Skip to content
This repository was archived by the owner on Dec 18, 2020. It is now read-only.

Allow limiting authentication to members of a specific GitHub org #14

Merged
merged 4 commits into from
Feb 19, 2015
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions authenticator.js
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ function AuthenticateGithub(opts) {
debug: true,
githubHost: config.githubHost,
githubPathPrefix: '/api/v3',
githubOrg: config.githubOrg,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know it's been a while, but would it be possible to extend it in order to support multiple organizations? Really don't want to come up with a fork of this repo just because of this restriction.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

master...nathan7:multiple-github-orgs this would do the trick — any opinion on this, @bcoe?

// label the token that we generate.
note: 'npm on premises solution',
noteUrl: 'https://www.npmjs.org'
Expand Down Expand Up @@ -82,6 +83,22 @@ AuthenticateGithub.prototype.getAuthorizationToken = function(username, password
if (err) reject(err);
else resolve(res.token);
});
}).then(this.githubOrg && function(token) {
return new Promise(function(resolve, reject) {
github.orgs.getMember({ user: username, org: _this.githubOrg }, function(err, res) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

based on this logic, I gather an error is returned if a user is not a member of the organization? You've confirmed this behavior hitting the live API?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have confirmed this behaviour on the live API, yes.
These two authenticating as me, a member of npm:

 ~ ⮀ curl -siLn https://api.github.com/orgs/npm/members/nathan7 | grep '^HTTP'     
HTTP/1.1 204 No Content
 ~ ⮀ curl -siLn https://api.github.com/orgs/npm/members/itzmjauz | grep '^HTTP'
HTTP/1.1 404 Not Found

These two unauthenticated:

 ~ ⮀ curl -siL https://api.github.com/orgs/npm/members/nathan7 | grep '^HTTP' 
HTTP/1.1 302 Found
HTTP/1.1 204 No Content
 ~ ⮀ curl -siL https://api.github.com/orgs/npm/members/itzmjauz | grep '^HTTP' 
HTTP/1.1 302 Found
HTTP/1.1 404 Not Found

The GitHub API client you're using handles the redirect — all "not a member" paths return a 404.

if (err) reject(err);
else resolve(token);
});
}).catch(function(err) {
if (err.code === 404) {
err.code = 401;
err.message = 'unauthorized';
} else if (err.code === 500) {
err.message = 'GitHub enterprise unavailable';
}
// this is an error state
throw err;
});
});
};

Expand Down
68 changes: 68 additions & 0 deletions test/authenticate-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,74 @@ Lab.experiment('getAuthorizationToken', function() {
done();
}).done();
});

Lab.it("returns authorization token if username and password are valid, and user is a member of the org", function(done) {
var authenticateGithub = new AuthenticateGithub({
githubHost: 'https://github.example.com',
githubOrg: 'acme',
timestamp: function() {
return 0;
},
debug: false
});

var packageApi = nock('https://github.example.com', {
// we should populate the auth headers with appropriate
// username and password.
reqheaders: {
'authorization': 'Basic YmNvZS10ZXN0OmZvb2Jhcg=='
}
})
.post('/api/v3/authorizations', {
scopes: ["user","public_repo","repo","repo:status","gist"],
note: 'npm on premises solution (0)',
note_url: 'https://www.npmjs.org'
})
.reply(200, fs.readFileSync('./test/fixtures/authenticate-success.json'))
.get('/api/v3/orgs/acme/members/bcoe-test')
.reply(204);

authenticateGithub.getAuthorizationToken('bcoe-test', 'foobar').nodeify(function(err, token) {
Code.expect(!!err).to.equal(false);
Code.expect(token).to.deep.equal('cc84252fd8061b232beb5e345f33b13d120c236c');
packageApi.done();
done();
});
});

Lab.it("executes callback with an error if user is not a member of the org", function(done) {
var authenticateGithub = new AuthenticateGithub({
githubHost: 'https://github.example.com',
githubOrg: 'acme',
timestamp: function() {
return 0;
},
debug: false
});

var packageApi = nock('https://github.example.com', {
// we should populate the auth headers with appropriate
// username and password.
reqheaders: {
'authorization': 'Basic YmNvZS10ZXN0OmZvb2Jhcg=='
}
})
.post('/api/v3/authorizations', {
scopes: ["user","public_repo","repo","repo:status","gist"],
note: 'npm on premises solution (0)',
note_url: 'https://www.npmjs.org'
})
.reply(200, fs.readFileSync('./test/fixtures/authenticate-success.json'))
.get('/api/v3/orgs/acme/members/bcoe-test')
.reply(404);

authenticateGithub.getAuthorizationToken('bcoe-test', 'foobar').nodeify(function(err, token) {
Code.expect(err.code).to.equal(401);
Code.expect(!!token).to.equal(false);
packageApi.done();
done();
});
});
});

Lab.experiment('authenticate', function() {
Expand Down