(403).send('Access forbidden')
return
}
next()
}
function restrictSymbols(value) {
if (value) {
const regExpression = new RegExp('[^0-9a-zA-Z\\x20]', 'g')
return value.toString().replace(regExpression, '')
} else {
return ''
}
}
router.get('/connect/:provider', validateProvider, validateRefferer, (req, res) => {
const { provider } = req.params
const referrer = new URL(req.get('Referrer'))
req.session.pageToReturn = referrer.pathname // the page a user will be redirected after signIn
if (referrer.pathname === '/authorize-contribution') {
req.session.pageToReturn += referrer.search // to add `token` parameter for authorize-contribution page
}
if (provider === 'github') {
const CSRFToken = crypto.randomBytes(32).toString('hex')
const authorizeUrl = github.getAuthorizeUrl({
redirect_uri: GITHUB_CALLBACK_URL,
scope: [], // 'gist' - https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
state: CSRFToken
})
req.session.CSRFToken = CSRFToken
res.redirect(authorizeUrl)
} else if (provider === 'twitter') {
twitter.getOAuthRequestToken(function(error, oauthToken, oauthTokenSecret) {
if (error) {
res.status(500).send(error)
} else {
req.session.oauthRequestToken = oauthToken
req.session.oauthRequestTokenSecret = oauthTokenSecret
res.redirect(
'https://twitter.com/oauth/authorize?oauth_token=' + req.session.oauthRequestToken
)
}
})
}
})
router.get('/oauth_callback/:provider', validateProvider, (req, res) => {
const { provider } = req.params
if (provider === 'github') {
const { code, state } = req.query
if (state !== req.session.CSRFToken) {
res.status(404).send('Malformed request')
return
}
github.getOAuthAccessToken(code, {}, function(error, accessToken, refreshToken, results) {
if (error || results.error) {
console.error('getOAuthAccessToken error', error || results.error)
res.status(500).send(error || results.error)
} else {
req.session.refreshToken = refreshToken
req.session.accessToken = accessToken
res.redirect(req.session.pageToReturn)
}
})
} else if (provider === 'twitter') {
twitter.getOAuthAccessToken(
req.query.oauth_token,
req.session.oauthRequestTokenSecret,
req.query.oauth_verifier,
(error, oauthAccessToken, oauthAccessTokenSecret) => {
if (error) {
console.error('getOAuthAccessToken error', error)
res.status(500).send(error)
} else {
req.session.oauthAccessToken = oauthAccessToken
req.session.oauthAccessTokenSecret = oauthAccessTokenSecret
res.redirect(req.session.pageToReturn)
}
}
)
}
})
router.get('/user_data/', (req, res) => {
let userData = { name: 'Anonymous' }
if (req.session.accessToken) {
github.get('https://api.github.com/user', req.session.accessToken, function(error, data) {
if (!error) {
userData = JSON.parse(data)
userData.name = restrictSymbols(userData.name)
userData.handle = userData.login
userData.socialType = 'github'
req.session.handle = userData.login
req.session.socialType = 'github'
}
res.json(userData)
})
} else if (req.session.oauthAccessToken && req.session.oauthAccessTokenSecret) {
twitter.get(
'https://api.twitter.com/1.1/account/verify_credentials.json',
req.session.oauthAccessToken,
req.session.oauthAccessTokenSecret,
function(error, data) {
if (!error) {
userData = JSON.parse(data)
userData.name = restrictSymbols(userData.name)
userData.handle = userData.screen_name
userData.socialType = 'twitter'
req.session.handle = userData.screen_name
req.session.socialType = 'twitter'
}
res.json(userData)
}
)
} else {
res.json(userData)
}
})
router.get('/logout', (req, res) => {
req.session.destroy()
res.send('OK')
})
module.exports = router