feat(sso): introduce authentication with SAML

2023-07-06 11:05:28 +00:00
parent 5176b8c322
commit a7104c41a2
28 changed files with 720 additions and 9 deletions
--- a/packages/backend/src/helpers/authentication.ts
+++ b/packages/backend/src/helpers/authentication.ts
@@ -33,6 +33,7 @@ const authentication = shield(
    Query: {
      '*': isAuthenticated,
      getAutomatischInfo: allow,
+      getSamlAuthProviders: allow,
      healthcheck: allow,
    },
    Mutation: {
--- a/packages/backend/src/helpers/create-auth-token-by-user-id.ts
+++ b/packages/backend/src/helpers/create-auth-token-by-user-id.ts
@@ -0,0 +1,14 @@
+import jwt from 'jsonwebtoken';
+import appConfig from '../config/app';
+
+const TOKEN_EXPIRES_IN = '14d';
+
+const createAuthTokenByUserId = (userId: string) => {
+  const token = jwt.sign({ userId }, appConfig.appSecretKey, {
+    expiresIn: TOKEN_EXPIRES_IN,
+  });
+
+  return token;
+};
+
+export default createAuthTokenByUserId;
--- a/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
+++ b/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
@@ -0,0 +1,48 @@
+import SamlAuthProvider from '../models/saml-auth-provider.ee';
+import User from '../models/user';
+import Identity from '../models/identity.ee';
+
+const getUser = (user: Record<string, unknown>, providerConfig: SamlAuthProvider) => ({
+  name: user[providerConfig.firstnameAttributeName],
+  surname: user[providerConfig.surnameAttributeName],
+  id: user.nameID,
+  email: user[providerConfig.emailAttributeName],
+  role: user[providerConfig.roleAttributeName],
+})
+
+const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unknown>, samlAuthProvider: SamlAuthProvider) => {
+  const mappedUser = getUser(userIdentity, samlAuthProvider);
+  const identity = await Identity.query().findOne({
+    remote_id: mappedUser.id,
+  });
+
+  if (identity) {
+    const user = await identity.$relatedQuery('user');
+
+    return user;
+  }
+
+  const createdUser = await User.query().insertGraphAndFetch({
+    fullName: [
+      mappedUser.name,
+      mappedUser.surname
+    ]
+      .filter(Boolean)
+      .join(' '),
+    email: mappedUser.email as string,
+    roleId: samlAuthProvider.defaultRoleId,
+    identities: [
+      {
+        remoteId: mappedUser.id as string,
+        providerId: samlAuthProvider.id,
+        providerType: 'saml'
+      }
+    ]
+  }, {
+    relate: ['identities']
+  });
+
+  return createdUser;
+};
+
+export default findOrCreateUserBySamlIdentity;
--- a/packages/backend/src/helpers/passport.ts
+++ b/packages/backend/src/helpers/passport.ts
@@ -0,0 +1,84 @@
+import { URL } from 'node:url';
+import { IRequest } from '@automatisch/types';
+import { MultiSamlStrategy } from '@node-saml/passport-saml';
+import { Express } from 'express';
+import passport from 'passport';
+
+import appConfig from '../config/app';
+import createAuthTokenByUserId from '../helpers/create-auth-token-by-user-id';
+import SamlAuthProvider from '../models/saml-auth-provider.ee';
+import findOrCreateUserBySamlIdentity from './find-or-create-user-by-saml-identity.ee'
+
+export default function configurePassport(app: Express) {
+  app.use(passport.initialize({
+    userProperty: 'currentUser',
+  }));
+
+  passport.use(new MultiSamlStrategy(
+    {
+      passReqToCallback: true,
+      getSamlOptions: async function (request, done) {
+        const { issuer } = request.params;
+        const notFoundIssuer = new Error('Issuer cannot be found!');
+
+        if (!issuer) return done(notFoundIssuer);
+
+        const authProvider = await SamlAuthProvider.query().findOne({
+          issuer: request.params.issuer as string,
+        });
+
+        if (!authProvider) {
+          return done(notFoundIssuer);
+        }
+
+        return done(null, authProvider.config);
+      },
+    },
+    async function (request, user: Record<string, unknown>, done) {
+      const { issuer } = request.params;
+      const notFoundIssuer = new Error('Issuer cannot be found!');
+
+      if (!issuer) return done(notFoundIssuer);
+
+      const authProvider = await SamlAuthProvider.query().findOne({
+        issuer: request.params.issuer as string,
+      });
+
+      if (!authProvider) {
+        return done(notFoundIssuer);
+      }
+
+      const foundUserWithIdentity = await findOrCreateUserBySamlIdentity(user, authProvider);
+      return done(null, foundUserWithIdentity as unknown as Record<string, unknown>);
+    },
+    function (request, user: Record<string, unknown>, done: (error: any, user: Record<string, unknown>) => void) {
+      return done(null, null);
+    }
+  ));
+
+  app.get('/login/saml/:issuer',
+    passport.authenticate('saml',
+      {
+        session: false,
+        successRedirect: '/',
+      })
+  );
+
+  app.post(
+    '/login/saml/:issuer/callback',
+    passport.authenticate('saml', {
+      session: false,
+      failureRedirect: '/',
+      failureFlash: true,
+    }),
+    (req: IRequest, res) => {
+      const token = createAuthTokenByUserId(req.currentUser.id);
+
+      const redirectUrl = new URL(
+        `/login/callback?token=${token}`,
+        appConfig.webAppUrl,
+      ).toString();
+      res.redirect(redirectUrl);
+    }
+  );
+};