huanld/speckle-server
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
bde148f2864f59731ae0aa2a8ede25d0a348b9f8
speckle-server/packages/server/modules/auth/strategies/google.ts
T
Kristaps Fabians Geikins bde148f286 chore(server): migrating fully to ESM (#5042) 
* wip

* some extra fixes

* stuff kinda works?

* need to figure out mocks

* need to figure out mocks

* fix db listener

* gqlgen fix

* minor gqlgen watch adjustment

* lint fixes

* delete old codegen file

* converting migrations to ESM

* getModuleDIrectory

* vitest sort of works

* added back ts-vitest

* resolve gql double load

* fixing test timeout configs

* TSC lint fix

* fix automate tests

* moar debugging

* debugging

* more debugging

* codegen update

* server works

* yargs migrated

* chore(server): getting rid of global mocks for Server ESM (#5046)

* got rid of email mock

* got rid of comment mocks

* got rid of multi region mocks

* got rid of stripe mock

* admin override mock updated

* removed final mock

* fixing import.meta.resolve calls

* another import.meta.resolve fix

* added requested test

* nyc ESM fix

* removed unneeded deps + linting

* yarn lock forgot to commit

* tryna fix flakyness

* email capture util fix

* sendEmail fix

* fix TSX check

* sender transporter fix + CR comments

* merge main fix

* test fixx

* circleci fix

* gqlgen bigint fix

* error formatter fix

* more error formatting improvements

* esmloader added to Dockerfile

* more dockerfile fixes

* bg jobs fix
2025-07-14 10:26:19 +03:00

216 lines
7.7 KiB
TypeScript
Raw Blame History

/* istanbul ignore file */
import passport from 'passport'
import { Strategy as GoogleStrategy } from 'passport-google-oauth20'
import {
UserInputError,
UnverifiedEmailSSOLoginError
} from '@/modules/core/errors/userinput'
import { ServerInviteResourceType } from '@/modules/serverinvites/domain/constants'
import { getResourceTypeRole } from '@/modules/serverinvites/helpers/core'
import { AuthStrategyMetadata, AuthStrategyBuilder } from '@/modules/auth/helpers/types'
import {
getGoogleClientId,
getGoogleClientSecret
} from '@/modules/shared/helpers/envHelper'
import { ensureError, Optional } from '@speckle/shared'
import { ServerInviteRecord } from '@/modules/serverinvites/domain/types'
import {
FinalizeInvitedServerRegistration,
ResolveAuthRedirectPath,
ValidateServerInvite
} from '@/modules/serverinvites/services/operations'
import { PassportAuthenticateHandlerBuilder } from '@/modules/auth/domain/operations'
import {
FindOrCreateValidatedUser,
LegacyGetUserByEmail
} from '@/modules/core/domain/users/operations'
import { GetServerInfo } from '@/modules/core/domain/server/operations'
import { EnvironmentResourceError } from '@/modules/shared/errors'
import { ExpectedAuthFailure } from '@/modules/auth/domain/const'
import { ServerNoAccessError } from '@speckle/shared/authz'
const googleStrategyBuilderFactory =
(deps: {
getServerInfo: GetServerInfo
getUserByEmail: LegacyGetUserByEmail
findOrCreateUser: FindOrCreateValidatedUser
validateServerInvite: ValidateServerInvite
finalizeInvitedServerRegistration: FinalizeInvitedServerRegistration
resolveAuthRedirectPath: ResolveAuthRedirectPath
passportAuthenticateHandlerBuilder: PassportAuthenticateHandlerBuilder
}): AuthStrategyBuilder =>
async (
app,
sessionMiddleware,
moveAuthParamsToSessionMiddleware,
finalizeAuthMiddleware
) => {
const strategy: AuthStrategyMetadata & { callbackUrl: string } = {
id: 'google',
name: 'Google',
icon: 'mdi-google',
color: 'red darken-3',
url: '/auth/goog',
callbackUrl: '/auth/goog/callback'
}
const myStrategy = new GoogleStrategy(
{
clientID: getGoogleClientId(),
clientSecret: getGoogleClientSecret(),
callbackURL: strategy.callbackUrl,
scope: ['profile', 'email'],
passReqToCallback: true
},
async (req, _accessToken, _refreshToken, profile, done) => {
const serverInfo = await deps.getServerInfo()
const logger = req.log.child({
authStrategy: 'google',
profileId: profile.id,
serverVersion: serverInfo.version
})
try {
// seems very weird that the Google strategy is not parsing 'error' query params
// and generating a thrown error for us, but here we are.
if ('error' in req.query) {
switch (req.query.error) {
case 'access_denied':
logger.info('User was denied access by Google')
return done(null, false, {
message: 'Access to Google account denied by Google',
failureType: ExpectedAuthFailure.UserInputError
})
default:
const errMessage = `Unexpected error from Google strategy: ${req.query.error}`
logger.error(errMessage)
return done(new ServerNoAccessError(errMessage), false, {
message: errMessage
})
}
}
const email = profile.emails?.[0].value
if (!email) {
throw new EnvironmentResourceError('No email provided by Google')
}
const name = profile.displayName
const user = { email, name, avatar: profile._json.picture }
const existingUser = await deps.getUserByEmail({ email: user.email })
if (existingUser && !existingUser.verified) {
throw new UnverifiedEmailSSOLoginError(undefined, {
info: {
email: user.email
}
})
}
// if there is an existing user, go ahead and log them in (regardless of
// whether the server is invite only or not).
if (existingUser) {
const myUser = await deps.findOrCreateUser({ user })
return done(null, myUser)
}
// if the server is invite only and we have no invite id, throw.
if (serverInfo.inviteOnly && !req.session.token) {
throw new UserInputError(
'This server is invite only. The invite link may have expired or the invite may have been revoked. Please authenticate yourself through a valid invite link.'
)
}
// validate the invite, if any
let invite: Optional<ServerInviteRecord> = undefined
if (req.session.token) {
invite = await deps.validateServerInvite(user.email, req.session.token)
}
// create the user
const myUser = await deps.findOrCreateUser({
user: {
...user,
role: invite
? getResourceTypeRole(invite.resource, ServerInviteResourceType)
: undefined,
verified: !!invite,
signUpContext: {
req,
isInvite: !!invite,
newsletterConsent: !!req.session.newsletterConsent
}
}
})
// use the invite
await deps.finalizeInvitedServerRegistration(user.email, myUser.id)
// Resolve redirect path
req.authRedirectPath = deps.resolveAuthRedirectPath(invite)
// return to the auth flow
return done(null, {
...myUser,
isInvite: !!invite
})
} catch (err) {
const e = ensureError(
err,
'Unexpected issue occured while authenticating with Google'
)
switch (e.constructor.name) {
case ExpectedAuthFailure.UserInputError:
case ExpectedAuthFailure.InviteNotFoundError:
logger.info({ err: e }, 'Auth error for Google strategy')
// note; passportjs suggests err should be null for user input errors.
// We also need to pass the error type in the info parameter
// so `passportAuthenticationCallbackFactory` can handle redirects appropriately
return done(null, false, {
message: e.message,
failureType: e.constructor.name as ExpectedAuthFailure
})
case ExpectedAuthFailure.UnverifiedEmailSSOLoginError:
logger.info({ err: e }, 'Auth error for Google strategy')
// note; passportjs suggests err should be null for user input errors.
// We also need to pass the error type in the info parameter
// so `passportAuthenticationCallbackFactory` can handle redirects appropriately
return done(null, false, {
message: e.message,
failureType: e.constructor.name as ExpectedAuthFailure,
email: (e as UnverifiedEmailSSOLoginError).info().email
})
default:
logger.error({ err: e }, 'Auth error for Google strategy')
return done(e, false, { message: e.message })
}
}
}
)
passport.use(myStrategy)
// 1. Init Auth
app.get(
strategy.url,
sessionMiddleware,
moveAuthParamsToSessionMiddleware,
deps.passportAuthenticateHandlerBuilder('google')
)
// 2. Auth callback
app.get(
strategy.callbackUrl,
sessionMiddleware,
deps.passportAuthenticateHandlerBuilder('google'),
finalizeAuthMiddleware
)
return strategy
}
export default googleStrategyBuilderFactory
Reference in New Issue View Git Blame Copy Permalink