Added notes to oauth code for future improvements

no issue
2025-02-10 23:36:14 -05:00 · 2021-05-14 12:10:27 +02:00 · 2021-05-14 12:10:27 +02:00 · 14cae4b154
commit 14cae4b154
parent 02ea81fdda
1 changed files with 22 additions and 0 deletions
--- a/core/server/web/oauth/app.js
+++ b/core/server/web/oauth/app.js
@ -25,27 +25,45 @@ module.exports = function setupOAuthApp() {
    // send 503 json response in case of maintenance
    oauthApp.use(shared.middlewares.maintenance);

+    /**
+     * Configure the passport.authenticate middleware
+     * We need to configure it on each request because clientId and secret
+     * will change (when the Owner is changing these settings)
+     */
    function googleOAuthMiddleware(clientId, secret) {
        return (req, res, next) => {
+            // TODO: use url config instead of the string /ghost
+
+            //Create the callback url to be sent to Google
            const callbackUrl = new URL(urlUtils.getSiteUrl());
            callbackUrl.pathname = '/ghost/oauth/google/callback';
+
            passport.authenticate(new GoogleStrategy({
                clientID: clientId,
                clientSecret: secret,
                callbackURL: callbackUrl.href
            }, async function (accessToken, refreshToken, profile) {
+                // This is the verify function that checks that a Google-authenticated user
+                // is matching one of our users (or invite).
+
                if (req.user) {
+                    // CASE: the user already has an active Ghost session
                    const emails = profile.emails.filter(email => email.verified === true).map(email => email.value);

                    if (!emails.includes(req.user.get('email'))) {
                        return res.redirect('/ghost/#/staff/?message=oauth-linking-failed');
                    }

+                    // TODO: configure the oauth data for this user (row in the oauth table)
+
                    //Associate logged-in user with oauth account
                    req.user.set('password', randomPassword());
                    await req.user.save();
                } else {
+                    // CASE: the user is logging-in or accepting an invite
+
                    //Find user in DB and log-in
+                    //TODO: instead find the oauth row with the email use the provider id
                    const emails = profile.emails.filter(email => email.verified === true);
                    if (emails.length < 1) {
                        return res.redirect('/ghost/#/signin?message=login-failed');
@ -57,6 +75,8 @@ module.exports = function setupOAuthApp() {
                    });

                    if (!user) {
+                        // CASE: the user is accepting an invite
+                        // TODO: move this code in the invitations service
                        const options = {context: {internal: true}};
                        let invite = await models.Invite.findOne({email, status: 'sent'}, options);

@ -73,6 +93,8 @@ module.exports = function setupOAuthApp() {
                        }, options);

                        await invite.destroy(options);
+
+                        // TODO: create an oauth model link to user
                    }

                    req.user = user;