Merge pull request #210 from FlowFuse/fix-node-auth

Handle httpAdminRoot being moved away from /

lib/auth/httpAuthMiddleware.js

@@ -1,8 +1,12 @@
+const crypto = require('crypto')
+const session = require('express-session')
+const MemoryStore = require('memorystore')(session)
 const { Passport } = require('passport')
 const { Strategy } = require('./strategy')
 
 let options
 let passport
+let httpNodeApp
 
 module.exports = {
     init (_options) {
@@ -32,9 +36,27 @@ module.exports = {
         // exposed by the flows.
 
         passport = new Passport()
+        httpNodeApp = app
+
+        httpNodeApp.use(session({
+        // As the session is only used across the life-span of an auth
+        // hand-shake, we can use a instance specific random string
+            secret: crypto.randomBytes(20).toString('hex'),
+            resave: false,
+            saveUninitialized: false,
+            store: new MemoryStore({
+                checkPeriod: 86400000 // prune expired entries every 24h
+            })
+        }))
+
         app.use(passport.initialize())
 
-        const callbackURL = `${options.baseURL}/_ffAuth/callback`
+        // Need to map `options.baseURL` (the editor url) to the node root url.
+        // We do not support moving node root off / - so we just need to strip off
+        // any path
+
+        const nodeUrl = new URL(options.baseURL)
+        const callbackURL = `${nodeUrl.origin}/_ffAuth/callback`
         const authorizationURL = `${options.forgeURL}/account/authorize`
         const tokenURL = `${options.forgeURL}/account/token`
         const userInfoURL = `${options.forgeURL}/api/v1/user`

package.json

@@ -50,8 +50,10 @@
         "body-parser": "^1.20.2",
         "command-line-args": "^5.2.1",
         "express": "^4.18.2",
+        "express-session": "^1.18.0",
         "got": "^11.8.6",
         "json-stringify-safe": "5.0.1",
+        "memorystore": "^1.6.7",
         "oauth": "^0.9.15",
         "parse-prometheus-text-format": "^1.1.1",
         "passport": "0.6.0",