freeCodeCamp/server/boot/authentication.js

import _ from 'lodash';
import { Observable } from 'rx';
import dedent from 'dedent';
// import debugFactory from 'debug';
import { isEmail } from 'validator';
import { check, validationResult } from 'express-validator/check';

import { ifUserRedirectTo } from '../utils/middleware';
import {
  wrapHandledError,
  createValidatorErrorFormatter
} from '../utils/create-handled-error.js';

const isSignUpDisabled = !!process.env.DISABLE_SIGNUP;
// const debug = debugFactory('fcc:boot:auth');
if (isSignUpDisabled) {
  console.log('fcc:boot:auth - Sign up is disabled');
}

module.exports = function enableAuthentication(app) {
  // enable loopback access control authentication. see:
  //  loopback.io/doc/en/lb2/Authentication-authorization-and-permissions.html
  app.enableAuth();
  const ifUserRedirect = ifUserRedirectTo();
  const router = app.loopback.Router();
  const api = app.loopback.Router();
  const { AuthToken, User } = app.models;

  router.get('/login', (req, res) => res.redirect(301, '/signin'));
  router.get('/logout', (req, res) => res.redirect(301, '/signout'));

  function getEmailSignin(req, res) {
    if (isSignUpDisabled) {
      return res.render('account/beta', {
        title: 'New sign ups are disabled'
      });
    }
    return res.render('account/email-signin', {
      title: 'Sign in to freeCodeCamp using your Email Address'
    });
  }

  router.get('/signup', ifUserRedirect, getEmailSignin);
  router.get('/signin', ifUserRedirect, getEmailSignin);
  router.get('/email-signin', ifUserRedirect, getEmailSignin);

  router.get('/signout', (req, res) => {
    req.logout();
    res.redirect('/');
  });


  router.get(
    '/deprecated-signin',
    ifUserRedirect,
    (req, res) => res.render('account/deprecated-signin', {
      title: 'Sign in to freeCodeCamp using a Deprecated Login'
    })
  );

  const defaultErrorMsg = dedent`
    Oops, something is not right,
    please request a fresh link to sign in / sign up.
  `;

  const passwordlessGetValidators = [
    check('email')
      .isBase64()
      .withMessage('Email should be a base64 encoded string.'),
    check('token')
      .exists()
      .withMessage('Token should exist.')
      // based on strongloop/loopback/common/models/access-token.js#L15
      .isLength({ min: 64, max: 64 })
      .withMessage('Token is not the right length.')
  ];

  function getPasswordlessAuth(req, res, next) {
    const {
      query: {
        email: encodedEmail,
        token: authTokenId
      } = {}
    } = req;
    const validation = validationResult(req)
      .formatWith(createValidatorErrorFormatter('errors', '/email-signup'));

    if (!validation.isEmpty()) {
      const errors = validation.array();
      return next(errors.pop());
    }

    const email = User.decodeEmail(encodedEmail);
    if (!isEmail(email)) {
      return next(wrapHandledError(
        new TypeError('decoded email is invalid'),
        {
          type: 'info',
          message: 'The email encoded in the link is incorrectly formatted',
          redirectTo: '/email-sign'
        }
      ));
    }
    // first find
    return AuthToken.findOne$({ where: { id: authTokenId } })
      .flatMap(authToken => {
        if (!authToken) {
          throw wrapHandledError(
            new Error(`no token found for id: ${authTokenId}`),
            {
              type: 'info',
              message: defaultErrorMsg,
              redirectTo: '/email-signin'
            }
          );
        }
        // find user then validate and destroy email validation token
        // finally retun user instance
        return User.findOne$({ where: { id: authToken.userId } })
          .flatMap(user => {
            if (!user) {
              throw wrapHandledError(
                new Error(`no user found for token: ${authTokenId}`),
                {
                  type: 'info',
                  message: defaultErrorMsg,
                  redirectTo: '/email-signin'
                }
              );
            }
            if (user.email !== email) {
              throw wrapHandledError(
                new Error('user email does not match'),
                {
                  type: 'info',
                  message: defaultErrorMsg,
                  redirectTo: '/email-signin'
                }
              );
            }
            return authToken.validate$()
              .map(isValid => {
                if (!isValid) {
                  throw wrapHandledError(
                    new Error('token is invalid'),
                    {
                      type: 'info',
                      message: `
                        Looks like the link you clicked has expired,
                        please request a fresh link, to sign in.
                      `,
                      redirectTo: '/email-signin'
                    }
                  );
                }
                return authToken.destroy$();
              })
              .map(() => user);
          });
      })
      // at this point token has been validated and destroyed
      // update user and log them in
      .map(user => user.loginByRequest(req, res))
      .do(() => {
        let redirectTo = '/';

        if (
          req.session &&
          req.session.returnTo
        ) {
          redirectTo = req.session.returnTo;
        }

        req.flash(
          'success',
          'Success! You have signed in to your account. Happy Coding!'
        );

        return res.redirect(redirectTo);
      })
      .subscribe(
        () => {},
        next
      );
  }

  router.get(
    '/passwordless-auth',
    ifUserRedirect,
    passwordlessGetValidators,
    getPasswordlessAuth
  );

  const passwordlessPostValidators = [
    check('email')
      .isEmail()
      .withMessage('Email is not a valid email address.')
  ];
  function postPasswordlessAuth(req, res, next) {
    const { body: { email } = {} } = req;
    const validation = validationResult(req)
      .formatWith(createValidatorErrorFormatter('errors', '/email-signup'));
    if (!validation.isEmpty()) {
      const errors = validation.array();
      return next(errors.pop());
    }

    return User.findOne$({ where: { email } })
      .flatMap(_user => Observable.if(
          // if no user found create new user and save to db
          _.constant(_user),
          Observable.of(_user),
          User.create$({ email })
        )
        .flatMap(user => user.requestAuthEmail(!_user))
      )
      .do(msg => res.status(200).send({ message: msg }))
      .subscribe(_.noop, next);
  }

  api.post(
    '/passwordless-auth',
    ifUserRedirect,
    passwordlessPostValidators,
    postPasswordlessAuth
  );

  app.use('/:lang', router);
  app.use(api);
};
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`import _ from 'lodash';`
			`import { Observable } from 'rx';`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`import dedent from 'dedent';`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`// import debugFactory from 'debug';`
			`import { isEmail } from 'validator';`
fix(boot/auth): Fix typo 2017-12-27 12:16:47 -08:00			`import { check, validationResult } from 'express-validator/check';`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00
			`import { ifUserRedirectTo } from '../utils/middleware';`
			`import {`
			`wrapHandledError,`
			`createValidatorErrorFormatter`
			`} from '../utils/create-handled-error.js';`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
			`const isSignUpDisabled = !!process.env.DISABLE_SIGNUP;`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`// const debug = debugFactory('fcc:boot:auth');`
feat(boot/auth): Add signup disabled debug info 2018-01-01 15:01:50 -08:00			`if (isSignUpDisabled) {`
			`console.log('fcc:boot:auth - Sign up is disabled');`
			`}`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
use app instead of server in boot directories 2015-06-03 12:26:11 -07:00			`module.exports = function enableAuthentication(app) {`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`// enable loopback access control authentication. see:`
			`// loopback.io/doc/en/lb2/Authentication-authorization-and-permissions.html`
use app instead of server in boot directories 2015-06-03 12:26:11 -07:00			`app.enableAuth();`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`const ifUserRedirect = ifUserRedirectTo();`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`const router = app.loopback.Router();`
			`const api = app.loopback.Router();`
feat(User/Auth): Use stand alone auth token 2017-12-29 09:59:27 -08:00			`const { AuthToken, User } = app.models;`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`router.get('/login', (req, res) => res.redirect(301, '/signin'));`
			`router.get('/logout', (req, res) => res.redirect(301, '/signout'));`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
			`function getEmailSignin(req, res) {`
			`if (isSignUpDisabled) {`
			`return res.render('account/beta', {`
			`title: 'New sign ups are disabled'`
			`});`
			`}`
			`return res.render('account/email-signin', {`
			`title: 'Sign in to freeCodeCamp using your Email Address'`
			`});`
			`}`

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`router.get('/signup', ifUserRedirect, getEmailSignin);`
			`router.get('/signin', ifUserRedirect, getEmailSignin);`
			`router.get('/email-signin', ifUserRedirect, getEmailSignin);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`router.get('/signout', (req, res) => {`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`req.logout();`
			`res.redirect('/');`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`});`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`router.get(`
			`'/deprecated-signin',`
			`ifUserRedirect,`
			`(req, res) => res.render('account/deprecated-signin', {`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`title: 'Sign in to freeCodeCamp using a Deprecated Login'`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`})`
			`);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
			const defaultErrorMsg = dedent`
			`Oops, something is not right,`
			`please request a fresh link to sign in / sign up.`
			`;

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`const passwordlessGetValidators = [`
			`check('email')`
			`.isBase64()`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.withMessage('Email should be a base64 encoded string.'),`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`check('token')`
			`.exists()`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.withMessage('Token should exist.')`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`// based on strongloop/loopback/common/models/access-token.js#L15`
			`.isLength({ min: 64, max: 64 })`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.withMessage('Token is not the right length.')`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`];`

refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`function getPasswordlessAuth(req, res, next) {`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`const {`
			`query: {`
			`email: encodedEmail,`
			`token: authTokenId`
			`} = {}`
			`} = req;`
fix(boot/auth): Fix typo 2017-12-27 12:16:47 -08:00			`const validation = validationResult(req)`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.formatWith(createValidatorErrorFormatter('errors', '/email-signup'));`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00
			`if (!validation.isEmpty()) {`
			`const errors = validation.array();`
			`return next(errors.pop());`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`}`

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`const email = User.decodeEmail(encodedEmail);`
			`if (!isEmail(email)) {`
			`return next(wrapHandledError(`
			`new TypeError('decoded email is invalid'),`
			`{`
			`type: 'info',`
			`message: 'The email encoded in the link is incorrectly formatted',`
			`redirectTo: '/email-sign'`
			`}`
			`));`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`}`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`// first find`
feat(User/Auth): Use stand alone auth token 2017-12-29 09:59:27 -08:00			`return AuthToken.findOne$({ where: { id: authTokenId } })`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`.flatMap(authToken => {`
fix(User): Fix typos 2017-12-27 17:35:21 -08:00			`if (!authToken) {`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`throw wrapHandledError(`
			new Error(`no token found for id: ${authTokenId}`),
			`{`
			`type: 'info',`
			`message: defaultErrorMsg,`
			`redirectTo: '/email-signin'`
			`}`
			`);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`}`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`// find user then validate and destroy email validation token`
			`// finally retun user instance`
fix(User): Fix typos 2017-12-27 17:35:21 -08:00			`return User.findOne$({ where: { id: authToken.userId } })`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`.flatMap(user => {`
			`if (!user) {`
			`throw wrapHandledError(`
			new Error(`no user found for token: ${authTokenId}`),
			`{`
			`type: 'info',`
			`message: defaultErrorMsg,`
			`redirectTo: '/email-signin'`
			`}`
			`);`
			`}`
			`if (user.email !== email) {`
			`throw wrapHandledError(`
			`new Error('user email does not match'),`
			`{`
			`type: 'info',`
			`message: defaultErrorMsg,`
			`redirectTo: '/email-signin'`
			`}`
			`);`
			`}`
fix(AuthToken): Namespace observable methods This prevents methods that use the regular methods internally from clashing 2018-01-22 11:59:24 -08:00			`return authToken.validate$()`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`.map(isValid => {`
			`if (!isValid) {`
			`throw wrapHandledError(`
			`new Error('token is invalid'),`
			`{`
			`type: 'info',`
			message: `
			`Looks like the link you clicked has expired,`
			`please request a fresh link, to sign in.`
			`,
			`redirectTo: '/email-signin'`
			`}`
			`);`
			`}`
fix(AuthToken): Namespace observable methods This prevents methods that use the regular methods internally from clashing 2018-01-22 11:59:24 -08:00			`return authToken.destroy$();`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`})`
			`.map(() => user);`
			`});`
			`})`
			`// at this point token has been validated and destroyed`
			`// update user and log them in`
fix(User): Move login logic into user model 2017-12-29 11:28:42 -08:00			`.map(user => user.loginByRequest(req, res))`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`.do(() => {`
			`let redirectTo = '/';`

			`if (`
			`req.session &&`
			`req.session.returnTo`
			`) {`
			`redirectTo = req.session.returnTo;`
			`}`

fix(server/flash): Api to match documentation This fixes duplication issues and normalize our use with everyone else 2018-01-12 14:16:33 -08:00			`req.flash(`
			`'success',`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`'Success! You have signed in to your account. Happy Coding!'`
fix(server/flash): Api to match documentation This fixes duplication issues and normalize our use with everyone else 2018-01-12 14:16:33 -08:00			`);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`return res.redirect(redirectTo);`
			`})`
			`.subscribe(`
			`() => {},`
			`next`
			`);`
			`}`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`router.get(`
			`'/passwordless-auth',`
			`ifUserRedirect,`
			`passwordlessGetValidators,`
			`getPasswordlessAuth`
			`);`

			`const passwordlessPostValidators = [`
			`check('email')`
			`.isEmail()`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.withMessage('Email is not a valid email address.')`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`];`
			`function postPasswordlessAuth(req, res, next) {`
			`const { body: { email } = {} } = req;`
fix(boot/auth): Fix typo 2017-12-27 12:16:47 -08:00			`const validation = validationResult(req)`
fix(Auth): Error type in json payload 2018-01-01 15:39:14 -08:00			`.formatWith(createValidatorErrorFormatter('errors', '/email-signup'));`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`if (!validation.isEmpty()) {`
			`const errors = validation.array();`
			`return next(errors.pop());`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`}`

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`return User.findOne$({ where: { email } })`
fix(User): Add isSignUp logic emailVerfied field no longer indicates a new user. 2017-12-28 20:38:16 -08:00			`.flatMap(_user => Observable.if(`
			`// if no user found create new user and save to db`
			`_.constant(_user),`
			`Observable.of(_user),`
			`User.create$({ email })`
			`)`
			`.flatMap(user => user.requestAuthEmail(!_user))`
			`)`
fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`.do(msg => res.status(200).send({ message: msg }))`
			`.subscribe(_.noop, next);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00			`}`

fix(passwordless): Reduce db calls, run in parallel Adds validations, reduces the number of database calls, separates concers. reduces logic 2017-12-27 10:11:17 -08:00			`api.post(`
			`'/passwordless-auth',`
			`ifUserRedirect,`
			`passwordlessPostValidators,`
			`postPasswordlessAuth`
			`);`
refactor(server/authenticate): Move auth api into own boot script separate from user account/display methods 2017-12-26 13:20:03 -08:00
			`app.use('/:lang', router);`
			`app.use(api);`
initial move to loopback server 2015-06-02 17:27:02 -07:00			`};`