Use seperate path to handle oauth callback

This fixes an issue where you'd be taken to an error screen if you refreshed a restricted page while you had a then-invalidated code in your url params

Use seperate path to handle oauth callback
d7cab86b · David Mynors · 16fc81e9 · d7cab86b · d7cab86b · d7cab86b
Commit d7cab86b authored 4 years ago by David Mynors
--- a/lib/auth.js
+++ b/lib/auth.js
+const express = require('express');
+const router = express.Router();
 const axios = require('axios');
 const url = require('url');

-// TODO: logging
-
 let config = require('./config.js');
 const baseUrl = config.theme.urls.base;
 config = config.oauth;

+// TODO: logging, potentially remove false-positive error logs below
+
 const ensureAuthenticated = async (req, res, next) => {
-    const code = req.url.split('?code=')[1];
-    const redirectUri = baseUrl + req.url;
+    const redirectUri = baseUrl + "/auth/login" + req.url;

-    if (!code) {
+    const authenticated = !!req.signedCookies.socialCoopUser
+
+    if (!authenticated) {
        try {
            return res.redirect(
                `${config.instance}/oauth/authorize?client_id=${config.clientId}&scope=read:accounts&redirect_uri=${redirectUri}&response_type=code`
@@ -22,6 +25,14 @@ const ensureAuthenticated = async (req, res, next) => {
        }
    }

+    next();
+};
+
+router.get("/login/:destination", async (req, res) => {
+    const [path, code] = req.url.split('?code=');
+    const redirectUri = baseUrl + "/auth" + path
+    const destinationPath = "/" + req.params.destination
+
    const params = new url.URLSearchParams({
        client_id: config.clientId,
        client_secret: config.clientSecret,
@@ -41,7 +52,6 @@ const ensureAuthenticated = async (req, res, next) => {
        token = tokenResponse.data.access_token;
    } catch (err) {
        console.log('error requesting access token:', err.response.data || err);
-        return res.json("an error ocurred")
    }

    try {
@@ -52,11 +62,14 @@ const ensureAuthenticated = async (req, res, next) => {
            }
        );
        if (profileResponse.status === 200) {
+            const { username } = profileResponse.data
            console.log(
                'successfully logged in',
-                profileResponse.data.username
+                username
            );
-            next();
+            res.cookie("socialCoopUser", username, { signed: true })
+            console.log("redirecting to", destinationPath)
+            res.redirect(destinationPath)
        } else {
            throw new Error(
                `verify_credentials response was ${profileResponse.status}, body: ${profileResponse.data}`
@@ -64,8 +77,7 @@ const ensureAuthenticated = async (req, res, next) => {
        }
    } catch (err) {
        console.log('error verifying credentials:', err.response.data || err);
-        return res.json("an error ocurred")
    }
-};
+})

-module.exports = ensureAuthenticated;
+module.exports = { router, ensureAuthenticated };
--- a/package-lock.json
+++ b/package-lock.json
@@ -197,6 +197,22 @@
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
      "integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s="
    },
+    "cookie-parser": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.5.tgz",
+      "integrity": "sha512-f13bPUj/gG/5mDr+xLmSxxDsB9DQiTIfhJS/sqjrmfAWiAN+x2O4i/XguTL9yDZ+/IFDanJ+5x7hC4CXT9Tdzw==",
+      "requires": {
+        "cookie": "0.4.0",
+        "cookie-signature": "1.0.6"
+      },
+      "dependencies": {
+        "cookie": {
+          "version": "0.4.0",
+          "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
+          "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg=="
+        }
+      }
+    },
    "cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",

--- a/package.json
+++ b/package.json
@@ -14,6 +14,7 @@
  "dependencies": {
    "axios": "^0.21.1",
    "body-parser": "^1.18.3",
+    "cookie-parser": "^1.4.5",
    "emailjs": "^2.2.0",
    "express": "^4.15.2",
    "html2plaintext": "^2.1.2",

--- a/serve.js
+++ b/serve.js
 'use strict';
 const express = require('express');
+const cookieParser = require('cookie-parser');
 const fs = require('fs');
-const ensureAuthenticated = require('./lib/auth.js')
+const { router: authRouter, ensureAuthenticated } = require('./lib/auth.js')
 const templates = require('./lib/templates.js');
 const metalsmith = require('./metalsmith.js');
 const email = require('./lib/email.js');
@@ -21,7 +22,6 @@ const send = email(config.email.server);
 const app = express();
 const port = config.port;

-
 var expressOptions = {
    dotfiles: 'ignore',
    etag: false,
@@ -56,6 +56,13 @@ app.set('trust proxy', true); // Assume we're behind a proxy
 app.use(express.static('/', expressOptions));
 app.use(express.json());
 app.use(express.urlencoded({extended: true}));
+app.use(cookieParser(config.cookieSecret, {
+    maxAge: 60 * 60 * 24 * 30, // one month
+    httpOnly: true,
+    secure: true,
+}))
+
+app.use('/auth', authRouter)

 app.all('*', (req, res, next) => {
    next();