feat(jsbattle-server): add OAuth to admin services

Author: jamro

packages/jsbattle-docs/docs/_sidebar.md

@@ -2,6 +2,7 @@
 
 - [**Home**](./README.md)
 - [**Installation**](./installation.md)
+- [**Configuration**](./configuration.md)
 - [**Getting Started**](./getting_started.md)
 - [**Manual**](./manual/README.md)
     - [Battle Anatomy](./manual/battle_anatomy.md)

packages/jsbattle-docs/docs/configuration.md

@@ -0,0 +1,103 @@
+# Configuration
+
+## CLI
+
+You can configure JsBattle by providing shell arguments on startup. To get more information run
+
+```bash
+./jsbattle.js --help
+```
+
+## Configuration file
+Most of the configuration is done via a configuration file.
+
+```bash
+./jsbattle.js start --config jsbattle.config.json
+```
+
+When the config file is not provided, the default configuration is applied. If any value is missing in the config file, default settings are used. CLI arguments have a higher priority than settings from the config file.  
+
+## Full configuration file
+List of all settings of JsBattle:
+
+```js
+{
+  // supported log levels: "error", "warn", "info", "debug", "trace"
+  "loglevel": "info",
+
+  // data persistence settings
+  "data": {
+
+    // path to directory where the data is stored. When not provided, an in-memory DB is used
+    "path": "./jsbattle-data"
+  },
+
+  // configuration of web server
+  "web": {
+
+    // path to static files. In most cases you do not need to change that
+    "webroot": path.resolve(__dirname, "./public"),
+
+    // host where web server will bind to
+    "host": "127.0.0.1",
+
+    // port where web server will bind to
+    "port": "8080",
+
+    // url where JsBattle is available. Required to generate URL links properly (e.g. oAth callback)
+    "baseUrl": "http://localhost:8080",
+
+    // Google Analytics code (stats are disabled when not provided)
+    "gaCode": ""
+  },
+
+  // authorization settings
+  "auth": {
+
+    // if auth is disabled, login will not be required. It is not recommended for production
+    // since it will result in exposing admin panel to public. Some features may be disabled
+    // when auth is turned off
+    "enabled": true,
+
+    // list of users that will be granted administration permissions (admin role)
+    "admins": [
+      {
+        "provider": "github",
+        "username": "thejack6318"
+      }
+    ],
+
+    // list of OAuth providers. For each providers there are two routes created:
+    // - /auth/{provider_name} - redirects to provider login page
+    // - /auth/{provider_name}/callback - retrieve oAuth token from provider
+    "providers": [
+
+      // define each provider as separate object
+      {
+        // name of provider. Supported values are: github, facebook, google, twitter, linkedin, slack
+        // authStrategies['github'] = require("passport-github2");
+        "name": 'github',
+
+        // client ID generated by OAuth provider
+        "clientID": "XXXXXXXXXXXXXXXXXXXX",
+        // client secret generated by OAuth provider
+        "clientSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+      }
+    ]
+  }
+}
+```
+
+## Environment variables
+
+Part of the configuration could be provided as env vars.
+
+### OAuth providers
+To configure OAuth provider set up following env vars
+
+```bash
+OAUTH_{PROVIDER_NAME}_CLIENT_ID=XXXXXXXXXXXXXXXXXXXX
+OAUTH_{PROVIDER_NAME}_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+```
+
+Where `{PROVIDER_NAME}` is one of supported providers (upper case)

packages/jsbattle-server/.eslintrc.js

@@ -168,7 +168,7 @@ module.exports = {
         "no-param-reassign": "off",
         "no-path-concat": "off",
         "no-plusplus": "error",
-        "no-process-env": "error",
+        "no-process-env": "off",
         "no-process-exit": "error",
         "no-prototype-builtins": "error",
         "no-restricted-globals": "error",

packages/jsbattle-server/app/Gateway.js

@@ -1,6 +1,7 @@
 const { ServiceBroker } = require("moleculer");
 const path = require('path')
 const _ = require('lodash')
+require('dotenv').config();
 
 class Gateway {
 
@@ -14,17 +15,36 @@ class Gateway {
         "web": {
           "webroot": path.resolve(__dirname, "./public"),
           "host": "127.0.0.1",
+          "baseUrl": "http://localhost:8080",
           "port": "8080",
           "gaCode": ""
+        },
+        "auth": {
+          "enabled": true,
+          "admins": [],
+          "providers": []
         }
       };
+
+      // add auth strategioes defined in env vars
+      let authStrategies = Object.keys(process.env)
+        .filter((keyName) => (/^OAUTH_([A-Z_\-0-9]*)_CLIENT_(SECRET|ID)$/).test(keyName))
+        .map((keyName) => keyName.replace(/^OAUTH_([A-Z_\-0-9]*)_CLIENT_(SECRET|ID)$/, "$1"))
+      authStrategies = _.uniq(authStrategies);
+      authStrategies.forEach((strategyName) => {
+        defaultOptions.auth.providers.push({
+          name: strategyName.toLowerCase(),
+          clientID: process.env[`OAUTH_${strategyName.toUpperCase()}_CLIENT_ID`],
+          clientSecret: process.env[`OAUTH_${strategyName.toUpperCase()}_CLIENT_SECRET`]
+        });
+      });
+
       options = _.defaultsDeep(options, defaultOptions)
       this.broker = new ServiceBroker({
         namespace: 'jsbattle',
         logLevel: options.loglevel
       });
       this.broker.serviceConfig = options;
-
       this.broker.loadServices(path.resolve(__dirname, 'services'), '*.service.js');
       resolve();
     });

packages/jsbattle-server/app/public/index.html

@@ -5,5 +5,6 @@
   <body>
     <h1>JsBattle</h1>
     <!-- GA Tracking code: GA:XX-XXXXXXXXX-X -->
+    <a href="/auth/github">Github Login</a> | <a href="/auth/logout">Log out</a>
   </body>
 </html>

packages/jsbattle-server/app/runner.js

@@ -1,19 +1,29 @@
 #!/usr/bin/env node
 
-const Gateway = require('./Gateway.js')
+const Gateway = require('./Gateway.js');
 const path = require('path');
 
 let gateway = new Gateway();
-gateway.init({
-  "loglevel": "info",
+let config = {
+  "loglevel": "debug",
   "data": {
     "path": path.join(__dirname, 'jsbattle-data')
   },
   "web": {
     "webroot": path.join(__dirname, 'public'),
     "host": "127.0.0.1",
+    "baseUrl": "http://localhost:9000",
     "port": "9000",
     "gaCode": "AB-123456789-Z"
+  },
+  "auth": {
+    "admins": [
+      {
+        provider: 'github',
+        username: 'jamro'
+      }
+    ]
   }
-}).then(() => gateway.start())
+};
+gateway.init(config).then(() => gateway.start())
 .catch(console.error);

packages/jsbattle-server/app/services/ApiGateway.service.js

@@ -1,9 +1,11 @@
 const Service = require("moleculer").Service;
 const ApiService = require("moleculer-web");
 const express = require('express');
+const cookieParser = require('cookie-parser');
 const path = require('path');
 const stringReplace = require('../lib/stringReplaceMiddleware.js');
-const { UnAuthorizedError, ERR_NO_TOKEN, ERR_INVALID_TOKEN } = require("moleculer-web").Errors;
+const authorize = require('./apiGateway/authorize.js');
+const configPassport = require('./apiGateway/configPassport.js');
 
 class ApiGatewayService extends Service {
 
@@ -18,11 +20,13 @@ class ApiGatewayService extends Service {
           settings: {
             routes: [
               {
-                authorization: true,
+                authorization: broker.serviceConfig.auth.enabled,
                 path: '/admin',
                 mappingPolicy: 'restrict',
+                use: [cookieParser()],
                 aliases: {
                   "GET allBattleReplays": "battleStore.listAll",
+                  "GET whoami": "auth.whoami"
                 },
                 bodyParsers: {
                   json: true,
@@ -32,10 +36,10 @@ class ApiGatewayService extends Service {
               {
                 path: '/',
                 mappingPolicy: 'restrict',
+                use: [cookieParser()],
                 aliases: {
                   "GET battleReplay": "battleStore.getReplay",
-                  "POST battleReplay": "battleStore.publish",
-                  "POST login": "auth.login"
+                  "POST battleReplay": "battleStore.publish"
                 },
                 bodyParsers: {
                   json: true,
@@ -50,20 +54,7 @@ class ApiGatewayService extends Service {
             }
           },
           methods: {
-            async authorize(ctx, route, req) {
-              let auth = req.headers["authorization"];
-              if (auth && auth.startsWith("Bearer ")) {
-                let token = auth.slice(7);
-                try {
-                  let user = await ctx.call('auth.resolveToken', {token});
-                  ctx.meta.user = user; // eslint-disable-line require-atomic-updates
-                } catch (err) {
-                  return Promise.reject(new UnAuthorizedError(ERR_INVALID_TOKEN));
-                }
-              } else {
-                return Promise.reject(new UnAuthorizedError(ERR_NO_TOKEN));
-              }
-            }
+            authorize: authorize(['admin'])
           },
           started() {
             // do not start listening since its an express middleware
@@ -85,6 +76,15 @@ class ApiGatewayService extends Service {
           { maxAge: 12*60*60*1000, etag: true }
         ));
         this.app.use("/api", svc.express());
+
+        this.app.use(cookieParser());
+
+        if(broker.serviceConfig.auth.enabled == false) {
+          this.logger.warn('Auth is disabled. Everyone can access admin panel. The configuration is not recommended for production purposes');
+        } else {
+          configPassport(this.app, this.logger, broker);
+        }
+
         let port = broker.serviceConfig.web.port || 8080;
         let host = broker.serviceConfig.web.host || '127.0.0.1';
         this.app.listen(
@@ -98,12 +98,6 @@ class ApiGatewayService extends Service {
     });
   }
 
-  started() {
-    this.app = express();
-    this.app.use("/api", this.express());
-    this.app.listen(3000);
-  }
-
 }
 
 module.exports = ApiGatewayService;

packages/jsbattle-server/app/services/Auth.service.js

@@ -1,11 +1,15 @@
 const Service = require("moleculer").Service;
 const { ValidationError } = require("moleculer").Errors;
-const { MoleculerClientError } = require("moleculer").Errors;
 const jsonwebtoken = require("jsonwebtoken");
-const _ = require('lodash')
+const _ = require('lodash');
 const crypto = require('crypto');
 
 const JWT_SECRET = crypto.randomBytes(256).toString('base64');
+const JWT_FIELDS = [
+  'userId',
+  'username',
+  'role'
+];
 
 class AuthService extends Service {
 
@@ -15,28 +19,32 @@ class AuthService extends Service {
     this.parseServiceSchema({
       name: "auth",
       actions: {
-        login: this.login,
-        resolveToken: this.resolveToken
+        authorize: this.authorize,
+        resolveToken: this.resolveToken,
+        whoami: this.whoami
+      },
+      events: {
+        "user.login": async (userId) => {
+          await broker.call("userStore.update", {id: userId, lastLoginAt: new Date()});
+        }
       }
     });
   }
 
-  login(ctx) {
-    if(!ctx.params.username) {
-      throw new ValidationError('username parameter is required', 400);
-    }
-    if(!ctx.params.password) {
-      throw new ValidationError('password parameter is required', 400);
-    }
-    if(ctx.params.username !== 'admin' || ctx.params.password !== 'secret' ) {
-      throw new MoleculerClientError('Forbidden', 403);
+  whoami(ctx) {
+    let userId = ctx.meta.user.userId;
+    let user = ctx.call('userStore.get', {id: userId});
+    return user;
+  }
+
+  authorize(ctx) {
+    if(!ctx.params.user) {
+      throw new ValidationError('user parameter is required', 400);
     }
+    let user = _.pick(ctx.params.user, JWT_FIELDS)
     return {
       token: jsonwebtoken.sign(
-        {
-          username: ctx.params.username,
-          role: 'admin'
-        },
+        user,
         JWT_SECRET,
         {
           expiresIn: '1d'
@@ -46,11 +54,11 @@ class AuthService extends Service {
   }
 
   resolveToken(ctx) {
+    if(!ctx.params.token) {
+      throw new ValidationError('token parameter is required', 400);
+    }
     let user = jsonwebtoken.verify(ctx.params.token, JWT_SECRET);
-    return _.pick(user, [
-      'username',
-      'role'
-    ]);
+    return _.pick(user, JWT_FIELDS);
   }
 
 }