From 5aeeddba17dabcc1e97317e44e3e7e4a9b261549 Mon Sep 17 00:00:00 2001
From: Brutus5000
Date: Sun, 19 Sep 2021 20:17:58 +0200
Subject: [PATCH] Migrate login to OpenID Connect / Ory Hydra
---
 .env.example | 1 +
 express.js | 47 +++++++++++++++++++++++++---------------------
 package.json | 2 +-
 yarn.lock | 52 +++++++++++++++++++++++++++++++++------------------
 4 files changed, 60 insertions(+), 42 deletions(-)
diff --git a/.env.example b/.env.example
index 97826149..515b8b53 100755
--- a/.env.example
+++ b/.env.example
@@ -8,6 +8,7 @@ CHALLONGE_USERNAME=joe
 CHALLONGE_APIKEY=12345
 PORT=3000
 API_URL=http://localhost:8010
+OAUTH_URL=https://hydra.test.faforever.com
 OAUTH_CLIENT_ID=faf-website
 OAUTH_CLIENT_SECRET=banana
 HOST=http://localhost:3000
diff --git a/express.js b/express.js
index f92e9cc1..264bd3d7 100644
--- a/express.js
+++ b/express.js
@@ -8,7 +8,7 @@ let middleware = require('./routes/middleware');
 let bodyParser = require('body-parser');
 let passport = require('passport');
-let OAuth2Strategy = require('passport-oauth2');
+let OidcStrategy = require('passport-openidconnect');
 const cors = require('cors');
 const showdown = require('showdown');
@@ -25,6 +25,7 @@ process.env.WP_NEWSHUBARCHIVE_CATEGORYID = process.env.WP_NEWSHUBARCHIVE_CATEGOR
 process.env.CHALLONGE_USERNAME = process.env.CHALLONGE_USERNAME || 'joe';
 process.env.CHALLONGE_APIKEY = process.env.CHALLONGE_APIKEY || '12345';
 process.env.PORT = process.env.PORT || '4000';
+process.env.OAUTH_URL = process.env.OAUTH_URL || 'https://hydra.test.faforever.com';
 process.env.API_URL = process.env.API_URL || 'https://api.test.faforever.com';
 process.env.OAUTH_CLIENT_ID = process.env.OAUTH_CLIENT_ID || '12345';
 process.env.OAUTH_CLIENT_SECRET = process.env.OAUTH_CLIENT_SECRET || '12345';
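Review bot: The new `process.env.OAUTH_URL` fallback in the `@@ -25,6 +25,7 @@` hunk of express.js points any deployment that forgot to set the variable at the public test Hydra instance, so a misconfigured production host would silently send its users to the wrong identity provider instead of refusing to start. It follows the existing `API_URL` pattern on the neighbouring lines, so this may be deliberate, but an issuer URL is more sensitive than an API base URL; consider failing fast instead: `if (!process.env.OAUTH_URL) { throw new Error('OAUTH_URL must be set'); }`. The same value in .env.example is fine as a sample.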
@@ -208,27 +209,29 @@ app.get('/login', passport.authenticate('faforever', {
 res.redirect('/');
 });
-passport.use('faforever', new OAuth2Strategy({
- tokenURL: process.env.API_URL + '/oauth/token',
- authorizationURL: process.env.API_URL + '/oauth/authorize',
- clientID: process.env.OAUTH_CLIENT_ID,
- clientSecret: process.env.OAUTH_CLIENT_SECRET,
- callbackURL: process.env.HOST + '/callback',
- scope: ['write_account_data', 'public_profile']
- },
- function (accessToken, refreshToken, profile, done) {
- let request = require('request');
- request.get(
- {url: process.env.API_URL + '/me', headers: {'Authorization': 'Bearer ' + accessToken}},
- function (e, r, body) {
- if (r.statusCode != 200) {
- return done(null);
- }
- let user = JSON.parse(body);
- user.data.attributes.token = accessToken;
- user.data.id = user.data.attributes.userId;
- return done(null, user);
- }
+passport.use('faforever', new OidcStrategy({
+ issuer: process.env.OAUTH_URL + '/',
+ tokenURL: process.env.OAUTH_URL + '/oauth2/token',
+ authorizationURL: process.env.OAUTH_URL + '/oauth2/auth',
+ userInfoURL: process.env.OAUTH_URL + '/userinfo?schema=openid',
+ clientID: process.env.OAUTH_CLIENT_ID,
+ clientSecret: process.env.OAUTH_CLIENT_SECRET,
+ callbackURL: process.env.HOST + '/callback',
+ scope: ['openid', 'public_profile', 'write_account_data']
+ },
+ function (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, verified) {
+ let request = require('request');
+ request.get(
+ {url: process.env.API_URL + '/me', headers: {'Authorization': 'Bearer ' + accessToken}},
+ function (e, r, body) {
+ if (r.statusCode !== 200) {
+ return verified(null);
+ }
+ let user = JSON.parse(body);
+ user.data.attributes.token = accessToken;
+ user.data.id = user.data.attributes.userId;
+ return verified(null, user);
+ }
 );
 }
 ));
diff --git a/package.json b/package.json
index 9cc8326a..7c4db88a 100644
--- a/package.json
+++ b/package.json
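Review bot: In the `request.get` callback of the new verify function, `r.statusCode` is read before `e` is checked, so a transport error (connection refused, timeout) leaves `r` undefined and throws a TypeError inside the callback instead of reaching `verified`; the same applies to `JSON.parse(body)` on a 200 reply whose body is not JSON. The old code had the same gap, but these lines were rewritten here, so it is worth closing now, and passing `false` as the user on a non-200 reply follows passport's documented failure convention more clearly than `verified(null)`. Note also that `sub`, `profile` and `jwtClaims` supplied by the OIDC strategy are unused and the identity comes entirely from `/me` authorized by the access token; that is presumably intended because `/me` is the account source of truth — confirm, and document it with a one-line comment above the function. The `app.get('/login', …)` handler whose closing lines open this hunk starts outside it.
```javascript
      // … unchanged: OidcStrategy options and the request.get({url: …, headers: …}, …) call …
      function (e, r, body) {
        // A transport error arrives in `e` with no response object, so test it first.
        if (e) {
          return verified(e);
        }
        if (r.statusCode !== 200) {
          return verified(null, false);
        }
        let user;
        try {
          user = JSON.parse(body);
        } catch (parseError) {
          return verified(parseError);
        }
        user.data.attributes.token = accessToken;
        user.data.id = user.data.attributes.userId;
        return verified(null, user);
      }
```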
@@ -27,7 +27,7 @@
 "moment": "2.29.1",
 "moment-timezone": "0.5.33",
 "passport": "0.4.1",
- "passport-oauth2": "1.6.0",
+ "passport-openidconnect": "^0.0.2",
 "pug": "3.0.2",
 "request": "2.88.2",
 "showdown": "1.9.1",
diff --git a/yarn.lock b/yarn.lock
index 8c61fb53..e5b2519f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -348,11 +348,6 @@ balanced-match@^1.0.0:
 resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee"
 integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==
-base64url@3.x.x:
- version "3.0.1"
- resolved "https://registry.yarnpkg.com/base64url/-/base64url-3.0.1.tgz#6399d572e2bc3f90a9a8b22d5dbb0a32d33f788d"
- integrity sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A==
-
 base@^0.11.1:
 version "0.11.2"
 resolved "https://registry.yarnpkg.com/base/-/base-0.11.2.tgz#7bde5ced145b6d551a90db87f83c558b4eb48a8f"
@@ -3525,16 +3520,15 @@ pascalcase@^0.1.1:
 resolved "https://registry.yarnpkg.com/pascalcase/-/pascalcase-0.1.1.tgz#b363e55e8006ca6fe21784d2db22bd15d7917f14"
 integrity sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=
-passport-oauth2@1.6.0:
- version "1.6.0"
- resolved "https://registry.yarnpkg.com/passport-oauth2/-/passport-oauth2-1.6.0.tgz#5f599735e0ea40ea3027643785f81a3a9b4feb50"
- integrity sha512-emXPLqLcVEcLFR/QvQXZcwLmfK8e9CqvMgmOFJxcNT3okSFMtUbRRKpY20x5euD+01uHsjjCa07DYboEeLXYiw==
+passport-openidconnect@^0.0.2:
+ version "0.0.2"
+ resolved "https://registry.yarnpkg.com/passport-openidconnect/-/passport-openidconnect-0.0.2.tgz#e488f8bdb386c9a9fd39c91d5ab8c880156e8153"
+ integrity sha1-5Ij4vbOGyan9OckdWrjIgBVugVM=
 dependencies:
- base64url "3.x.x"
 oauth "0.9.x"
 passport-strategy "1.x.x"
- uid2 "0.0.x"
- utils-merge "1.x.x"
+ request "^2.75.0"
+ webfinger "0.4.x"
 passport-strategy@1.x.x:
 version "1.0.0"
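Review bot: `"passport-openidconnect": "^0.0.2"` is effectively an exact pin — a caret on a 0.0.x version permits no updates at all — so the caret suggests a flexibility that is not there and breaks the exact-pin style of `passport`, `pug` and `request` on the neighbouring lines; write `"passport-openidconnect": "0.0.2"` to match. The yarn.lock hunk in this patch resolves it to 0.0.2 with a sha1-only integrity hash, which suggests an old publish, so whether that release validates the ID token and a `nonce` during the code flow should be confirmed before the migration is considered complete; as written, express.js derives the user from `/me` via the access token rather than from the token claims, which limits the impact if it does not.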
@@ -4133,7 +4127,7 @@ repeating@^2.0.0:
 dependencies:
 is-finite "^1.0.0"
-request@2.88.2, request@^2.87.0, request@^2.88.0, request@^2.88.2:
+request@2.88.2, request@^2.75.0, request@^2.87.0, request@^2.88.0, request@^2.88.2:
 version "2.88.2"
 resolved "https://registry.yarnpkg.com/request/-/request-2.88.2.tgz#d73c918731cb5a87da047e207234146f664d12b3"
 integrity sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==
@@ -4270,6 +4264,11 @@ sass-graph@2.2.5:
 scss-tokenizer "^0.2.3"
 yargs "^13.3.2"
+sax@>=0.1.1:
+ version "1.2.4"
+ resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
+ integrity sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==
+
 scss-tokenizer@^0.2.3:
 version "0.2.3"
 resolved "https://registry.yarnpkg.com/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz#8eb06db9a9723333824d3f5530641149847ce5d1"
@@ -4575,6 +4574,11 @@ stdout-stream@^1.4.0:
 dependencies:
 readable-stream "^2.0.1"
+step@0.0.x:
+ version "0.0.6"
+ resolved "https://registry.yarnpkg.com/step/-/step-0.0.6.tgz#143e7849a5d7d3f4a088fe29af94915216eeede2"
+ integrity sha1-FD54SaXX0/SgiP4pr5SRUhbu7eI=
+
 stream-shift@^1.0.0:
 version "1.0.1"
 resolved "https://registry.yarnpkg.com/stream-shift/-/stream-shift-1.0.1.tgz#d7088281559ab2778424279b0877da3c392d5a3d"
@@ -4969,11 +4973,6 @@ uid-safe@~2.1.5:
 dependencies:
 random-bytes "~1.0.0"
-uid2@0.0.x:
- version "0.0.4"
- resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.4.tgz#033f3b1d5d32505f5ce5f888b9f3b667123c0a44"
- integrity sha512-IevTus0SbGwQzYh3+fRsAMTVVPOoIVufzacXcHPmdlle1jUpq7BRL+mw3dgeLanvGZdwwbWhRV6XrcFNdBmjWA==
-
 unc-path-regex@^0.1.2:
 version "0.1.2"
 resolved "https://registry.yarnpkg.com/unc-path-regex/-/unc-path-regex-0.1.2.tgz#e73dd3d7b0d7c5ed86fbac6b0ae7d8c6a69d50fa"
@@ -5094,7 +5093,7 @@ util-deprecate@^1.0.1, util-deprecate@^1.0.2, util-deprecate@~1.0.1:
 resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
 integrity sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=
-utils-merge@1.0.1, utils-merge@1.x.x:
+utils-merge@1.0.1:
 version "1.0.1"
 resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
 integrity sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=
@@ -5143,6 +5142,14 @@ void-elements@^3.1.0:
 resolved "https://registry.yarnpkg.com/void-elements/-/void-elements-3.1.0.tgz#614f7fbf8d801f0bb5f0661f5b2f5785750e4f09"
 integrity sha1-YU9/v42AHwu18GYfWy9XhXUOTwk=
+webfinger@0.4.x:
+ version "0.4.2"
+ resolved "https://registry.yarnpkg.com/webfinger/-/webfinger-0.4.2.tgz#3477a6d97799461896039fcffc650b73468ee76d"
+ integrity sha1-NHem2XeZRhiWA5/P/GULc0aO520=
+ dependencies:
+ step "0.0.x"
+ xml2js "0.1.x"
+
 websocket-driver@>=0.5.1:
 version "0.7.4"
 resolved "https://registry.yarnpkg.com/websocket-driver/-/websocket-driver-0.7.4.tgz#89ad5295bbf64b480abcba31e4953aca706f5760"
@@ -5238,6 +5245,13 @@ xdg-basedir@^3.0.0:
 resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4"
 integrity sha1-SWsswQnsqNus/i3HK2A8F8WHCtQ=
+xml2js@0.1.x:
+ version "0.1.14"
+ resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.1.14.tgz#5274e67f5a64c5f92974cd85139e0332adc6b90c"
+ integrity sha1-UnTmf1pkxfkpdM2FE54DMq3GuQw=
+ dependencies:
+ sax ">=0.1.1"
+
 xtend@~4.0.1:
 version "4.0.2"
 resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"