Change AAD auth routes to use aad in the URL

Azure · Aug 7, 2024 · c2016f6 · c2016f6
1 parent 309304c
commit c2016f6
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 16 deletions.
diff --git a/src/core/constants.ts b/src/core/constants.ts
@@ -48,7 +48,9 @@ export const SWA_RUNTIME_CONFIG_MAX_SIZE_IN_KB = 20; // 20kb
 export const SWA_AUTH_CONTEXT_COOKIE = `StaticWebAppsAuthContextCookie`;
 export const SWA_AUTH_COOKIE = `StaticWebAppsAuthCookie`;
 export const ALLOWED_HTTP_METHODS_FOR_STATIC_CONTENT = ["GET", "HEAD", "OPTIONS"];
-export const SUPPORTED_CUSTOM_AUTH_PROVIDERS = ["google", "github", "azureActiveDirectory"];
+export const SUPPORTED_CUSTOM_AUTH_PROVIDERS = ["google", "github", "aad"];
+// Full name is required in staticwebapp.config.json's schema so we will normalize it to aad
+export const AAD_FULL_NAME = "azureActiveDirectory";
 
 export const AUTH_STATUS = {
   NoAuth: 0,

diff --git a/src/msha/auth/index.ts b/src/msha/auth/index.ts
@@ -10,13 +10,13 @@ function getAuthPaths(isCustomAuth: boolean): Path[] {
     paths.push({
       method: "GET",
       // only match for providers with custom auth support implemented (github, google, aad)
-      route: /^\/\.auth\/login\/(?<provider>github|google|azureActiveDirectory|dummy)\/callback(\?.*)?$/i,
+      route: /^\/\.auth\/login\/(?<provider>github|google|aad|dummy)\/callback(\?.*)?$/i,
       function: "auth-login-provider-callback",
     });
     paths.push({
       method: "GET",
       // only match for providers with custom auth support implemented (github, google, aad)
-      route: /^\/\.auth\/login\/(?<provider>github|google|azureActiveDirectory|dummy)(\?.*)?$/i,
+      route: /^\/\.auth\/login\/(?<provider>github|google|aad|dummy)(\?.*)?$/i,
       function: "auth-login-provider-custom",
     });
     paths.push({

diff --git a/src/msha/auth/routes/auth-login-provider-callback.ts b/src/msha/auth/routes/auth-login-provider-callback.ts
@@ -4,9 +4,10 @@ import * as querystring from "node:querystring";
 
 import { CookiesManager, decodeAuthContextCookie, validateAuthContextCookie } from "../../../core/utils/cookie.js";
 import { parseUrl, response } from "../../../core/utils/net.js";
-import { SUPPORTED_CUSTOM_AUTH_PROVIDERS, SWA_CLI_API_URI, SWA_CLI_APP_PROTOCOL } from "../../../core/constants.js";
+import { AAD_FULL_NAME, SUPPORTED_CUSTOM_AUTH_PROVIDERS, SWA_CLI_API_URI, SWA_CLI_APP_PROTOCOL } from "../../../core/constants.js";
 import { DEFAULT_CONFIG } from "../../../config.js";
 import { encryptAndSign, hashStateGuid, isNonceExpired } from "../../../core/utils/auth.js";
+import { normalizeAuthProvider } from "./auth-login-provider-custom.js";
 
 const getGithubAuthToken = function (codeValue: string, clientId: string, clientSecret: string) {
   const data = querystring.stringify({
@@ -407,7 +408,7 @@ const getAADAuthToken = function (codeValue: string, clientId: string, clientSec
     client_id: clientId,
     client_secret: clientSecret,
     grant_type: "authorization_code",
-    redirect_uri: `${redirectUri}/.auth/login/azureActiveDirectory/callback`,
+    redirect_uri: `${redirectUri}/.auth/login/aad/callback`,
   });
 
   const options = {
@@ -529,7 +530,7 @@ const getRoles = function (clientPrincipal: RolesSourceFunctionRequestBody, role
 };
 
 const httpTrigger = async function (context: Context, request: http.IncomingMessage, customAuth?: SWAConfigFileAuth) {
-  const providerName = context.bindingData?.provider || "";
+  const providerName = normalizeAuthProvider(context.bindingData?.provider);
 
   if (!SUPPORTED_CUSTOM_AUTH_PROVIDERS.includes(providerName)) {
     context.res = response({
@@ -580,7 +581,8 @@ const httpTrigger = async function (context: Context, request: http.IncomingMess
     return;
   }
 
-  const { clientIdSettingName, clientSecretSettingName, openIdIssuer } = customAuth?.identityProviders?.[providerName]?.registration || {};
+  const { clientIdSettingName, clientSecretSettingName, openIdIssuer } =
+    customAuth?.identityProviders?.[providerName == "aad" ? AAD_FULL_NAME : providerName]?.registration || {};
 
   if (!clientIdSettingName) {
     context.res = response({
@@ -602,7 +604,7 @@ const httpTrigger = async function (context: Context, request: http.IncomingMess
     return;
   }
 
-  if (providerName == "azureActiveDirectory" && !openIdIssuer) {
+  if (providerName == "aad" && !openIdIssuer) {
     context.res = response({
       context,
       status: 400,
@@ -644,7 +646,7 @@ const httpTrigger = async function (context: Context, request: http.IncomingMess
     case "google":
       clientPrincipal = await getGoogleClientPrincipal(codeValue!, clientId, clientSecret);
       break;
-    case "azureActiveDirectory":
+    case "aad":
       clientPrincipal = await getAADClientPrincipal(codeValue!, clientId, clientSecret, openIdIssuer!);
       break;
     default:

diff --git a/src/msha/auth/routes/auth-login-provider-custom.ts b/src/msha/auth/routes/auth-login-provider-custom.ts
@@ -1,14 +1,21 @@
 import { IncomingMessage } from "node:http";
 import { CookiesManager } from "../../../core/utils/cookie.js";
 import { response } from "../../../core/utils/net.js";
-import { SUPPORTED_CUSTOM_AUTH_PROVIDERS, SWA_CLI_APP_PROTOCOL } from "../../../core/constants.js";
+import { AAD_FULL_NAME, SUPPORTED_CUSTOM_AUTH_PROVIDERS, SWA_CLI_APP_PROTOCOL } from "../../../core/constants.js";
 import { DEFAULT_CONFIG } from "../../../config.js";
 import { encryptAndSign, extractPostLoginRedirectUri, hashStateGuid, newNonceWithExpiration } from "../../../core/utils/auth.js";
 
+export const normalizeAuthProvider = (providerName?: string) => {
+  if (providerName === AAD_FULL_NAME) {
+    return "aad";
+  }
+  return providerName?.toLowerCase() || "";
+};
+
 const httpTrigger = async function (context: Context, request: IncomingMessage, customAuth?: SWAConfigFileAuth) {
   await Promise.resolve();
 
-  const providerName: string = context.bindingData?.provider || "";
+  const providerName: string = normalizeAuthProvider(context.bindingData?.provider);
 
   if (!SUPPORTED_CUSTOM_AUTH_PROVIDERS.includes(providerName)) {
     context.res = response({
@@ -20,7 +27,8 @@ const httpTrigger = async function (context: Context, request: IncomingMessage,
     return;
   }
 
-  const clientIdSettingName = customAuth?.identityProviders?.[providerName]?.registration?.clientIdSettingName;
+  const clientIdSettingName =
+    customAuth?.identityProviders?.[providerName == "aad" ? AAD_FULL_NAME : providerName]?.registration?.clientIdSettingName;
 
   if (!clientIdSettingName) {
     context.res = response({
@@ -45,8 +53,8 @@ const httpTrigger = async function (context: Context, request: IncomingMessage,
   }
 
   let aadIssuer;
-  if (providerName == "azureActiveDirectory") {
-    aadIssuer = customAuth?.identityProviders?.[providerName]?.registration?.openIdIssuer;
+  if (providerName == "aad") {
+    aadIssuer = customAuth?.identityProviders?.[AAD_FULL_NAME]?.registration?.openIdIssuer;
 
     if (!aadIssuer) {
       context.res = response({
@@ -81,8 +89,8 @@ const httpTrigger = async function (context: Context, request: IncomingMessage,
     case "github":
       location = `https://github.com/login/oauth/authorize?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}/.auth/login/github/callback&scope=read:user&state=${hashedState}`;
       break;
-    case "azureActiveDirectory":
-      location = `${aadIssuer}/authorize?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}/.auth/login/azureActiveDirectory/callback&scope=openid&state=${hashedState}`;
+    case "aad":
+      location = `${aadIssuer}/authorize?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}/.auth/login/aad/callback&scope=openid&state=${hashedState}`;
       break;
     default:
       break;