'use strict';

var crypto = require('crypto');

var passport = require('passport');
var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
var BearerStrategy = require('gitter-passport-http-bearer').Strategy;
var userService = require('gitter-web-users');
var oauthService = require('gitter-web-oauth');

const env = require('gitter-web-env');
const config = env.config;
const logger = env.logger;
/**
 * Registers the BearerStrategy used by API clients (never by web clients).
 *
 * The strategy authenticates a request from an access token (bearer token):
 * the token is resolved through `oauthService.validateAccessTokenAndClient`
 * to the user that previously authorised a client application and to the
 * client the token was issued to, and passport receives the pair
 * `[user, { client, accessToken }]`.
 */
function installApi() {
  // Turns the lookup result into what passport's verify callback yields:
  // `[user, info]` on success, `undefined` when the token or its client is unknown.
  const toPrincipal = (accessToken, tokenInfo) => {
    // Token not found
    if (!tokenInfo) return undefined;

    const client = tokenInfo.client;
    if (!client) return undefined;

    let user = tokenInfo.user;
    if (!user || user.isRemoved()) {
      // Placeholder for a missing/removed user; auth-api.js converts it to null
      user = { _anonymous: true };
    }

    return [user, { client, accessToken }];
  };

  const verifyBearerToken = (accessToken, done) =>
    oauthService
      .validateAccessTokenAndClient(accessToken)
      .then((tokenInfo) => toPrincipal(accessToken, tokenInfo))
      // spread: true hands the `[user, info]` pair to `done` as two arguments
      .asCallback(done, { spread: true });

  passport.use(new BearerStrategy(verifyBearerToken));
}
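/**
 * Compares a presented OAuth client secret with the stored one in constant
 * time. A plain `!==` short-circuits on the first differing character, so the
 * response time of the `token` endpoint would reveal how much of a guessed
 * secret was correct.
 *
 * @param {*} expected - secret stored on the client record
 * @param {*} provided - secret presented in the token request
 * @returns {boolean} true only when both are strings with identical bytes;
 *   a missing or non-string secret on either side never matches
 */
function clientSecretMatches(expected, provided) {
  if (typeof expected !== 'string' || typeof provided !== 'string') return false;
  const expectedBuf = Buffer.from(expected);
  const providedBuf = Buffer.from(provided);
  // timingSafeEqual throws on unequal lengths; unequal length is simply a mismatch
  if (expectedBuf.length !== providedBuf.length) return false;
  return crypto.timingSafeEqual(expectedBuf, providedBuf);
}

/**
 * Registers every passport strategy the web app uses: session user
 * (de)serialisation, the client-password strategy guarding the `token`
 * endpoint, the API bearer strategy (via `installApi`), and the external
 * GitHub/GitLab/Twitter strategies.
 *
 * The external strategies are skipped, with a warning, when NODE_ENV is
 * `dev` and `github:user_client_id` is not configured, so the app can run
 * locally without OAuth secrets.
 */
function install() {
  passport.serializeUser(function(user, done) {
    // Prefer the plain `id`; fall back to the ObjectId's hex form
    var serializedId = user.id || (user._id && user._id.toHexString());
    done(null, serializedId);
  });

  passport.deserializeUser(function deserializeUserCallback(id, done) {
    return userService
      .findById(id)
      .then(function(user) {
        // A disabled or removed account must not be revived from a session id
        if (user && (user.state === 'DISABLED' || user.isRemoved())) {
          return null;
        }
        return user;
      })
      .asCallback(done);
  });

  /* OAuth Strategies */

  /**
   * BasicStrategy & ClientPasswordStrategy
   *
   * These strategies are used to authenticate registered OAuth clients. They are
   * employed to protect the `token` endpoint, which consumers use to obtain
   * access tokens. The OAuth 2.0 specification suggests that clients use the
   * HTTP Basic scheme to authenticate. Use of the client password strategy
   * allows clients to send the same credentials in the request body (as opposed
   * to the `Authorization` header). While this approach is not recommended by
   * the specification, in practice it is quite common.
   */
  passport.use(
    new ClientPasswordStrategy(function(clientKey, clientSecret, done) {
      return oauthService
        .findClientByClientKey(clientKey)
        .then(function(client) {
          if (!client) return false;
          // Constant-time check so a wrong secret cannot be guessed byte by byte
          if (!clientSecretMatches(client.clientSecret, clientSecret)) return false;

          return client;
        })
        .asCallback(done);
    })
  );

  /* Install the API OAuth strategy too */
  installApi();

  // Generalising based on a single config value; in the future we might want
  // to allow more granular passport initialisation.
  const githubOAuthConfigured = Boolean(config.get('github:user_client_id'));
  const isDev = process.env.NODE_ENV === 'dev';
  // In other words: setting up the external strategies may be skipped when the
  // webapp runs locally and the secrets are missing.
  if (isDev && !githubOAuthConfigured) {
    logger.warn(
      'Your OAuthSecrets are not set. Skipping OAuth setup for local development.',
      'Follow readme instructions to set your OAuth https://gitlab.com/gitterHQ/webapp#configure-oauth-and-service-secrets'
    );
    return;
  }

  // Required lazily so that the warning path above never loads strategies
  // whose configuration is absent.
  var githubUserStrategy = require('./strategies/github-user');
  var githubUpgradeStrategy = require('./strategies/github-upgrade');
  var gitlabStrategy = require('./strategies/gitlab');
  var twitterStrategy = require('./strategies/twitter');
  passport.use(githubUserStrategy);
  passport.use(githubUpgradeStrategy);
  passport.use(gitlabStrategy);
  passport.use(twitterStrategy);
}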
// Public surface of this module: `install` wires every strategy (and calls
// `installApi` itself); `installApi` registers only the API bearer strategy.
module.exports = { installApi, install };