WIP (create account using webid as OIDC _id)

Author: dmitrizagidulin

lib/capability-discovery.js

@@ -11,6 +11,8 @@ const serviceConfigDefaults = {
     'accounts': {
       // 'changePassword': '/api/account/changePassword',
       // 'delete': '/api/accounts/delete',
+
+      // Create new user (see IdentityProvider.post() in identity-provider.js)
       'new': '/api/accounts/new',
       'recover': '/api/accounts/recover',
       'signin': '/api/accounts/signin',

lib/handlers/oidc.js

@@ -20,28 +20,28 @@ module.exports.oidcIssuerHeader = oidcIssuerHeader
  * Usage:
  *
  *   ```
- *   app.use('/api/oidc', oidcHandler.api(corsSettings))
+ *   app.use('/api/oidc', oidcHandler.api(corsSettings, oidcRpClient))
  *   ```
  * @param corsSettings
- * @returns {Router} Express router
+ * @param oidcRpClient
+ * @return {Router} Express router
  */
 function api (corsSettings, oidcRpClient) {
   const router = express.Router('/')
 
   if (corsSettings) {
     router.use(corsSettings)
   }
-
-  // router.post('/signin', bodyParser.urlencoded({extended: false}),
-  //   (req, res, next) => {
-  //     // const userServer = req.body.oidcServer
-  //   })
-  router.get('/rp', authCallback(oidcRpClient), authSessionInit, rpCallback(oidcRpClient))
-  // router.get('/signout', (req, res, next) => {
-  //   req.session.userId = null
-  //   req.session.identified = false
-  //   res.send('signed out...')
-  // })
+  // The /rp (relying party) callback is called at the end of the OIDC signin
+  // process
+  router.get('/rp',
+    // Authenticate the RP callback (exchange code for id token)
+    authCallback(oidcRpClient),
+    // Start up the session
+    authSessionInit,
+    // Redirect the user back to returnToUrl (that they were requesting before
+    //  being forced to sign in)
+    rpCallback(oidcRpClient))
 
   return router
 }
@@ -95,7 +95,6 @@ function authenticate (oidcRpClient) {
  * @param req
  * @param res
  * @param next
- * @returns {*}
  */
 function authSessionInit (req, res, next) {
   if (!req.userInfo) {

lib/identity-provider.js

@@ -524,14 +524,41 @@ IdentityProvider.prototype.getGraph = function (uri, callback) {
     })
 }
 
-// Handle POST requests on account creation
+/**
+ * Handles new account creation (in multi-user mode).
+ * Currently mounted on /api/accounts/new endpoint.
+ * @param req
+ * @param res
+ * @param next
+ */
 IdentityProvider.prototype.post = function (req, res, next) {
-  if (!req.body) {
+  const idpMode = req.app.locals.ldp.idp
+  if (!req.body) {  // This is unlikely to ever be true, express sets body={}
     debug('Options missing')
-    var err = new Error('Settings to create the account have not been passed!')
-    err.status = 406
+    let err = new Error('Settings to create the account have not been passed!')
+    err.status = 400
     return next(err)
   }
+  // Username is required only in MultiUser / idp mode (for both TLS and OIDC)
+  if (idpMode && !req.body.username) {
+    debug('Username missing (IDP mode)')
+    let err = new Error('Username required')
+    err.status = 400
+    return next(err)
+  }
+  if (this.auth === 'oidc') {
+    // OIDC auth required username & pass in both single-user and IDP modes
+    if (!req.body.username) {
+      let err = new Error('Username required')
+      err.status = 400
+      return next(err)
+    }
+    if (!req.body.password) {
+      let err = new Error('Password required')
+      err.status = 400
+      return next(err)
+    }
+  }
 
   var self = this
   var email = req.app.locals.email
@@ -554,24 +581,30 @@ IdentityProvider.prototype.post = function (req, res, next) {
         return callback()
       }
       let trustedClient = oidcRpClient.trustedClient
-      return trustedClient.client.token({
-        grant_type: 'client_credentials',
-        scope: 'realm'
-      })
+      return trustedClient.client
+        .token({
+          grant_type: 'client_credentials',
+          scope: 'realm'
+        })
         .then((tokenResponse) => {
-          let token = { token: tokenResponse.access_token }
+          let createOptions = { token: tokenResponse.access_token }
           // NOTE: Password must be 8+ chars, mix alpha and numbers
           let userData = {
+            _id: agent,
             email: options.email,
             profile: agent,  // WebID URL
             name: options.name,
             password: options.password // || 'swordfish123'
           }
-          return trustedClient.client.users
-            .create(userData, token)
+          return trustedClient.client.users.create(userData, createOptions)
         })
         .then(() => callback())
-        .catch(callback)
+        .catch((err) => {
+          debug('Error creating user: ' + err)
+          let error = new Error('Error creating user on OIDC provider: ' + err)
+          error.status = 400
+          return callback(error)
+        })
     },
     (callback) => {
       // Auth == TLS section only

lib/oidc-rp-client.js

@@ -119,7 +119,7 @@ module.exports = class OidcRpClient {
   /**
    * Returns the Signin page URL for the trusted OIDC provider
    * @param oidcExpress {OIDCExpressClient}
-   * @returns {String}
+   * @return {String}
    */
   urlForSignin (oidcExpress) {
     // return 'https://anvil.local/authorize?stuff'