- improves certificate generation flow

- adds support for rich notifications E2E
- updates unit test to check for tenant ID

Author: baywet

constants.js

@@ -2,12 +2,21 @@ exports.adalConfiguration = {
   authority: 'https://login.microsoftonline.com/common',
   clientID: 'ENTER_YOUR_CLIENT_ID',
   clientSecret: 'ENTER_YOUR_SECRET',
+  tenantID: 'ENTER_YOUR_TENANT_ID',
   redirectUri: 'http://localhost:3000/callback'
 };
 
 exports.subscriptionConfiguration = {
   changeType: 'Created',
   notificationUrl: 'https://NGROK_ID.ngrok.io/listen',
   resource: 'me/mailFolders(\'Inbox\')/messages',
-  clientState: 'cLIENTsTATEfORvALIDATION'
+  clientState: 'cLIENTsTATEfORvALIDATION',
+  includeResourceData: false
 };
+
+exports.certificateConfiguration = {
+  certificateId: 'myCertificateId',
+  relativeCertPath: './certificate.pem',
+  relativeKeyPath: './key.pem',
+  password: 'Password123',
+}; // the certificate will be generated during the first subscription creation, production solutions should rely on a certificate store

helpers/certificateHelper.js

@@ -10,14 +10,22 @@ function ensureOpenSsl() {
   }
 }
 
-export function createSelfSignedCertificate(certPath, keyPath, password) {
-  ensureOpenSsl();
-  pem.createCertificate({ selfSigned: true, serviceKeyPassword: password, days: 365 }, (err, result) => {
-    fs.writeFileSync(path.join(__dirname, certPath), result.certificate);
-    fs.writeFileSync(path.join(__dirname, keyPath), result.serviceKey);
-    if (err) {
-      // eslint-disable-next-line no-console
-      console.error(err);
+export function createSelfSignedCertificateIfNotExists(certPath, keyPath, password) {
+  const certFullPath = path.join(__dirname, certPath);
+  return new Promise((resolve) => {
+    if (!fs.existsSync(certFullPath)) {
+      ensureOpenSsl();
+      pem.createCertificate({ selfSigned: true, serviceKeyPassword: password, days: 365 }, (err, result) => {
+        fs.writeFileSync(certFullPath, result.certificate);
+        fs.writeFileSync(path.join(__dirname, keyPath), result.serviceKey);
+        if (err) {
+          // eslint-disable-next-line no-console
+          console.error(err);
+        }
+        resolve();
+      });
+    } else {
+      resolve();
     }
   });
 }

routes/auth.js

@@ -3,7 +3,8 @@ import express from 'express';
 import { getSubscription, saveSubscription, deleteSubscription } from '../helpers/dbHelper';
 import { getAuthUrl, getTokenFromCode } from '../helpers/authHelper';
 import { SubscriptionManagementService } from '../helpers/requestHelper';
-import { subscriptionConfiguration } from '../constants';
+import { subscriptionConfiguration, certificateConfiguration } from '../constants';
+import { getSerializedCertificate, createSelfSignedCertificateIfNotExists } from '../helpers/certificateHelper';
 
 export const authRouter = express.Router();
 
@@ -23,12 +24,18 @@ authRouter.get('/signin', (req, res) => {
 authRouter.get('/callback', (req, res, next) => {
   getTokenFromCode(req.query.code, async (authenticationError, token) => {
     if (token) {
-      // Request this subscription to expire one day from now.
-      // Note: 1 day = 86400000 milliseconds
-      subscriptionConfiguration.expirationDateTime = new Date(Date.now() + 86400000).toISOString();
+      // Request this subscription to expire one hour from now.
+      // Note: 1 hour = 3600000 milliseconds
+      subscriptionConfiguration.expirationDateTime = new Date(Date.now() + 3600000).toISOString();
 
       try {
         const subscriptionService = new SubscriptionManagementService(token.accessToken);
+        if (subscriptionConfiguration.includeResourceData) {
+          // we're registering a subscription for notifications with resource data and must attach certificate information to get the data
+          await createSelfSignedCertificateIfNotExists(certificateConfiguration.relativeCertPath, certificateConfiguration.relativeKeyPath, certificateConfiguration.password);
+          subscriptionConfiguration.encryptionCertificate = getSerializedCertificate(certificateConfiguration.relativeCertPath);
+          subscriptionConfiguration.encryptionCertificateId = certificateConfiguration.certificateId;
+        }
         const subscriptionData = await subscriptionService.createSubscription(subscriptionConfiguration);
 
         subscriptionData.userId = token.userId;

routes/listen.js

@@ -4,12 +4,14 @@ import http from 'http';
 import { ioServer } from '../helpers/socketHelper';
 import { SubscriptionManagementService } from '../helpers/requestHelper';
 import { getSubscription } from '../helpers/dbHelper';
-import { subscriptionConfiguration } from '../constants';
+import { subscriptionConfiguration, certificateConfiguration, adalConfiguration } from '../constants';
+import { decryptSymetricKey, decryptPayload, verifySignature } from '../helpers/certificateHelper';
+import { isTokenValid } from '../helpers/tokenHelper';
 
 export const listenRouter = express.Router();
 
 /* Default listen route */
-listenRouter.post('/', (req, res, next) => {
+listenRouter.post('/', async (req, res, next) => {
   let status;
   let clientStatesValid;
 
@@ -37,17 +39,39 @@ listenRouter.post('/', (req, res, next) => {
       }
     }
 
+    // if we're receiving notifications with resource data we have to validate the origin of the request by validating the tokens
+    let areTokensValid = true;
+    if (req.body.validationTokens) {
+      const validationResults = await Promise.all(req.body.validationTokens.map((x) => isTokenValid(x, adalConfiguration.clientID, adalConfiguration.tenantID)));
+      areTokensValid = validationResults.reduce((x, y) => x && y);
+    }
+
     // If all the clientStates are valid, then process the notification
-    if (clientStatesValid) {
+    if (clientStatesValid && areTokensValid) {
       for (let i = 0; i < req.body.value.length; i++) {
         const resource = req.body.value[i].resource;
         const subscriptionId = req.body.value[i].subscriptionId;
-        processNotification(subscriptionId, resource, res, next);
+
+        if (req.body.value[i].encryptedContent) {
+          // we have a notification with resource data, let's decrypt the enclosed data
+          // eslint-disable-next-line no-loop-func
+          const decryptedSymetricKey = decryptSymetricKey(req.body.value[i].encryptedContent.dataKey, certificateConfiguration.relativeKeyPath);
+          const isSignatureValid = verifySignature(req.body.value[i].encryptedContent.dataSignature, req.body.value[i].encryptedContent.data, decryptedSymetricKey);
+          if (isSignatureValid) {
+            // the signature is valid, data hasn't been tampered with. We can proceed to displaying the data
+            const decryptedPayload = decryptPayload(req.body.value[i].encryptedContent.data, decryptedSymetricKey);
+            emitNotification(subscriptionId, decryptedPayload);
+          } // otherwise data is invalid, ignore it
+        } else {
+          // we have a plain notification that doesn't contain data, let's call Microsoft Graph to get the resource data
+          processNotification(subscriptionId, resource, res, next);
+        }
       }
       // Send a status of 'Accepted'
       status = 202;
     } else {
       // Since the clientState field doesn't have the expected value,
+      // or the validation tokens are invalid for notifications with data
       // this request might NOT come from Microsoft Graph.
       // However, you should still return the same status that you'd
       // return to Microsoft Graph to not alert possible impostors
@@ -58,16 +82,20 @@ listenRouter.post('/', (req, res, next) => {
   res.status(status).end(http.STATUS_CODES[status]);
 });
 
+function emitNotification(subscriptionId, data) {
+  ioServer.to(subscriptionId).emit('notification_received', data);
+}
+
 // Get subscription data from the database
-// Retrieve the actual mail message data from Office 365.
+// Retrieve the entity from Microsoft Graph.
 // Send the message data to the socket.
 function processNotification(subscriptionId, resource, res, next) {
   getSubscription(subscriptionId, async (dbError, subscriptionData) => {
     if (subscriptionData) {
       try {
         const subscriptionManagementService = new SubscriptionManagementService(subscriptionData.accessToken);
         const endpointData = await subscriptionManagementService.getData(resource);
-        ioServer.to(subscriptionId).emit('notification_received', endpointData);
+        emitNotification(subscriptionId, endpointData);
       } catch (requestError) {
         res.status(500);
         next(requestError);

tests/confTest.js

@@ -3,11 +3,11 @@ var conf = require('../constants');
 
 describe('ADAL', function () { // eslint-disable-line no-undef
   it( // eslint-disable-line no-undef
-    'Checking clientID and clientSecret in constants.js',
+    'Checking clientID, clientSecret and tenantID in constants.js',
     function () {
       assert(
         isADALConfigured(conf.adalConfiguration),
-        '\nRegister clientID and clientSecret in file constants.js.\n'
+        '\nRegister clientID. clientSecret, tenantID in file constants.js.\n'
         + 'You don\'t have them? Get them by using the Office 365 app registration tool\n'
         + 'http://dev.office.com/app-registration\n'
         + 'App type: Web App\n'
@@ -37,12 +37,16 @@ function isADALConfigured(configuration) {
     && configuration.clientID !== null
     && configuration.clientID !== ''
     && configuration.clientID !== 'ENTER_YOUR_CLIENT_ID';
+  var tenantIDConfigured = typeof (configuration.tenantID) !== 'undefined'
+    && configuration.tenantID !== null
+    && configuration.tenantID !== ''
+    && configuration.tenantID !== 'ENTER_YOUR_TENANT_ID';
   var clientSecretConfigured = typeof (configuration.clientSecret) !== 'undefined'
     && configuration.clientSecret !== null
     && configuration.clientSecret !== ''
     && configuration.clientSecret !== 'ENTER_YOUR_SECRET';
 
-  return clientIDConfigured && clientSecretConfigured;
+  return clientIDConfigured && clientSecretConfigured && tenantIDConfigured;
 }
 
 function isSubscriptionConfigured(configuration) {