[api] add Microsoft strategy to auth module (single sign-on) #3453
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Removed vultr server and associated DNS entries |
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
3 times, most recently
from
8ffa211
to
ac7a60e
Compare
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
from
ac7a60e
to
d9f76ad
Compare
freemvmt
changed the base branch from
main
to
implement-verbatim-module-syntax
|
Rebased this PR onto #3528 - full explanation given in that PR description. |
freemvmt
changed the base branch from
implement-verbatim-module-syntax
to
main
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
from
380c91c
to
64b37d2
Compare
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
from
d67e62f
to
92013f2
Compare
clean up code: add comments, remove logs, improve naming etc add exemplar Microsoft auth environment variables add Microsoft URLs to CORS allow list
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
from
630caed
to
9f08497
Compare
freemvmt
changed the title
freemvmt
force-pushed
the
api-add-microsoft-sso-strategy-2
branch
from
9f08497
to
a918020
Compare
| const customPassport = new passport.Passport(); | ||
|
|
||
| // instantiate Microsoft OIDC client, and use it to build the related strategy | ||
| const microsoftIssuer = await Issuer.discover(MICROSOFT_OPENID_CONFIG_URL); |
There was a problem hiding this comment.
Fetches config from Microsoft's .well-known address
| import * as Middleware from "./middleware.js"; | ||
| import * as Controller from "./controller.js"; | ||
|
|
||
| const router = Router(); | ||
| export default (passport: Authenticator): Router => { |
There was a problem hiding this comment.
We have to pass the passport instance through to the middleware for these routes, since they rely on it already being instantiated, which in turn is a blocking process, so instead export a factory function as default.
| return { | ||
| client_id, | ||
| client_secret: process.env.MICROSOFT_CLIENT_SECRET!, | ||
| redirect_uris: [`${process.env.API_URL_EXT}/auth/microsoft/callback`], |
There was a problem hiding this comment.
this has to match one of the redirect URI configured in the PlanX Azure application
i.e. https://api.editor.planx.dev/auth/microsoft/callback for staging
and https://api.editor.planx.uk/auth/microsoft/callback for prod
| cb(null, obj); | ||
| }); | ||
| // equip passport with auth strategies early on, so we can pass it to route handlers | ||
| const passport = await getPassport(); |
There was a problem hiding this comment.
the fabled top-level await!
freemvmt
changed the title
|
Merging to |
🎫 Ticket: https://trello.com/c/owvV9UZh
Summary
This PR adds the ability to sign into PlanX using a Microsoft account (personal or organisational), which most users (working in local government) are more likely to have to hand as compared to a Google account.
We make use of the existing passportjs implementation, adding a new
microsoft-oidcstrategy which leverages openid-client, which we consider reliable thanks to certification by OpenID themselves.Since this package has some asynchronous behaviour for which the best code pattern involved using top-level awaits, this project induced some bonuses in
api.planx.uk, namely adopting ESM throughout (#3464), which in turn required a migration to Vitest (#3555). We also took the opportunity to bump passportjs to latest (#3502).See also #3221, which I used as a development/demo pizza, and has a much more granular commit structure.
TODO
We will address anything not included here in further PRs.
Jest/ESM issue ✅
The stubborn issue here is that Jest (or
ts-jest, the transformer we're using to transpile.tsfiles into.jsfiles that Jest can read) will not treat files as ES modules (despite following docs to the letter), and hence throws errors like the following:I examine some of the background for this in #3528,
onto which this PR is chained.Below is a non-exhaustive list of possible approaches to this problem, which I've marked complete if they've been fully explored and not provided a solution:
ts-jestpreset instead of manual configalpha5includes a fix which purports to 'allow Node16/NodeNext/Bundler moduleResolution in project's tsconfig', which seems relevantjest.config.js__dirnamenow that API is usingesnext#3507 - doing so revealsReferenceError: await is not defined, which only adds to our case that modules are not being treated as ESMverbatimModuleSyntax(didn't resolve issue, but was edifying - see [api] implement verbatim module syntax in tsconfig #3528)ts-jestwith@swc/jestorbabel-jest(failing examples inapi-add-microsoft-sso-swcandapi-add-microsoft-sso-babelrespectively) - could include using multiple transformers, e.g. babel for.js, ts-jest for.ts.mjs/.mtsfile endings (not a desirable outcome)Worth noting that even Jest advises that ESM support is experimental, and indeed their issue tracking this is very much still open. This could suggest we should lean to some of the latter, more climb down-y options.
🏁 In the end we abandoned Jest in favour of Vitest, which is much more ESM-friendly! See #3555 :)