Merge pull request #43 from microsoftgraph/feature/rich-notifications

Feature/rich notifications

Author: baywet

.gitignore

@@ -123,3 +123,5 @@ typings
 
 # tmp files generated by openssl
 .tmp/
+*.pfx
+*.pem

README.md

@@ -69,6 +69,9 @@ To use the Webhook sample, you need the following:
 
 - [Node.js](https://nodejs.org/) version 10 or 12.
 - A [work or school account](http://dev.office.com/devprogram).
+- [OpenSSL](https://www.openssl.org/source/) when trying change notifications with resource data.
+
+> You can install OpenSSL on windows using [chocolatey](https://chocolatey.org/install) with `choco install openssl -y` (run as administrator).
 
 ## Register the app
 <a name="Register-the-app"></a>
@@ -132,6 +135,7 @@ You'll need the `NGROK_ID` value in the next section.
 
 1. Use a text editor to open `constants.js`.
 1. Replace `ENTER_YOUR_CLIENT_ID` with the client ID of your registered Azure application.
+1. Replace `ENTER_YOUR_TENANT_ID` with the ID of your organization. This information can be found next to the client ID on the application management page.
 1. Replace `ENTER_YOUR_SECRET` with the client secret of your registered Azure application.
 1. Replace `NGROK_ID` with the value in *https public URL* from the previous section.
 ![](const)

constants.js

@@ -2,12 +2,21 @@ exports.adalConfiguration = {
   authority: 'https://login.microsoftonline.com/common',
   clientID: 'ENTER_YOUR_CLIENT_ID',
   clientSecret: 'ENTER_YOUR_SECRET',
+  tenantID: 'ENTER_YOUR_TENANT_ID',
   redirectUri: 'http://localhost:3000/callback'
 };
 
 exports.subscriptionConfiguration = {
   changeType: 'Created',
   notificationUrl: 'https://NGROK_ID.ngrok.io/listen',
   resource: 'me/mailFolders(\'Inbox\')/messages',
-  clientState: 'cLIENTsTATEfORvALIDATION'
+  clientState: 'cLIENTsTATEfORvALIDATION',
+  includeResourceData: false
 };
+
+exports.certificateConfiguration = {
+  certificateId: 'myCertificateId',
+  relativeCertPath: './certificate.pem',
+  relativeKeyPath: './key.pem',
+  password: 'Password123',
+}; // the certificate will be generated during the first subscription creation, production solutions should rely on a certificate store

helpers/certificateHelper.js

@@ -0,0 +1,64 @@
+import pem from 'pem';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+
+function ensureOpenSsl() {
+  if (os.platform() === 'win32') {
+    pem.config({ pathOpenSSL: 'C:/Program Files/OpenSSL-Win64/bin/openssl.exe' });
+  }
+}
+
+export function createSelfSignedCertificateIfNotExists(certPath, keyPath, password) {
+  const certFullPath = path.join(__dirname, certPath);
+  return new Promise((resolve) => {
+    if (!fs.existsSync(certFullPath)) {
+      ensureOpenSsl();
+      pem.createCertificate({ selfSigned: true, serviceKeyPassword: password, days: 365 }, (err, result) => {
+        fs.writeFileSync(certFullPath, result.certificate);
+        fs.writeFileSync(path.join(__dirname, keyPath), result.serviceKey);
+        if (err) {
+          // eslint-disable-next-line no-console
+          console.error(err);
+        }
+        resolve();
+      });
+    } else {
+      resolve();
+    }
+  });
+}
+
+export function getSerializedCertificate(certPath) {
+  const pfx = fs.readFileSync(path.join(__dirname, certPath));
+  const pfxAsString = pfx.toString().replace(/(\r\n|\n|\r|-|BEGIN|END|CERTIFICATE|\s)/gm, '');
+  return pfxAsString;
+}
+
+export function getPrivateKey(keyPath) {
+  const privateKey = fs.readFileSync(path.join(__dirname, keyPath), 'utf8');
+  return privateKey;
+}
+
+export function decryptSymetricKey(base64encodedKey, keyPath) {
+  const asymetricPrivateKey = getPrivateKey(keyPath);
+  const decodedKey = Buffer.from(base64encodedKey, 'base64');
+  const decryptedSymetricKey = crypto.privateDecrypt(asymetricPrivateKey, decodedKey);
+  return decryptedSymetricKey;
+}
+
+export function decryptPayload(base64encodedPayload, decryptedSymetricKey) {
+  const iv = Buffer.alloc(16, 0);
+  decryptedSymetricKey.copy(iv, 0, 0, 16);
+  const decipher = crypto.createDecipheriv('aes-256-cbc', decryptedSymetricKey, iv);
+  let decryptedPayload = decipher.update(base64encodedPayload, 'base64', 'utf8');
+  decryptedPayload += decipher.final('utf8');
+  return decryptedPayload;
+}
+
+export function verifySignature(base64encodedSignature, base64encodedPayload, decryptedSymetricKey) {
+  const hmac = crypto.createHmac('sha256', decryptedSymetricKey);
+  hmac.write(base64encodedPayload, 'base64');
+  return base64encodedSignature === hmac.digest('base64');
+}

helpers/requestHelper.js

@@ -23,7 +23,7 @@ export class SubscriptionManagementService {
 
   async createSubscription(subscriptionCreationInformation) {
     const client = this.getGraphClient();
-    const subscription = await client.api(this.subscriptionPath).create(subscriptionCreationInformation);
+    const subscription = await client.api(this.subscriptionPath).version('beta').create(subscriptionCreationInformation);
     return subscription;
   }
 

helpers/tokenHelper.js

@@ -0,0 +1,31 @@
+import jwt from 'jsonwebtoken';
+import jkwsClient from 'jwks-rsa';
+
+const client = jkwsClient({
+  jwksUri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
+});
+
+export function getKey(header, callback) {
+  client.getSigningKey(header.kid, (err, key) => {
+    var signingKey = key.publicKey || key.rsaPublicKey;
+    callback(null, signingKey);
+  });
+}
+
+export function isTokenValid(token, appId, tenantId) {
+  return new Promise((resolve) => {
+    const options = {
+      audience: [appId],
+      issuer: [`https://sts.windows.net/${tenantId}/`]
+    };
+    jwt.verify(token, getKey, options, (err) => {
+      if (err) {
+        // eslint-disable-next-line no-console
+        console.error(err);
+        resolve(false);
+      } else {
+        resolve(true);
+      }
+    });
+  });
+}

index.js

@@ -8,5 +8,6 @@ createDatabase();
 app.set('port', process.env.PORT || 3000);
 
 const server = app.listen(app.get('port'), () => {
+  // eslint-disable-next-line no-console
   console.log('Express server listening on port ' + server.address().port);
 });