Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Create SetupHttpHandler

Browse Source 
This handler allows users to set up servers with a pod
and without having to enable public access first
This commit is contained in:
Joachim Van Herwegen
2021-09-15 16:52:16 +02:00
parent 02df2905de
commit 4e1a2f5981
11 changed files with 1094 additions and 489 deletions
Download Patch File Download Diff File Expand all files Collapse all files

219
src/identity/interaction/email-password/handler/RegistrationHandler.ts
View File

@@ -1,230 +1,27 @@
import assert from 'assert';
import type { Operation } from '../../../../ldp/operations/Operation';
import type { ResourceIdentifier } from '../../../../ldp/representation/ResourceIdentifier';
import { getLoggerFor } from '../../../../logging/LogUtil';
import type { IdentifierGenerator } from '../../../../pods/generate/IdentifierGenerator';
import type { PodManager } from '../../../../pods/PodManager';
import type { PodSettings } from '../../../../pods/settings/PodSettings';
import { joinUrl } from '../../../../util/PathUtil';
import { readJsonStream } from '../../../../util/StreamUtil';
import type { OwnershipValidator } from '../../../ownership/OwnershipValidator';
import { assertPassword } from '../EmailPasswordUtil';
import type { AccountStore } from '../storage/AccountStore';
import type { RegistrationManager, RegistrationResponse } from '../util/RegistrationManager';
import type { InteractionResponseResult, InteractionHandlerInput } from './InteractionHandler';
import { InteractionHandler } from './InteractionHandler';
const emailRegex = /^[a-zA-Z0-9.!#$%&*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/u;
export interface RegistrationHandlerArgs {
/**
* Used to set the `oidcIssuer` value of newly registered pods.
*/
baseUrl: string;
/**
* Appended to the generated pod identifier to create the corresponding WebID.
*/
webIdSuffix: string;
/**
* Generates identifiers for new pods.
*/
identifierGenerator: IdentifierGenerator;
/**
* Verifies the user is the owner of the WebID they provide.
*/
ownershipValidator: OwnershipValidator;
/**
* Stores all the registered account information.
*/
accountStore: AccountStore;
/**
* Creates the new pods.
*/
podManager: PodManager;
}
/**
* All the parameters that will be parsed from a request.
*/
interface ParsedInput {
email: string;
webId?: string;
password?: string;
podName?: string;
template?: string;
createWebId: boolean;
register: boolean;
createPod: boolean;
}
/**
* The results that will be applied to the response template.
*/
interface RegistrationResponse {
email: string;
webId?: string;
oidcIssuer?: string;
podBaseUrl?: string;
createWebId: boolean;
register: boolean;
createPod: boolean;
}
/**
* This class handles the 3 potential steps of the registration process:
* 1. Generating a new WebID.
* 2. Registering a WebID with the IDP.
* 3. Creating a new pod for a given WebID.
*
* All of these steps are optional and will be determined based on the input parameters of a request,
* with the following considerations:
* * At least one option needs to be chosen.
* * In case a new WebID needs to be created, the other 2 steps are obligatory.
* * Ownership will be verified when the WebID is provided.
* * When registering and creating a pod, the base URL will be used as oidcIssuer value.
* Supports registration based on the `RegistrationManager` behaviour.
*/
export class RegistrationHandler extends InteractionHandler {
protected readonly logger = getLoggerFor(this);
private readonly baseUrl: string;
private readonly webIdSuffix: string;
private readonly identifierGenerator: IdentifierGenerator;
private readonly ownershipValidator: OwnershipValidator;
private readonly accountStore: AccountStore;
private readonly podManager: PodManager;
private readonly registrationManager: RegistrationManager;
public constructor(args: RegistrationHandlerArgs) {
public constructor(registrationManager: RegistrationManager) {
super();
this.baseUrl = args.baseUrl;
this.webIdSuffix = args.webIdSuffix;
this.identifierGenerator = args.identifierGenerator;
this.ownershipValidator = args.ownershipValidator;
this.accountStore = args.accountStore;
this.podManager = args.podManager;
this.registrationManager = registrationManager;
}
public async handle({ operation }: InteractionHandlerInput):
Promise<InteractionResponseResult<RegistrationResponse>> {
const result = await this.parseInput(operation);
const details = await this.register(result);
const data = await readJsonStream(operation.body!.data);
const validated = this.registrationManager.validateInput(data, false);
const details = await this.registrationManager.register(validated, false);
return { type: 'response', details };
}
/**
* Does the full registration and pod creation process,
* with the steps chosen by the values in the `ParseResult`.
*/
private async register(result: ParsedInput): Promise<RegistrationResponse> {
// This is only used when createWebId and/or createPod are true
let podBaseUrl: ResourceIdentifier | undefined;
if (result.createWebId || result.createPod) {
podBaseUrl = this.identifierGenerator.generate(result.podName!);
}
// Create or verify the WebID
if (result.createWebId) {
result.webId = joinUrl(podBaseUrl!.path, this.webIdSuffix);
} else {
await this.ownershipValidator.handleSafe({ webId: result.webId! });
}
// Register the account
if (result.register) {
await this.accountStore.create(result.email, result.webId!, result.password!);
}
// Create the pod
if (result.createPod) {
const podSettings: PodSettings = {
email: result.email,
webId: result.webId!,
template: result.template,
podBaseUrl: podBaseUrl!.path,
};
// Set the OIDC issuer to our server when registering with the IDP
if (result.register) {
podSettings.oidcIssuer = this.baseUrl;
}
try {
await this.podManager.createPod(podBaseUrl!, podSettings);
} catch (error: unknown) {
// In case pod creation errors we don't want to keep the account
if (result.register) {
await this.accountStore.deleteAccount(result.email);
}
throw error;
}
}
// Verify the account
if (result.register) {
// This prevents there being a small timeframe where the account can be used before the pod creation is finished.
// That timeframe could potentially be used by malicious users.
await this.accountStore.verify(result.email);
}
return {
webId: result.webId,
email: result.email,
oidcIssuer: this.baseUrl,
podBaseUrl: podBaseUrl?.path,
createWebId: result.createWebId,
register: result.register,
createPod: result.createPod,
};
}
/**
* Parses the input request into a `ParseResult`.
*/
private async parseInput(operation: Operation): Promise<ParsedInput> {
const parsed = await readJsonStream(operation.body!.data);
const prefilled: Record<string, string> = {};
for (const [ key, value ] of Object.entries(parsed)) {
assert(!Array.isArray(value), `Unexpected multiple values for ${key}.`);
prefilled[key] = typeof value === 'string' ? value.trim() : value;
}
return this.validateInput(prefilled);
}
/**
* Converts the raw input date into a `ParseResult`.
* Verifies that all the data combinations make sense.
*/
private validateInput(parsed: NodeJS.Dict<string>): ParsedInput {
const { email, password, confirmPassword, webId, podName, register, createPod, createWebId, template } = parsed;
// Parse email
assert(typeof email === 'string' && emailRegex.test(email), 'Please enter a valid e-mail address.');
const validated: ParsedInput = {
email,
template,
register: Boolean(register) || Boolean(createWebId),
createPod: Boolean(createPod) || Boolean(createWebId),
createWebId: Boolean(createWebId),
};
assert(validated.register || validated.createPod, 'Please register for a WebID or create a Pod.');
// Parse WebID
if (!validated.createWebId) {
assert(typeof webId === 'string' && /^https?:\/\/[^/]+/u.test(webId), 'Please enter a valid WebID.');
validated.webId = webId;
}
// Parse Pod name
if (validated.createWebId || validated.createPod) {
assert(typeof podName === 'string' && podName.length > 0, 'Please specify a Pod name.');
validated.podName = podName;
}
// Parse account
if (validated.register) {
assertPassword(password, confirmPassword);
validated.password = password;
}
return validated;
}
}

245
src/identity/interaction/email-password/util/RegistrationManager.ts Normal file
View File

@@ -0,0 +1,245 @@
import assert from 'assert';
import type { ResourceIdentifier } from '../../../../ldp/representation/ResourceIdentifier';
import { getLoggerFor } from '../../../../logging/LogUtil';
import type { IdentifierGenerator } from '../../../../pods/generate/IdentifierGenerator';
import type { PodManager } from '../../../../pods/PodManager';
import type { PodSettings } from '../../../../pods/settings/PodSettings';
import { joinUrl } from '../../../../util/PathUtil';
import type { OwnershipValidator } from '../../../ownership/OwnershipValidator';
import { assertPassword } from '../EmailPasswordUtil';
import type { AccountStore } from '../storage/AccountStore';
export interface RegistrationManagerArgs {
/**
* Used to set the `oidcIssuer` value of newly registered pods.
*/
baseUrl: string;
/**
* Appended to the generated pod identifier to create the corresponding WebID.
*/
webIdSuffix: string;
/**
* Generates identifiers for new pods.
*/
identifierGenerator: IdentifierGenerator;
/**
* Verifies the user is the owner of the WebID they provide.
*/
ownershipValidator: OwnershipValidator;
/**
* Stores all the registered account information.
*/
accountStore: AccountStore;
/**
* Creates the new pods.
*/
podManager: PodManager;
}
/**
* The parameters expected for registration.
*/
export interface RegistrationParams {
email: string;
webId?: string;
password?: string;
podName?: string;
template?: string;
createWebId: boolean;
register: boolean;
createPod: boolean;
rootPod: boolean;
}
/**
* The result of a registration action.
*/
export interface RegistrationResponse {
email: string;
webId?: string;
oidcIssuer?: string;
podBaseUrl?: string;
createWebId: boolean;
register: boolean;
createPod: boolean;
}
const emailRegex = /^[a-zA-Z0-9.!#$%&*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/u;
/**
* Supports IDP registration and pod creation based on input parameters.
*
* The above behaviour is combined in the two class functions.
* `validateInput` will make sure all incoming data is correct and makes sense.
* `register` will call all the correct handlers based on the requirements of the validated parameters.
*/
export class RegistrationManager {
protected readonly logger = getLoggerFor(this);
private readonly baseUrl: string;
private readonly webIdSuffix: string;
private readonly identifierGenerator: IdentifierGenerator;
private readonly ownershipValidator: OwnershipValidator;
private readonly accountStore: AccountStore;
private readonly podManager: PodManager;
public constructor(args: RegistrationManagerArgs) {
this.baseUrl = args.baseUrl;
this.webIdSuffix = args.webIdSuffix;
this.identifierGenerator = args.identifierGenerator;
this.ownershipValidator = args.ownershipValidator;
this.accountStore = args.accountStore;
this.podManager = args.podManager;
}
/**
* Trims the input if it is a string, returns `undefined` otherwise.
*/
private trimString(input: unknown): string | undefined {
if (typeof input === 'string') {
return input.trim();
}
}
/**
* Makes sure the input conforms to the following requirements when relevant:
* * At least one option needs to be chosen.
* * In case a new WebID needs to be created, the other 2 steps will be set to true.
* * Valid email/WebID/password/podName when required.
* * Only create a root pod when allowed.
*
* @param input - Input parameters for the registration procedure.
* @param allowRoot - If creating a pod in the root container should be allowed.
*
* @returns A cleaned up version of the input parameters.
* Only (trimmed) parameters that are relevant to the registration procedure will be retained.
*/
public validateInput(input: NodeJS.Dict<unknown>, allowRoot = false): RegistrationParams {
const {
email, password, confirmPassword, webId, podName, register, createPod, createWebId, template, rootPod,
} = input;
// Parse email
const trimmedEmail = this.trimString(email);
assert(trimmedEmail && emailRegex.test(trimmedEmail), 'Please enter a valid e-mail address.');
const validated: RegistrationParams = {
email: trimmedEmail,
register: Boolean(register) || Boolean(createWebId),
createPod: Boolean(createPod) || Boolean(createWebId),
createWebId: Boolean(createWebId),
rootPod: Boolean(rootPod),
};
assert(validated.register || validated.createPod, 'Please register for a WebID or create a Pod.');
assert(allowRoot || !validated.rootPod, 'Creating a root pod is not supported.');
// Parse WebID
if (!validated.createWebId) {
const trimmedWebId = this.trimString(webId);
assert(trimmedWebId && /^https?:\/\/[^/]+/u.test(trimmedWebId), 'Please enter a valid WebID.');
validated.webId = trimmedWebId;
}
// Parse Pod name
if (validated.createPod && !validated.rootPod) {
const trimmedPodName = this.trimString(podName);
assert(trimmedPodName && trimmedPodName.length > 0, 'Please specify a Pod name.');
validated.podName = trimmedPodName;
}
// Parse account
if (validated.register) {
const trimmedPassword = this.trimString(password);
const trimmedConfirmPassword = this.trimString(confirmPassword);
assertPassword(trimmedPassword, trimmedConfirmPassword);
validated.password = trimmedPassword;
}
// Parse template if there is one
if (template) {
validated.template = this.trimString(template);
}
return validated;
}
/**
* Handles the 3 potential steps of the registration process:
* 1. Generating a new WebID.
* 2. Registering a WebID with the IDP.
* 3. Creating a new pod for a given WebID.
*
* All of these steps are optional and will be determined based on the input parameters.
*
* This includes the following steps:
* * Ownership will be verified when the WebID is provided.
* * When registering and creating a pod, the base URL will be used as oidcIssuer value.
*/
public async register(input: RegistrationParams, allowRoot = false): Promise<RegistrationResponse> {
// This is only used when createWebId and/or createPod are true
let podBaseUrl: ResourceIdentifier | undefined;
if (input.createPod) {
if (input.rootPod) {
podBaseUrl = { path: this.baseUrl };
} else {
podBaseUrl = this.identifierGenerator.generate(input.podName!);
}
}
// Create or verify the WebID
if (input.createWebId) {
input.webId = joinUrl(podBaseUrl!.path, this.webIdSuffix);
} else {
await this.ownershipValidator.handleSafe({ webId: input.webId! });
}
// Register the account
if (input.register) {
await this.accountStore.create(input.email, input.webId!, input.password!);
}
// Create the pod
if (input.createPod) {
const podSettings: PodSettings = {
email: input.email,
webId: input.webId!,
template: input.template,
podBaseUrl: podBaseUrl!.path,
};
// Set the OIDC issuer to our server when registering with the IDP
if (input.register) {
podSettings.oidcIssuer = this.baseUrl;
}
try {
// Only allow overwrite for root pods
await this.podManager.createPod(podBaseUrl!, podSettings, allowRoot);
} catch (error: unknown) {
// In case pod creation errors we don't want to keep the account
if (input.register) {
await this.accountStore.deleteAccount(input.email);
}
throw error;
}
}
// Verify the account
if (input.register) {
// This prevents there being a small timeframe where the account can be used before the pod creation is finished.
// That timeframe could potentially be used by malicious users.
await this.accountStore.verify(input.email);
}
return {
webId: input.webId,
email: input.email,
oidcIssuer: this.baseUrl,
podBaseUrl: podBaseUrl?.path,
createWebId: input.createWebId,
register: input.register,
createPod: input.createPod,
};
}
}