Rocket.Chat/packages/rocketchat-custom-oauth/server/custom_oauth_server.js

/*globals OAuth*/

const logger = new Logger('CustomOAuth');

const Services = {};
const BeforeUpdateOrCreateUserFromExternalService = [];

export class CustomOAuth {
	constructor(name, options) {
		logger.debug('Init CustomOAuth', name, options);

		this.name = name;
		if (!Match.test(this.name, String)) {
			throw new Meteor.Error('CustomOAuth: Name is required and must be String');
		}

		if (Services[this.name]) {
			Services[this.name].configure(options);
			return;
		}

		Services[this.name] = this;

		this.configure(options);

		this.userAgent = 'Meteor';
		if (Meteor.release) {
			this.userAgent += `/${ Meteor.release }`;
		}

		Accounts.oauth.registerService(this.name);
		this.registerService();
		this.addHookToProcessUser();
	}

	configure(options) {
		if (!Match.test(options, Object)) {
			throw new Meteor.Error('CustomOAuth: Options is required and must be Object');
		}

		if (!Match.test(options.serverURL, String)) {
			throw new Meteor.Error('CustomOAuth: Options.serverURL is required and must be String');
		}

		if (!Match.test(options.tokenPath, String)) {
			options.tokenPath = '/oauth/token';
		}

		if (!Match.test(options.identityPath, String)) {
			options.identityPath = '/me';
		}

		this.serverURL = options.serverURL;
		this.tokenPath = options.tokenPath;
		this.identityPath = options.identityPath;
		this.tokenSentVia = options.tokenSentVia;
		this.usernameField = (options.usernameField || '').trim();
		this.mergeUsers = options.mergeUsers;

		if (!/^https?:\/\/.+/.test(this.tokenPath)) {
			this.tokenPath = this.serverURL + this.tokenPath;
		}

		if (!/^https?:\/\/.+/.test(this.identityPath)) {
			this.identityPath = this.serverURL + this.identityPath;
		}

		if (Match.test(options.addAutopublishFields, Object)) {
			Accounts.addAutopublishFields(options.addAutopublishFields);
		}
	}

	getAccessToken(query) {
		const config = ServiceConfiguration.configurations.findOne({service: this.name});
		if (!config) {
			throw new ServiceConfiguration.ConfigError();
		}

		let response = undefined;

		const allOptions = {
			headers: {
				'User-Agent': this.userAgent, // http://doc.gitlab.com/ce/api/users.html#Current-user
				Accept: 'application/json'
			},
			params: {
				code: query.code,
				redirect_uri: OAuth._redirectUri(this.name, config),
				grant_type: 'authorization_code',
				state: query.state
			}
		};

		// Only send clientID / secret once on header or payload.
		if (this.tokenSentVia === 'header') {
			allOptions['auth'] = `${ config.clientId }:${ OAuth.openSecret(config.secret) }`;
		} else {
			allOptions['params']['client_secret'] = OAuth.openSecret(config.secret);
			allOptions['params']['client_id'] = config.clientId;
		}

		try {
			response = HTTP.post(this.tokenPath, allOptions);
		} catch (err) {
			const error = new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ err.message }`);
			throw _.extend(error, {response: err.response});
		}

		let data;
		if (response.data) {
			data = response.data;
		} else {
			data = JSON.parse(response.content);
		}

		if (data.error) { //if the http response was a json object with an error attribute
			throw new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ data.error }`);
		} else {
			return data.access_token;
		}
	}

	getIdentity(accessToken) {
		const params = {};
		const headers = {
			'User-Agent': this.userAgent // http://doc.gitlab.com/ce/api/users.html#Current-user
		};

		if (this.tokenSentVia === 'header') {
			headers['Authorization'] = `Bearer ${ accessToken }`;
		} else {
			params['access_token'] = accessToken;
		}

		try {
			const response = HTTP.get(this.identityPath, {
				headers,
				params
			});

			let data;

			if (response.data) {
				data = response.data;
			} else {
				data = JSON.parse(response.content);
			}

			logger.debug('Identity response', JSON.stringify(data, null, 2));

			return data;
		} catch (err) {
			const error = new Error(`Failed to fetch identity from ${ this.name } at ${ this.identityPath }. ${ err.message }`);
			throw _.extend(error, {response: err.response});
		}
	}

	registerService() {
		const self = this;
		OAuth.registerService(this.name, 2, null, (query) => {
			const accessToken = self.getAccessToken(query);
			// console.log 'at:', accessToken

			let identity = self.getIdentity(accessToken);

			if (identity) {
				// Set 'id' to '_id' for any sources that provide it
				if (identity._id && !identity.id) {
					identity.id = identity._id;
				}

				// Fix for Reddit
				if (identity.result) {
					identity = identity.result;
				}

				// Fix WordPress-like identities having 'ID' instead of 'id'
				if (identity.ID && !identity.id) {
					identity.id = identity.ID;
				}

				// Fix Auth0-like identities having 'user_id' instead of 'id'
				if (identity.user_id && !identity.id) {
					identity.id = identity.user_id;
				}

				if (identity.CharacterID && !identity.id) {
					identity.id = identity.CharacterID;
				}

				// Fix Dataporten having 'user.userid' instead of 'id'
				if (identity.user && identity.user.userid && !identity.id) {
					identity.id = identity.user.userid;
					identity.email = identity.user.email;
				}

				// Fix general 'phid' instead of 'id' from phabricator
				if (identity.phid && !identity.id) {
					identity.id = identity.phid;
				}

				// Fix Keycloak-like identities having 'sub' instead of 'id'
				if (identity.sub && !identity.id) {
					identity.id = identity.sub;
				}

				// Fix general 'userid' instead of 'id' from provider
				if (identity.userid && !identity.id) {
					identity.id = identity.userid;
				}
			}

			// console.log 'id:', JSON.stringify identity, null, '  '

			const serviceData = {
				_OAuthCustom: true,
				accessToken
			};

			_.extend(serviceData, identity);

			const data = {
				serviceData,
				options: {
					profile: {
						name: identity.name || identity.username || identity.nickname || identity.CharacterName || identity.userName || identity.preferred_username || (identity.user && identity.user.name)
					}
				}
			};

			// console.log data

			return data;
		});
	}

	retrieveCredential(credentialToken, credentialSecret) {
		return OAuth.retrieveCredential(credentialToken, credentialSecret);
	}

	getUsername(data) {
		let username = '';

		if (this.usernameField.indexOf('#{') > -1) {
			username = this.usernameField.replace(/#{(.+?)}/g, function(match, field) {
				if (!data[field]) {
					throw new Meteor.Error('field_not_found', `Username template item "${ field }" not found in data`, data);
				}
				return data[field];
			});
		} else {
			username = data[this.usernameField];
			if (!username) {
				throw new Meteor.Error('field_not_found', `Username field "${ this.usernameField }" not found in data`, data);
			}
		}

		return username;
	}

	addHookToProcessUser() {
		BeforeUpdateOrCreateUserFromExternalService.push((serviceName, serviceData/*, options*/) => {
			if (serviceName !== this.name) {
				return;
			}

			if (this.usernameField) {
				const username = this.getUsername(serviceData);

				const user = RocketChat.models.Users.findOneByUsername(username);
				if (!user) {
					return;
				}

				// User already created or merged
				if (user.services && user.services[serviceName] && user.services[serviceName].id === serviceData.id) {
					return;
				}

				if (this.mergeUsers !== true) {
					throw new Meteor.Error('CustomOAuth', `User with username ${ user.username } already exists`);
				}

				const serviceIdKey = `services.${ serviceName }.id`;
				const update = {
					$set: {
						[serviceIdKey]: serviceData.id
					}
				};

				RocketChat.models.Users.update({_id: user._id}, update);
			}
		});

		Accounts.validateNewUser((user) => {
			if (!user.services || !user.services[this.name] || !user.services[this.name].id) {
				return true;
			}

			if (this.usernameField) {
				user.username = this.getUsername(user.services[this.name]);
			}

			return true;
		});

	}
}


const updateOrCreateUserFromExternalService = Accounts.updateOrCreateUserFromExternalService;
Accounts.updateOrCreateUserFromExternalService = function(/*serviceName, serviceData, options*/) {
	for (const hook of BeforeUpdateOrCreateUserFromExternalService) {
		hook.apply(this, arguments);
	}

	return updateOrCreateUserFromExternalService.apply(this, arguments);
};
Convert CustomOAuth to JS 9 years ago			`/globals OAuth/`

Add CustomOAuth logger 9 years ago			`const logger = new Logger('CustomOAuth');`

Convert CustomOAuth to JS 9 years ago			`const Services = {};`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`const BeforeUpdateOrCreateUserFromExternalService = [];`
Convert CustomOAuth to JS 9 years ago
			`export class CustomOAuth {`
			`constructor(name, options) {`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`logger.debug('Init CustomOAuth', name, options);`

Convert CustomOAuth to JS 9 years ago			`this.name = name;`
			`if (!Match.test(this.name, String)) {`
			`throw new Meteor.Error('CustomOAuth: Name is required and must be String');`
			`}`

			`if (Services[this.name]) {`
			`Services[this.name].configure(options);`
			`return;`
			`}`

			`Services[this.name] = this;`

			`this.configure(options);`

			`this.userAgent = 'Meteor';`
			`if (Meteor.release) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			this.userAgent += `/${ Meteor.release }`;
Convert CustomOAuth to JS 9 years ago			`}`

			`Accounts.oauth.registerService(this.name);`
			`this.registerService();`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`this.addHookToProcessUser();`
Convert CustomOAuth to JS 9 years ago			`}`

			`configure(options) {`
			`if (!Match.test(options, Object)) {`
			`throw new Meteor.Error('CustomOAuth: Options is required and must be Object');`
			`}`

			`if (!Match.test(options.serverURL, String)) {`
			`throw new Meteor.Error('CustomOAuth: Options.serverURL is required and must be String');`
			`}`

			`if (!Match.test(options.tokenPath, String)) {`
			`options.tokenPath = '/oauth/token';`
			`}`

			`if (!Match.test(options.identityPath, String)) {`
			`options.identityPath = '/me';`
			`}`

			`this.serverURL = options.serverURL;`
			`this.tokenPath = options.tokenPath;`
			`this.identityPath = options.identityPath;`
			`this.tokenSentVia = options.tokenSentVia;`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`this.usernameField = (options.usernameField \|\| '').trim();`
			`this.mergeUsers = options.mergeUsers;`
Convert CustomOAuth to JS 9 years ago
			`if (!/^https?:\/\/.+/.test(this.tokenPath)) {`
			`this.tokenPath = this.serverURL + this.tokenPath;`
			`}`

			`if (!/^https?:\/\/.+/.test(this.identityPath)) {`
			`this.identityPath = this.serverURL + this.identityPath;`
			`}`

			`if (Match.test(options.addAutopublishFields, Object)) {`
			`Accounts.addAutopublishFields(options.addAutopublishFields);`
			`}`
			`}`

			`getAccessToken(query) {`
			`const config = ServiceConfiguration.configurations.findOne({service: this.name});`
			`if (!config) {`
			`throw new ServiceConfiguration.ConfigError();`
			`}`

			`let response = undefined;`
Use tokenSentVia parameter to select the way sent clientid/secret to token endpoint 8 years ago
			`const allOptions = {`
			`headers: {`
			`'User-Agent': this.userAgent, // http://doc.gitlab.com/ce/api/users.html#Current-user`
			`Accept: 'application/json'`
			`},`
			`params: {`
			`code: query.code,`
			`redirect_uri: OAuth._redirectUri(this.name, config),`
			`grant_type: 'authorization_code',`
			`state: query.state`
			`}`
			`};`

			`// Only send clientID / secret once on header or payload.`
			`if (this.tokenSentVia === 'header') {`
			allOptions['auth'] = `${ config.clientId }:${ OAuth.openSecret(config.secret) }`;
			`} else {`
			`allOptions['params']['client_secret'] = OAuth.openSecret(config.secret);`
			`allOptions['params']['client_id'] = config.clientId;`
			`}`

Convert CustomOAuth to JS 9 years ago			`try {`
Use tokenSentVia parameter to select the way sent clientid/secret to token endpoint 8 years ago			`response = HTTP.post(this.tokenPath, allOptions);`
Convert CustomOAuth to JS 9 years ago			`} catch (err) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			const error = new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ err.message }`);
Convert CustomOAuth to JS 9 years ago			`throw _.extend(error, {response: err.response});`
			`}`

Fix can not get access_token when using custom oauth 8 years ago			`let data;`
Format bad code 8 years ago			`if (response.data) {`
Fix can not get access_token when using custom oauth 8 years ago			`data = response.data;`
Convert CustomOAuth to JS 9 years ago			`} else {`
Fix can not get access_token when using custom oauth 8 years ago			`data = JSON.parse(response.content);`
			`}`

			`if (data.error) { //if the http response was a json object with an error attribute`
Format bad code 8 years ago			throw new Error(`Failed to complete OAuth handshake with ${ this.name } at ${ this.tokenPath }. ${ data.error }`);
Fix can not get access_token when using custom oauth 8 years ago			`} else {`
			`return data.access_token;`
Convert CustomOAuth to JS 9 years ago			`}`
			`}`

			`getIdentity(accessToken) {`
			`const params = {};`
			`const headers = {`
			`'User-Agent': this.userAgent // http://doc.gitlab.com/ce/api/users.html#Current-user`
			`};`

			`if (this.tokenSentVia === 'header') {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			headers['Authorization'] = `Bearer ${ accessToken }`;
Convert CustomOAuth to JS 9 years ago			`} else {`
			`params['access_token'] = accessToken;`
			`}`

			`try {`
			`const response = HTTP.get(this.identityPath, {`
Add ESLint rule `object-shorthand` (#6457) * ESLint add rule `object-shorthand` * ESLint rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			`headers,`
			`params`
Convert CustomOAuth to JS 9 years ago			`});`

Add CustomOAuth logger 9 years ago			`let data;`

Convert CustomOAuth to JS 9 years ago			`if (response.data) {`
Add CustomOAuth logger 9 years ago			`data = response.data;`
Convert CustomOAuth to JS 9 years ago			`} else {`
Add CustomOAuth logger 9 years ago			`data = JSON.parse(response.content);`
Convert CustomOAuth to JS 9 years ago			`}`
Add CustomOAuth logger 9 years ago
			`logger.debug('Identity response', JSON.stringify(data, null, 2));`

			`return data;`
Convert CustomOAuth to JS 9 years ago			`} catch (err) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			const error = new Error(`Failed to fetch identity from ${ this.name } at ${ this.identityPath }. ${ err.message }`);
Convert CustomOAuth to JS 9 years ago			`throw _.extend(error, {response: err.response});`
			`}`
			`}`

			`registerService() {`
			`const self = this;`
			`OAuth.registerService(this.name, 2, null, (query) => {`
			`const accessToken = self.getAccessToken(query);`
			`// console.log 'at:', accessToken`

			`let identity = self.getIdentity(accessToken);`

			`if (identity) {`
Set serviceData id based on Rocket.Chat _id 8 years ago			`// Set 'id' to '_id' for any sources that provide it`
			`if (identity._id && !identity.id) {`
			`identity.id = identity._id;`
			`}`

Convert CustomOAuth to JS 9 years ago			`// Fix for Reddit`
			`if (identity.result) {`
			`identity = identity.result;`
			`}`

			`// Fix WordPress-like identities having 'ID' instead of 'id'`
			`if (identity.ID && !identity.id) {`
			`identity.id = identity.ID;`
			`}`

			`// Fix Auth0-like identities having 'user_id' instead of 'id'`
			`if (identity.user_id && !identity.id) {`
			`identity.id = identity.user_id;`
			`}`

			`if (identity.CharacterID && !identity.id) {`
			`identity.id = identity.CharacterID;`
			`}`

			`// Fix Dataporten having 'user.userid' instead of 'id'`
			`if (identity.user && identity.user.userid && !identity.id) {`
			`identity.id = identity.user.userid;`
			`identity.email = identity.user.email;`
			`}`

			`// Fix general 'phid' instead of 'id' from phabricator`
			`if (identity.phid && !identity.id) {`
			`identity.id = identity.phid;`
			`}`

			`// Fix Keycloak-like identities having 'sub' instead of 'id'`
			`if (identity.sub && !identity.id) {`
			`identity.id = identity.sub;`
			`}`

			`// Fix general 'userid' instead of 'id' from provider`
			`if (identity.userid && !identity.id) {`
			`identity.id = identity.userid;`
			`}`
			`}`

			`// console.log 'id:', JSON.stringify identity, null, ' '`

			`const serviceData = {`
			`_OAuthCustom: true,`
Add ESLint rule `object-shorthand` (#6457) * ESLint add rule `object-shorthand` * ESLint rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			`accessToken`
Convert CustomOAuth to JS 9 years ago			`};`

			`_.extend(serviceData, identity);`

			`const data = {`
Add ESLint rule `object-shorthand` (#6457) * ESLint add rule `object-shorthand` * ESLint rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			`serviceData,`
Convert CustomOAuth to JS 9 years ago			`options: {`
			`profile: {`
			`name: identity.name \|\| identity.username \|\| identity.nickname \|\| identity.CharacterName \|\| identity.userName \|\| identity.preferred_username \|\| (identity.user && identity.user.name)`
			`}`
			`}`
			`};`

			`// console.log data`

			`return data;`
			`});`
			`}`

			`retrieveCredential(credentialToken, credentialSecret) {`
			`return OAuth.retrieveCredential(credentialToken, credentialSecret);`
			`}`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago
Set username automaticaly 9 years ago			`getUsername(data) {`
			`let username = '';`

			`if (this.usernameField.indexOf('#{') > -1) {`
			`username = this.usernameField.replace(/#{(.+?)}/g, function(match, field) {`
			`if (!data[field]) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			throw new Meteor.Error('field_not_found', `Username template item "${ field }" not found in data`, data);
Set username automaticaly 9 years ago			`}`
			`return data[field];`
			`});`
			`} else {`
			`username = data[this.usernameField];`
			`if (!username) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			throw new Meteor.Error('field_not_found', `Username field "${ this.usernameField }" not found in data`, data);
Set username automaticaly 9 years ago			`}`
			`}`

			`return username;`
			`}`

Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`addHookToProcessUser() {`
			`BeforeUpdateOrCreateUserFromExternalService.push((serviceName, serviceData/, options/) => {`
			`if (serviceName !== this.name) {`
			`return;`
			`}`

			`if (this.usernameField) {`
Set username automaticaly 9 years ago			`const username = this.getUsername(serviceData);`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago
Support username template in CustomOAuth 9 years ago			`const user = RocketChat.models.Users.findOneByUsername(username);`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`if (!user) {`
Fix issue creating users with username from OAuth Closes #5222 9 years ago			`return;`
			`}`

			`// User already created or merged`
			`if (user.services && user.services[serviceName] && user.services[serviceName].id === serviceData.id) {`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`return;`
			`}`

			`if (this.mergeUsers !== true) {`
Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			throw new Meteor.Error('CustomOAuth', `User with username ${ user.username } already exists`);
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`}`

Add ESLint rules `prefer-template` and `template-curly-spacing` (#6456) * Add ESLint rule `prefer-template` * Add ESLint rule `template-curly-spacing ` * ESLint ignore rocketchat-livechat/assets/rocket-livechat.js * Add ecmascript package to all packages * Use ecmascript package for server and client on saml package * Fix compilation 8 years ago			const serviceIdKey = `services.${ serviceName }.id`;
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`const update = {`
			`$set: {`
			`[serviceIdKey]: serviceData.id`
			`}`
			`};`

Fix user update 9 years ago			`RocketChat.models.Users.update({_id: user._id}, update);`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`}`
			`});`
Set username automaticaly 9 years ago
			`Accounts.validateNewUser((user) => {`
			`if (!user.services \|\| !user.services[this.name] \|\| !user.services[this.name].id) {`
			`return true;`
			`}`

			`if (this.usernameField) {`
			`user.username = this.getUsername(user.services[this.name]);`
			`}`

			`return true;`
			`});`

Add new options (username-field and merge-users) to CustomOAuth 9 years ago			`}`
Convert CustomOAuth to JS 9 years ago			`}`
Add new options (username-field and merge-users) to CustomOAuth 9 years ago

			`const updateOrCreateUserFromExternalService = Accounts.updateOrCreateUserFromExternalService;`
			`Accounts.updateOrCreateUserFromExternalService = function(/serviceName, serviceData, options/) {`
			`for (const hook of BeforeUpdateOrCreateUserFromExternalService) {`
			`hook.apply(this, arguments);`
			`}`

			`return updateOrCreateUserFromExternalService.apply(this, arguments);`
			`};`