Consent screen structure - everything except rdf

jaxoncreed · jaxoncreed · commit ba11592e8c37 · 2019-05-10T14:22:29.000-04:00
diff --git a/default-views/auth/consent.hbs b/default-views/auth/consent.hbs
@@ -14,18 +14,32 @@
     <h1>Authorize this app to use your data?</h1>
     <p>You will be authorizing <strong>{{app_origin}}</strong> to have access perform the actions indicated below.</p>
     <p>NOTE: This screen is TEMPORARY. Eventually more fine-tuned controls will be available.</p>
+    <p>For more information see the <a href="https://github.com/solid/node-solid-server/blob/master/docs/login-and-grant-access-to-application.md" target="_blank">full explanation</a>.</p>
   </div>
 
   <form method="post" action="/consent">
 
-    <input type="checkbox" name="read" value="access_mode" checked> Read your data<br>
-    <input type="checkbox" name="write" value="access_mode" checked> Write new data<br>
-    <input type="checkbox" name="append" value="access_mode" checked> Add to existing data<br>
-    <input type="checkbox" name="control" value="access_mode"> Control who can access your data<br>
+    <input id="read" type="checkbox" name="access_mode" value="read" checked>
+    <label for="read">Read your data</label>
+    <br>
+
+    <input id="write" type="checkbox" name="access_mode" value="write" checked>
+    <label for="write">Write new data</label>
+    <br>
+
+    <input id="append" type="checkbox" name="access_mode" value="append" checked>
+    <label for="append">Add to existing data</label>
+    <br>
+
+    <input id="control" type="checkbox" name="access_mode" value="control">
+    <label for="control">Control who can access your data</label>
+    <br>
+    <br>
 
     <button type="submit" class="btn btn-primary" name="consent" value="true">Authorize</button>
     <button type="submit" class="btn btn-default" name="cancel" value="true">Cancel</button>
     {{> auth/auth-hidden-fields}}
+    <input type="hidden" name="web_id" id="web_id" value="{{web_id}}" />
   </form>
 </div>
 </body>
diff --git a/lib/api/authn/webid-oidc.js b/lib/api/authn/webid-oidc.js
@@ -85,7 +85,7 @@ function middleware (oidc) {
   router.post('/login/tls', bodyParser, LoginRequest.loginTls)
 
   router.get('/consent', ConsentRequest.get)
-  router.post('/consent', ConsentRequest.giveConsent)
+  router.post('/consent', bodyParser, ConsentRequest.giveConsent)
 
   router.get('/account/password/reset', restrictToTopDomain, PasswordResetEmailRequest.get)
   router.post('/account/password/reset', restrictToTopDomain, bodyParser, PasswordResetEmailRequest.post)
diff --git a/lib/requests/auth-request.js b/lib/requests/auth-request.js
@@ -2,6 +2,7 @@
 
 const url = require('url')
 const debug = require('./../debug').authentication
+const IDToken = require('@solid/oidc-op/src/IDToken')
 
 /**
  * Hidden form fields from the login page that must be passed through to the
@@ -10,7 +11,7 @@ const debug = require('./../debug').authentication
  * @type {Array<string>}
  */
 const AUTH_QUERY_PARAMS = ['response_type', 'display', 'scope',
-  'client_id', 'redirect_uri', 'state', 'nonce', 'request']
+  'client_id', 'redirect_uri', 'state', 'nonce', 'request', 'web_id']
 
 /**
  * Base authentication request (used for login and password reset workflows).
@@ -134,6 +135,11 @@ class AuthRequest {
       extracted[p] = value
     }
 
+    // Special case because solid-auth-client does not include redirect in params
+    if (!extracted['redirect_uri'] && params.request) {
+      extracted['redirect_uri'] = IDToken.decode(params.request).payload.redirect_uri
+    }
+
     return extracted
   }
 
@@ -211,11 +217,14 @@ class AuthRequest {
     return url.format(signupUrl)
   }
 
-  consentUrl () {
+  consentUrl (validUser) {
     let host = this.accountManager.host
     let consentUrl = url.parse(url.resolve(host.serverUri, '/consent'))
 
-    consentUrl.query = this.authQueryParams
+    consentUrl.query = {
+      ...this.authQueryParams,
+      web_id: validUser.webId
+    }
 
     return url.format(consentUrl)
   }
diff --git a/lib/requests/consent-request.js b/lib/requests/consent-request.js
@@ -4,6 +4,8 @@ const debug = require('./../debug').authentication
 
 const AuthRequest = require('./auth-request')
 
+const url = require('url')
+
 /**
  * Models a local Login request
  */
@@ -57,10 +59,18 @@ class ConsentRequest extends AuthRequest {
    * @param req {IncomingRequest}
    * @param res {ServerResponse}
    */
-  static get (req, res) {
+  static async get (req, res) {
     const request = ConsentRequest.fromParams(req, res)
-
-    request.renderForm(null, req)
+    const appOrigin = request.getAppOrigin()
+    // Check if is already registered or is data browser
+    if (
+      appOrigin === req.app.locals.ldp.serverUri ||
+      await request.isAppRegistered(appOrigin, request.authQueryParams.web_id)
+    ) {
+      request.redirectPostConsent()
+    } else {
+      request.renderForm(null, req)
+    }
   }
 
   /**
@@ -72,19 +82,43 @@ class ConsentRequest extends AuthRequest {
    *
    * @return {Promise}
    */
-  static giveConsent (req, res) {
+  static async giveConsent (req, res) {
+    let accessModes = []
+    let consented = false
+    if (req.body) {
+      accessModes = req.body.access_mode
+      consented = req.body.consent
+    }
+
     let request = ConsentRequest.fromParams(req, res)
-    console.log(request.authQueryParams)
-    // debug('Providing consent for app sharing')
-    // return request.authenticator.findValidUser()
+    const appOrigin = request.getAppOrigin()
+    debug('Providing consent for app sharing')
 
-    //   .then(validUser => {
-    //     request.initUserSession(validUser)
+    if (consented) {
+      await request.registerApp(appOrigin, accessModes, request.authQueryParams.web_id)
+    }
 
-    //     request.redirectPostLogin(validUser)
-    //   })
+    // Redirect once that's all done
+    return request.authenticator.findValidUser()
+      .then(validUser => {
+        request.initUserSession(validUser)
+        request.redirectPostConsent(validUser)
+      })
+
+      .catch(error => request.error(error))
+  }
+
+  getAppOrigin () {
+    const parsed = url.parse(this.authQueryParams.redirect_uri)
+    return `${parsed.protocol}//${parsed.host}`
+  }
+
+  async isAppRegistered (appOrigin, webId) {
+    return false
+  }
 
-    //   .catch(error => request.error(error))
+  async registerApp (appOrigin, accessModes, webId) {
+    return
   }
 
   /**
@@ -96,15 +130,15 @@ class ConsentRequest extends AuthRequest {
    *
    * @return {string}
    */
-  postConsentUrl (validUser) {
+  postConsentUrl () {
     return this.authorizeUrl()
   }
 
   /**
    * Redirects the Login request to continue on the OIDC auth workflow.
    */
-  redirectPostLogin (validUser) {
-    let uri = this.postLoginUrl(validUser)
+  redirectPostConsent () {
+    let uri = this.postConsentUrl()
     debug('Login successful, redirecting to ', uri)
     this.response.redirect(uri)
   }
diff --git a/lib/requests/login-request.js b/lib/requests/login-request.js
@@ -159,7 +159,7 @@ class LoginRequest extends AuthRequest {
   postLoginUrl (validUser) {
     // Login request is part of an app's auth flow
     if (/token|code/.test(this.authQueryParams['response_type'])) {
-      return this.consentUrl()
+      return this.consentUrl(validUser)
     // Login request is a user going to /login in browser
     } else if (validUser) {
       return this.authQueryParams['redirect_uri'] || validUser.accountUri
@@ -193,7 +193,6 @@ class LoginRequest extends AuthRequest {
       params.error = error.message
       this.response.status(error.statusCode)
     }
-
     this.response.render('auth/login', params)
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ class LoginRequest extends AuthRequest {`
`159`	`159`	`postLoginUrl (validUser) {`
`160`	`160`	`// Login request is part of an app's auth flow`
`161`	`161`	`if (/token\|code/.test(this.authQueryParams['response_type'])) {`
`162`		`- return this.consentUrl()`
	`162`	`+ return this.consentUrl(validUser)`
`163`	`163`	`// Login request is a user going to /login in browser`
`164`	`164`	`} else if (validUser) {`
`165`	`165`	`return this.authQueryParams['redirect_uri'] \|\| validUser.accountUri`
`@@ -193,7 +193,6 @@ class LoginRequest extends AuthRequest {`
`193`	`193`	`params.error = error.message`
`194`	`194`	`this.response.status(error.statusCode)`
`195`	`195`	`}`
`196`		`-`
`197`	`196`	`this.response.render('auth/login', params)`
`198`	`197`	`}`
`199`	`198`	`}`