chore: Migrate authentication to new tables (#1929)

This work provides a foundation for a more pluggable authentication system such as the one outlined in #1317.

closes #1317

server/commands/teamCreator.js

@@ -0,0 +1,95 @@
+// @flow
+import debug from "debug";
+import { Team, AuthenticationProvider } from "../models";
+import { sequelize } from "../sequelize";
+import { generateAvatarUrl } from "../utils/avatars";
+
+const log = debug("server");
+
+type TeamCreatorResult = {|
+  team: Team,
+  authenticationProvider: AuthenticationProvider,
+  isNewTeam: boolean,
+|};
+
+export default async function teamCreator({
+  name,
+  domain,
+  subdomain,
+  avatarUrl,
+  authenticationProvider,
+}: {|
+  name: string,
+  domain?: string,
+  subdomain: string,
+  avatarUrl?: string,
+  authenticationProvider: {|
+    name: string,
+    providerId: string,
+  |},
+|}): Promise<TeamCreatorResult> {
+  const authP = await AuthenticationProvider.findOne({
+    where: authenticationProvider,
+    include: [
+      {
+        model: Team,
+        as: "team",
+        required: true,
+      },
+    ],
+  });
+
+  // This authentication provider already exists which means we have a team and
+  // there is nothing left to do but return the existing credentials
+  if (authP) {
+    return {
+      authenticationProvider: authP,
+      team: authP.team,
+      isNewTeam: false,
+    };
+  }
+
+  // If the service did not provide a logo/avatar then we attempt to generate
+  // one via ClearBit, or fallback to colored initials in worst case scenario
+  if (!avatarUrl) {
+    avatarUrl = await generateAvatarUrl({
+      name,
+      domain,
+      id: subdomain,
+    });
+  }
+
+  // This team has never been seen before, time to create all the new stuff
+  let transaction = await sequelize.transaction();
+  let team;
+  try {
+    team = await Team.create(
+      {
+        name,
+        avatarUrl,
+        authenticationProviders: [authenticationProvider],
+      },
+      {
+        include: "authenticationProviders",
+        transaction,
+      }
+    );
+
+    await transaction.commit();
+  } catch (err) {
+    await transaction.rollback();
+    throw err;
+  }
+
+  try {
+    await team.provisionSubdomain(subdomain);
+  } catch (err) {
+    log(`Provisioning subdomain failed: ${err.message}`);
+  }
+
+  return {
+    team,
+    authenticationProvider: team.authenticationProviders[0],
+    isNewTeam: true,
+  };
+}

server/commands/teamCreator.test.js

@@ -0,0 +1,61 @@
+// @flow
+import { buildTeam } from "../test/factories";
+import { flushdb } from "../test/support";
+import teamCreator from "./teamCreator";
+
+jest.mock("aws-sdk", () => {
+  const mS3 = { putObject: jest.fn().mockReturnThis(), promise: jest.fn() };
+  return {
+    S3: jest.fn(() => mS3),
+    Endpoint: jest.fn(),
+  };
+});
+
+beforeEach(() => flushdb());
+
+describe("teamCreator", () => {
+  it("should create team and authentication provider", async () => {
+    const result = await teamCreator({
+      name: "Test team",
+      subdomain: "example",
+      avatarUrl: "http://example.com/logo.png",
+      authenticationProvider: {
+        name: "google",
+        providerId: "example.com",
+      },
+    });
+
+    const { team, authenticationProvider, isNewTeam } = result;
+
+    expect(authenticationProvider.name).toEqual("google");
+    expect(authenticationProvider.providerId).toEqual("example.com");
+    expect(team.name).toEqual("Test team");
+    expect(team.subdomain).toEqual("example");
+    expect(isNewTeam).toEqual(true);
+  });
+
+  it("should return exising team", async () => {
+    const authenticationProvider = {
+      name: "google",
+      providerId: "example.com",
+    };
+
+    const existing = await buildTeam({
+      subdomain: "example",
+      authenticationProviders: [authenticationProvider],
+    });
+
+    const result = await teamCreator({
+      name: "Updated name",
+      subdomain: "example",
+      authenticationProvider,
+    });
+
+    const { team, isNewTeam } = result;
+
+    expect(team.id).toEqual(existing.id);
+    expect(team.name).toEqual(existing.name);
+    expect(team.subdomain).toEqual("example");
+    expect(isNewTeam).toEqual(false);
+  });
+});

server/commands/userCreator.js

@@ -0,0 +1,151 @@
+// @flow
+import Sequelize from "sequelize";
+import { Event, User, UserAuthentication } from "../models";
+import { sequelize } from "../sequelize";
+
+const Op = Sequelize.Op;
+
+type UserCreatorResult = {|
+  user: User,
+  isNewUser: boolean,
+  authentication: UserAuthentication,
+|};
+
+export default async function userCreator({
+  name,
+  email,
+  isAdmin,
+  avatarUrl,
+  teamId,
+  authentication,
+  ip,
+}: {|
+  name: string,
+  email: string,
+  isAdmin?: boolean,
+  avatarUrl?: string,
+  teamId: string,
+  ip: string,
+  authentication: {|
+    authenticationProviderId: string,
+    providerId: string,
+    scopes: string[],
+    accessToken?: string,
+    refreshToken?: string,
+  |},
+|}): Promise<UserCreatorResult> {
+  const { authenticationProviderId, providerId, ...rest } = authentication;
+  const auth = await UserAuthentication.findOne({
+    where: {
+      authenticationProviderId,
+      providerId,
+    },
+    include: [
+      {
+        model: User,
+        as: "user",
+      },
+    ],
+  });
+
+  // Someone has signed in with this authentication before, we just
+  // want to update the details instead of creating a new record
+  if (auth) {
+    const { user } = auth;
+
+    await user.update({ email });
+    await auth.update(rest);
+
+    return { user, authentication: auth, isNewUser: false };
+  }
+
+  // A `user` record might exist in the form of an invite even if there is no
+  // existing authentication record that matches. In Outline an invite is a
+  // shell user record.
+  const invite = await User.findOne({
+    where: {
+      email,
+      teamId,
+      lastActiveAt: {
+        [Op.eq]: null,
+      },
+    },
+    include: [
+      {
+        model: UserAuthentication,
+        as: "authentications",
+        required: false,
+      },
+    ],
+  });
+
+  // We have an existing invite for his user, so we need to update it with our
+  // new details and link up the authentication method
+  if (invite && !invite.authentications.length) {
+    let transaction = await sequelize.transaction();
+    let auth;
+    try {
+      await invite.update(
+        {
+          name,
+          avatarUrl,
+        },
+        { transaction }
+      );
+      auth = await invite.createAuthentication(authentication, {
+        transaction,
+      });
+      await transaction.commit();
+    } catch (err) {
+      await transaction.rollback();
+      throw err;
+    }
+
+    return { user: invite, authentication: auth, isNewUser: false };
+  }
+
+  // No auth, no user – this is an entirely new sign in.
+  let transaction = await sequelize.transaction();
+
+  try {
+    const user = await User.create(
+      {
+        name,
+        email,
+        isAdmin,
+        teamId,
+        avatarUrl,
+        service: null,
+        authentications: [authentication],
+      },
+      {
+        include: "authentications",
+        transaction,
+      }
+    );
+    await Event.create(
+      {
+        name: "users.create",
+        actorId: user.id,
+        userId: user.id,
+        teamId: user.teamId,
+        data: {
+          name: user.name,
+        },
+        ip,
+      },
+      {
+        transaction,
+      }
+    );
+    await transaction.commit();
+    return {
+      user,
+      authentication: user.authentications[0],
+      isNewUser: true,
+    };
+  } catch (err) {
+    await transaction.rollback();
+    throw err;
+  }
+}

server/commands/userCreator.test.js

@@ -0,0 +1,94 @@
+// @flow
+import { buildUser, buildTeam, buildInvite } from "../test/factories";
+import { flushdb } from "../test/support";
+import userCreator from "./userCreator";
+
+beforeEach(() => flushdb());
+
+describe("userCreator", () => {
+  const ip = "127.0.0.1";
+
+  it("should update exising user and authentication", async () => {
+    const existing = await buildUser();
+    const authentications = await existing.getAuthentications();
+    const existingAuth = authentications[0];
+    const newEmail = "test@example.com";
+
+    const result = await userCreator({
+      name: existing.name,
+      email: newEmail,
+      avatarUrl: existing.avatarUrl,
+      teamId: existing.teamId,
+      ip,
+      authentication: {
+        authenticationProviderId: existingAuth.authenticationProviderId,
+        providerId: existingAuth.providerId,
+        accessToken: "123",
+        scopes: ["read"],
+      },
+    });
+
+    const { user, authentication, isNewUser } = result;
+
+    expect(authentication.accessToken).toEqual("123");
+    expect(authentication.scopes.length).toEqual(1);
+    expect(authentication.scopes[0]).toEqual("read");
+    expect(user.email).toEqual(newEmail);
+    expect(isNewUser).toEqual(false);
+  });
+
+  it("should create a new user", async () => {
+    const team = await buildTeam();
+    const authenticationProviders = await team.getAuthenticationProviders();
+    const authenticationProvider = authenticationProviders[0];
+
+    const result = await userCreator({
+      name: "Test Name",
+      email: "test@example.com",
+      teamId: team.id,
+      ip,
+      authentication: {
+        authenticationProviderId: authenticationProvider.id,
+        providerId: "fake-service-id",
+        accessToken: "123",
+        scopes: ["read"],
+      },
+    });
+
+    const { user, authentication, isNewUser } = result;
+
+    expect(authentication.accessToken).toEqual("123");
+    expect(authentication.scopes.length).toEqual(1);
+    expect(authentication.scopes[0]).toEqual("read");
+    expect(user.email).toEqual("test@example.com");
+    expect(isNewUser).toEqual(true);
+  });
+
+  it("should create a user from an invited user", async () => {
+    const team = await buildTeam();
+    const invite = await buildInvite({ teamId: team.id });
+    const authenticationProviders = await team.getAuthenticationProviders();
+    const authenticationProvider = authenticationProviders[0];
+
+    const result = await userCreator({
+      name: invite.name,
+      email: invite.email,
+      teamId: invite.teamId,
+      ip,
+      authentication: {
+        authenticationProviderId: authenticationProvider.id,
+        providerId: "fake-service-id",
+        accessToken: "123",
+        scopes: ["read"],
+      },
+    });
+
+    const { user, authentication, isNewUser } = result;
+
+    expect(authentication.accessToken).toEqual("123");
+    expect(authentication.scopes.length).toEqual(1);
+    expect(authentication.scopes[0]).toEqual("read");
+    expect(user.email).toEqual(invite.email);
+    expect(isNewUser).toEqual(false);
+  });
+});