yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-09-27 01:09:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20634 from strapi/enh/u-p-provider-registration

Browse Source 
enhancement: add a way to register a u&p provider
This commit is contained in:
Alexandre BODIN 2024-07-02 09:39:34 +02:00 committed by GitHub
commit d1acea1041
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 495 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
packages/plugins/users-permissions/server/bootstrap/grant-config.js
View File

@ -1,140 +0,0 @@
'use strict';
module.exports = (baseURL) => ({
email: {
enabled: true,
icon: 'envelope',
},
discord: {
enabled: false,
icon: 'discord',
key: '',
secret: '',
callback: `${baseURL}/discord/callback`,
scope: ['identify', 'email'],
},
facebook: {
enabled: false,
icon: 'facebook-square',
key: '',
secret: '',
callback: `${baseURL}/facebook/callback`,
scope: ['email'],
},
google: {
enabled: false,
icon: 'google',
key: '',
secret: '',
callback: `${baseURL}/google/callback`,
scope: ['email'],
},
github: {
enabled: false,
icon: 'github',
key: '',
secret: '',
callback: `${baseURL}/github/callback`,
scope: ['user', 'user:email'],
},
microsoft: {
enabled: false,
icon: 'windows',
key: '',
secret: '',
callback: `${baseURL}/microsoft/callback`,
scope: ['user.read'],
},
twitter: {
enabled: false,
icon: 'twitter',
key: '',
secret: '',
callback: `${baseURL}/twitter/callback`,
},
instagram: {
enabled: false,
icon: 'instagram',
key: '',
secret: '',
callback: `${baseURL}/instagram/callback`,
scope: ['user_profile'],
},
vk: {
enabled: false,
icon: 'vk',
key: '',
secret: '',
callback: `${baseURL}/vk/callback`,
scope: ['email'],
},
twitch: {
enabled: false,
icon: 'twitch',
key: '',
secret: '',
callback: `${baseURL}/twitch/callback`,
scope: ['user:read:email'],
},
linkedin: {
enabled: false,
icon: 'linkedin',
key: '',
secret: '',
callback: `${baseURL}/linkedin/callback`,
scope: ['r_liteprofile', 'r_emailaddress'],
},
cognito: {
enabled: false,
icon: 'aws',
key: '',
secret: '',
subdomain: 'my.subdomain.com',
callback: `${baseURL}/cognito/callback`,
scope: ['email', 'openid', 'profile'],
},
reddit: {
enabled: false,
icon: 'reddit',
key: '',
secret: '',
state: true,
callback: `${baseURL}/reddit/callback`,
scope: ['identity'],
},
auth0: {
enabled: false,
icon: '',
key: '',
secret: '',
subdomain: 'my-tenant.eu',
callback: `${baseURL}/auth0/callback`,
scope: ['openid', 'email', 'profile'],
},
cas: {
enabled: false,
icon: 'book',
key: '',
secret: '',
callback: `${baseURL}/cas/callback`,
scope: ['openid email'], // scopes should be space delimited
subdomain: 'my.subdomain.com/cas',
},
patreon: {
enabled: false,
icon: '',
key: '',
secret: '',
callback: `${baseURL}/patreon/callback`,
scope: ['identity', 'identity[email]'],
},
keycloak: {
enabled: false,
icon: '',
key: '',
secret: '',
subdomain: 'myKeycloakProvider.com/realms/myrealm',
callback: `${baseURL}/keycloak/callback`,
scope: ['openid', 'email', 'profile'],
},
});

22
packages/plugins/users-permissions/server/bootstrap/index.js
View File

@ -9,22 +9,26 @@
*/ */
const crypto = require('crypto'); const crypto = require('crypto');
const _ = require('lodash'); const _ = require('lodash');
const urljoin = require('url-join');
const { getService } = require('../utils'); const { getService } = require('../utils');
const getGrantConfig = require('./grant-config');
const usersPermissionsActions = require('./users-permissions-actions'); const usersPermissionsActions = require('./users-permissions-actions');
const initGrant = async (pluginStore) => { const initGrant = async (pluginStore) => {
const apiPrefix = strapi.config.get('api.rest.prefix'); const allProviders = getService('providers-registry').getAll();
const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
const grantConfig = getGrantConfig(baseURL); const grantConfig = Object.entries(allProviders).reduce((acc, [name, provider]) => {
const { icon, enabled, grantConfig } = provider;
acc[name] = {
icon,
enabled,
...grantConfig,
};
return acc;
}, {});
const prevGrantConfig = (await pluginStore.get({ key: 'grant' })) || {}; const prevGrantConfig = (await pluginStore.get({ key: 'grant' })) || {};
// store grant auth config to db
// when plugin_users-permissions_grant is not existed in db if (!prevGrantConfig || !_.isEqual(prevGrantConfig, grantConfig)) {
// or we have added/deleted provider here.
if (!prevGrantConfig || !_.isEqual(_.keys(prevGrantConfig), _.keys(grantConfig))) {
// merge with the previous provider config. // merge with the previous provider config.
_.keys(grantConfig).forEach((key) => { _.keys(grantConfig).forEach((key) => {
if (key in prevGrantConfig) { if (key in prevGrantConfig) {

770
packages/plugins/users-permissions/server/services/providers-registry.js
View File

@ -2,6 +2,7 @@
const { strict: assert } = require('assert'); const { strict: assert } = require('assert');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const urljoin = require('url-join');
const jwkToPem = require('jwk-to-pem'); const jwkToPem = require('jwk-to-pem');
const getCognitoPayload = async ({ idToken, jwksUrl, purest }) => { const getCognitoPayload = async ({ idToken, jwksUrl, purest }) => {
@ -45,330 +46,519 @@ const getCognitoPayload = async ({ idToken, jwksUrl, purest }) => {
} }
}; };
const getInitialProviders = ({ purest }) => ({ const initProviders = ({ baseURL, purest }) => ({
async discord({ accessToken }) { email: {
const discord = purest({ provider: 'discord' }); enabled: true,
icon: 'envelope',
grantConfig: {},
},
discord: {
enabled: false,
icon: 'discord',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/discord/callback`,
scope: ['identify', 'email'],
},
async authCallback({ accessToken }) {
const discord = purest({ provider: 'discord' });
return discord return discord
.get('users/@me') .get('users/@me')
.auth(accessToken) .auth(accessToken)
.request() .request()
.then(({ body }) => { .then(({ body }) => {
// Combine username and discriminator because discord username is not unique // Combine username and discriminator because discord username is not unique
const username = `${body.username}#${body.discriminator}`; const username = `${body.username}#${body.discriminator}`;
return { return {
username, username,
email: body.email,
};
});
},
},
facebook: {
enabled: false,
icon: 'facebook-square',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/facebook/callback`,
scope: ['email'],
},
async authCallback({ accessToken }) {
const facebook = purest({ provider: 'facebook' });
return facebook
.get('me')
.auth(accessToken)
.qs({ fields: 'name,email' })
.request()
.then(({ body }) => ({
username: body.name,
email: body.email, email: body.email,
}; }));
}); },
}, },
async cognito({ query, providers }) { google: {
const jwksUrl = new URL(providers.cognito.jwksurl); enabled: false,
const idToken = query.id_token; icon: 'google',
const tokenPayload = await getCognitoPayload({ idToken, jwksUrl, purest }); grantConfig: {
return { key: '',
username: tokenPayload['cognito:username'], secret: '',
email: tokenPayload.email, callbackUrl: `${baseURL}/google/callback`,
}; scope: ['email'],
}, },
async facebook({ accessToken }) { async authCallback({ accessToken }) {
const facebook = purest({ provider: 'facebook' }); const google = purest({ provider: 'google' });
return facebook return google
.get('me') .query('oauth')
.auth(accessToken) .get('tokeninfo')
.qs({ fields: 'name,email' }) .qs({ accessToken })
.request() .request()
.then(({ body }) => ({ .then(({ body }) => ({
username: body.name, username: body.email.split('@')[0],
email: body.email, email: body.email,
})); }));
},
}, },
async google({ accessToken }) { github: {
const google = purest({ provider: 'google' }); enabled: false,
icon: 'github',
return google grantConfig: {
.query('oauth') key: '',
.get('tokeninfo') secret: '',
.qs({ accessToken }) callbackUrl: `${baseURL}/github/callback`,
.request() scope: ['user', 'user:email'],
.then(({ body }) => ({ },
username: body.email.split('@')[0], async authCallback({ accessToken }) {
email: body.email, const github = purest({
})); provider: 'github',
}, defaults: {
async github({ accessToken }) { headers: {
const github = purest({ 'user-agent': 'strapi',
provider: 'github', },
defaults: {
headers: {
'user-agent': 'strapi',
}, },
}, });
});
const { body: userBody } = await github.get('user').auth(accessToken).request(); const { body: userBody } = await github.get('user').auth(accessToken).request();
// This is the public email on the github profile
if (userBody.email) {
return {
username: userBody.login,
email: userBody.email,
};
}
// Get the email with Github's user/emails API
const { body: emailBody } = await github.get('user/emails').auth(accessToken).request();
// This is the public email on the github profile
if (userBody.email) {
return { return {
username: userBody.login, username: userBody.login,
email: userBody.email, email: Array.isArray(emailBody)
? emailBody.find((email) => email.primary === true).email
: null,
}; };
} },
// Get the email with Github's user/emails API
const { body: emailBody } = await github.get('user/emails').auth(accessToken).request();
return {
username: userBody.login,
email: Array.isArray(emailBody)
? emailBody.find((email) => email.primary === true).email
: null,
};
}, },
async microsoft({ accessToken }) { microsoft: {
const microsoft = purest({ provider: 'microsoft' }); enabled: false,
icon: 'windows',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/microsoft/callback`,
scope: ['user.read'],
},
async authCallback({ accessToken }) {
const microsoft = purest({ provider: 'microsoft' });
return microsoft return microsoft
.get('me') .get('me')
.auth(accessToken) .auth(accessToken)
.request() .request()
.then(({ body }) => ({ .then(({ body }) => ({
username: body.userPrincipalName, username: body.userPrincipalName,
email: body.userPrincipalName, email: body.userPrincipalName,
})); }));
},
}, },
async twitter({ accessToken, query, providers }) {
const twitter = purest({
provider: 'twitter',
defaults: {
oauth: {
consumer_key: providers.twitter.key,
consumer_secret: providers.twitter.secret,
},
},
});
return twitter twitter: {
.get('account/verify_credentials') enabled: false,
.auth(accessToken, query.access_secret) icon: 'twitter',
.qs({ screen_name: query['raw[screen_name]'], include_email: 'true' }) grantConfig: {
.request() key: '',
.then(({ body }) => ({ secret: '',
username: body.screen_name, callbackUrl: `${baseURL}/twitter/callback`,
email: body.email, },
})); async authCallback({ accessToken, query, providers }) {
}, const twitter = purest({
async instagram({ accessToken }) { provider: 'twitter',
const instagram = purest({ provider: 'instagram' }); defaults: {
oauth: {
return instagram consumer_key: providers.twitter.key,
.get('me') consumer_secret: providers.twitter.secret,
.auth(accessToken)
.qs({ fields: 'id,username' })
.request()
.then(({ body }) => ({
username: body.username,
email: `${body.username}@strapi.io`, // dummy email as Instagram does not provide user email
}));
},
async vk({ accessToken, query }) {
const vk = purest({ provider: 'vk' });
return vk
.get('users')
.auth(accessToken)
.qs({ id: query.raw.user_id, v: '5.122' })
.request()
.then(({ body }) => ({
username: `${body.response[0].last_name} ${body.response[0].first_name}`,
email: query.raw.email,
}));
},
async twitch({ accessToken, providers }) {
const twitch = purest({
provider: 'twitch',
config: {
twitch: {
default: {
origin: 'https://api.twitch.tv',
path: 'helix/{path}',
headers: {
Authorization: 'Bearer {auth}',
'Client-Id': '{auth}',
},
}, },
}, },
},
});
return twitch
.get('users')
.auth(accessToken, providers.twitch.key)
.request()
.then(({ body }) => ({
username: body.data[0].login,
email: body.data[0].email,
}));
},
async linkedin({ accessToken }) {
const linkedIn = purest({ provider: 'linkedin' });
const {
body: { localizedFirstName },
} = await linkedIn.get('me').auth(accessToken).request();
const {
body: { elements },
} = await linkedIn
.get('emailAddress?q=members&projection=(elements*(handle~))')
.auth(accessToken)
.request();
const email = elements[0]['handle~'];
return {
username: localizedFirstName,
email: email.emailAddress,
};
},
async reddit({ accessToken }) {
const reddit = purest({
provider: 'reddit',
config: {
reddit: {
default: {
origin: 'https://oauth.reddit.com',
path: 'api/{version}/{path}',
version: 'v1',
headers: {
Authorization: 'Bearer {auth}',
'user-agent': 'strapi',
},
},
},
},
});
return reddit
.get('me')
.auth(accessToken)
.request()
.then(({ body }) => ({
username: body.name,
email: `${body.name}@strapi.io`, // dummy email as Reddit does not provide user email
}));
},
async auth0({ accessToken, providers }) {
const auth0 = purest({ provider: 'auth0' });
return auth0
.get('userinfo')
.subdomain(providers.auth0.subdomain)
.auth(accessToken)
.request()
.then(({ body }) => {
const username = body.username || body.nickname || body.name || body.email.split('@')[0];
const email = body.email || `${username.replace(/\s+/g, '.')}@strapi.io`;
return {
username,
email,
};
}); });
},
async cas({ accessToken, providers }) {
const cas = purest({ provider: 'cas' });
return cas return twitter
.get('oidc/profile') .get('account/verify_credentials')
.subdomain(providers.cas.subdomain) .auth(accessToken, query.access_secret)
.auth(accessToken) .qs({ screen_name: query['raw[screen_name]'], include_email: 'true' })
.request() .request()
.then(({ body }) => { .then(({ body }) => ({
// CAS attribute may be in body.attributes or "FLAT", depending on CAS config username: body.screen_name,
const username = body.attributes
? body.attributes.strapiusername || body.id || body.sub
: body.strapiusername || body.id || body.sub;
const email = body.attributes
? body.attributes.strapiemail || body.attributes.email
: body.strapiemail || body.email;
if (!username || !email) {
strapi.log.warn(
`CAS Response Body did not contain required attributes: ${JSON.stringify(body)}`
);
}
return {
username,
email,
};
});
},
async patreon({ accessToken }) {
const patreon = purest({
provider: 'patreon',
config: {
patreon: {
default: {
origin: 'https://www.patreon.com',
path: 'api/oauth2/{path}',
headers: {
authorization: 'Bearer {auth}',
},
},
},
},
});
return patreon
.get('v2/identity')
.auth(accessToken)
.qs(new URLSearchParams({ 'fields[user]': 'full_name,email' }).toString())
.request()
.then(({ body }) => {
const patreonData = body.data.attributes;
return {
username: patreonData.full_name,
email: patreonData.email,
};
});
},
async keycloak({ accessToken, providers }) {
const keycloak = purest({ provider: 'keycloak' });
return keycloak
.subdomain(providers.keycloak.subdomain)
.get('protocol/openid-connect/userinfo')
.auth(accessToken)
.request()
.then(({ body }) => {
return {
username: body.preferred_username,
email: body.email, email: body.email,
}; }));
},
},
instagram: {
enabled: false,
icon: 'instagram',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/instagram/callback`,
scope: ['user_profile'],
},
async authCallback({ accessToken }) {
const instagram = purest({ provider: 'instagram' });
return instagram
.get('me')
.auth(accessToken)
.qs({ fields: 'id,username' })
.request()
.then(({ body }) => ({
username: body.username,
email: `${body.username}@strapi.io`, // dummy email as Instagram does not provide user email
}));
},
},
vk: {
enabled: false,
icon: 'vk',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/vk/callback`,
scope: ['email'],
},
async authCallback({ accessToken, query }) {
const vk = purest({ provider: 'vk' });
return vk
.get('users')
.auth(accessToken)
.qs({ id: query.raw.user_id, v: '5.122' })
.request()
.then(({ body }) => ({
username: `${body.response[0].last_name} ${body.response[0].first_name}`,
email: query.raw.email,
}));
},
},
twitch: {
enabled: false,
icon: 'twitch',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/twitch/callback`,
scope: ['user:read:email'],
},
async authCallback({ accessToken, providers }) {
const twitch = purest({
provider: 'twitch',
config: {
twitch: {
default: {
origin: 'https://api.twitch.tv',
path: 'helix/{path}',
headers: {
Authorization: 'Bearer {auth}',
'Client-Id': '{auth}',
},
},
},
},
}); });
return twitch
.get('users')
.auth(accessToken, providers.twitch.key)
.request()
.then(({ body }) => ({
username: body.data[0].login,
email: body.data[0].email,
}));
},
},
linkedin: {
enabled: false,
icon: 'linkedin',
grantConfig: {
key: '',
secret: '',
callbackUrl: `${baseURL}/linkedin/callback`,
scope: ['r_liteprofile', 'r_emailaddress'],
},
async authCallback({ accessToken }) {
const linkedIn = purest({ provider: 'linkedin' });
const {
body: { localizedFirstName },
} = await linkedIn.get('me').auth(accessToken).request();
const {
body: { elements },
} = await linkedIn
.get('emailAddress?q=members&projection=(elements*(handle~))')
.auth(accessToken)
.request();
const email = elements[0]['handle~'];
return {
username: localizedFirstName,
email: email.emailAddress,
};
},
},
cognito: {
enabled: false,
icon: 'aws',
grantConfig: {
key: '',
secret: '',
subdomain: 'my.subdomain.com',
callback: `${baseURL}/cognito/callback`,
scope: ['email', 'openid', 'profile'],
},
async authCallback({ query, providers }) {
const jwksUrl = new URL(providers.cognito.jwksurl);
const idToken = query.id_token;
const tokenPayload = await getCognitoPayload({ idToken, jwksUrl, purest });
return {
username: tokenPayload['cognito:username'],
email: tokenPayload.email,
};
},
},
reddit: {
enabled: false,
icon: 'reddit',
grantConfig: {
key: '',
secret: '',
callback: `${baseURL}/reddit/callback`,
scope: ['identity'],
},
async authCallback({ accessToken }) {
const reddit = purest({
provider: 'reddit',
config: {
reddit: {
default: {
origin: 'https://oauth.reddit.com',
path: 'api/{version}/{path}',
version: 'v1',
headers: {
Authorization: 'Bearer {auth}',
'user-agent': 'strapi',
},
},
},
},
});
return reddit
.get('me')
.auth(accessToken)
.request()
.then(({ body }) => ({
username: body.name,
email: `${body.name}@strapi.io`, // dummy email as Reddit does not provide user email
}));
},
},
auth0: {
enabled: false,
icon: '',
grantConfig: {
key: '',
secret: '',
subdomain: 'my-tenant.eu',
callback: `${baseURL}/auth0/callback`,
scope: ['openid', 'email', 'profile'],
},
async authCallback({ accessToken, providers }) {
const auth0 = purest({ provider: 'auth0' });
return auth0
.get('userinfo')
.subdomain(providers.auth0.subdomain)
.auth(accessToken)
.request()
.then(({ body }) => {
const username = body.username || body.nickname || body.name || body.email.split('@')[0];
const email = body.email || `${username.replace(/\s+/g, '.')}@strapi.io`;
return {
username,
email,
};
});
},
},
cas: {
enabled: false,
icon: 'book',
grantConfig: {
key: '',
secret: '',
callback: `${baseURL}/cas/callback`,
scope: ['openid email'], // scopes should be space delimited
subdomain: 'my.subdomain.com/cas',
},
async authCallback({ accessToken, providers }) {
const cas = purest({ provider: 'cas' });
return cas
.get('oidc/profile')
.subdomain(providers.cas.subdomain)
.auth(accessToken)
.request()
.then(({ body }) => {
// CAS attribute may be in body.attributes or "FLAT", depending on CAS config
const username = body.attributes
? body.attributes.strapiusername || body.id || body.sub
: body.strapiusername || body.id || body.sub;
const email = body.attributes
? body.attributes.strapiemail || body.attributes.email
: body.strapiemail || body.email;
if (!username || !email) {
strapi.log.warn(
`CAS Response Body did not contain required attributes: ${JSON.stringify(body)}`
);
}
return {
username,
email,
};
});
},
},
patreon: {
enabled: false,
icon: '',
grantConfig: {
key: '',
secret: '',
callback: `${baseURL}/patreon/callback`,
scope: ['identity', 'identity[email]'],
},
async authCallback({ accessToken }) {
const patreon = purest({
provider: 'patreon',
config: {
patreon: {
default: {
origin: 'https://www.patreon.com',
path: 'api/oauth2/{path}',
headers: {
authorization: 'Bearer {auth}',
},
},
},
},
});
return patreon
.get('v2/identity')
.auth(accessToken)
.qs(new URLSearchParams({ 'fields[user]': 'full_name,email' }).toString())
.request()
.then(({ body }) => {
const patreonData = body.data.attributes;
return {
username: patreonData.full_name,
email: patreonData.email,
};
});
},
},
keycloack: {
enabled: false,
icon: '',
grantConfig: {
key: '',
secret: '',
subdomain: 'myKeycloakProvider.com/realms/myrealm',
callback: `${baseURL}/keycloak/callback`,
scope: ['openid', 'email', 'profile'],
},
async authCallback({ accessToken, providers }) {
const keycloak = purest({ provider: 'keycloak' });
return keycloak
.subdomain(providers.keycloak.subdomain)
.get('protocol/openid-connect/userinfo')
.auth(accessToken)
.request()
.then(({ body }) => {
return {
username: body.preferred_username,
email: body.email,
};
});
},
}, },
}); });
module.exports = () => { module.exports = () => {
const purest = require('purest'); const purest = require('purest');
const providersCallbacks = getInitialProviders({ purest }); const apiPrefix = strapi.config.get('api.rest.prefix');
const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
const authProviders = initProviders({ baseURL, purest });
/**
* @public
*/
return { return {
register(providerName, provider) { getAll() {
assert(typeof providerName === 'string', 'Provider name must be a string'); return authProviders;
assert(typeof provider === 'function', 'Provider callback must be a function'); },
get(name) {
providersCallbacks[providerName] = provider({ purest }); return authProviders[name];
},
add(name, config) {
authProviders[name] = config;
},
remove(name) {
delete authProviders[name];
}, },
/**
* @internal
*/
async run({ provider, accessToken, query, providers }) { async run({ provider, accessToken, query, providers }) {
if (!providersCallbacks[provider]) { const authProvider = authProviders[provider];
throw new Error('Unknown provider.');
}
const providerCb = providersCallbacks[provider]; assert(authProvider, 'Unknown auth provider');
return providerCb({ accessToken, query, providers }); return authProvider.authCallback({ accessToken, query, providers, purest });
}, },
}; };
}; };

3
packages/plugins/users-permissions/server/utils/index.d.ts vendored
View File

@ -3,6 +3,7 @@ import * as user from '../services/user';
import * as role from '../services/role'; import * as role from '../services/role';
import * as jwt from '../services/jwt'; import * as jwt from '../services/jwt';
import * as providers from '../services/providers'; import * as providers from '../services/providers';
import * as providersRegistry from '../services/providers-registry';
import * as permission from '../services/permission'; import * as permission from '../services/permission';
type S = { type S = {
@ -11,7 +12,7 @@ type S = {
user: typeof user; user: typeof user;
jwt: typeof jwt; jwt: typeof jwt;
providers: typeof providers; providers: typeof providers;
['providers-registry']: typeof providers; ['providers-registry']: typeof providersRegistry;
permission: typeof permission; permission: typeof permission;
}; };