Generate SSO scaffold

Author: mraerino

README.md

@@ -3,7 +3,3 @@ Netlify Build plugin identity-sso - Protect a site with SSO via identity.
 # Install
 
 Please install this plugin from the Netlify app.
-
-# Configuration
-
-The following `inputs` options are available.

manifest.yml

@@ -1,7 +1 @@
-name: 'netlify-plugin-{{name}}'
-inputs: []
-# Example inputs:
-#  - name: example
-#    description: Example description
-#    default: 5
-#    required: false
+name: 'netlify-plugin-identity-sso'

package-lock.json

@@ -30,7 +30,9 @@
     "ava": "cross-env FORCE_COLOR=1 ava --verbose",
     "release": "release-it"
   },
-  "dependencies": {},
+  "dependencies": {
+    "@iarna/toml": "^2.2.5"
+  },
   "devDependencies": {
     "@netlify/build": "^4.7.2",
     "ava": "^3.13.0",

package.json

@@ -1,3 +1,99 @@
+const fs = require('fs').promises
+const path = require('path')
+const toml = require('@iarna/toml')
+
+/**
+ @typedef {{
+  from: string,
+  to: string,
+  conditions?: {
+    Role?: string[],
+  },
+  status?: number,
+  force?: boolean,
+}} NetlifyRedirect
+*/
+
+/**
+@typedef {{
+   build: {
+     publish: string,
+     functions?: string,
+   },
+   redirects: NetlifyRedirect[],
+ }} NetlifyConfig
+*/
+
+const loginPage = '/_netlify-sso'
+const authFunc = 'sso-auth'
+
+/**
+ * @param {{ config: NetlifyConfig, functionsDir?: string, publishDir?: string }} params
+ */
+async function generateSSO({
+  config /* &mut */,
+  functionsDir = '_netlify_sso_functions',
+  publishDir = '_netlify_sso_publish',
+}) {
+  config.build = {
+    ...config.build,
+    functions: functionsDir,
+    publish: publishDir,
+  }
+
+  await fs.mkdir(functionsDir, { recursive: true })
+  await fs.mkdir(publishDir, { recursive: true })
+
+  const staticFileDir = path.resolve(__dirname, '../static')
+  await fs.copyFile(
+    path.join(staticFileDir, 'sso-login.html'),
+    path.join(publishDir, `${loginPage}.html`),
+  )
+  await fs.copyFile(
+    path.join(staticFileDir, 'sso-auth-function.js'),
+    path.join(functionsDir, `${authFunc}.js`),
+  )
+
+  /** @type {NetlifyRedirect[]} */
+  const gatedRedirects = config.redirects.map((redirect) => ({
+    ...redirect,
+    conditions: {
+      Role: ['netlify'],
+    },
+  }))
+
+  /** @type {NetlifyRedirect[]} */
+  const additionalRedirects = [
+    // Serve content when logged in
+    {
+      from: '/*',
+      to: '/:splat',
+      conditions: {
+        Role: ['netlify'],
+      },
+      // will be set to 200 when there is content
+      // since we don't set `force`
+      status: 404,
+    },
+    // Serve login page on root
+    {
+      from: '/',
+      to: loginPage,
+      status: 401,
+      force: true,
+    },
+    // Redirect to login page otherwise
+    {
+      from: '/*',
+      to: '/',
+      status: 302,
+      force: true,
+    },
+  ]
+
+  config.redirects = [...gatedRedirects, ...additionalRedirects]
+}
+
 module.exports = {
   // The plugin main logic uses `on...` event handlers that are triggered on
   // each new Netlify Build.
@@ -8,35 +104,19 @@ module.exports = {
     // Whole configuration file. For example, content of `netlify.toml`
     netlifyConfig,
     // Build constants
-    constants: {
-      // Directory that contains the deploy-ready HTML files and assets
-      // generated by the build. Its value is always defined, but the target
-      // might not have been created yet.
-      PUBLISH_DIR,
-      // The directory where function source code lives.
-      // `undefined` if not specified by the user.
-      FUNCTIONS_SRC,
-    },
-
-    // Core utilities
-    utils: {
-      // Utility to report errors.
-      // See https://github.com/netlify/build#error-reporting
-      build,
-      // Utility to display information in the deploy summary.
-      // See https://github.com/netlify/build#logging
-      status,
-      // Utility for caching files.
-      // See https://github.com/netlify/build/blob/master/packages/cache-utils/README.md
-      cache,
-      // Utility for running commands.
-      // See https://github.com/netlify/build/blob/master/packages/run-utils/README.md
-      run,
-      // Utility for dealing with modified, created, deleted files since a git commit.
-      // See https://github.com/netlify/build/blob/master/packages/git-utils/README.md
-      git,
-    },
+    constants: { PUBLISH_DIR, FUNCTIONS_SRC },
   }) {
-    
+    console.log('Copying static assets...')
+
+    await generateSSO({
+      config: netlifyConfig,
+      functionsDir: FUNCTIONS_SRC,
+      publishDir: PUBLISH_DIR,
+    })
+    const config_out = toml.stringify(netlifyConfig)
+    await fs.writeFile(
+      path.join(netlifyConfig.build.publish, 'netlify.toml'),
+      config_out,
+    )
   },
 }

src/index.js

@@ -0,0 +1,91 @@
+//@ts-check
+'use strict'
+
+const crypto = require('crypto')
+
+/**
+ * @param {string} base64
+ */
+function cleanupBase64(base64) {
+  return base64.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')
+}
+
+/**
+ * @param {string} token
+ * @param {string} secret
+ * @returns {boolean}
+ */
+function verifyJWS(token, secret) {
+  /** @type {string[]} */
+  const [params, payload, signature] = token.split('.')
+  if (!params || !payload || !signature) {
+    return false
+  }
+
+  // extract first two elements of JWT and sign
+  let signedPayload = [params, payload].join('.')
+  const hmac = crypto.createHmac('sha256', secret)
+  hmac.update(signedPayload)
+  const expected = cleanupBase64(hmac.digest('base64'))
+
+  return expected == signature
+}
+
+/**
+ * @param {{ headers: { [x: string]: any; }; body: string; }} event
+ */
+async function handler(event) {
+  if ('WEBHOOK_SECRET' in process.env) {
+    const signature = event.headers['x-webhook-signature']
+    if (!verifyJWS(signature, process.env.WEBHOOK_SECRET)) {
+      console.log('Webhook signature invalid:', signature)
+      return {
+        statusCode: 401,
+      }
+    }
+  }
+
+  /** @type {{user: { email: string, app_metadata: { roles?: string[]}}}} */
+  let payload = null
+  try {
+    payload = JSON.parse(event.body)
+  } catch (e) {
+    return {
+      statusCode: 400,
+    }
+  }
+  const {
+    user: { email, app_metadata },
+  } = payload
+
+  // User is part of Netlify and already has role
+  const found =
+    app_metadata.roles &&
+    app_metadata.roles.find((r) => r == 'netlify') !== undefined
+
+  if (found) {
+    return {
+      statusCode: 200,
+    }
+  }
+
+  if (email && email.endsWith('@netlify.com')) {
+    console.log('User is part of Netlify without role. assigning...')
+    const roles = (app_metadata && app_metadata.roles) || []
+    const metadata = {
+      ...app_metadata,
+      roles: [...roles, 'netlify'],
+    }
+    return {
+      statusCode: 200,
+      body: JSON.stringify({ app_metadata: metadata }),
+    }
+  }
+
+  console.log('User is not part of Netlify.')
+  return {
+    statusCode: 401,
+  }
+}
+
+exports.handler = handler

static/sso-auth-function.js

@@ -0,0 +1,89 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+
+    <meta property="og:title" content="Netlify Rust Docs" />
+    <meta property="og:description" content="Documentation for x" />
+    <meta property="og:type" content="website" />
+
+    <meta
+      name="viewport"
+      content="width=device-width, initial-scale=1, shrink-to-fit=no, user-scalable=no, viewport-fit=cover"
+    />
+    <meta name="distribution" content="Global" />
+    <meta name="rating" content="General" />
+
+    <title>Netlify Rust Docs</title>
+  </head>
+
+  <body style="margin: 0; width: 100vw; height: 100vh">
+    <div
+      style="
+        display: flex;
+        flex-direction: column;
+        justify-content: center;
+        align-items: center;
+        width: 100%;
+        height: 100%;
+      "
+    >
+      <p>This page is protected. Login below to access it.</p>
+      <button id="login">Login with Google</button>
+      <p id="error-msg"></p>
+    </div>
+
+    <script
+      type="text/javascript"
+      src="https://identity.netlify.com/v1/netlify-identity-widget.js"
+    ></script>
+    <script>
+      const loginBtn = document.querySelector('#login')
+      loginBtn.addEventListener('click', () => {
+        const url = netlifyIdentity.gotrue.loginExternalUrl('google')
+        window.open(url, '_self')
+      })
+
+      const errorMessage = document.getElementById('error-msg')
+      const checkToken = () => {
+        const user = netlifyIdentity.gotrue.currentUser() // refresh user object
+        const d = Date.now()
+        const exp = user.token.expires_at
+        if (d > exp) {
+          console.log(
+            "Your identity session has expired and the token couldn't be refreshed!",
+          )
+          errorMessage.textContent =
+            'Your session has expired. Please login again'
+          user.logout()
+          return
+        }
+
+        console.log('the token is valid')
+        window.open('/', '_self')
+      }
+      const ensureFreshToken = (user) => {
+        user
+          .jwt()
+          .then(() => {
+            setTimeout(checkToken, 100)
+          })
+          .catch((err) => {
+            user.logout()
+            console.error(err)
+          })
+      }
+
+      netlifyIdentity.on('login', (user) => {
+        console.log(user)
+        if (
+          user &&
+          user.app_metadata.roles &&
+          user.app_metadata.roles.includes('netlify')
+        ) {
+          ensureFreshToken(user)
+        }
+      })
+    </script>
+  </body>
+</html>