Merge branch 'master' into style-manager

Author: Floran05

core/api/authentication.js

@@ -1,5 +1,6 @@
 import makeDebug from 'debug'
 import _ from 'lodash'
+import qs from 'qs'
 import 'winston-daily-rotate-file'
 // import { RateLimiter } from 'limiter'
 import HttpLimiter from 'express-rate-limit'
@@ -32,6 +33,23 @@ export class Authentication extends AuthenticationService {
 }
 
 export class AuthenticationProviderStrategy extends OAuthStrategy {
+  setAuthentication (auth) {
+    super.setAuthentication(auth)
+    const authConfig = this.authentication.configuration
+    const { oauth } = authConfig
+    // Single logout supported ?
+    const { logout_url: logoutUrl, post_logout_url: postLogoutUrl, key } = this.configuration
+    if (logoutUrl && key) {
+      // Cannot use oauth/:provider/logout route as oauth/:provider is already intercepted by feathers and this causes an error
+      this.app.get(`/oauth-logout/${this.name}`, (req, res) => {
+        return res.redirect(logoutUrl + '?' + qs.stringify({
+          post_logout_redirect_uri: postLogoutUrl || oauth.redirect,
+          client_id: key
+        }))
+      })
+    }
+  }
+
   async getEntityData (profile, entity) {
     const createEntity = _.isNil(entity)
     // Add provider Id

core/api/hooks/hooks.authentication.js

@@ -8,64 +8,6 @@ const { discard } = common
 // Make it more easy to access
 export const hashPassword = local.hooks.hashPassword
 
-export async function verifyGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'verifyGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('verifyGuest hook called on ', user._id)
-
-  // Check whether the user has been invited. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-
-  // Check whether has been already verified. If yes, nothing to do
-  if (user.isVerified) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-
-  // The user is a guest and need to be verified
-  debug('Verifying logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { isVerified: true })
-
-  return hook
-}
-
-export async function consentGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'consentGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('consentGuest hook called on ', user._id)
-
-  // Check whether the user has been invited. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-
-  // Check whether consent has been already checked. If yes, nothing to do
-  if (user.consentTerms) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-
-  // The user is a guest and need to be consent
-  debug('Consenting logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { consentTerms: true, expireAt: null })
-
-  return hook
-}
-
 export function discardAuthenticationProviders (hook) {
   const providers = hook.app.authenticationProviders || []
 

core/api/hooks/hooks.authorisations.js

@@ -8,7 +8,6 @@ import {
   hasServiceAbilities, hasResourceAbilities, getQueryForAbilities,
   Roles, RoleNames, countSubjectsForResource
 } from '../../common/permissions.js'
-import { isTagEqual } from '../utils.js'
 
 const { getItems, replaceItems } = common
 const { Forbidden } = errors
@@ -289,98 +288,3 @@ export function updateAbilities (options = {}) {
   }
 }
 
-export function preventRemovingLastOwner (resourceScope) {
-  return async function (hook) {
-    // By pass check ?
-    if (hook.params.force) return hook
-    const params = hook.params
-    const data = hook.data || {}
-    const query = params.query || {}
-    const scope = data.scope || query.scope
-    const grantedPermissions = data.permissions || query.permissions
-    const grantedRole = (grantedPermissions ? Roles[grantedPermissions] : undefined)
-    const resource = hook.params.resource
-    const subjects = hook.params.subjects
-    const subjectService = hook.params.subjectsService
-    // On create check if we try to downgrade permissions otherwise let pass through
-    if (!_.isUndefined(grantedRole) && (grantedRole === Roles.owner)) return hook
-
-    if ((scope === resourceScope) && resource && resource._id) {
-      // Count existing owners
-      const owners = await countSubjectsForResource(subjectService, resourceScope, resource._id, Roles.owner)
-      // Now count owners we change/remove permissions on
-      const removedOwners = subjects.reduce((count, subject) => {
-        const resources = _.get(subject, resourceScope, [])
-        const ownedResource = _.find(resources, { _id: resource._id, permissions: RoleNames[Roles.owner] })
-        return (ownedResource ? count + 1 : count)
-      }, 0)
-      // If none remains stop
-      if (removedOwners >= owners.total) {
-        debug('Cannot remove the last owner of resource ', resource)
-        const resourceName = resource.name ? resource.name : resource._id.toString()
-        throw new Forbidden('You are not allowed to remove the last owner of resource ' + resourceName, {
-          translation: {
-            key: 'CANNOT_REMOVE_LAST_OWNER',
-            params: { resource: resourceName }
-          }
-        })
-      }
-    }
-    return hook
-  }
-}
-
-export async function removeOrganisationGroupsAuthorisations (hook) {
-  const app = hook.app
-  const authorisationService = app.getService('authorisations')
-  const org = hook.params.resource
-  const user = hook.params.user
-  // Unset membership for the all org groups
-  const orgGroupService = app.getService('groups', org)
-  const groups = await orgGroupService.find({ paginate: false })
-  await Promise.all(groups.map(group => {
-  // Unset membership on group for the all org users
-    return authorisationService.remove(group._id.toString(), {
-      query: {
-        scope: 'groups'
-      },
-      user,
-      force: hook.params.force,
-      // Because we already have resource set it as objects to avoid populating
-      // Moreover used as an after hook the resource might not already exist anymore
-      subjects: hook.params.subjects,
-      subjectsService: hook.params.subjectsService,
-      resource: group,
-      resourcesService: orgGroupService
-    })
-  }))
-  debug('Authorisations unset on groups for organisation ' + org._id)
-  return hook
-}
-
-export async function removeOrganisationTagsAuthorisations (hook) {
-  const app = hook.app
-  const org = hook.params.resource
-  const subjectService = hook.params.subjectsService
-  const orgTagsService = app.getService('tags', org)
-  const subjects = hook.params.subjects || []
-  if (subjects.length === 0) return hook
-  // Retrieve org tags
-  const orgTags = await orgTagsService.find({ paginate: false })
-  const promises = []
-  subjects.forEach(subject => {
-    const tags = subject.tags || []
-    // Find tags from org
-    const fromOrg = _.intersectionWith(tags, orgTags, isTagEqual)
-    // Clear removed tags
-    const notFromOrg = _.differenceWith(tags, orgTags, isTagEqual)
-    // Update subject if required
-    if (fromOrg.length > 0) {
-      promises.push(subjectService.patch(subject._id.toString(), { tags: notFromOrg }))
-    }
-  })
-  // Perform subject updates in parallel
-  await Promise.all(promises)
-  debug(`Tags unset on ${promises.length} subjects for organisation ` + org._id)
-  return hook
-}