[server/iam/oidc] find/create User in OIDC flows

Author: AlexTugarev

components/server/src/iam/iam-oidc-create-session-payload.ts

@@ -0,0 +1,61 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+export namespace OIDCCreateSessionPayload {
+    export function is(payload: any): payload is OIDCCreateSessionPayload {
+        return (
+            typeof payload === "object" &&
+            "idToken" in payload &&
+            "claims" in payload &&
+            "iss" in payload.claims &&
+            "sub" in payload.claims &&
+            "name" in payload.claims &&
+            "email" in payload.claims
+        );
+    }
+
+    export function validate(payload: OIDCCreateSessionPayload) {
+        if (isEmpty(payload.claims.iss)) {
+            throw new Error("Issuer is missing");
+        }
+        if (isEmpty(payload.claims.sub)) {
+            throw new Error("Subject is missing");
+        }
+        if (isEmpty(payload.claims.name)) {
+            throw new Error("Name is missing");
+        }
+        if (isEmpty(payload.claims.email)) {
+            throw new Error("Email is missing");
+        }
+    }
+
+    function isEmpty(attribute: any) {
+        return typeof attribute !== "string" || attribute.length < 1;
+    }
+}
+
+export interface OIDCCreateSessionPayload {
+    idToken: {
+        Issuer: string; // "https://accounts.google.com",
+        Audience: string[];
+        Subject: string; // "1234567890",
+        Expiry: string; // "2023-01-10T12:00:00Z",
+        IssuedAt: string; // "2023-01-01T12:00:00Z",
+    };
+    claims: {
+        aud: string;
+        email: string;
+        email_verified: true;
+        family_name: string;
+        given_name: string;
+        hd?: string; // accepted domain, e.g. "gitpod.io"
+        iss: string; // "https://accounts.google.com"
+        locale: string; // e.g. "de"
+        name: string;
+        picture: string; // URL of avatar
+        sub: string; // "1234567890"
+    };
+}

components/server/src/iam/iam-session-app.spec.ts

@@ -18,6 +18,7 @@ import * as session from "express-session";
 import * as request from "supertest";
 
 import * as chai from "chai";
+import { OIDCCreateSessionPayload } from "./iam-oidc-create-session-payload";
 const expect = chai.expect;
 
 @suite(timeout(10000))
@@ -27,6 +28,38 @@ class TestIamSessionApp {
 
     protected cookieName = "test-session-name";
 
+    protected knownSub = "111";
+
+    protected userServiceMock: Partial<UserService> = {
+        createUser: (params) => {
+            return { id: "id-new-user" } as any;
+        },
+
+        findUserForLogin: (params) => {
+            if (params.candidate?.authId === this.knownSub) {
+                return { id: "id-known-user" } as any;
+            }
+            return undefined;
+        },
+    };
+
+    protected payload: OIDCCreateSessionPayload = {
+        idToken: {} as any,
+        claims: {
+            aud: "1234",
+            email: "[email protected]",
+            email_verified: true,
+            family_name: "User",
+            given_name: "Test",
+            iss: "https://accounts.get.net",
+            locale: "de",
+            name: "Test User",
+            picture: "https://cdn.get.net/users/abc23",
+            sub: "1234567890",
+            hd: "test.net",
+        },
+    };
+
     public before() {
         const container = new Container();
         container.load(
@@ -35,11 +68,7 @@ class TestIamSessionApp {
                 bind(IamSessionApp).toSelf().inSingletonScope();
                 bind(Authenticator).toConstantValue(<any>{}); // unused
                 bind(Config).toConstantValue(<any>{}); // unused
-                bind(UserService).toConstantValue(<any>{
-                    createUser: () => ({
-                        id: "C0FFEE",
-                    }),
-                });
+                bind(UserService).toConstantValue(this.userServiceMock as any);
             }),
         );
         this.app = container.get(IamSessionApp);
@@ -72,22 +101,56 @@ class TestIamSessionApp {
         await request(this.app.create())
             .post("/session")
             .set("Content-Type", "application/json")
-            .send(JSON.stringify(this.idToken));
+            .send(JSON.stringify(this.payload));
 
         expect(count, "sessions added").to.equal(1);
     }
 
-    @test public async testSessionRequestResponsesWithSetCookie() {
+    @test public async testSessionRequestResponsesWithSetCookie_createUser() {
         const result = await request(this.app.create())
             .post("/session")
             .set("Content-Type", "application/json")
-            .send(JSON.stringify(this.idToken));
+            .send(JSON.stringify(this.payload));
 
-        expect(result.statusCode).to.equal(200);
+        expect(result.statusCode, JSON.stringify(result.body)).to.equal(200);
+        expect(result.body?.userId).to.equal("id-new-user");
         expect(JSON.stringify(result.get("Set-Cookie"))).to.contain(this.cookieName);
     }
 
-    idToken = {};
+    @test public async testSessionRequestResponsesWithSetCookie_knownUser() {
+        const payload = { ...this.payload };
+        payload.claims.sub = this.knownSub;
+        const result = await request(this.app.create())
+            .post("/session")
+            .set("Content-Type", "application/json")
+            .send(JSON.stringify(payload));
+
+        expect(result.statusCode, JSON.stringify(result.body)).to.equal(200);
+        expect(result.body?.userId).to.equal("id-known-user");
+        expect(JSON.stringify(result.get("Set-Cookie"))).to.contain(this.cookieName);
+    }
+
+    @test public async testInvalidPayload() {
+        const cases = [
+            { claims: { sub: "" }, expectedMessage: "Subject is missing" },
+            { claims: { iss: "" }, expectedMessage: "Issuer is missing" },
+            { claims: { email: "" }, expectedMessage: "Email is missing" },
+            { claims: { name: "" }, expectedMessage: "Name is missing" },
+        ];
+        for (const c of cases) {
+            const payload = { ...this.payload };
+            payload.claims = { ...payload.claims, ...c.claims };
+
+            const sr = request(this.app.create());
+            const result = await sr
+                .post("/session")
+                .set("Content-Type", "application/json")
+                .send(JSON.stringify(payload));
+
+            expect(result.statusCode, JSON.stringify(result.body)).to.equal(400);
+            expect(result.body?.message).to.equal(c.expectedMessage);
+        }
+    }
 }
 
 module.exports = new TestIamSessionApp();

components/server/src/iam/iam-session-app.ts

@@ -9,6 +9,7 @@ import * as express from "express";
 import { SessionHandlerProvider } from "../session-handler";
 import { Authenticator } from "../auth/authenticator";
 import { UserService } from "../user/user-service";
+import { OIDCCreateSessionPayload } from "./iam-oidc-create-session-payload";
 
 @injectable()
 export class IamSessionApp {
@@ -31,34 +32,46 @@ export class IamSessionApp {
 
         app.post("/session", async (req: express.Request, res: express.Response) => {
             try {
-                await this.doCreateSession(req);
-                res.status(200).json();
+                const result = await this.doCreateSession(req);
+                res.status(200).json(result);
             } catch (error) {
-                res.status(500).json({ error, message: error.message });
+                // we treat all errors as bad request here and forward the error message to the caller
+                res.status(400).json({ error, message: error.message });
             }
         });
 
         return app;
     }
 
     protected async doCreateSession(req: express.Request) {
-        // We need an account to sign in, which is done by calling `req.login` below.
-        // As proper account creation/selection will be added in later on, we're creating a
-        // dummy account on each attempt.
-        //
-        const user = await this.userService.createUser({
-            identity: {
-                authId: "fake-id-" + Date.now(),
-                authName: "FakeUser",
-                authProviderId: "oidc1",
-                primaryEmail: "[email protected]",
-            },
-            userUpdate: (user) => {
-                user.name = "FakeUser";
-                user.fullName = "Fake User";
-                user.avatarUrl = "https://github.com/github.png";
+        if (!OIDCCreateSessionPayload.is(req.body)) {
+            throw new Error("Unexpected payload.");
+        }
+        const payload = req.body;
+        OIDCCreateSessionPayload.validate(payload);
+        const claims = payload.claims;
+
+        const existingUser = await this.userService.findUserForLogin({
+            candidate: {
+                authId: claims.sub,
+                authProviderId: claims.iss,
+                authName: claims.name,
             },
         });
+        const user =
+            existingUser ||
+            (await this.userService.createUser({
+                identity: {
+                    authId: claims.sub,
+                    authProviderId: claims.iss,
+                    authName: claims.name,
+                    primaryEmail: claims.email,
+                },
+                userUpdate: (user) => {
+                    user.name = claims.name;
+                    user.avatarUrl = claims.picture;
+                },
+            }));
 
         await new Promise<void>((resolve, reject) => {
             req.login(user, (err) => {
@@ -69,5 +82,9 @@ export class IamSessionApp {
                 }
             });
         });
+        return {
+            sessionId: req.sessionID,
+            userId: user.id,
+        };
     }
 }