chore: remove errant login logging

api/admin/passport.js

@@ -31,24 +31,12 @@ const uaaOptions = {
 
 const verify = async (req, accessToken, refreshToken, profile, callback) => {
   try {
-    const supportUser = await verifyUAAUser(accessToken, refreshToken, profile, [
-      'pages.support',
-    ]);
+    const { user, role } = await verifyUAAUser(accessToken, refreshToken, profile);
 
-    if (supportUser) {
+    if (user && role) {
       return callback(null, {
-        ...supportUser.dataValues,
-        role: 'pages.support',
-      });
-    }
-
-    const adminUser = await verifyUAAUser(accessToken, refreshToken, profile, [
-      'pages.admin',
-    ]);
-    if (adminUser) {
-      return callback(null, {
-        ...adminUser.dataValues,
-        role: 'pages.admin',
+        ...user.dataValues,
+        role,
       });
     }
 

api/services/passport.js

@@ -76,11 +76,7 @@ const uaaOptions = {
 
 const verifyUAA = async (accessToken, refreshToken, profile, callback) => {
   try {
-    const user = await verifyUAAUser(accessToken, refreshToken, profile, [
-      'pages.user',
-      'pages.support',
-      'pages.admin',
-    ]);
+    const { user } = await verifyUAAUser(accessToken, refreshToken, profile);
 
     if (!user) return callback(null, false, flashMessage);
 

api/services/uaaStrategy.js

@@ -34,12 +34,18 @@ function createUAAStrategy(options, verify) {
   return strategy;
 }
 
-async function verifyUAAUser(accessToken, refreshToken, profile, uaaGroups) {
+async function verifyUAAUser(accessToken, refreshToken, profile) {
   const { user_id: uaaId, email } = profile;
   const client = new UAAClient();
-  const isVerified = await client.verifyUserGroup(uaaId, uaaGroups);
 
-  if (!isVerified) {
+  const clientToken = await client.fetchClientToken();
+  const { groups, origin, verified } = await client.fetchUser(uaaId, clientToken);
+  const userGroups = groups.map((g) => g.display).filter((g) => g.startsWith('pages'));
+
+  // the profile isn't verified if:
+  // unverified and cloud.gov origin OR
+  // no pages group membership
+  if ((origin === 'cloud.gov' && !verified) || !userGroups.length) {
     EventCreator.audit(
       Event.labels.AUTHENTICATION,
       null,
@@ -49,7 +55,7 @@ async function verifyUAAUser(accessToken, refreshToken, profile, uaaGroups) {
       },
     );
 
-    return null;
+    return { user: null, role: null };
   }
 
   const identity = await UAAIdentity.findOne({
@@ -70,7 +76,7 @@ async function verifyUAAUser(accessToken, refreshToken, profile, uaaGroups) {
         profile,
       },
     );
-    return null;
+    return { user: null, role: null };
   }
 
   if (!identity.User) {
@@ -83,7 +89,7 @@ async function verifyUAAUser(accessToken, refreshToken, profile, uaaGroups) {
         identity,
       },
     );
-    return null;
+    return { user: null, role: null };
   }
 
   await identity.update({
@@ -92,7 +98,11 @@ async function verifyUAAUser(accessToken, refreshToken, profile, uaaGroups) {
     refreshToken,
   });
 
-  return identity.User;
+  // add role based on highest permissioned user group
+  const ordereredRoles = ['pages.admin', 'pages.support', 'pages.user'];
+  const role = ordereredRoles.find((or) => userGroups.includes(or));
+
+  return { user: identity.User, role };
 }
 
 module.exports = {

test/api/unit/services/uaaStrategy.test.js

@@ -45,7 +45,7 @@ describe('verifyUAAUser', () => {
       uaaId,
       groups: [
         {
-          display: 'group.one',
+          display: 'pages.user',
         },
         {
           display: 'group.two',
@@ -63,12 +63,15 @@ describe('verifyUAAUser', () => {
     expect(identity.accessToken).to.be.null;
     expect(identity.refreshToken).to.be.null;
 
-    const verifiedUser = await verifyUAAUser(accessToken, refreshToken, uaaUserProfile, [
-      'group.one',
-    ]);
+    const { user: verifiedUser, role } = await verifyUAAUser(
+      accessToken,
+      refreshToken,
+      uaaUserProfile,
+    );
 
     await identity.reload();
 
+    expect(role).to.be.equal('pages.user');
     expect(verifiedUser.dataValues).to.deep.equal(user.dataValues);
     expect(identity.accessToken).to.equal(accessToken);
     expect(identity.refreshToken).to.equal(refreshToken);
@@ -99,11 +102,14 @@ describe('verifyUAAUser', () => {
 
     cfUAANock.mockVerifyUserGroup(uaaId, uaaUserResponse);
 
-    const result = await verifyUAAUser(accessToken, refreshToken, uaaUserProfile, [
-      'group.three',
-    ]);
+    const { user: result, role } = await verifyUAAUser(
+      accessToken,
+      refreshToken,
+      uaaUserProfile,
+    );
 
     expect(eventAuditStub.called).to.equal(true);
+    expect(role).to.be.null;
     return expect(result).to.be.null;
   });
 
@@ -131,11 +137,14 @@ describe('verifyUAAUser', () => {
 
     cfUAANock.mockVerifyUserGroup(uaaId, uaaUserResponse);
 
-    const result = await verifyUAAUser(accessToken, refreshToken, uaaUserProfile, [
-      'group.three',
-    ]);
+    const { user: result, role } = await verifyUAAUser(
+      accessToken,
+      refreshToken,
+      uaaUserProfile,
+    );
 
     expect(eventAuditStub.called).to.equal(true);
+    expect(role).to.be.null;
     return expect(result).to.be.null;
   });
 
@@ -149,7 +158,7 @@ describe('verifyUAAUser', () => {
       uaaId,
       groups: [
         {
-          display: 'group.one',
+          display: 'pages.user',
         },
         {
           display: 'group.two',
@@ -166,11 +175,14 @@ describe('verifyUAAUser', () => {
 
     await user.destroy();
 
-    const result = await verifyUAAUser(accessToken, refreshToken, uaaUserProfile, [
-      'group.one',
-    ]);
+    const { user: result, role } = await verifyUAAUser(
+      accessToken,
+      refreshToken,
+      uaaUserProfile,
+    );
 
     expect(eventAuditStub.called).to.equal(true);
+    expect(role).to.be.null;
     return expect(result).to.be.null;
   });
 });