Add redirectURL params in github/login route (#937)

* feat: add redirectURL params in github/loign route

* Fix tests

* chore:fix-test

* chore: add new test coverage

* fix endswith edgecase

Author: prakashchoudhary07

controllers/auth.js

@@ -4,18 +4,45 @@ const QrCodeAuthModel = require("../models/qrCodeAuth");
 const authService = require("../services/authService");
 const { SOMETHING_WENT_WRONG, DATA_ADDED_SUCCESSFULLY, BAD_REQUEST } = require("../constants/errorMessages");
 
+/**
+ * Makes authentication call to GitHub statergy
+ *
+ * @param req {Object} - Express request object
+ * @param res {Object} - Express response object
+ * @param next {Function} - Express middleware function
+ */
+const githubAuthLogin = (req, res, next) => {
+  const redirectURL = req.query.redirectURL;
+  return passport.authenticate("github", {
+    scope: ["user:email"],
+    state: redirectURL,
+  })(req, res, next);
+};
+
 /**
  * Fetches the user info from GitHub and authenticates User
  *
  * @param req {Object} - Express request object
  * @param res {Object} - Express response object
  * @param next {Function} - Express middleware function
  */
-const githubAuth = (req, res, next) => {
+const githubAuthCallback = (req, res, next) => {
   let userData;
   const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
-  let authRedirectionUrl = req.query.state ?? rdsUiUrl;
-
+  let authRedirectionUrl = rdsUiUrl;
+  if ("state" in req.query) {
+    try {
+      const redirectUrl = new URL(req.query.state);
+      if (`.${redirectUrl.hostname}`.endsWith(`.${rdsUiUrl.hostname}`)) {
+        // Matching *.realdevsquad.com
+        authRedirectionUrl = redirectUrl;
+      } else {
+        logger.error(`Malicious redirect URL provided URL: ${redirectUrl}, Will redirect to RDS`);
+      }
+    } catch (error) {
+      logger.error("Invalid redirect URL provided", error);
+    }
+  }
   try {
     return passport.authenticate("github", { session: false }, async (err, accessToken, user) => {
       if (err) {
@@ -137,7 +164,8 @@ const fetchUserDeviceInfo = async (req, res) => {
 };
 
 module.exports = {
-  githubAuth,
+  githubAuthLogin,
+  githubAuthCallback,
   signout,
   storeUserDeviceInfo,
   updateAuthStatus,

routes/auth.js

@@ -1,14 +1,13 @@
 const express = require("express");
-const passport = require("passport");
 const router = express.Router();
 const auth = require("../controllers/auth");
 const authenticate = require("../middlewares/authenticate");
 const userDeviceInfoValidator = require("../middlewares/validators/qrCodeAuth");
 const qrCodeAuthValidator = require("../middlewares/validators/qrCodeAuth");
 
-router.get("/github/login", passport.authenticate("github", { scope: ["user:email"] }));
+router.get("/github/login", auth.githubAuthLogin);
 
-router.get("/github/callback", auth.githubAuth);
+router.get("/github/callback", auth.githubAuthCallback);
 
 router.get("/signout", auth.signout);
 

test/integration/auth.test.js

@@ -5,6 +5,7 @@ const chaiHttp = require("chai-http");
 const passport = require("passport");
 const app = require("../../server");
 const cleanDb = require("../utils/cleanDb");
+const { generateGithubAuthRedirectUrl } = require("..//utils/github");
 const { addUserToDBForTest } = require("../../utils/users");
 const userData = require("../fixtures/user/user")();
 
@@ -20,6 +21,25 @@ describe("auth", function () {
     sinon.restore();
   });
 
+  it("should return github call back URL", async function () {
+    const githubOauthURL = generateGithubAuthRedirectUrl({});
+    const res = await chai.request(app).get("/auth/github/login").redirects(0);
+    expect(res).to.have.status(302);
+    expect(res.headers.location).to.equal(githubOauthURL);
+  });
+
+  it("should return github call back URL with redirectUrl", async function () {
+    const RDS_MEMBERS_SITE_URL = "https://members.realdevsquad.com";
+    const githubOauthURL = generateGithubAuthRedirectUrl({ state: RDS_MEMBERS_SITE_URL });
+    const res = await chai
+      .request(app)
+      .get("/auth/github/login")
+      .query({ redirectURL: RDS_MEMBERS_SITE_URL })
+      .redirects(0);
+    expect(res).to.have.status(302);
+    expect(res.headers.location).to.equal(githubOauthURL);
+  });
+
   it("should redirect the user to new sign up flow if they are have incomplte user details true", async function () {
     const redirectURL = "https://my.realdevsquad.com/new-signup";
     sinon.stub(passport, "authenticate").callsFake((strategy, options, callback) => {
@@ -38,8 +58,7 @@ describe("auth", function () {
   // same data should be return from github and same data should be added there
   it("should redirect the request to the goto page on successful login, if user has incomplete user details false", async function () {
     await addUserToDBForTest(userData[0]);
-    const rdsUiUrl = config.get("services.rdsUi.baseUrl");
-
+    const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl")).href;
     sinon.stub(passport, "authenticate").callsFake((strategy, options, callback) => {
       callback(null, "accessToken", githubUserInfo[0]);
       return (req, res, next) => {};
@@ -54,6 +73,59 @@ describe("auth", function () {
     expect(res.headers.location).to.equal(rdsUiUrl);
   });
 
+  it("should redirect the request to the redirect URL provided on successful login, if user has incomplete user details false", async function () {
+    await addUserToDBForTest(userData[0]);
+    const rdsUrl = new URL("https://dashboard.realdevsquad.com").href;
+    sinon.stub(passport, "authenticate").callsFake((strategy, options, callback) => {
+      callback(null, "accessToken", githubUserInfo[0]);
+      return (req, res, next) => {};
+    });
+
+    const res = await chai
+      .request(app)
+      .get(`/auth/github/callback`)
+      .query({ code: "codeReturnedByGithub", state: rdsUrl })
+      .redirects(0);
+    expect(res).to.have.status(302);
+    expect(res.headers.location).to.equal(rdsUrl);
+  });
+
+  it("should redirect the realdevsquad.com if non RDS URL provided, any url that is other than *.realdevsqud.com is invalid", async function () {
+    await addUserToDBForTest(userData[0]);
+    const invalidRedirectUrl = new URL("https://google.com").href;
+    const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl")).href;
+    sinon.stub(passport, "authenticate").callsFake((strategy, options, callback) => {
+      callback(null, "accessToken", githubUserInfo[0]);
+      return (req, res, next) => {};
+    });
+
+    const res = await chai
+      .request(app)
+      .get(`/auth/github/callback`)
+      .query({ code: "codeReturnedByGithub", state: invalidRedirectUrl })
+      .redirects(0);
+    expect(res).to.have.status(302);
+    expect(res.headers.location).to.equal(rdsUiUrl);
+  });
+
+  it("should redirect the realdevsquad.com if invalid redirect URL provided", async function () {
+    await addUserToDBForTest(userData[0]);
+    const invalidRedirectUrl = "invalidURL";
+    const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl")).href;
+    sinon.stub(passport, "authenticate").callsFake((strategy, options, callback) => {
+      callback(null, "accessToken", githubUserInfo[0]);
+      return (req, res, next) => {};
+    });
+
+    const res = await chai
+      .request(app)
+      .get(`/auth/github/callback`)
+      .query({ code: "codeReturnedByGithub", state: invalidRedirectUrl })
+      .redirects(0);
+    expect(res).to.have.status(302);
+    expect(res.headers.location).to.equal(rdsUiUrl);
+  });
+
   it("should send a cookie with JWT in the response", function (done) {
     const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
 

test/utils/github.js

@@ -0,0 +1,21 @@
+const defaultClientId = config.get("githubOauth.clientId");
+
+const generateGithubAuthRedirectUrl = function ({
+  baseUrl = "https://github.com/login/oauth/authorize",
+  responseType = "code",
+  redirectUri = "http://localhost:3000/auth/github/callback",
+  scope = "user:email",
+  state = "",
+  clientId = defaultClientId,
+}) {
+  const encodedBaseUrl = encodeURI(baseUrl);
+  const encodedRedirectUri = encodeURIComponent(redirectUri);
+  const encodedScope = encodeURIComponent(scope);
+  let encodedUrl = `${encodedBaseUrl}?response_type=${responseType}&redirect_uri=${encodedRedirectUri}&scope=${encodedScope}`;
+  if (state) {
+    encodedUrl += `&state=${encodeURIComponent(state)}`;
+  }
+  return `${encodedUrl}&client_id=${clientId}`;
+};
+
+module.exports = { generateGithubAuthRedirectUrl };