Updates to handle no authentication

applicreation · Sep 5, 2022 · 1f5f898 · 1f5f898
1 parent fbda878
commit 1f5f898
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 24 deletions.
diff --git a/.harmony/core/config/main.yaml b/.harmony/core/config/main.yaml
@@ -1,10 +1,14 @@
 ---
 
 auth:
-  token_secret: ${{AUTH_TOKEN_SECRET}}
-  token_ttl: ${{AUTH_TOKEN_TTL}}
+  token:
+    secret: ${{AUTH_TOKEN_SECRET}}
+    ttl: ${{AUTH_TOKEN_TTL}}
   google:
     client_id: ${{AUTH_GOOGLE_CLIENT_ID}}
+  constraints:
+    domains:
+      - test.com
 github:
   token: ${{GITHUB_TOKEN}}
 modules:

diff --git a/app/src/lib/components/SignIn.svelte b/app/src/lib/components/SignIn.svelte
@@ -1,6 +1,6 @@
 <script>
     import {onMount} from 'svelte'
-    import {invalidate} from '$app/navigation'
+    import {invalidateAll} from '$app/navigation'
 
     export let googleClientId
 
@@ -20,7 +20,7 @@
                     })
                 })
 
-                await invalidate()
+                await invalidateAll()
             },
             client_id: googleClientId,
         })

diff --git a/app/src/lib/config.js b/app/src/lib/config.js
@@ -46,7 +46,8 @@ export async function getConfig() {
 }
 
 function getConfigAuth(auth) {
-    const tokenSecret = auth.token_secret || null
+    const token = auth.token || {}
+    const tokenSecret = token.secret || null
     const googleClientId = (auth.google || {}).client_id || null
     const isAuthenticating = tokenSecret !== null && googleClientId !== null
 

diff --git a/app/src/routes/auth/+server.js b/app/src/routes/auth/+server.js
@@ -21,19 +21,26 @@ export async function GET({request}) {
         throw error(401, 'Token not found')
     }
 
-    try {
-        const tokenSecret = getTokenSecret(config)
-        const response = verify(token, tokenSecret)
+    let tokenDetails
 
-        return json({
-            ...{
-                type: 'user'
-            },
-            ...response,
-        })
+    try {
+        tokenDetails = verify(token, getTokenSecret(config))
     } catch {
         throw error(401, 'Token not verified')
     }
+
+    const domains = getConstraintsDomains(config)
+    const domain = tokenDetails.email.substring(tokenDetails.email.indexOf('@')+1)
+    if (domains.length > 0 && domains.indexOf(domain) < 0) {
+        throw error(403, 'Forbidden')
+    }
+
+    return json({
+        ...{
+            type: 'user'
+        },
+        ...tokenDetails,
+    })
 }
 
 /** @type {import('./$types').RequestHandler} */
@@ -96,12 +103,21 @@ function getGoogleClientId(config) {
 
 function getTokenSecret(config) {
     const configAuth = config.auth || {}
+    const configAuthToken = configAuth.token || {}
 
-    return configAuth.token_secret || null
+    return configAuthToken.secret || null
 }
 
 function getTokenTtl(config) {
     const configAuth = config.auth || {}
+    const configAuthToken = configAuth.token || {}
+
+    return configAuthToken.ttl || null
+}
+
+function getConstraintsDomains(config) {
+    const configAuth = config.auth || {}
+    const configAuthConstraints = configAuth.constraints || {}
 
-    return configAuth.token_ttl || null
+    return configAuthConstraints.domains || []
 }
diff --git a/app/src/routes/modules/+layout.js b/app/src/routes/modules/+layout.js
@@ -14,9 +14,11 @@ export async function load({data, fetch}) {
 
     try {
         const response = await fetch(url, options)
-        isAuthenticated = response.status === 200
+        const json = await response.json()
+
+        isAuthenticated = json.type === 'guest' ? -1 : response.status
     } catch {
-        isAuthenticated = false
+        isAuthenticated = 401
     }
 
     return {

diff --git a/app/src/routes/modules/+layout.svelte b/app/src/routes/modules/+layout.svelte
@@ -1,6 +1,6 @@
 <script>
     import {navigating} from '$app/stores'
-    import {invalidate} from '$app/navigation'
+    import {invalidateAll} from '$app/navigation'
     import SignIn from '$lib/components/SignIn.svelte'
 
     /** @type {import('./$types').PageData} */
@@ -13,7 +13,7 @@
 
         window.google.accounts.id.disableAutoSelect()
 
-        await invalidate()
+        await invalidateAll()
     }
 </script>
 
@@ -33,9 +33,22 @@
     <div class="px-5 m-auto">
         <span class="spinner-border spinner-border-lg" role="status" aria-hidden="true"></span>
     </div>
-{:else if data.isAuthenticated === false}
+{:else if data.isAuthenticated === 401}
     <SignIn googleClientId="{data.googleClientId}"></SignIn>
-{:else if data.isAuthenticated === true}
+{:else if data.isAuthenticated === 403}
+    <div class="px-5 m-auto">
+        <div class="alert alert-warning" role="alert">
+            <h4 class="alert-heading">Forbidden</h4>
+            <p>You do not have access to view this, have you signed in with the correct account?</p>
+            <hr>
+            <p class="mb-0">
+                <a href="#" on:click={signOut} class="btn btn-warning" data-sveltekit-reload>
+                    Sign out
+                </a>
+            </p>
+        </div>
+    </div>
+{:else}
     <div class="flex-grow-1 d-lg-flex">
         <div class="row g-0 w-100">
             <nav id="main-menu" class="col-12 col-lg-2 p-3 bg-light collapse">
@@ -82,9 +95,10 @@
                         {/each}
                     </div>
                 {/if}
-                {#if data.isAuthenticated == true}
+                {#if data.isAuthenticated > 0}
                     <div class="list-group bg-white">
-                        <a sveltekit:reload href="#" on:click={signOut} class="list-group-item list-group-item-action">
+                        <a href="#" on:click={signOut} class="list-group-item list-group-item-action"
+                           data-sveltekit-reload>
                             Sign out
                         </a>
                     </div>