feat: Guest email authentication (#1088)

* feat: API endpoints for email signin

* fix: After testing

* Initial signin flow working

* move shared middleware

* feat: Add guest signin toggle, obey on endpoints

* feat: Basic email signin when enabled

* Improve guest signin email
Disable double signin with JWT

* fix: Simple rate limiting

* create placeholder users in db

* fix: Give invited users default avatar
add invited users to people settings

* test

* add transaction

* tmp: test CI

* derp

* md5

* urgh

* again

* test: pass

* test

* fix: Remove usage of data values

* guest signin page

* Visually separator 'Invited' from other people tabs

* fix: Edge case attempting SSO signin for guest email account

* fix: Correctly set email auth method to cookie

* Improve rate limit error display

* lint: cleanup / comments

* Improve invalid token error display

* style tweaks

* pass guest value to subdomain

* Restore copy link option

* feat: Allow invite revoke from people management

* fix: Incorrect users email schema does not allow for user deletion

* lint

* fix: avatarUrl for deleted user failure

* change default to off for guest invites

* fix: Changing security settings wipes subdomain

* fix: user delete permissioning

* test: Add user.invite specs

server/auth/email.js

@@ -0,0 +1,91 @@
+// @flow
+import Router from 'koa-router';
+import mailer from '../mailer';
+import subMinutes from 'date-fns/sub_minutes';
+import { getUserForEmailSigninToken } from '../utils/jwt';
+import { User, Team } from '../models';
+import methodOverride from '../middlewares/methodOverride';
+import validation from '../middlewares/validation';
+import auth from '../middlewares/authentication';
+import { AuthorizationError } from '../errors';
+
+const router = new Router();
+
+router.use(methodOverride());
+router.use(validation());
+
+router.post('email', async ctx => {
+  const { email } = ctx.body;
+
+  ctx.assertEmail(email, 'email is required');
+
+  const user = await User.findOne({
+    where: { email },
+  });
+
+  if (user) {
+    const team = await Team.findByPk(user.teamId);
+
+    // If the user matches an email address associated with an SSO
+    // signin then just forward them directly to that service's
+    // login page
+    if (user.service && user.service !== 'email') {
+      return ctx.redirect(`${team.url}/auth/${user.service}`);
+    }
+
+    if (!team.guestSignin) {
+      throw new AuthorizationError();
+    }
+
+    // basic rate limit of endpoint to prevent send email abuse
+    if (
+      user.lastSigninEmailSentAt &&
+      user.lastSigninEmailSentAt > subMinutes(new Date(), 2)
+    ) {
+      ctx.redirect(`${team.url}?notice=email-auth-ratelimit`);
+      return;
+    }
+
+    // send email to users registered address with a short-lived token
+    mailer.signin({
+      to: user.email,
+      token: user.getEmailSigninToken(),
+      teamUrl: team.url,
+    });
+
+    user.lastSigninEmailSentAt = new Date();
+    await user.save();
+
+    // respond with success regardless of whether an email was sent
+    ctx.redirect(`${team.url}?notice=guest-success`);
+  } else {
+    ctx.redirect(`${process.env.URL}?notice=guest-success`);
+  }
+});
+
+router.get('email.callback', auth({ required: false }), async ctx => {
+  const { token } = ctx.request.query;
+
+  ctx.assertPresent(token, 'token is required');
+
+  try {
+    const user = await getUserForEmailSigninToken(token);
+
+    const team = await Team.findByPk(user.teamId);
+    if (!team.guestSignin) {
+      throw new AuthorizationError();
+    }
+
+    if (!user.service) {
+      user.service = 'email';
+      await user.save();
+    }
+
+    // set cookies on response and redirect to team subdomain
+    ctx.signIn(user, team, 'email', false);
+  } catch (err) {
+    ctx.redirect(`${process.env.URL}?notice=expired-token`);
+  }
+});
+
+export default router;