Merge pull request #318 from topcoder-platform/dice-integration

eisbilir · web-flow · commit 3a301eaa0701 · 2022-08-07T21:43:56.000+03:00
Dice integration
diff --git a/web-assets/auth0/dev-tenant/database/login.js b/web-assets/auth0/dev-tenant/database/login.js
@@ -54,7 +54,9 @@ function login(handleOrEmail, password, callback) {
         handle:user.result.content.handle,
         roles: user.result.content.roles,
         email_verified: user.result.content.emailActive,
-        created_at: user.result.content.createdAt
+        created_at: user.result.content.createdAt,
+        mfa_enabled: user.result.content.mfaEnabled,
+        mfa_verified: user.result.content.mfaVerified
       });
     });
   }
diff --git a/web-assets/auth0/dev-tenant/rules/DICE DID.js b/web-assets/auth0/dev-tenant/rules/DICE DID.js
@@ -0,0 +1,126 @@
+function (user, context, callback) {
+    if (context.clientID === configuration.CLIENT_ACCOUNTS_LOGIN) {
+        console.log("rule:DICE DID:enter");
+
+        if (context.redirect) {
+            console.log("rule:DICE DID:exiting due to context being a redirect");
+            return callback(null, user, context);
+        }
+        const _ = require('lodash');
+        const isAuth0 = (_.get(user, "identities[0].provider") === 'auth0') ? true : false;
+        const isSocial = _.get(user, "identities[0].isSocial");
+        const mfaEnabled = _.get(user, "mfa_enabled", false);
+        const mfaVerified = _.get(user, "mfa_verified", false);
+
+        if (!isAuth0 && !isSocial) {
+            console.log("rule:DICE DID:exiting due to enterprise user");
+            return callback(null, user, context);
+        }
+        if (mfaEnabled && mfaVerified) {
+            if (context.protocol === "redirect-callback") {
+                // User was redirected to the /continue endpoint
+                console.log("rule:DICE DID:User was redirected to the /continue endpoint");
+                if (context.request.query.diceVerificationStatus === 'false') {
+                    return callback('Login Error: Whoops! Something went wrong. Please connect to DICE Platform Admin <a href="mailto:info@diceid.com">dice.wallet@wipro.com</a>.<br> Back to application ', user, context);
+                } else if (context.request.query.otp) {
+                    request.post({
+                        url: 'https://api.' + configuration.DOMAIN + '/v3/users/checkOtp',
+                        json: {
+                            "param": {
+                                "userId": user.userId,
+                                "otp": context.request.query.otp
+                            }
+                        }
+                    }, function (error, response, body) {
+                        if (error) return callback(error, user, context);
+                        if (response.statusCode !== 200) {
+                            return callback('Login Error: Whoops! Something went wrong.', user, context);
+                        }
+                        if (body.result.content.verified === true) {
+                            return callback(null, user, context);
+                        } else {
+                            return callback('Login Error: wrong OTP', user, context);
+                        }
+                    });
+                } else {
+                    const jwt_decode = require('jwt-decode');
+                    request.post({
+                        url: 'https://tc-vcauth-uat.diceid.com/vc/connect/token',
+                        form: {
+                            code: context.request.query.code,
+                            grant_type: 'authorization_code',
+                            client_id: 'topcoder'
+                        }
+                    }, function (error, response, body) {
+                        if (error) return callback(error, user, context);
+                        if (response.statusCode !== 200) {
+                            return callback('Login Error: Whoops! Something went wrong.', user, context);
+                        }
+                        const result = JSON.parse(body);
+                        const decoded = jwt_decode(result.id_token);
+                        console.log("Decoded: ", decoded);
+                        if (decoded.Email !== user.email) {
+                            return callback('Login Error: Credetials do not match', user, context);
+                        }
+                        console.log("rule:DICE DID:credentials approved");
+                        return callback(null, user, context);
+                    });
+                }
+            } else {
+                const maxRetry = 2;
+                const useOtp = function () {
+                    request.post({
+                        url: 'https://api.' + configuration.DOMAIN + '/v3/users/sendOtp',
+                        json: {
+                            "param": {
+                                "userId": user.userId
+                            }
+                        }
+                    }, function (error, response, body) {
+                        if (error) return callback(error, user, context);
+                        if (response.statusCode !== 200) {
+                            return callback('Login Error: Whoops! Something went wrong.', user, context);
+                        }
+                        console.log("rule:DICE DID: redirecting to OTP page");
+                        context.redirect = {
+                            url: `https://accounts-auth0.${configuration.DOMAIN}/check_email.html`
+                        };
+                        return callback(null, user, context);
+                    });
+                };
+                const checkDiceHealth = function (attempt) {
+                    console.log("rule:DICE DID:checking dice health, attempt:" + attempt);
+                    request.get({
+                        url: 'https://tc-vcauth-uat.diceid.com/.well-known/openid-configuration'
+                    }, function (error, response, body) {
+                        if (error || response.statusCode !== 200) {
+                            if (attempt >= maxRetry) {
+                                console.log("rule:DICE DID:dice services down, using otp flow...");
+                                useOtp();
+                            } else {
+                                checkDiceHealth(attempt + 1);
+                            }
+                        } else {
+                            console.log("rule:DICE DID:exiting with redirecting user to QR code page.");
+                            context.redirect = {
+                                url: `https://tc-vcauth-uat.diceid.com/vc/connect/authorize?pres_req_conf_id=Topcoder_2FA&client_id=topcoder&redirect_uri=https%3A%2F%2Fauth.topcoder-dev.com%2Fcontinue&response_type=code&scope=openid%20profile%20vc_authn`
+                            };
+                            return callback(null, user, context);
+                        }
+                    });
+                };
+                if (!global.ENABLE_2FA) {
+                    console.log("rule:DICE DID:dice switch disabled, using otp flow...");
+                    useOtp();
+                } else {
+                    checkDiceHealth(1);
+                }
+            }
+        } else {
+            console.log("rule:DICE DID:exiting due to mfa is not enabled");
+            return callback(null, user, context);
+        }
+    } else {
+        return callback(null, user, context);
+    }
+}
diff --git a/web-assets/auth0/dev-tenant/rules/Disable DID.js b/web-assets/auth0/dev-tenant/rules/Disable DID.js
@@ -0,0 +1,4 @@
+function (user, context, callback) {
+    global.ENABLE_2FA = false;
+    return callback(null, user, context);
+}
diff --git a/web-assets/auth0/dev-tenant/rules/custom.js b/web-assets/auth0/dev-tenant/rules/custom.js
@@ -19,6 +19,7 @@ function (user, context, callback) {
         handle = _.get(user, "nickname", null);
       }
       console.log("Fetch roles for email/handle: ", user.email, handle, provider);
+
       global.AUTH0_CLAIM_NAMESPACE = "https://" + configuration.DOMAIN + "/";
       try {
           request.post({
@@ -33,10 +34,12 @@ function (user, context, callback) {
               if (response.statusCode !== 200) {
                 return callback('Login Error: Whoops! Something went wrong. Looks like your registered email has discrepancy with Authentication. Please connect to our support <a href="mailto:support@topcoder.com">support@topcoder.com</a>. Back to application ', user, context);
               }
-          
               let res = JSON.parse(body);
+              user.mfa_enabled = res.result.content.mfaEnabled;
+              user.mfa_verified = res.result.content.mfaVerified;
               // TODO need to double sure about multiple result or no result 
               let userId = res.result.content.id;
+              user.userId = userId;
               let handle = res.result.content.handle;
               let roles = res.result.content.roles.map(function (role) {
                   return role.roleName;
@@ -45,12 +48,12 @@ function (user, context, callback) {
 
               // TEMP
               let tcsso = res.result.content.regSource || '';
-
+            
               // block wipro/topgear contractor user
-              const topgearBlockMessage = 'Topgear can be accessed only by Wipro Employees. If you are a Wipro employee and not able to access, drop an email to <a href="mailto:ask.topgear@wipro.com"> ask.topgear@wipro.com </a> with the error message.Back to application ';
-              if (roles.indexOf(configuration.TOPGEAR_CONTRACTOR_ROLE) > -1) {
-                return callback(topgearBlockMessage, user, context);
-              }
+            const topgearBlockMessage = 'Topgear can be accessed only by Wipro Employees. If you are a Wipro employee and not able to access, drop an email to <a href=\"mailto:ask.topgear@wipro.com\"> ask.topgear@wipro.com </a> with the error message.Back to application ';
+            if (roles.indexOf(configuration.TOPGEAR_CONTRACTOR_ROLE) > -1) {
+              return callback(topgearBlockMessage, user, context);
+            }
 
               context.idToken[global.AUTH0_CLAIM_NAMESPACE + 'roles'] = roles;
               context.idToken[global.AUTH0_CLAIM_NAMESPACE + 'userId'] = userId;
diff --git a/web-assets/auth0/dev-tenant/rules/global variables and funtions.js b/web-assets/auth0/dev-tenant/rules/global variables and funtions.js
@@ -0,0 +1,17 @@
+function (user, context, callback) {
+    // TODO: implement your rule
+    //user.sachin.userId = 1234;
+    if (!global.init) {
+        global.AUTH0_CLAIM_NAMESPACE = "https://topcoder-dev-test.com/claims/";
+        //global.AUTH0_CLAIM_NAMESPACE = "identityData";
+
+        // Protocols that get custom claims
+        global.CUSTOM_CLAIMS_PROTOCOLS = ['oauth2-refresh-token', 'oauth2-device-code', 'oidc-basic-profile', 'oauth2'];
+
+        // 2FA switch
+        global.ENABLE_2FA = true;
+
+        global.init = true;
+    }
+    callback(null, user, context);
+}
diff --git a/web-assets/auth0/dev-tenant/rules/user-privacy-policy.js b/web-assets/auth0/dev-tenant/rules/user-privacy-policy.js
@@ -1,7 +1,7 @@
 function (user, context, callback) {
     if (context.clientID === configuration.CLIENT_ACCOUNTS_LOGIN) { // client/application specific
         console.log("rule:user-privacy-policy:enter");
-
+        // configuration.M2M_CLIENT_I vgXLK3lICyra8wQonokc7NCJr4UrHmk4 
         const _ = require('lodash');
 
         const loginCount = _.get(context, "stats.loginsCount");
@@ -29,7 +29,7 @@ function (user, context, callback) {
             return callback(null, user, context);
         }
 
-        if (loginCount < 3) {
+        if (loginCount < 10) {
             const getToken = function (tokenCB) {
                 if (global.M2MToken) {
                     console.log('rule:user-privacy-policy:a M2M token is present');
@@ -43,7 +43,7 @@ function (user, context, callback) {
                         tokenCB(null, global.M2MToken);
                         return;
                     }
-                } 
+                }
                 console.log('rule:user-privacy-policy:fetching fresh m2m token');
                 request.post({
                     url: `https://auth0proxy.${configuration.DOMAIN}/token`,
@@ -100,8 +100,10 @@ function (user, context, callback) {
                     callTermApi(token);
                 }
             });
-        } // if login count 
-
-    } // if end  
-    return callback(null, user, context);
-}
+        } else {
+            return callback(null, user, context);
+        }
+    } else {
+        return callback(null, user, context);
+    }
+}
