Enforce usage of specific callback uri instead of allowing any (#193)

Author: Wardormeur

config/config.js

@@ -65,8 +65,10 @@ module.exports = function () {
     },
     oauth2: {
       clients: {
-        coderdojoadultforums: process.env.CODERDOJO_ADULT_FORUMS_SECRET || 'ilikecode',
-        coderdojoyouthforums: process.env.CODERDOJO_YOUTH_FORUMS_SECRET || 'ilikecode'
+        coderdojoadultforums: { code: process.env.CODERDOJO_ADULT_FORUMS_SECRET || 'ilikecode',
+          baseUrl: process.env.ADULT_FORUM + '/auth/CoderDojo/callback'},
+        coderdojoyouthforums: { code: process.env.CODERDOJO_YOUTH_FORUMS_SECRET || 'ilikecode',
+        baseUrl: process.env.YOUTH_FORUM + '/auth/CoderDojo/callback'}
       }
     },
     nodebb: {

oauth2.js

@@ -13,15 +13,24 @@ module.exports = function (options) {
   seneca.add({role: plugin, cmd: 'token'}, cmd_token);
   seneca.add({role: plugin, cmd: 'profile'}, cmd_profile);
 
-  // Note: currently got from the config, this may be moved to the database in the near future..
+  // NOTE: currently got from the config, this may be moved to the database in the near future..
   function _verifyClientId (clientId, cb) {
-    setImmediate(function () {
-      if (!options.clients[clientId]) return cb('Invalid client_id: ' + clientId);
-      return cb();
+    if (!options.clients[clientId]) return cb('Invalid client_id: ' + clientId);
+    return cb();
+  }
+
+  function _verifyCallbackUrl (callback, cb) {
+    var allowed = _.map(options.clients, 'baseUrl');
+    var valid = _.some(allowed, function (url) {
+      //  We can't use _.includes as it match for partials which is insecure
+      return _.isEqual(url, callback);
     });
+    if (!valid) return cb('Invalid callback_url: ' + callback);
+    return cb();
   }
 
   function _getAccessCodeForUser (user, cb) {
+    //  NOTE : maybe use load for security sake ??????!!
     seneca.make$(OAUTH2_ENTITY).list$({userid: user.id}, function (err, auths) {
       if (err) return cb(err);
       if (auths.length > 0) return cb(null, auths[0].code);
@@ -63,18 +72,19 @@ module.exports = function (options) {
     }
 
     function getUser (auths, done) {
+      //  Why.
       var userEntity = seneca.make('sys/user');
       userEntity.load$(auths[0].userid, done);
     }
 
     function checkPermissions (user, done) {
-      seneca.act({role: 'cd-profiles', cmd: 'list', query: {userId: user.id}}, function (err, profiles) {
+      seneca.act({role: 'cd-profiles', cmd: 'load_user_profile', userId: user.id}, function (err, userProfile) {
         if (err) return done(err);
-        var userProfile = profiles[0];
         user.profileId = userProfile.id;
         if (userProfile.userType === 'champion') user.isChampion = true;
         if (userProfile.userType === 'attendee-o13') user.isYouthOver13 = true;
         if (userProfile.userType === 'mentor') user.isMentor = true;
+        if (userProfile.userType === 'parent-guardian') user.isParent = true;
 
         seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: user.id}}, function (err, usersDojos) {
           if (err) return done(err);
@@ -87,9 +97,11 @@ module.exports = function (options) {
           var mentorTypeFound = _.find(usersDojos, function (userDojo) {
             return _.contains(userDojo.userTypes, 'mentor');
           });
+          var verifyFound = _.any(usersDojos, 'backgroundChecked');
           if (championTypeFound) user.isChampion = true;
           if (youthOver13TypeFound) user.isYouthOver13 = true;
           if (mentorTypeFound) user.isMentor = true;
+          if (verifyFound) user.isVerified = true;
           return done(null, user);
         });
       });
@@ -100,31 +112,54 @@ module.exports = function (options) {
     if (args.response_type !== 'code') {
       return done(null, {error: 'Only authorization code auth supported!'});
     }
-
-    _verifyClientId(args.client_id, function (err) {
-      if (err) return done(null, {error: err});
-
-      if (!args.user) {
-        return done(null, {
-          http$: {
-            redirect: '/login?redirect=' + args['redirect_uri']
+    async.waterfall([
+      function (waterfallCb) {
+        if (args.redirect_uri) {
+          _verifyCallbackUrl(args.redirect_uri, function (err) {
+            if (err) {
+              return done(null, {
+                error: err,
+                http$: {
+                  status: 403
+                }
+              });
+            } else {
+              waterfallCb();
+            }
+          });
+        } else {
+          return done(null, {error: 'Missing callback_url', http$: {status: 422}});
+        }
+      },
+      function (waterfallCb) {
+        _verifyClientId(args.client_id, function (err) {
+          if (err) return done(null, {error: err});
+          if (!args.user) {
+            return done(null, {
+              http$: {
+                redirect: '/login?redirect=' + args.redirect_uri
+              }
+            });
+          } else {
+            waterfallCb();
           }
         });
-      }
-
-      _getAccessCodeForUser(args.user, function (err, code) {
-        if (err) return done(null, {error: err, http$: {status: 500}});
-
-        done(null, {
-          http$: {
-            redirect: args['redirect_uri'] + '?code=' + code
-          }
+      },
+      function (waterfallCb) {
+        _getAccessCodeForUser(args.user, function (err, code) {
+          if (err) return done(null, {error: err, http$: {status: 500}});
+          done(null, {
+            http$: {
+              redirect: args.redirect_uri + '?code=' + code
+            }
+          });
         });
-      });
-    });
+      }
+    ]);
   }
 
   function cmd_token (args, done) {
+    //  TODO : check if code exists maybe ?
     _getAccessTokenForAccessCode(args.code, function (err, access_token) {
       if (err) return done(null, {error: err, http$: {status: 500}});
 
@@ -146,6 +181,8 @@ module.exports = function (options) {
         isChampion: user.isChampion,
         isYouthOver13: user.isYouthOver13,
         isMentor: user.isMentor,
+        isParent: user.isParent,
+        isVerified: user.isVerified,
         profileId: user.profileId
       };
       return done(null, profile);

service.js

@@ -27,7 +27,7 @@ require('./migrate-psql-db.js')(function (err) {
   seneca.use(require('./email-notifications.js'));
   seneca.use(require('./agreements.js'));
   seneca.use(require('./profiles.js'), { postgresql: config['postgresql-store'] });
-  seneca.use(require('./oauth2.js'), config.oauth2);
+  seneca.use(require('./oauth2.js'), {clients: config.oauth2.clients});
   seneca.use('user');
   seneca.use('auth');
   seneca.use(require('./users.js'),