136 lines
3.7 KiB
JavaScript
136 lines
3.7 KiB
JavaScript
// @flow
|
|
import * as Sentry from "@sentry/node";
|
|
import { OAuth2Client } from "google-auth-library";
|
|
import invariant from "invariant";
|
|
import Router from "koa-router";
|
|
import { capitalize } from "lodash";
|
|
import Sequelize from "sequelize";
|
|
import teamCreator from "../commands/teamCreator";
|
|
import userCreator from "../commands/userCreator";
|
|
import auth from "../middlewares/authentication";
|
|
import { User } from "../models";
|
|
|
|
const router = new Router();
|
|
const client = new OAuth2Client(
|
|
process.env.GOOGLE_CLIENT_ID,
|
|
process.env.GOOGLE_CLIENT_SECRET,
|
|
`${process.env.URL}/auth/google.callback`
|
|
);
|
|
const allowedDomainsEnv = process.env.GOOGLE_ALLOWED_DOMAINS;
|
|
|
|
// start the oauth process and redirect user to Google
|
|
router.get("google", async (ctx) => {
|
|
// Generate the url that will be used for the consent dialog.
|
|
const authorizeUrl = client.generateAuthUrl({
|
|
access_type: "offline",
|
|
scope: [
|
|
"https://www.googleapis.com/auth/userinfo.profile",
|
|
"https://www.googleapis.com/auth/userinfo.email",
|
|
],
|
|
prompt: "select_account consent",
|
|
});
|
|
ctx.redirect(authorizeUrl);
|
|
});
|
|
|
|
// signin callback from Google
|
|
router.get("google.callback", auth({ required: false }), async (ctx) => {
|
|
const { code } = ctx.request.query;
|
|
ctx.assertPresent(code, "code is required");
|
|
const response = await client.getToken(code);
|
|
client.setCredentials(response.tokens);
|
|
|
|
const profile = await client.request({
|
|
url: "https://www.googleapis.com/oauth2/v1/userinfo",
|
|
});
|
|
|
|
if (!profile.data.hd) {
|
|
ctx.redirect("/?notice=google-hd");
|
|
return;
|
|
}
|
|
|
|
// allow all domains by default if the env is not set
|
|
const allowedDomains = allowedDomainsEnv && allowedDomainsEnv.split(",");
|
|
if (allowedDomains && !allowedDomains.includes(profile.data.hd)) {
|
|
ctx.redirect("/?notice=hd-not-allowed");
|
|
return;
|
|
}
|
|
|
|
const domain = profile.data.hd;
|
|
const subdomain = profile.data.hd.split(".")[0];
|
|
const teamName = capitalize(subdomain);
|
|
|
|
let result;
|
|
try {
|
|
result = await teamCreator({
|
|
name: teamName,
|
|
domain,
|
|
subdomain,
|
|
authenticationProvider: {
|
|
name: "google",
|
|
providerId: domain,
|
|
},
|
|
});
|
|
} catch (err) {
|
|
if (err instanceof Sequelize.UniqueConstraintError) {
|
|
ctx.redirect(`/?notice=auth-error&error=team-exists`);
|
|
return;
|
|
}
|
|
}
|
|
|
|
invariant(result, "Team creator result must exist");
|
|
const { team, isNewTeam, authenticationProvider } = result;
|
|
|
|
try {
|
|
const result = await userCreator({
|
|
name: profile.data.name,
|
|
email: profile.data.email,
|
|
isAdmin: isNewTeam,
|
|
avatarUrl: profile.data.picture,
|
|
teamId: team.id,
|
|
ip: ctx.request.ip,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: profile.data.id,
|
|
accessToken: response.tokens.access_token,
|
|
refreshToken: response.tokens.refresh_token,
|
|
scopes: response.tokens.scope.split(" "),
|
|
},
|
|
});
|
|
|
|
const { user, isNewUser } = result;
|
|
|
|
if (isNewTeam) {
|
|
await team.provisionFirstCollection(user.id);
|
|
}
|
|
|
|
// set cookies on response and redirect to team subdomain
|
|
ctx.signIn(user, team, "google", isNewUser);
|
|
} catch (err) {
|
|
if (err instanceof Sequelize.UniqueConstraintError) {
|
|
const exists = await User.findOne({
|
|
where: {
|
|
email: profile.data.email,
|
|
teamId: team.id,
|
|
},
|
|
});
|
|
|
|
if (exists) {
|
|
ctx.redirect(`${team.url}?notice=email-auth-required`);
|
|
} else {
|
|
if (process.env.SENTRY_DSN) {
|
|
Sentry.captureException(err);
|
|
} else {
|
|
console.error(err);
|
|
}
|
|
ctx.redirect(`${team.url}?notice=auth-error`);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
throw err;
|
|
}
|
|
});
|
|
|
|
export default router;
|