Merge pull request #751 from solid/feature/client-login

Always log in through the client

Author: RubenVerborgh

common/js/solid-auth-client.bundle.js

@@ -0,0 +1 @@
+../../node_modules/solid-auth-client/dist-lib/solid-auth-client.bundle.js

common/js/solid-auth-client.bundle.js

@@ -0,0 +1,43 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Log in</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+  <script src="/common/js/solid-auth-client.bundle.js"></script>
+</head>
+<body>
+<div class="container">
+  <div class="jumbotron">
+    <h2>Log in to access this resource</h2>
+    <p>
+      The resource you are trying to access
+      (<code>{{currentUrl}}</code>)
+      requires you to log in.
+    </p>
+    <button class="btn btn-primary" onclick="login()">Log in</button>
+    <button class="btn btn-primary" onclick="register()">Register</button>
+  </div>
+</div>
+<script>
+  async function login() {
+    // Log in through the popup
+    const popupUri = '/common/popup.html'
+    const session = await SolidAuthClient.popupLogin({ popupUri })
+    if (session) {
+      // Make authenticated request to the server to establish a session cookie
+      await SolidAuthClient.fetch(location)
+      // Now that we have a cookie, reload to display the authenticated page
+      location.reload()
+    }
+  }
+
+  function register() {
+    const registration = new URL('/register', location);
+    registration.searchParams.set('returnToUrl', location);
+    location.href = registration;
+  }
+</script>
+</body>
+</html>

common/js/solid-auth-client.bundle.js.map

@@ -0,0 +1,20 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>No permission</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <div class="jumbotron">
+    <h2>No permission to access this resource</h2>
+    <p>
+      You are currently logged in as <code>{{webId}}</code>,
+      but do not have permission to access <code>{{currentUrl}}</code>.
+    </p>
+  </div>
+</div>
+</body>
+</html>

common/js/solid-auth-client.bundle.js.map

@@ -13,8 +13,7 @@ const PasswordChangeRequest = require('../../requests/password-change-request')
 
 const {
   AuthCallbackRequest,
-  LogoutRequest,
-  SelectProviderRequest
+  LogoutRequest
 } = require('oidc-auth-manager').handlers
 
 /**
@@ -67,9 +66,6 @@ function middleware (oidc) {
   const router = express.Router('/')
 
   // User-facing Authentication API
-  router.get('/api/auth/select-provider', SelectProviderRequest.get)
-  router.post('/api/auth/select-provider', bodyParser, SelectProviderRequest.post)
-
   router.get(['/login', '/signin'], LoginRequest.get)
 
   router.post('/login/password', bodyParser, LoginRequest.loginPassword)
@@ -90,6 +86,14 @@ function middleware (oidc) {
   // The relying party callback is called at the end of the OIDC signin process
   router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)
 
+  // Static assets related to authentication
+  const authAssets = [
+    ['/common/', 'solid-auth-client/dist-popup/popup.html'],
+    ['/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js'],
+    ['/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js.map']
+  ]
+  authAssets.map(([path, file]) => routeResolvedFile(router, path, file))
+
   // Initialize the OIDC Identity Provider routes/api
   // router.get('/.well-known/openid-configuration', discover.bind(provider))
   // router.get('/jwks', jwks.bind(provider))
@@ -174,6 +178,15 @@ function isEmptyToken (req) {
   return false
 }
 
+/**
+ * Adds a route that serves a static file from another Node module
+ */
+function routeResolvedFile (router, path, file) {
+  const fullPath = path + file.match(/[^/]+$/)
+  const fullFile = require.resolve(file)
+  router.get(fullPath, (req, res) => res.sendFile(fullFile))
+}
+
 module.exports = {
   initialize,
   isEmptyToken,

common/popup.html

@@ -3,9 +3,6 @@ const fs = require('fs')
 const util = require('../utils')
 const Auth = require('../api/authn')
 
-// Authentication methods that require a Provider Select page
-const SELECT_PROVIDER_AUTH_METHODS = ['oidc']
-
 /**
  * Serves as a last-stop error handler for all other middleware.
  *
@@ -28,23 +25,21 @@ function handler (err, req, res, next) {
     return ldp.errorHandler(err, req, res, next)
   }
 
-  let statusCode = statusCodeFor(err, req, authMethod)
-
-  if (statusCode === 401) {
-    debug(err, 'error:', err.error, 'desc:', err.error_description)
-    setAuthenticateHeader(req, res, err)
-  }
-
-  if (requiresSelectProvider(authMethod, statusCode, req)) {
-    return redirectToSelectProvider(req, res)
-  }
-
-  // If noErrorPages is set,
-  // then return the response directly
-  if (ldp.noErrorPages) {
-    sendErrorResponse(statusCode, res, err)
-  } else {
-    sendErrorPage(statusCode, res, err, ldp)
+  const statusCode = statusCodeFor(err, req, authMethod)
+  switch (statusCode) {
+    case 401:
+      setAuthenticateHeader(req, res, err)
+      renderLoginRequired(req, res)
+      break
+    case 403:
+      renderNoPermission(req, res)
+      break
+    default:
+      if (ldp.noErrorPages) {
+        sendErrorResponse(statusCode, res, err)
+      } else {
+        sendErrorPage(statusCode, res, err, ldp)
+      }
   }
 }
 
@@ -67,26 +62,6 @@ function statusCodeFor (err, req, authMethod) {
   return statusCode
 }
 
-/**
- * Tests whether a given authentication method requires a Select Provider
- * page redirect for 401 error responses.
- *
- * @param authMethod {string}
- * @param statusCode {number}
- * @param req {IncomingRequest}
- *
- * @returns {boolean}
- */
-function requiresSelectProvider (authMethod, statusCode, req) {
-  if (statusCode !== 401) { return false }
-
-  if (!SELECT_PROVIDER_AUTH_METHODS.includes(authMethod)) { return false }
-
-  if (!req.accepts('text/html')) { return false }
-
-  return true
-}
-
 /**
  * Dispatches the writing of the `WWW-Authenticate` response header (used for
  * 401 Unauthorized responses).
@@ -150,26 +125,30 @@ function sendErrorPage (statusCode, res, err, ldp) {
 }
 
 /**
- * Sends a 401 response with an HTML http-equiv type redirect body, to
- * redirect any users requesting a resource directly in the browser to the
- * Select Provider page and login workflow.
- * Implemented as a 401 + redirect body instead of a 302 to provide a useful
- * 401 response to REST/XHR clients.
+ * Renders a 401 response explaining that a login is required.
  *
  * @param req {IncomingRequest}
  * @param res {ServerResponse}
  */
-function redirectToSelectProvider (req, res) {
+function renderLoginRequired (req, res) {
+  const currentUrl = util.fullUrlForReq(req)
+  debug(`Display login-required for ${currentUrl}`)
   res.status(401)
-  res.header('Content-Type', 'text/html')
+  res.render('auth/login-required', { currentUrl })
+}
 
-  const locals = req.app.locals
+/**
+ * Renders a 403 response explaining that the user has no permission.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ */
+function renderNoPermission (req, res) {
   const currentUrl = util.fullUrlForReq(req)
-  const loginUrl = `${locals.host.serverUri}/api/auth/select-provider?returnToUrl=${encodeURIComponent(currentUrl)}`
-  debug('Redirecting to Select Provider: ' + loginUrl)
-
-  const body = redirectBody(loginUrl)
-  res.send(body)
+  const webId = req.session.userId
+  debug(`Display no-permission for ${currentUrl}`)
+  res.status(403)
+  res.render('auth/no-permission', { currentUrl, webId })
 }
 
 /**
@@ -199,8 +178,6 @@ follow the <a href='${url}'>link to login</a>
 module.exports = {
   handler,
   redirectBody,
-  redirectToSelectProvider,
-  requiresSelectProvider,
   sendErrorPage,
   sendErrorResponse,
   setAuthenticateHeader