refactor: redirect and token

Author: ofr1tz

firebase/functions/src/osm_auth.ts

@@ -38,7 +38,7 @@ const OSM_API_URL = functions.config().osm?.api_url;
  * Configure the `osm.client_id` and `osm.client_secret`
  * Google Cloud environment variables for the values below to exist
  */
-function osmOAuth2Client() {
+function osmOAuth2Client(client_id, client_secret) {
     const credentials = {
         client: {
             id: functions.config().osm?.client_id,
@@ -53,35 +53,15 @@ function osmOAuth2Client() {
     return simpleOAuth2.create(credentials);
 }
 
-/**
- * Creates a configured simple-oauth2 client for OSM for the web app.
- * Configure the `osm.client_id_web` and `osm.client_secret_web`
- * Google Cloud environment variables for the values below to exist
- */
-function osmOAuth2ClientWeb() {
-    const credentials = {
-        client: {
-            id: functions.config().osm?.client_id_web,
-            secret: functions.config().osm?.client_secret_web,
-        },
-        auth: {
-            tokenHost: OSM_API_URL,
-            tokenPath: '/oauth2/token',
-            authorizePath: '/oauth2/authorize',
-        },
-    };
-    return simpleOAuth2.create(credentials);
-}
-
 /**
  * Redirects the User to the OSM authentication consent screen.
  * Also the '__session' cookie is set for later state verification.
  * This function MUST be executed from the user's phone web browser,
  * NOT a webview inside MapSwipe, as this would break the promise of
  * OAuth that we do not touch their OSM credentials
  */
-export const redirect = (req: any, res: any) => {
-    const oauth2 = osmOAuth2Client();
+function redirect2OsmOauth(redirect_uri, client_id, client_secret) {
+    const oauth2 = osmOAuth2Client(client_id, client_secret);
 
     cookieParser()(req, res, () => {
         const state =
@@ -97,43 +77,31 @@ export const redirect = (req: any, res: any) => {
             httpOnly: true,
         });
         const redirectUri = oauth2.authorizationCode.authorizeURL({
-            redirect_uri: OAUTH_REDIRECT_URI,
+            redirect_uri: redirect_uri,
             scope: OAUTH_SCOPES,
             state: state,
         });
         functions.logger.log('Redirecting to:', redirectUri);
         res.redirect(redirectUri);
     });
+}
+
+export const redirect = (req: any, res: any) => {
+    const redirect_uri = OAUTH_REDIRECT_URI;
+    const client_id = functions.config().osm?.client_id;
+    const client_secret = functions.config().osm?.client_secret;
+    redirect2OsmOauth(redirect_uri, client_id, client_secret);
 };
 
 export const redirectweb = (req: any, res: any) => {
-    const oauth2 = osmOAuth2ClientWeb();
-
-    cookieParser()(req, res, () => {
-        const state =
-            req.cookies.state || crypto.randomBytes(20).toString('hex');
-        functions.logger.log('Setting verification state:', state);
-        // the cookie MUST be called __session for hosted functions not to
-        // strip it from incoming requests
-        // (https://firebase.google.com/docs/hosting/manage-cache#using_cookies)
-        res.cookie('__session', state.toString(), {
-            // cookie is valid for 1 hour
-            maxAge: 3600000,
-            secure: true,
-            httpOnly: true,
-        });
-        const redirectUri = oauth2.authorizationCode.authorizeURL({
-            redirect_uri: OAUTH_REDIRECT_URI_WEB,
-            scope: OAUTH_SCOPES,
-            state: state,
-        });
-        functions.logger.log('Redirecting to:', redirectUri);
-        res.redirect(redirectUri);
-    });
+    const redirect_uri = OAUTH_REDIRECT_URI_WEB;
+    const client_id = functions.config().osm?.client_id_web;
+    const client_secret = functions.config().osm?.client_secret_web;
+    redirect2OsmOauth(redirect_uri, client_id, client_secret);
 };
 
 /**
- * The OSM OAuth endpoing does not give us any info about the user,
+ * The OSM OAuth endpoint does not give us any info about the user,
  * so we need to get the user profile from this endpoint
  */
 async function getOSMProfile(accessToken: string) {
@@ -155,8 +123,8 @@ async function getOSMProfile(accessToken: string) {
  * The Firebase custom auth token, display name, photo URL and OSM access
  * token are sent back to the app via a deeplink redirect.
  */
-export const token = async (req: any, res: any, admin: any) => {
-    const oauth2 = osmOAuth2Client();
+function fbToken(redirect_uri, osm_login_link, client_id, client_web) {
+    const oauth2 = osmOAuth2Client(client_id, client_web);
 
     try {
         return cookieParser()(req, res, async () => {
@@ -187,7 +155,7 @@ export const token = async (req: any, res: any, admin: any) => {
                 // this doesn't work
                 results = await oauth2.authorizationCode.getToken({
                     code: req.query.code,
-                    redirect_uri: OAUTH_REDIRECT_URI,
+                    redirect_uri: redirect_uri,
                     scope: OAUTH_SCOPES,
                     state: req.query.state,
                 });
@@ -225,7 +193,7 @@ export const token = async (req: any, res: any, admin: any) => {
             );
             // build a deep link so we can send the token back to the app
             // from the browser
-            const signinUrl = `${APP_OSM_LOGIN_DEEPLINK}?token=${firebaseToken}`;
+            const signinUrl = `${osm_login_link}?token=${firebaseToken}`;
             functions.logger.log('redirecting user to', signinUrl);
             res.redirect(signinUrl);
         });
@@ -235,89 +203,23 @@ export const token = async (req: any, res: any, admin: any) => {
         // back into the app to allow the user to take action
         return res.json({ error: error.toString() });
     }
-};
-
 
-export const tokenweb = async (req: any, res: any, admin: any) => {
-    const oauth2 = osmOAuth2ClientWeb();
-
-    try {
-        return cookieParser()(req, res, async () => {
-            functions.logger.log(
-                'Received verification state:',
-                req.cookies.__session,
-            );
-            functions.logger.log('Received state:', req.query.state);
-            // FIXME: For security, we need to check the cookie that was set
-            // in the /redirectweb function on the user's browser.
-            // However, there seems to be a bug in firebase around this.
-            // https://github.com/firebase/firebase-functions/issues/544
-            // and linked SO question
-            // firebase docs mention the need for a cookie middleware, but there
-            // is no info about it :(
-            // cross site cookies don't seem to be the issue
-            // WE just need to make sure the domain set on the cookies is right
-            if (!req.cookies.__session) {
-                throw new Error('State cookie not set or expired. Maybe you took too long to authorize. Please try again.');
-            } else if (req.cookies.__session !== req.query.state) {
-                throw new Error('State validation failed');
-            }
-            functions.logger.log('Received auth code:', req.query.code);
-            let results;
-
-            try {
-                // TODO: try adding auth data to request headers if
-                // this doesn't work
-                results = await oauth2.authorizationCode.getToken({
-                    code: req.query.code,
-                    redirect_uri: OAUTH_REDIRECT_URI_WEB,
-                    scope: OAUTH_SCOPES,
-                    state: req.query.state,
-                });
-            } catch (error: any) {
-                functions.logger.log('Auth token error', error, error.data.res.req);
-            }
-            // why is token called twice?
-            functions.logger.log(
-                'Auth code exchange result received:',
-                results,
-            );
+}
 
-            // We have an OSM access token and the user identity now.
-            const accessToken = results && results.access_token;
-            if (accessToken === undefined) {
-                throw new Error(
-                    'Could not get an access token from OpenStreetMap',
-                );
-            }
-            // get the OSM user id and display_name
-            const { id, display_name } = await getOSMProfile(accessToken);
-            functions.logger.log('osmuser:', id, display_name);
-            if (id === undefined) {
-                // this should not happen, but help guard against creating
-                // invalid accounts
-                throw new Error('Could not obtain an account id from OSM');
-            }
+export const token = async (req: any, res: any, admin: any) => {
+    const redirect_uri = OAUTH_REDIRECT_URI;
+    const osm_login_link = APP_OSM_LOGIN_DEEPLINK;
+    const client_id = functions.config().osm?.client_id;
+    const client_secret = functions.config().osm?.client_secret;
+    fbToken(redirect_uri, osm_login_link, client_id, client_secret);
+};
 
-            // Create a Firebase account and get the Custom Auth Token.
-            const firebaseToken = await createFirebaseAccount(
-                admin,
-                id,
-                display_name,
-                accessToken,
-            );
-            // build a deep link so we can send the token back to the app
-            // from the browser
-            const signinUrl = `${APP_OSM_LOGIN_DEEPLINK_WEB}?token=${firebaseToken}`;
-            functions.logger.log('redirecting user to', signinUrl);
-            res.redirect(signinUrl);
-        });
-    } catch (error: any) {
-        // FIXME: this should show up in the user's browser as a bit of text
-        // We should figure out the various error codes available and feed them
-        // back into the app to allow the user to take action
-        return res.json({ error: error.toString() });
-    }
+export const tokenweb = async (req: any, res: any, admin: any) => {
+    const redirect_uri = OAUTH_REDIRECT_URI_WEB;
+    const osm_login_link = APP_OSM_LOGIN_DEEPLINK_WEB;
+    const client_id = functions.config().osm?.client_id_web;
+    const client_secret = functions.config().osm?.client_secret_web;
+    fbToken(redirect_uri, osm_login_link, client_id, client_secret);
 };
 
 /**