Merge pull request #228 from lambdaclass/google-sign-in

jrchatruc · web-flow · commit a8a6d1e28de5 · 2020-10-21T11:00:26.000-03:00
Add Google sign in
diff --git a/README.md b/README.md
@@ -56,12 +56,14 @@ The release generated for `prod` expects some config values from the environment
 **NOTE:** Remember to mount the folder where `SSL_CERTFILE` and `SSL_KEYFILE` are stored into the container.
 
 ### Credentials
-#### GitHub login configuration
+#### GitHub and Google login configuration
 
 For the GitHub login option to work, [OAuth cretentials](https://github.com/settings/applications/new)
 need to be generated and set as `GITHUB_CLIENTID` and `GITHUB_SECRET`
 environment variables.
 
+Similarly, use the [Google developers console](https://console.developers.google.com/) to generate the Google credentials and set them as `GOOGLE_CLIENTID` and `GOOGLE_SECRET`.
+
 ### Email providers
 Holiday Pinger supports two different providers for sending emails: Amazon SES and Mailgun. To choose one, set it in the config file (`prod.conf` for the production environment) as 
 ```
diff --git a/priv/ui/src/holiday_ping_ui/auth/events.cljs b/priv/ui/src/holiday_ping_ui/auth/events.cljs
@@ -82,22 +82,22 @@
                  :on-failure      [:error-message "Registration failed"]}}))
 
 (defmethod events/load-view
-  :github-callback [_ _]
-  {:dispatch [:github-code-submit]})
+  :provider-callback [_ [_ provider]]
+  {:dispatch [:provider-code-submit provider]})
 
 (re-frame/reg-event-fx
- :github-code-submit
+ :provider-code-submit
  [(re-frame/inject-cofx :location)]
- (fn [{:keys [location]} _]
+ (fn [{:keys [location]} [_ provider]]
    (let [code (get-in location [:query "code"])]
      {:http-xhrio {:method          :post
-                   :uri             "/api/auth/github/code"
+                   :uri             (str "/api/auth/" provider "/code")
                    :timeout         8000
                    :format          (ajax/json-request-format)
                    :params          {:code code}
                    :response-format (ajax/json-response-format {:keywords? true})
                    :on-success      [:login-success]
-                   :on-failure      [:error-message "GitHub authentication failed"]}})))
+                   :on-failure      [:error-message (str provider " authentication failed")]}})))
 
 (defmethod events/load-view
   :register-confirm [_ _]
diff --git a/priv/ui/src/holiday_ping_ui/auth/views.cljs b/priv/ui/src/holiday_ping_ui/auth/views.cljs
@@ -11,12 +11,9 @@
    [views/section-size "is-one-third-desktop is-half-tablet"
     [:div.card
      [:div.card-content
-      [:div.has-text-centered
-       [:a.button.is-medium.is-primary.is-fullwidth
-        {:data-pushy-ignore true ;; don't try to hadle this uri in the frontend
-         :href              "/oauth/github"}
-        [:span.icon.is-medium [:i.fa.fa-github]]
-        [:span " Login with GitHub"]]]
+      (views/provider-login-button "GitHub" [:i.fa.fa-github])
+      [:br]
+      (views/provider-login-button "Google" [:i.fa.fa-google])
       [:hr]
       [views/message-view]
       [forms/form-view {:submit-text  "Login"
diff --git a/priv/ui/src/holiday_ping_ui/common/views.cljs b/priv/ui/src/holiday_ping_ui/common/views.cljs
@@ -26,6 +26,15 @@
     [:div.columns.is-centered
      (apply vector :div.column {:class (name size)} views)]]])
 
+(defn provider-login-button
+  [provider icon]
+  [:div.has-text-centered
+    [:a.button.is-medium.is-primary.is-fullwidth
+      {:data-pushy-ignore true ;; don't try to handle this uri in the frontend
+        :href              (str "/oauth/" (clojure.string/lower-case provider))}
+      [:span.icon.is-medium icon]
+      [:span (str " Login with " provider)]]])
+
 ;; APP VIEWS
 (defn user-info-view []
   (when @(re-frame/subscribe [:access-token])
diff --git a/priv/ui/src/holiday_ping_ui/core.cljs b/priv/ui/src/holiday_ping_ui/core.cljs
@@ -34,7 +34,7 @@
             :request-password-reset [auth/request-password-reset-view]
             :password-reset-sent    [auth/password-reset-sent-view]
             :submit-password-reset  [auth/submit-password-reset-view]
-            :github-callback        [common/loading-view]
+            :provider-callback      [common/loading-view]
             :holidays               [holidays/holidays-view]
             :not-found              [common/not-found-view]})
 
diff --git a/priv/ui/src/holiday_ping_ui/routes.cljs b/priv/ui/src/holiday_ping_ui/routes.cljs
@@ -15,7 +15,7 @@
                       ["register/confirm"                         :resend-confirmation]
                       ["password"                                 :request-password-reset]
                       ["password/code"                            :submit-password-reset]
-                      ["oauth/github/callback"                    :github-callback]
+                      [["oauth/" [#".+" :provider] "/callback"]   :provider-callback]
                       [true                                       :not-found]]])
 
 (defn parse-url [url]
@@ -45,7 +45,7 @@
   (loging, register, etc.)."
   [view]
   (contains?
-   #{:landing :login :register :github-callback :not-verified
+   #{:landing :login :register :provider-callback :not-verified
      :register-confirm :email-sent :register-confirm-error :resend-confirmation
      :request-password-reset :submit-password-reset :password-reset-sent}
    view))
diff --git a/src/db/db_user.erl b/src/db/db_user.erl
@@ -1,7 +1,6 @@
 -module(db_user).
 
--export([create_holiday_user/3,
-         create_github_user/2,
+-export([create_user/4,
          get/1,
          delete/1,
          get_with_password/1,
@@ -16,18 +15,18 @@
 %% needed so atoms exist.
 user_keys () -> [email, password, name].
 
-create_holiday_user(Email, Name, Password) ->
-  Q = <<"INSERT INTO users(email, name, password, auth_type) "
-        "VALUES($1, $2, $3, 'holiday') RETURNING email, name ">>,
-  case db:query(Q, [Email, Name, Password]) of
+create_user(Email, Name, null, AuthType) ->
+  Q = <<"INSERT INTO users(email, name, auth_type, verified) "
+        "VALUES($1, $2, $3, true) RETURNING email, name ">>,
+  case db:query(Q, [Email, Name, AuthType]) of
     {ok, [Result | []]} -> {ok, Result};
     {error, unique_violation} -> {error, user_already_exists}
-  end.
+  end;
 
-create_github_user(Email, Name) ->
-  Q = <<"INSERT INTO users(email, name, auth_type, verified)"
-        "VALUES($1, $2, 'github', true) RETURNING email, name ">>,
-  case db:query(Q, [Email, Name]) of
+create_user(Email, Name, Password, AuthType) ->
+  Q = <<"INSERT INTO users(email, name, password, auth_type) "
+        "VALUES($1, $2, $3, $4) RETURNING email, name ">>,
+  case db:query(Q, [Email, Name, Password, AuthType]) of
     {ok, [Result | []]} -> {ok, Result};
     {error, unique_violation} -> {error, user_already_exists}
   end.
diff --git a/src/handlers/github_callback_handler.erl b/src/handlers/github_callback_handler.erl
@@ -32,7 +32,9 @@ from_json(Req, State) ->
   Email = get_primary_email(GithubToken),
 
   ok = register_user(Email, Profile),
-  Token = build_holiday_access_token(Email, Profile),
+  Name = get_name(Email, Profile),
+  AvatarUrl = maps:get(avatar_url, Profile),
+  Token = hp_auth:build_holiday_access_token(Email, Name, AvatarUrl),
 
   Encoded = hp_json:encode(#{access_token => Token}),
   Req3 = cowboy_req:set_resp_body(Encoded, Req2),
@@ -71,21 +73,12 @@ register_user(Email, Profile) ->
   %% only attempt to create it if it's not already registered
   case db_user:get(Email) of
     {error, not_found} ->
-      {ok, _} = db_user:create_github_user(Email, get_name(Email, Profile)),
+      {ok, _} = db_user:create_user(Email, get_name(Email, Profile), null, "github"),
       ok;
     {ok, _} ->
       ok
   end.
 
-build_holiday_access_token(Email, Profile) ->
-  Data = #{
-    email => Email,
-    name => get_name(Email, Profile),
-    avatar => maps:get(avatar_url, Profile)
-   },
-  {ok, Token} = hp_auth:token_encode(Data),
-  Token.
-
 get_name(Email, #{name := null}) ->
   Email;
 get_name(_Email, #{name := Name}) ->
diff --git a/src/handlers/github_redirect_handler.erl b/src/handlers/github_redirect_handler.erl
diff --git a/src/handlers/google_callback_handler.erl b/src/handlers/google_callback_handler.erl
@@ -0,0 +1,86 @@
+-module(google_callback_handler).
+
+%%% REST handler that receives the authentication code set by Google in the OAuth callback.
+%%% If the user is new, register it with the data from Google
+%%% In any case, respond with an access_token
+
+-export([init/3,
+         allowed_methods/2,
+         content_types_accepted/2,
+         content_types_provided/2,
+         from_json/2]).
+
+init(_Transport, _Req, []) ->
+  {upgrade, protocol, cowboy_rest}.
+
+allowed_methods(Req, State) ->
+  {[<<"POST">>], Req, State}.
+
+content_types_accepted(Req, State) ->
+  {[{<<"application/json">>, from_json}], Req, State}.
+
+content_types_provided(Req, State) ->
+  {[{<<"application/json">>, to_json}], Req, State}.
+
+from_json(Req, State) ->
+  {ok, Body, Req2} = cowboy_req:body(Req),
+
+  #{code := Code} = hp_json:decode(Body),
+
+  GoogleToken = get_google_access_token(Code),
+  Profile = get_public_profile(GoogleToken),
+
+  Email = get_primary_field(Profile, emailAddresses),
+  Name = get_primary_field(Profile, names),
+  AvatarUrl = get_primary_field(Profile, photos),
+
+  ok = register_user(Email, Name),
+  Token = hp_auth:build_holiday_access_token(Email, Name, AvatarUrl),
+
+  Encoded = hp_json:encode(#{access_token => Token}),
+  Req3 = cowboy_req:set_resp_body(Encoded, Req2),
+  {true, Req3, State}.
+
+%% internal
+get_google_access_token(Code) ->
+  ClientId = list_to_binary(os:getenv("GOOGLE_CLIENTID", false)),
+  ClientSecret = list_to_binary(os:getenv("GOOGLE_SECRET", false)),
+  GoogleBody = #{
+    code => Code,
+    client_id => ClientId,
+    client_secret => ClientSecret,
+    grant_type => << "authorization_code" >>,
+    redirect_uri => << "https://holidaypinger.com/oauth/google/callback" >>
+   },
+
+  {ok, 200, _, GoogleTokenResponse} =
+    hp_request:post_json(<<"https://oauth2.googleapis.com/token">>,
+                         GoogleBody),
+  maps:get(access_token, GoogleTokenResponse).
+
+get_public_profile(GoogleToken) ->
+  {ok, 200, _, Profile} = hp_request:get_json(<<"https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,photos">>,
+                                              [{<<"Authorization">>, <<"Bearer ", GoogleToken/binary>>}]),
+  Profile.
+
+get_primary_field(Profile, Field) ->
+  Fields = maps:get(Field, Profile),
+  [PrimaryField | _] = lists:dropwhile(fun(#{metadata := #{primary := IsPrimary}}) -> not IsPrimary end, Fields),
+  case Field of
+    emailAddresses ->
+      maps:get(value, PrimaryField);
+    names ->
+      maps:get(displayName, PrimaryField);
+    photos ->
+      maps:get(url, PrimaryField)
+  end.
+
+register_user(Email, Name) ->
+  %% only attempt to create it if it's not already registered
+  case db_user:get(Email) of
+    {error, not_found} ->
+      {ok, _} = db_user:create_user(Email, Name, null, "google"),
+      ok;
+    {ok, _} ->
+      ok
+  end.
diff --git a/src/handlers/provider_redirect_handler.erl b/src/handlers/provider_redirect_handler.erl
@@ -0,0 +1,37 @@
+-module(provider_redirect_handler).
+
+%%% HTTP handler that redirects the user to the OAuth endpoint of the corresponding
+%%% provider with the client_id that identifies this application
+
+-export([init/3,
+         handle/2,
+         terminate/3]).
+
+init(_Type, Req, []) ->
+  {ok, Req, no_state}.
+
+handle(Req, State) ->
+  {Provider, _} = cowboy_req:binding(provider, Req),
+  {EnvVar, ProviderUrl} = provider_vars(binary_to_list(Provider)),
+
+  case os:getenv(EnvVar, false) of
+    false ->
+      lager:error([Provider, <<" credentials not found in environment">>]);
+    ClientId ->
+      Url = [ProviderUrl | ClientId],
+      {ok, Req2} = cowboy_req:reply(303, [{<<"location">>, Url}], Req),
+      {ok, Req2, State}
+  end.
+
+terminate(_Reason, _Req, _State) ->
+  ok.
+
+provider_vars("google") ->
+    {"GOOGLE_CLIENTID",
+    [<<"https://accounts.google.com/o/oauth2/auth">>,
+    <<"?response_type=code&redirect_uri=https://holidaypinger.com/oauth/google/callback&scope=email profile&client_id=">>]};
+
+provider_vars("github") ->
+    {"GITHUB_CLIENTID",
+    [<<"http://github.com/login/oauth/authorize">>,
+    <<"?scope=user:email&client_id=">>]}.
diff --git a/src/handlers/user_handler.erl b/src/handlers/user_handler.erl
@@ -33,7 +33,7 @@ from_json(Req, _State) ->
        password := Password
      } ->
       PasswordHash = hp_auth:password_hash(Password),
-      case db_user:create_holiday_user(Email, Name, PasswordHash) of
+      case db_user:create_user(Email, Name, PasswordHash, "holiday") of
         {ok, _User} ->
           hp_auth:reset_verification(Email),
           {{true, "/api/channels"}, Req2, []};
diff --git a/src/holiday_ping_app.erl b/src/holiday_ping_app.erl
@@ -13,7 +13,8 @@ start(_StartType, _StartArgs) ->
                                            {"/js/[...]", cowboy_static, {priv_dir, holiday_ping, "/ui/resources/public/js"}},
                                            {"/css/[...]", cowboy_static, {priv_dir, holiday_ping, "/ui/resources/public/css"}},
                                            {"/img/[...]", cowboy_static, {priv_dir, holiday_ping, "/ui/resources/public/img"}},
-                                           {"/oauth/github", github_redirect_handler, []},
+                                           {"/oauth/:provider", provider_redirect_handler, []},
+                                           {"/api/auth/google/code", google_callback_handler, []},
                                            {"/api/auth/github/code", github_callback_handler, []},
                                            {"/api/users", user_handler, []},
                                            {"/api/users/confirmation", confirmation_handler, []},
diff --git a/src/hp_auth.erl b/src/hp_auth.erl
@@ -6,7 +6,8 @@
          password_match/2,
          authenticate/2,
          reset_verification/1,
-         reset_password/1]).
+         reset_password/1,
+         build_holiday_access_token/3]).
 
 password_hash(Value) ->
   erlpass:hash(Value).
@@ -56,3 +57,12 @@ reset_password(Email) ->
   VerificationCode = base64url:encode(crypto:strong_rand_bytes(20)),
   db_user:reset_password(Email, VerificationCode),
   hp_email:send_password_reset(Email, VerificationCode).
+
+build_holiday_access_token(Email, Name, AvatarUrl) ->
+  Data = #{
+    email => Email,
+    name => Name,
+    avatar => AvatarUrl
+   },
+  {ok, Token} = token_encode(Data),
+  Token.
diff --git a/src/hp_request.erl b/src/hp_request.erl
@@ -19,7 +19,7 @@ get_json(Url, Headers) ->
 
 %% internal
 request_json(Method, Url, Data, Headers) ->
-  Body = hp_json:encode(Data),
+  Body = request_body(Data),
   Headers2 = [{<<"Content-Type">>, <<"application/json">>},
               {<<"Accept">>, <<"application/json">>} | Headers],
   {ok, Status, ResHeaders, ResBody} =
@@ -32,3 +32,13 @@ decode_response(<<"application/json", _/binary>>, ResBody) ->
   hp_json:decode(ResBody);
 decode_response(_, ResBody) ->
   ResBody.
+
+%% Passing Data=null to hp_json:encode means the body becomes null. This makes the google
+%% api break and return a 400 status, hence GET requests pass <<>> in the Body.
+request_body(Data) ->
+  case Data of
+    null ->
+      <<>>;
+    _ ->
+      hp_json:encode(Data)
+  end.
