Add allowlists for demo apps

GSA-TTS · Aug 20, 2024 · e8bd32c · e8bd32c
1 parent 10b9c83
commit e8bd32c
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 4 deletions.
diff --git a/apps/server-doj/src/server.ts b/apps/server-doj/src/server.ts
@@ -20,5 +20,18 @@ export const createCustomServer = async (ctx: {
         'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
       //clientSecret: '', // secrets.loginGovClientSecret,
     },
+    isUserAuthorized: async (email: string) => {
+      return [
+        // 10x team members
+        'daniel.naab@gsa.gov',
+        'jim.moffet@gsa.gov',
+        'ethan.gardner@gsa.gov',
+        'natasha.pierre-louis@gsa.gov',
+        'emily.lordahl@gsa.gov',
+        // DOJ test users
+        'deserene.h.worsley@usdoj.gov',
+        'jordan.pendergrass@usdoj.gov',
+      ].includes(email);
+    },
   });
 };
diff --git a/apps/server-kansas/src/server.ts b/apps/server-kansas/src/server.ts
@@ -20,5 +20,14 @@ export const createCustomServer = async (ctx: {
         'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:tts-10x-atj-dev-server-doj',
       //clientSecret: '', // secrets.loginGovClientSecret,
     },
+    isUserAuthorized: async (email: string) => {
+      return [
+        'daniel.naab@gsa.gov',
+        'jim.moffet@gsa.gov',
+        'ethan.gardner@gsa.gov',
+        'natasha.pierre-louis@gsa.gov',
+        'emily.lordahl@gsa.gov',
+      ].includes(email);
+    },
   });
 };
diff --git a/packages/auth/src/context/base.ts b/packages/auth/src/context/base.ts
@@ -14,7 +14,8 @@ export class BaseAuthContext implements AuthContext {
     public provider: LoginGov,
     public getCookie: (name: string) => string | undefined,
     public setCookie: (cookie: Cookie) => void,
-    public setUserSession: (userSession: UserSession) => void
+    public setUserSession: (userSession: UserSession) => void,
+    public isUserAuthorized: (email: string) => Promise<boolean>
   ) {}
 
   async getLucia() {

diff --git a/packages/auth/src/context/test.ts b/packages/auth/src/context/test.ts
@@ -15,13 +15,15 @@ type Options = {
   getCookie: (name: string) => string | undefined;
   setCookie: (cookie: Cookie) => void;
   setUserSession: (userSession: UserSession) => void;
+  isUserAuthorized: (email: string) => Promise<boolean>;
 };
 
 export const createTestAuthContext = async (opts?: Partial<Options>) => {
   const options: Options = {
     getCookie: opts?.getCookie || vi.fn(),
     setCookie: opts?.setCookie || vi.fn(),
     setUserSession: opts?.setUserSession || vi.fn(),
+    isUserAuthorized: opts?.isUserAuthorized || vi.fn(async () => true),
   };
   const dbContext = await createInMemoryDatabaseContext();
   const database = createDatabaseGateway(dbContext);
@@ -36,7 +38,8 @@ export const createTestAuthContext = async (opts?: Partial<Options>) => {
     }),
     options.getCookie,
     options.setCookie,
-    options.setUserSession
+    options.setUserSession,
+    options.isUserAuthorized
   );
 };
 
@@ -48,7 +51,8 @@ export class TestAuthContext implements AuthContext {
     public provider: LoginGov,
     public getCookie: (name: string) => string | undefined,
     public setCookie: (cookie: Cookie) => void,
-    public setUserSession: (userSession: UserSession) => void
+    public setUserSession: (userSession: UserSession) => void,
+    public isUserAuthorized: (email: string) => Promise<boolean>
   ) {}
 
   async getLucia() {

diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
@@ -23,4 +23,5 @@ export type AuthContext = {
   setCookie: (cookie: Cookie) => void;
   setUserSession: (userSession: UserSession) => void;
   getLucia: () => Promise<Lucia>;
+  isUserAuthorized: (email: string) => Promise<boolean>;
 };
diff --git a/packages/auth/src/services/process-provider-callback.test.ts b/packages/auth/src/services/process-provider-callback.test.ts
@@ -3,6 +3,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest';
 import { processProviderCallback } from './process-provider-callback';
 import { createTestAuthContext } from '../context/test';
 import { AuthContext } from '..';
+import { success } from '@atj/common';
 
 describe('processProviderCallback', () => {
   let ctx: AuthContext;
@@ -101,4 +102,29 @@ describe('processProviderCallback', () => {
       },
     });
   });
+
+  it('fails with unauthorized email', async () => {
+    const ctx = await createTestAuthContext({
+      isUserAuthorized: async () => false,
+    });
+    const result = await processProviderCallback(
+      ctx,
+      {
+        code: 'params-code',
+        state: 'params-state',
+      },
+      {
+        code: 'params-code',
+        state: 'params-state',
+        nonce: 't0j5AY5k4oLAcxfaZdRsMfVZGBCgBjlfihgoVq34YGo',
+      }
+    );
+    expect(result).toEqual({
+      error: {
+        message: 'permission denied',
+        status: 403,
+      },
+      success: false,
+    });
+  });
 });
diff --git a/packages/auth/src/services/process-provider-callback.ts b/packages/auth/src/services/process-provider-callback.ts
@@ -67,6 +67,10 @@ export const processProviderCallback = async (
   if (!userDataResult.success) {
     return userDataResult;
   }
+  const isAuthorized = await ctx.isUserAuthorized(userDataResult.data.email);
+  if (!isAuthorized) {
+    return r.failure({ status: 403, message: 'permission denied' });
+  }
   let userId = await ctx.db.getUserId(userDataResult.data.email);
   if (!userId) {
     const newUser = await ctx.db.createUser(userDataResult.data.email);

diff --git a/packages/server/src/context.ts b/packages/server/src/context.ts
@@ -23,6 +23,7 @@ export type ServerOptions = {
   title: string;
   db: DatabaseGateway;
   loginGovOptions: LoginGovOptions;
+  isUserAuthorized: (email: string) => Promise<boolean>;
 };
 
 export const getAstroAppContext = async (Astro: any): Promise<AppContext> => {
@@ -42,6 +43,7 @@ const createAstroAppContext = async (
       Astro,
       db: serverOptions.db,
       loginGovOptions: serverOptions.loginGovOptions,
+      isUserAuthorized: serverOptions.isUserAuthorized,
     }),
     baseUrl: env.BASE_URL,
     formConfig: defaultFormConfig,
@@ -64,6 +66,9 @@ const getDefaultServerOptions = async (): Promise<ServerOptions> => {
       //clientSecret: import.meta.env.SECRET_LOGIN_GOV_PRIVATE_KEY,
       redirectURI: 'http://localhost:4322/signin/callback',
     },
+    isUserAuthorized: async (email: string) => {
+      return true;
+    },
   };
 };
 
@@ -95,10 +100,12 @@ const createDefaultAuthContext = async ({
   Astro,
   db,
   loginGovOptions,
+  isUserAuthorized,
 }: {
   Astro: AstroGlobal | APIContext;
   db: DatabaseGateway;
   loginGovOptions: LoginGovOptions;
+  isUserAuthorized: (email: string) => Promise<boolean>;
 }) => {
   const { LoginGov, BaseAuthContext } = await import('@atj/auth');
   return new BaseAuthContext(
@@ -116,7 +123,8 @@ const createDefaultAuthContext = async ({
     function setUserSession({ session, user }) {
       Astro.locals.session = session;
       Astro.locals.user = user;
-    }
+    },
+    isUserAuthorized
   );
 };