Use Auth0 hosted login page. #12
Conversation
This should also mean a user logged in other part of the platform will be already logged in (SSO) Ticket: https://trello.com/c/t90fEmBs/647-4-update-rstudio-auth-proxy-to-use-hosted-auth0-login
app/config.js
Outdated
| clientID: process.env.AUTH0_CLIENT_ID, | ||
| clientSecret: process.env.AUTH0_CLIENT_SECRET, | ||
| callbackURL: process.env.AUTH0_CALLBACK_URL || 'http:https://localhost:3000/callback' | ||
| domain: process.env.AUTH0_DOMAIN, | ||
| scope: 'openid profile', |
There was a problem hiding this comment.
Added scope and passReqToCallback here. Sorted the keys.
This module was dealing with authorisation, so it should be named accordingly.
We only use the user nickname to check if it's authorised to access RStudio. This field should come from from the `profile` scope. SEE: https://auth0.com/docs/scopes/current
xoen
force-pushed
the
ag--auth0-hosted-login-page
branch
from
16488d6
to
df308e3
Compare
app/authorisation.js
Outdated
| } else { | ||
| res.sendStatus(403); | ||
| next(new Error('User is not authorized')); | ||
| } | ||
| }; | ||
|
|
||
| function isAuthorized(req) { | ||
| function _isAuthorized(req) { |
There was a problem hiding this comment.
It doesn't make sense to prefix Javascript functions with _ - that is a Python idiom indicating that a function or method is intended to be private.
All functions in Javascript are private to the module unless explicitly exported.
There was a problem hiding this comment.
We don't have eslint running in this project. I'll add the lint task and see what I can savage.
app/authorisation.js
Outdated
| } catch (error) { | ||
| // do nothing | ||
| log.error('Error while checking user nickname: ', error) |
There was a problem hiding this comment.
Does this output anything useful? You might need to do JSON.stringify(error)
There was a problem hiding this comment.
I tested this yesterday by manually throw a weird json-y exception and bole escaped it correctly (which is great). I think log this is not a bad idea as this is kind of a programming error (e.g. the token doesn't include the nickname field).
app/index.js
Outdated
| @@ -25,12 +25,15 @@ nunjucks.configure(path.join(__dirname, 'views'), { | |||
| app.use(require('cookie-parser')()); | |||
| app.use(require('express-session')(config.session)); | |||
|
|
|||
| passport.use(new Auth0Strategy( | |||
| strategy = new Auth0Strategy( | |||
There was a problem hiding this comment.
This sould be const strategy = or at least var strategy =
app/routes.js
Outdated
| @@ -1,36 +1,52 @@ | |||
| var config = require('./config'); | |||
| var ensureLoggedIn = require('connect-ensure-login').ensureLoggedIn; | |||
| var express = require('express'); | |||
| var middleware = require('./middleware'); | |||
| var authorisation = require('./authorisation'); | |||
There was a problem hiding this comment.
This should be spelled authorization. The concept of authorization in technology is abbreviated to "authz", and it is already spelled -ize in existing code in middleware.js.
There was a problem hiding this comment.
This always confused me as in American they use zs but in UK we use ses.
In the company were I used to work they preferred ses because "we're in UK innit?" - should we stick with the American spelling or the British one? (not that I mind either way)
I'll change to the z here then.
There was a problem hiding this comment.
If it was another word, I don't think I would have mentioned it. But authorization is AuthZ (and authentication is AuthN), so I think in this case it's worth being consistent and using the z spelling.
app/routes.js
Outdated
| } | ||
| } else { | ||
| passport.authenticate('auth0-oidc', { | ||
| state: uuidv4(), |
There was a problem hiding this comment.
Does state need to be passed here? If passport does not generate a state value by default, does it check one if supplied? Otherwise, the UUID should be stored in the session and checked in the callback.
There was a problem hiding this comment.
OK, tested without the state and seems to work so I'll remove this and the dependency (hopefully we'll not regret this :D)
app/routes.js
Outdated
| } | ||
|
|
||
| router.get('/logout', logout); | ||
| router.get('/auth-sign-out', logout); |
There was a problem hiding this comment.
Instead of this, you can do
router.get(['/logout', '/auth-sign-out'], (req, res) => {
...
});(also using american spelling consistently)
|
@andyhd I made few changes to address your comments, please have another look, focus particularly on the changes in the last 9 commits (a lot of noise as I linted some of the files). Cheers |
This is necessary as we're starting to use ES6 for some of the code.
What
This should also mean a user logged in other part of the platform
will be already logged in (SSO)
Refactorings (or lack of)
I'm not a great fan of massive refactoring. I focused on adding the feature.
The only thing I tweaked was adding a bit more logging to the
middlewaremodule which I also renamed toauthorisationas that's what it does so it should be named accordingly.Ticket
https://trello.com/c/t90fEmBs/647-4-update-rstudio-auth-proxy-to-use-hosted-auth0-login