-
Notifications
You must be signed in to change notification settings - Fork 2
Conversation
This should also mean a user logged in other part of the platform will be already logged in (SSO) Ticket: https://trello.com/c/t90fEmBs/647-4-update-rstudio-auth-proxy-to-use-hosted-auth0-login
app/config.js
Outdated
clientID: process.env.AUTH0_CLIENT_ID, | ||
clientSecret: process.env.AUTH0_CLIENT_SECRET, | ||
callbackURL: process.env.AUTH0_CALLBACK_URL || 'http:https://localhost:3000/callback' | ||
domain: process.env.AUTH0_DOMAIN, | ||
scope: 'openid profile', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added scope
and passReqToCallback
here. Sorted the keys.
This module was dealing with authorisation, so it should be named accordingly.
We only use the user nickname to check if it's authorised to access RStudio. This field should come from from the `profile` scope. SEE: https://auth0.com/docs/scopes/current
16488d6
to
df308e3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just minor comments
app/authorisation.js
Outdated
} else { | ||
res.sendStatus(403); | ||
next(new Error('User is not authorized')); | ||
} | ||
}; | ||
|
||
function isAuthorized(req) { | ||
function _isAuthorized(req) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't make sense to prefix Javascript functions with _
- that is a Python idiom indicating that a function or method is intended to be private.
All functions in Javascript are private to the module unless explicitly exported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this pass eslint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have eslint running in this project. I'll add the lint
task and see what I can savage.
app/authorisation.js
Outdated
} catch (error) { | ||
// do nothing | ||
log.error('Error while checking user nickname: ', error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing semicolon
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this output anything useful? You might need to do JSON.stringify(error)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this yesterday by manually throw
a weird json-y exception and bole
escaped it correctly (which is great). I think log this is not a bad idea as this is kind of a programming error (e.g. the token doesn't include the nickname
field).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
app/index.js
Outdated
@@ -25,12 +25,15 @@ nunjucks.configure(path.join(__dirname, 'views'), { | |||
app.use(require('cookie-parser')()); | |||
app.use(require('express-session')(config.session)); | |||
|
|||
passport.use(new Auth0Strategy( | |||
strategy = new Auth0Strategy( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sould be const strategy =
or at least var strategy =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point 👍
app/routes.js
Outdated
@@ -1,36 +1,52 @@ | |||
var config = require('./config'); | |||
var ensureLoggedIn = require('connect-ensure-login').ensureLoggedIn; | |||
var express = require('express'); | |||
var middleware = require('./middleware'); | |||
var authorisation = require('./authorisation'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be spelled authorization
. The concept of authorization in technology is abbreviated to "authz", and it is already spelled -ize in existing code in middleware.js
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This always confused me as in American they use z
s but in UK we use s
es.
In the company were I used to work they preferred s
es because "we're in UK innit?" - should we stick with the American spelling or the British one? (not that I mind either way)
I'll change to the z
here then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it was another word, I don't think I would have mentioned it. But authorization is AuthZ (and authentication is AuthN), so I think in this case it's worth being consistent and using the z spelling.
app/routes.js
Outdated
} | ||
} else { | ||
passport.authenticate('auth0-oidc', { | ||
state: uuidv4(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does state
need to be passed here? If passport does not generate a state
value by default, does it check one if supplied? Otherwise, the UUID should be stored in the session and checked in the callback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, tested without the state
and seems to work so I'll remove this and the dependency (hopefully we'll not regret this :D)
app/routes.js
Outdated
} | ||
|
||
router.get('/logout', logout); | ||
router.get('/auth-sign-out', logout); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of this, you can do
router.get(['/logout', '/auth-sign-out'], (req, res) => {
...
});
(also using american spelling consistently)
@andyhd I made few changes to address your comments, please have another look, focus particularly on the changes in the last 9 commits (a lot of noise as I linted some of the files). Cheers |
This is necessary as we're starting to use ES6 for some of the code.
What
This should also mean a user logged in other part of the platform
will be already logged in (SSO)
Refactorings (or lack of)
I'm not a great fan of massive refactoring. I focused on adding the feature.
The only thing I tweaked was adding a bit more logging to the
middleware
module which I also renamed toauthorisation
as that's what it does so it should be named accordingly.Ticket
https://trello.com/c/t90fEmBs/647-4-update-rstudio-auth-proxy-to-use-hosted-auth0-login