Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add serverless fn NUS auth user endpoint #3644

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion website/api/nus/auth/login.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { authenticate } from '../../../src/serverless/nus-auth';
import { authenticate, isCallbackUrlValid } from '../../../src/serverless/nus-auth';
import {
createRouteHandler,
defaultFallback,
Expand All @@ -9,6 +9,7 @@ import {

const errors = {
noRelayState: 'ERR_NO_RELAY_STATE',
invalidRelayState: 'ERR_INVALID_RELAY_STATE',
};

const handlePost: Handler = async (req, res) => {
Expand All @@ -18,6 +19,9 @@ const handlePost: Handler = async (req, res) => {
throw new Error(errors.noRelayState);
}

if (!isCallbackUrlValid(relayState)) {
throw new Error(errors.invalidRelayState);
}
const userURL = new URL(relayState);
userURL.searchParams.append('token', token);

Expand All @@ -27,6 +31,10 @@ const handlePost: Handler = async (req, res) => {
res.json({
message: 'Relay state not found in request',
});
} else if (err.message === errors.invalidRelayState) {
res.json({
message: 'Invalid relay state given. URL must be from a valid domain.',
});
} else {
throw err;
}
Expand Down
11 changes: 10 additions & 1 deletion website/api/nus/auth/sso.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { createLoginURL } from '../../../src/serverless/nus-auth';
import { createLoginURL, isCallbackUrlValid } from '../../../src/serverless/nus-auth';
import {
createRouteHandler,
defaultFallback,
Expand All @@ -9,6 +9,7 @@ import {

const errors = {
noCallbackUrl: 'ERR_NO_REFERER',
invalidCallbackUrl: 'ERR_INVALID_REFERER',
};

function getCallbackUrl(callback: string | string[] | undefined) {
Expand All @@ -24,12 +25,20 @@ const handleGet: Handler = async (req, res) => {
throw new Error(errors.noCallbackUrl);
}

if (!isCallbackUrlValid(callback)) {
throw new Error(errors.invalidCallbackUrl);
}

res.send(createLoginURL(callback));
} catch (err) {
if (err.message === errors.noCallbackUrl) {
res.json({
message: 'Request needs a referer',
});
} else if (err.message === errors.invalidCallbackUrl) {
res.json({
message: 'Invalid referer given. URL must be from a valid domain.',
});
} else {
throw err;
}
Expand Down
19 changes: 19 additions & 0 deletions website/api/nus/auth/user.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
import { authenticate } from '../../../src/serverless/nus-auth';
import {
createRouteHandler,
defaultFallback,
defaultRescue,
Handler,
MethodHandlers,
} from '../../../src/serverless/handler';

const handleGet: Handler = async (req, res) => {
const { user } = await authenticate(req);
res.json(user);
};

const methodHandlers: MethodHandlers = {
GET: handleGet,
};

export default createRouteHandler(methodHandlers, defaultFallback, defaultRescue(true));
25 changes: 25 additions & 0 deletions website/src/serverless/nus-auth.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
noTokenSupplied: 'ERR_NO_TOKEN_SUPPLIED',
};

// Domains allowed as callback URLs
const allowedDomains = ['nusmods.com', 'nuscourses.com', 'modsn.us', 'localhost'];

Check warning on line 19 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L19

Added line #L19 was not covered by tests

export type User = {
accountName: string;
upn: string;
Expand Down Expand Up @@ -45,6 +48,28 @@
return ssoLoginURL.toString();
};

export const isCallbackUrlValid = (callbackUrl: string): boolean => {
try {
const url = new URL(callbackUrl);

Check warning on line 53 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L51-L53

Added lines #L51 - L53 were not covered by tests

const validMatch = allowedDomains.some(

Check warning on line 55 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L55

Added line #L55 was not covered by tests
(allowedDomain) =>
url.hostname.endsWith(`.${allowedDomain}`) || url.hostname === allowedDomain,

Check warning on line 57 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L57

Added line #L57 was not covered by tests
);

if (!validMatch) {

Check warning on line 60 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L60

Added line #L60 was not covered by tests
// eslint-disable-next-line no-console
console.error('Invalid callback URL given by user:', callbackUrl);

Check warning on line 62 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L62

Added line #L62 was not covered by tests
}

return validMatch;

Check warning on line 65 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L65

Added line #L65 was not covered by tests
} catch (error) {
// eslint-disable-next-line no-console
console.error('Invalid callback URL:', error);
return false;

Check warning on line 69 in website/src/serverless/nus-auth.ts

View check run for this annotation

Codecov / codecov/patch

website/src/serverless/nus-auth.ts#L68-L69

Added lines #L68 - L69 were not covered by tests
}
};

export const authenticate = async (req: Request) => {
const tokenProvided = req.headers.authorization || (req.body && req.body.SAMLResponse);
if (!tokenProvided) {
Expand Down