Merge pull request #892 from solid/feature/link-toc

Enabling POD providers to enforce a Terms & Conditions
Merging after @megoth has made a review of the security implications of snyks complaints.

Author: kjetilk

bin/lib/options.js

@@ -334,6 +334,21 @@ module.exports = [
     name: 'server-logo',
     help: 'A logo that represents you, your brand, or your server (not required)',
     prompt: true
+  },
+  {
+    name: 'enforceToc',
+    help: 'Do you want to enforce Terms & Conditions for your service?',
+    flag: true,
+    prompt: true,
+    default: true,
+    when: answers => answers.multiuser
+  },
+  {
+    name: 'tocUri',
+    help: 'URI to your Terms & Conditions',
+    prompt: true,
+    validate: validUri,
+    when: answers => answers.enforceToc
   }
 ]
 

config.json-default

@@ -14,5 +14,7 @@
     "name": "",
     "description": "",
     "logo": ""
-  }
+  },
+  "enforceToc": true,
+  "tocUri": "https://your-toc"
 }

default-views/account/register-form.hbs

@@ -71,6 +71,17 @@
             </span>
           </div>
 
+          {{#if enforceToc}}
+            {{#if tocUri}}
+              <div class="checkbox">
+                <label>
+                  <input type="checkbox" name="acceptToc">
+                  I agree to the <a href="{{tocUri}}" target="_blank">Terms &amp; Conditions</a> of this service
+                </label>
+              </div>
+            {{/if}}
+          {{/if}}
+
 
           <button type="submit" class="btn btn-primary" id="register">Register</button>
 

lib/create-app.js

@@ -123,6 +123,8 @@ function initAppLocals (app, argv, ldp) {
   app.locals.authMethod = argv.auth
   app.locals.localAuth = argv.localAuth
   app.locals.tokenService = new TokenService()
+  app.locals.enforceToc = argv.enforceToc
+  app.locals.tocUri = argv.tocUri
 
   if (argv.email && argv.email.host) {
     app.locals.emailService = new EmailService(argv.templates.email, argv.email)

lib/requests/auth-request.js

@@ -25,6 +25,8 @@ class AuthRequest {
    * @param [options.returnToUrl] {string}
    * @param [options.authQueryParams] {Object} Key/value hashmap of parsed query
    *   parameters that will be passed through to the /authorize endpoint.
+   * @param [options.enforceToc] {boolean} Whether or not to enforce the service provider's T&C
+   * @param [options.tocUri] {string} URI to the service provider's T&C
    */
   constructor (options) {
     this.response = options.response
@@ -34,6 +36,8 @@ class AuthRequest {
     this.returnToUrl = options.returnToUrl
     this.authQueryParams = options.authQueryParams || {}
     this.localAuth = options.localAuth
+    this.enforceToc = options.enforceToc
+    this.tocUri = options.tocUri
   }
 
   /**
@@ -84,6 +88,7 @@ class AuthRequest {
 
     let authQueryParams = AuthRequest.extractAuthParams(req)
     let returnToUrl = AuthRequest.parseParameter(req, 'returnToUrl')
+    const acceptToc = AuthRequest.parseParameter(req, 'acceptToc') === 'true'
 
     let options = {
       response: res,
@@ -92,7 +97,8 @@ class AuthRequest {
       accountManager,
       returnToUrl,
       authQueryParams,
-      localAuth
+      localAuth,
+      acceptToc
     }
 
     return options

lib/requests/create-account-request.js

@@ -27,12 +27,16 @@ class CreateAccountRequest extends AuthRequest {
    * @param [options.response] {HttpResponse}
    * @param [options.returnToUrl] {string} If present, redirect the agent to
    *   this url on successful account creation
+   * @param [options.enforceToc] {boolean} Whether or not to enforce the service provider's T&C
+   * @param [options.tocUri] {string} URI to the service provider's T&C
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
    */
   constructor (options) {
     super(options)
 
     this.username = options.username
     this.userAccount = options.userAccount
+    this.acceptToc = options.acceptToc
   }
 
   /**
@@ -46,7 +50,7 @@ class CreateAccountRequest extends AuthRequest {
    *   `userAccountFrom()`), or it encounters an unsupported authentication
    *   scheme.
    *
-   * @return {CreateAccountRequest|CreateTlsAccountRequest}
+   * @return {CreateOidcAccountRequest|CreateTlsAccountRequest}
    */
   static fromParams (req, res) {
     let options = AuthRequest.requestOptions(req, res)
@@ -62,6 +66,9 @@ class CreateAccountRequest extends AuthRequest {
       options.userAccount = accountManager.userAccountFrom(body)
     }
 
+    options.enforceToc = locals.enforceToc
+    options.tocUri = locals.tocUri
+
     switch (authMethod) {
       case 'oidc':
         options.password = body.password
@@ -74,13 +81,15 @@ class CreateAccountRequest extends AuthRequest {
     }
   }
 
-  static post (req, res) {
+  static async post (req, res) {
     let request = CreateAccountRequest.fromParams(req, res)
 
-    return Promise.resolve()
-      .then(() => request.validate())
-      .then(() => request.createAccount())
-      .catch(error => request.error(error))
+    try {
+      request.validate()
+      await request.createAccount()
+    } catch (error) {
+      request.error(error)
+    }
   }
 
   static get (req, res) {
@@ -97,13 +106,14 @@ class CreateAccountRequest extends AuthRequest {
   renderForm (error) {
     let authMethod = this.accountManager.authMethod
 
-    let params = Object.assign({}, this.authQueryParams,
-      {
-        returnToUrl: this.returnToUrl,
-        loginUrl: this.loginUrl(),
-        registerDisabled: authMethod === 'tls',
-        multiuser: this.accountManager.multiuser
-      })
+    let params = Object.assign({}, this.authQueryParams, {
+      enforceToc: this.enforceToc,
+      loginUrl: this.loginUrl(),
+      multiuser: this.accountManager.multiuser,
+      registerDisabled: authMethod === 'tls',
+      returnToUrl: this.returnToUrl,
+      tocUri: this.tocUri
+    })
 
     if (error) {
       params.error = error.message
@@ -244,6 +254,7 @@ class CreateOidcAccountRequest extends CreateAccountRequest {
    *
    * @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
    * @param [options.password] {string} Password, as entered by the user at signup
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
    */
   constructor (options) {
     super(options)
@@ -271,6 +282,12 @@ class CreateOidcAccountRequest extends CreateAccountRequest {
       error.statusCode = 400
       throw error
     }
+
+    if (this.enforceToc && !this.acceptToc) {
+      error = new Error('Accepting Terms & Conditions is required for this service')
+      error.statusCode = 400
+      throw error
+    }
   }
 
   /**
@@ -310,6 +327,7 @@ class CreateTlsAccountRequest extends CreateAccountRequest {
    *
    * @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
    * @param [options.spkac] {string}
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
    */
   constructor (options) {
     super(options)
@@ -319,7 +337,7 @@ class CreateTlsAccountRequest extends CreateAccountRequest {
   }
 
   /**
-   * Validates the Login request (makes sure required parameters are present),
+   * Validates the Signup request (makes sure required parameters are present),
    * and throws an error if not.
    *
    * @throws {Error} If missing required params
@@ -332,6 +350,12 @@ class CreateTlsAccountRequest extends CreateAccountRequest {
       error.statusCode = 400
       throw error
     }
+
+    if (this.enforceToc && !this.acceptToc) {
+      error = new Error('Accepting Terms & Conditions is required for this service')
+      error.statusCode = 400
+      throw error
+    }
   }
 
   /**

test/integration/account-creation-oidc-test.js

@@ -8,15 +8,17 @@ const path = require('path')
 const fs = require('fs-extra')
 
 describe('AccountManager (OIDC account creation tests)', function () {
-  var serverUri = 'https://localhost:3457'
-  var host = 'localhost:3457'
-  var ldpHttpsServer
-  let rootPath = path.join(__dirname, '../resources/accounts/')
-  let configPath = path.join(__dirname, '../resources/config')
-  let dbPath = path.join(__dirname, '../resources/accounts/db')
+  const port = 3457
+  const serverUri = `https://localhost:${port}`
+  const host = `localhost:${port}`
+  const root = path.join(__dirname, '../resources/accounts/')
+  const configPath = path.join(__dirname, '../resources/config')
+  const dbPath = path.join(__dirname, '../resources/accounts/db')
+
+  let ldpHttpsServer
 
   var ldp = ldnode.createServer({
-    root: rootPath,
+    root,
     configPath,
     sslKey: path.join(__dirname, '../keys/key.pem'),
     sslCert: path.join(__dirname, '../keys/cert.pem'),
@@ -25,19 +27,20 @@ describe('AccountManager (OIDC account creation tests)', function () {
     multiuser: true,
     strictOrigin: true,
     dbPath,
-    serverUri
+    serverUri,
+    enforceToc: true
   })
 
   before(checkDnsSettings)
 
   before(function (done) {
-    ldpHttpsServer = ldp.listen(3457, done)
+    ldpHttpsServer = ldp.listen(port, done)
   })
 
   after(function () {
     if (ldpHttpsServer) ldpHttpsServer.close()
     fs.removeSync(path.join(dbPath, 'oidc/users/users'))
-    cleanDir(path.join(rootPath, 'localhost'))
+    cleanDir(path.join(root, 'localhost'))
   })
 
   var server = supertest(serverUri)
@@ -93,45 +96,52 @@ describe('AccountManager (OIDC account creation tests)', function () {
     it('should not create a WebID if it already exists', function (done) {
       var subdomain = supertest('https://nicola.' + host)
       subdomain.post('/api/accounts/new')
-        .send('username=nicola&password=12345')
+        .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
         .end((err, res) => {
           if (err) {
             return done(err)
           }
           subdomain.post('/api/accounts/new')
-            .send('username=nicola&password=12345')
+            .send('username=nicola&password=12345&acceptToc=true')
             .expect(400)
             .end((err) => {
               done(err)
             })
         })
     })
 
+    it('should not create WebID if T&C is not accepted', (done) => {
+      let subdomain = supertest('https://nicola.' + host)
+      subdomain.post('/api/accounts/new')
+        .send('username=nicola&password=12345&acceptToc=false')
+        .expect(400, done)
+    })
+
     it('should create the default folders', function (done) {
       var subdomain = supertest('https://nicola.' + host)
       subdomain.post('/api/accounts/new')
-        .send('username=nicola&password=12345')
+        .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
         .end(function (err) {
           if (err) {
             return done(err)
           }
           var domain = host.split(':')[0]
           var card = read(path.join('accounts/nicola.' + domain,
-           'profile/card'))
+            'profile/card'))
           var cardAcl = read(path.join('accounts/nicola.' + domain,
-           'profile/card.acl'))
+            'profile/card.acl'))
           var prefs = read(path.join('accounts/nicola.' + domain,
-           'settings/prefs.ttl'))
+            'settings/prefs.ttl'))
           var inboxAcl = read(path.join('accounts/nicola.' + domain,
-           'inbox/.acl'))
+            'inbox/.acl'))
           var rootMeta = read(path.join('accounts/nicola.' + domain, '.meta'))
           var rootMetaAcl = read(path.join('accounts/nicola.' + domain,
-           '.meta.acl'))
+            '.meta.acl'))
 
           if (domain && card && cardAcl && prefs && inboxAcl && rootMeta &&
-             rootMetaAcl) {
+            rootMetaAcl) {
             done()
           } else {
             done(new Error('failed to create default files'))
@@ -142,7 +152,7 @@ describe('AccountManager (OIDC account creation tests)', function () {
     it('should link WebID to the root account', function (done) {
       var subdomain = supertest('https://nicola.' + host)
       subdomain.post('/api/accounts/new')
-        .send('username=nicola&password=12345')
+        .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
         .end(function (err) {
           if (err) {
@@ -236,3 +246,46 @@ describe('Single User signup page', () => {
       .end(done)
   })
 })
+
+describe('Signup page where Terms & Conditions are not being enforced', () => {
+  const port = 3457
+  const host = `localhost:${port}`
+  const root = path.join(__dirname, '../resources/accounts/')
+  const configPath = path.join(__dirname, '../resources/config')
+  const dbPath = path.join(__dirname, '../resources/accounts/db')
+  const ldp = ldnode.createServer({
+    port,
+    root,
+    configPath,
+    sslKey: path.join(__dirname, '../keys/key.pem'),
+    sslCert: path.join(__dirname, '../keys/cert.pem'),
+    auth: 'oidc',
+    webid: true,
+    multiuser: true,
+    strictOrigin: true,
+    enforceToc: false
+  })
+  let ldpHttpsServer
+
+  before(function (done) {
+    ldpHttpsServer = ldp.listen(port, done)
+  })
+
+  after(function () {
+    if (ldpHttpsServer) ldpHttpsServer.close()
+    fs.removeSync(path.join(dbPath, 'oidc/users/users'))
+    cleanDir(path.join(root, 'localhost'))
+    rm('accounts/nicola.localhost')
+  })
+
+  beforeEach(function () {
+    rm('accounts/nicola.localhost')
+  })
+
+  it('should not enforce T&C upon creating account', function (done) {
+    var subdomain = supertest('https://nicola.' + host)
+    subdomain.post('/api/accounts/new')
+      .send('username=nicola&password=12345')
+      .expect(302, done)
+  })
+})