microsoft · cwhitten · Nov 9, 2020 · Oct 22, 2020 · Nov 2, 2020 · Oct 30, 2020
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -85,7 +85,8 @@
       "args": ["${workspaceRoot}/Composer/packages/electron-server"],
       "env": {
         "NODE_ENV": "development",
-        "DEBUG": "composer*"
+        "DEBUG": "composer*",
+        "COMPOSER_ENABLE_ONEAUTH": "false"
       },
       "outputCapture": "std"
     },

diff --git a/Composer/babel.l10n.config.js b/Composer/babel.l10n.config.js
@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+module.exports = {
+  presets: ['@babel/react', ['@babel/typescript', { allowNamespaces: true }]],
+  plugins: ['@babel/plugin-proposal-class-properties'],
+  ignore: [
+    'packages/electron-server',
+    'packages/**/__tests__',
+    'packages/**/node_modules',
+    'packages/**/build/**/*.js',
+  ],
+};
diff --git a/Composer/package.json b/Composer/package.json
@@ -67,7 +67,7 @@
     "l10n:extract": "cross-env NODE_ENV=production format-message extract -g underscored_crc32 -o packages/server/src/locales/en-US.json l10ntemp/**/*.js",
     "l10n:extractJson": "node scripts/l10n-extractJson.js",
     "l10n:transform": "node scripts/l10n-transform.js",
-    "l10n:babel": "babel ./packages --extensions \".ts,.tsx,.jsx,.js\" --out-dir l10ntemp --presets=@babel/react,@babel/typescript --plugins=@babel/plugin-proposal-class-properties --ignore \"packages/electron-server\",\"packages/**/__tests__\",\"packages/**/node_modules\",\"packages/**/build/**/*.js\"",
+    "l10n:babel": "babel --config-file ./babel.l10n.config.js --extensions \"ts,.tsx,.jsx,.js\" --out-dir l10ntemp ./packages",
     "l10n": "yarn l10n:babel && yarn l10n:extract && yarn l10n:transform packages/server/src/locales/en-US.json && yarn l10n:extractJson packages/server/schemas"
   },
   "husky": {

diff --git a/Composer/packages/client/public/index.html b/Composer/packages/client/public/index.html
@@ -41,6 +41,12 @@
         </script>
       <? } ?>
     <% } %>
+    <!-- embed csrf token into window object -->
+    <? if (__csrf__) { ?>
+      <script>
+        window.__csrf__ = "<?= __csrf__ ?>";
+      </script>
+    <? } ?>
   </head>
   <body>
     <noscript>You need to enable JavaScript to run this app.</noscript>

diff --git a/Composer/packages/client/src/plugins/api.ts b/Composer/packages/client/src/plugins/api.ts
@@ -1,7 +1,9 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-import { OAuthClient, OAuthOptions } from '../utils/oauthClient';
+import { AuthParameters } from '@botframework-composer/types';
+
+import { AuthClient } from '../utils/authClient';
 
 interface IAPI {
   auth: AuthAPI;
@@ -15,8 +17,7 @@ interface PublishConfig {
 }
 
 interface AuthAPI {
-  login: (options: OAuthOptions) => Promise<string>; // returns an id token
-  getAccessToken: (options: OAuthOptions) => Promise<string>; // returns an access token
+  getAccessToken: (options: AuthParameters) => Promise<string>; // returns an access token
 }
 
 interface PublishAPI {
@@ -31,13 +32,8 @@ class API implements IAPI {
 
   constructor() {
     this.auth = {
-      login: (options: OAuthOptions) => {
-        const client = new OAuthClient(options);
-        return client.login();
-      },
-      getAccessToken: (options: OAuthOptions) => {
-        const client = new OAuthClient(options);
-        return client.getTokenSilently();
+      getAccessToken: (params: AuthParameters) => {
+        return AuthClient.getAccessToken(params);
       },
     };
     this.publish = {

diff --git a/Composer/packages/client/src/types/window.d.ts b/Composer/packages/client/src/types/window.d.ts
@@ -29,5 +29,10 @@ declare global {
 
     ExtensionClient: typeof ExtensionClient;
     Fabric: typeof Fabric;
+
+    /**
+     * Token generated by the server, and sent with certain auth-related requests to the server to be verified and prevent CSRF attacks.
+     */
+    __csrf__?: string;
   }
 }
diff --git a/Composer/packages/client/src/utils/authClient.ts b/Composer/packages/client/src/utils/authClient.ts
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import { AuthParameters } from '@botframework-composer/types';
+
+async function getAccessToken(options: AuthParameters): Promise<string> {
+  try {
+    const { clientId = '', targetResource = '', scopes = [] } = options;
+    const { __csrf__ = '' } = window;
+
+    let url = '/api/auth/getAccessToken?';
+    const params = new URLSearchParams();
+    if (clientId) {
+      params.append('clientId', clientId);
+    }
+    if (scopes.length) {
+      params.append('scopes', JSON.stringify(scopes));
+    }
+    if (targetResource) {
+      params.append('targetResource', targetResource);
+    }
+    url += params.toString();
+
+    const result = await fetch(url, { method: 'GET', headers: { 'X-CSRF-Token': __csrf__ } });
+    const { accessToken = '' } = await result.json();
+    return accessToken;
+  } catch (e) {
+    // error handling
+    console.error('Did not receive an access token back from the server: ', e);
+    return '';
+  }
+}
+
+export const AuthClient = {
+  getAccessToken,
+};
diff --git a/Composer/packages/client/src/utils/oauthClient.ts b/Composer/packages/client/src/utils/oauthClient.ts
diff --git a/Composer/packages/electron-server/.eslintrc.js b/Composer/packages/electron-server/.eslintrc.js
@@ -7,4 +7,12 @@ module.exports = {
   rules: {
     'security/detect-non-literal-fs-filename': 'off',
   },
+  overrides: [
+    {
+      files: ['scripts/*'],
+      rules: {
+        '@typescript-eslint/no-var-requires': 'off',
+      },
+    },
+  ],
 };
diff --git a/Composer/packages/electron-server/.gitignore b/Composer/packages/electron-server/.gitignore
@@ -2,3 +2,4 @@ build/
 dist/
 locales/en-US-pseudo.json
 l10ntemp/
+oneauth-temp
diff --git a/Composer/packages/electron-server/AUTH.md b/Composer/packages/electron-server/AUTH.md
@@ -0,0 +1,31 @@
+# Enabling Authentication via OneAuth
+
+## Summary
+
+Authentication in Composer is done using the OneAuth native node library.
+
+This library leverages APIs within the user's OS to store and retrieve credentials in a compliant fashion, and allows Composer to get access tokens on behalf of the user once the user signs in.
+
+We disable this authentication flow by default in the development environment. To use the flow in a dev environment, please follow the steps below to leverage the OneAuth library.
+
+## Requirements
+
+**NOTE:** Authentication on Linux is not (yet) supported. We plan to support this in the future.
+
+When building Composer from source, in order to leverage the OneAuth library you will need to:
+
+- Set the `COMPOSER_ENABLE_ONEAUTH` environment variable to `true` in whatever process you use to start the `electron-server` package
+- Install the `oneauth-win64` or `oneauth-mac` NodeJS module either manually from the private registry, or by downloading it via script
+
+## Installing the OneAuth module
+
+Depending on your OS (Mac vs. Windows), you will need to install the `oneauth-mac` or `oneauth-win64` modules respectively.
+
+### Using the `installOneAuth.js` script
+
+1. Set `npm_config_registry` to `https://office.pkgs.visualstudio.com/_packaging/OneAuth/npm/registry/`
+1. Set `npm_config_username` to anything other than an empty string
+1. Set `npm_config__password` (note the double "_") to a base64-encoded [Personal Access Token you created in Azure DevOps](https://office.visualstudio.com/_usersSettings/tokens) for the Office org that has the Packaging (read) scope enabled
+1. Run `node scripts/installOneAuth.js` from `/electron-server/`
+
+There should now be a `/electron-server/oneauth-temp/` directory containing the contents of the OneAuth module which will be called by Composer assuming you set the `COMPOSER_ENABLE_ONEAUTH` environment variable.