Merge pull request #322 from FlowFuse/user-role-auth

Include user role in profile object when authenticating

Author: hardillb

lib/auth/adminAuth.js

@@ -11,6 +11,7 @@ module.exports = (options) => {
     const clientID = options.clientID
     const clientSecret = options.clientSecret
     const forgeURL = options.forgeURL
+    const teamID = options.teamID
     const baseURL = new URL(options.baseURL)
     let basePath = baseURL.pathname || ''
     if (basePath.endsWith('/')) {
@@ -20,6 +21,7 @@ module.exports = (options) => {
     const authorizationURL = `${forgeURL}/account/authorize`
     const tokenURL = `${forgeURL}/account/token`
     const userInfoURL = `${forgeURL}/api/v1/user`
+    const userTeamRoleURL = `${forgeURL}/api/v1/teams/${teamID}/user`
 
     const oa = new OAuth2(clientID, clientSecret, '', authorizationURL, tokenURL)
 
@@ -61,6 +63,7 @@ module.exports = (options) => {
                 tokenURL,
                 callbackURL,
                 userInfoURL,
+                userTeamRoleURL,
                 scope: `editor-${version}`,
                 clientID,
                 clientSecret,

lib/auth/httpAuthMiddleware.js

@@ -96,13 +96,15 @@ module.exports = {
         const authorizationURL = `${options.forgeURL}/account/authorize`
         const tokenURL = `${options.forgeURL}/account/token`
         const userInfoURL = `${options.forgeURL}/api/v1/user`
+        const userTeamRoleURL = `${options.forgeURL}/api/v1/teams/${options.teamID}/user`
         const version = require('../../package.json').version
 
         passport.use('FlowFuse', new Strategy({
             authorizationURL,
             tokenURL,
             callbackURL,
             userInfoURL,
+            userTeamRoleURL,
             scope: `httpAuth-${version}`,
             clientID: options.clientID,
             clientSecret: options.clientSecret,

lib/auth/strategy.js

@@ -2,6 +2,23 @@ const util = require('util')
 const url = require('url')
 const OAuth2Strategy = require('passport-oauth2')
 
+const Roles = {
+    None: 0,
+    Dashboard: 5,
+    Viewer: 10,
+    Member: 30,
+    Owner: 50,
+    Admin: 99
+}
+const RoleNames = {
+    [Roles.None]: 'none',
+    [Roles.Dashboard]: 'dashboard',
+    [Roles.Viewer]: 'viewer',
+    [Roles.Member]: 'member',
+    [Roles.Owner]: 'owner',
+    [Roles.Admin]: 'admin'
+}
+
 function Strategy (options, verify) {
     this.options = options
     this._base = Object.getPrototypeOf(Strategy.prototype)
@@ -43,25 +60,42 @@ Strategy.prototype.authenticate = function (req, options) {
     return this.__authenticate(req, strategyOptions)
 }
 
-Strategy.prototype.userProfile = function (accessToken, done) {
+Strategy.prototype.sendAPIRequest = function (url, accessToken, done) {
     this._oauth2.useAuthorizationHeaderforGET(true)
-    this._oauth2.get(this.options.userInfoURL, accessToken, (err, body) => {
+    this._oauth2.get(url, accessToken, (err, body) => {
         if (err) {
             return done(err)
         }
         try {
             const json = JSON.parse(body)
-            done(null, {
-                username: json.username,
-                email: json.email,
-                image: json.avatar,
-                name: json.name,
-                userId: json.id
-            })
+            done(null, json)
         } catch (e) {
             done(e)
         }
     })
 }
+Strategy.prototype.userProfile = function (accessToken, done) {
+    this._oauth2.useAuthorizationHeaderforGET(true)
+    this.sendAPIRequest(this.options.userInfoURL, accessToken, (err, userProfile) => {
+        if (err) {
+            console.log('Authentication error:', err)
+            return done(err)
+        }
+        this.sendAPIRequest(this.options.userTeamRoleURL, accessToken, (err, userTeamRole) => {
+            if (err) {
+                console.log('Authentication error:', err)
+                return done(err)
+            }
+            done(null, {
+                username: userProfile.username,
+                email: userProfile.email,
+                image: userProfile.avatar,
+                name: userProfile.name,
+                userId: userProfile.id,
+                role: RoleNames[userTeamRole.role] || ''
+            })
+        })
+    })
+}
 
 module.exports = { Strategy }

lib/runtimeSettings.js

@@ -50,6 +50,7 @@ function getSettingsFile (settings) {
     forgeURL: '${settings.forgeURL}',
     clientID: '${settings.clientID}',
     clientSecret: '${settings.clientSecret}',
+    teamID: '${settings.teamID}',
     projectId: '${settings.projectID}'
 })`
             projectSettings.httpNodeMiddleware = 'httpNodeMiddleware: flowforgeAuthMiddleware,'
@@ -273,6 +274,7 @@ module.exports = {
     adminAuth: require('@flowfuse/nr-launcher/adminAuth')({
         baseURL: '${settings.baseURL}',
         forgeURL: '${settings.forgeURL}',
+        teamID: '${settings.teamID}',
         clientID: '${settings.clientID}',
         clientSecret: '${settings.clientSecret}'
     }),