Merge pull request #260 from auth0/samesite

Updates for Samesite Cookies

.gitignore

@@ -12,3 +12,4 @@ build/extension/bundle-size.json
 server/config.json
 scripts/script-settings.json
 coverage
+build/bundle.js

.nvmrc

@@ -0,0 +1 @@
+8

CHANGELOG.md

@@ -1,3 +1,8 @@
+## [2.7.0] - 2020-01-30
+
+- Add support to work under SameSite cookie restrictions.
+- Fix local development environment.
+
 ## [2.6.5] - 2019-05-22
 
 - Group Members page will display "broken" members and allow to remove them.

README.md

@@ -1,30 +1,71 @@
 # Auth0 Authorization Extension
 
-## Running in Production
+This extension provides authorization features for Auth0 focused on RBAC and user group management.
 
-```bash
-npm install
-npm run client:build
-npm run server:prod
-```
+## Status Update
+
+The Authorization Extension is in maintenance mode. We do not plan on adding new features to the extension as we are working to bring features of the extension into the core Auth0 platform. Bug fixes and security patches will still be made.
+
+## Documentation
+
+We provide documentation on how to install and use the Authorization Extension on the [Auth0 docs website](https://auth0.com/docs/extensions/authorization-extension/v2).
+
+#### How does this compare to the core Authorization features in Auth0?
+
+We have RBAC available in Auth0 as a core feature of the platform, rather than requiring the use of this extension. We plan on supporting user groups in the near future as well.
+
+For a detailed summary of the differences between this extension and the core features of the platform, [check this document](https://auth0.com/docs/authorization/concepts/core-vs-extension).
+
+We advise using the core capabilities *rather than the extension* as they are built to meet the high scalability needs of the Auth0 platform.
+
+#### Why do we rely on a fork of `hapi`?
+
+Due to the SameSite cookie changes in browsers, we needed a version of Hapi that supported the changes. The easiest path forward was to fork Hapi and port the changes needed over, as we are relying on an older version of Hapi that is not receiving the updates required to respect SameSite cookies.
+
+## Development Setup
 
-## Running in Development
+**Requires Node 8** - higher versions not yet supported. If you are using `nvm`, simply run `nvm use` inside the directory to switch to the correct version.
 
-Update the configuration file under `./server/config.json`:
+1. Clone this repo.
+2. Run `npm ci`.
 
-```json
+### Create a local config
+
+To run the extension, you'll need a file in `server/config.json` that specifies how the extension interacts with Auth0. Here is a sample for running the extension with a production tenant:
+
+```
 {
-	"AUTHORIZE_API_KEY": "mysecret",
-	"EXTENSION_SECRET": "mysecret",
-	"AUTH0_DOMAIN": "me.auth0.com",
-	"AUTH0_CLIENT_ID": "myclientid",
-	"AUTH0_CLIENT_SECRET": "myclientsecret"
+	"AUTH0_DOMAIN": "mytenant.auth0.com",
+	"AUTH0_CLIENT_ID": "qwerty123",
+	"AUTH0_CLIENT_SECRET": "longer-secret-value",
+	"EXTENSION_CLIENT_ID": "abcd123",
+	"EXTENSION_SECRET": "longer-secret-value",
+	"WT_URL": "http://localhost:3000",
+	"PUBLIC_WT_URL": "http://localhost:3000",
+	"AUTH0_RTA": "https://auth0.auth0.com"
 }
 ```
 
-Then you can run the extension:
+Copy this config into the file created at `server/config.json` and modify the following values:
 
-```bash
-npm install
-npm run serve:dev
-```
+1. Set your tenant name in the `AUTH0_DOMAIN` option.
+2. Create a client in that tenant. This client should be an SPA (Single Page App).
+3. Enter the client ID and client secret as both the `AUTH0_CLIENT_ID/_SECRET` as well as the `EXTENSION_CLIENT_ID/_SECRET`.
+
+## Running in production mode
+
+1. Build the client: `npm run build`.
+2. Ensure `ngrok` is installed globally (`npm i -g ngrok`).
+3. Start a local ngrok server on port 3000 (`ngrok http 3000`).
+4. Open `server/config.json` and enter the HTTPS ngrok URL into the `WT_URL` and `PUBLIC_WT_URL` options.
+5. Start the server in production mode with `npm run serve:prod`.
+
+You can then open the ngrok URL to use the extension.
+
+## Running in development mode
+
+Run `npm run serve:dev`. Please note that the development mode works only in Chrome.
+
+## Running tests
+
+Run tests with `npm test`.

build/webpack/server.js

@@ -17,15 +17,15 @@ logger.error = function error() {
 };
 
 const options = {
-  publicPath: 'http://localhost:3000/app/',
+  publicPath: 'http://localhost:3001/app/',
   hot: true,
   inline: true,
   historyApiFallback: true,
   proxy: [
     {
       context: () => true,
       target: {
-        port: 3001
+        port: 3000
       }
     }
   ],
@@ -44,12 +44,12 @@ const options = {
 };
 
 new WebpackDevServer(webpack(config), options)
-  .listen(3000, 'localhost',
+  .listen(3001, 'localhost',
     (err) => {
       if (err) {
         logger.error(err);
       } else {
-        logger.info('Webpack proxy listening on: http://localhost:3000');
+        logger.info('Webpack proxy listening on: http://localhost:3001');
 
         // Start the actual webserver.
         require('../../index');

gulpfile.js

@@ -6,37 +6,33 @@ const open = require('open');
 const ngrok = require('ngrok');
 const nodemon = require('gulp-nodemon');
 
-gulp.task('run', () => {
-  ngrok.connect(3000, (ngrokError, url) => {
-    if (ngrokError) {
-      throw ngrokError;
-    }
+gulp.task('run', async () => {
+  const url = await ngrok.connect(3001);
 
-    nodemon({
-      script: './build/webpack/server.js',
-      ext: 'js json',
-      env: {
-        EXTENSION_SECRET: 'a-random-secret',
-        AUTH0_RTA: 'https://auth0.auth0.com',
-        NODE_ENV: 'development',
-        WT_URL: url,
-        PUBLIC_WT_URL: url
-      },
-      ignore: [
-        'assets/app/',
-        'build/webpack',
-        'server/data.json',
-        'client/',
-        'dist/',
-        'tests/',
-        'node_modules/'
-      ]
-    });
-
-    setTimeout(() => {
-      const publicUrl = `${url.replace('https://', 'http://')}/login`;
-      open(publicUrl);
-      util.log('Public Url:', publicUrl);
-    }, 4000);
+  nodemon({
+    script: './build/webpack/server.js',
+    ext: 'js json',
+    env: {
+      EXTENSION_SECRET: 'a-random-secret',
+      AUTH0_RTA: 'https://auth0.auth0.com',
+      NODE_ENV: 'development',
+      WT_URL: url,
+      PUBLIC_WT_URL: url
+    },
+    ignore: [
+      'assets/app/',
+      'build/webpack',
+      'server/data.json',
+      'client/',
+      'dist/',
+      'tests/',
+      'node_modules/'
+    ]
   });
+
+  setTimeout(() => {
+    const publicUrl = `${url}/login`;
+    open(publicUrl);
+    util.log('Public Url:', publicUrl);
+  }, 4000);
 });

index.js

@@ -1,7 +1,5 @@
 const path = require('path');
 const nconf = require('nconf');
-const url = require('url');
-const tools = require('auth0-extension-hapi-tools');
 
 const logger = require('./server/lib/logger');
 
@@ -27,18 +25,6 @@ nconf
     LOG_COLOR: true
   });
 
-
-if (process.env.NODE_ENV !== 'production') {
-  tools.urlHelpers.getBaseUrl = (req) => {
-    const originalUrl = url.parse(req.originalUrl || '').pathname || '';
-    return url.format({
-      protocol: 'http',
-      host: req.headers.host,
-      pathname: originalUrl.replace(req.path, '').replace(/\/$/g, '')
-    });
-  };
-}
-
 // Start the server.
 return require('./server/init')((key) => nconf.get(key), null, (err, hapi) => {
   if (err) {