From e1b9b6f5b80530620b7df2a0bebfd8941eadad3b Mon Sep 17 00:00:00 2001
From: Matt Strapp <matt@mattstrapp.net>
Date: Tue, 5 Apr 2022 17:47:36 +0200
Subject: Add Shibboleth login support

Signed-off-by: Matt Strapp <matt@mattstrapp.net>
---
 src/routes/middleware/saml.ts | 52 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 44 insertions(+), 8 deletions(-)

(limited to 'src/routes/middleware/saml.ts')

diff --git a/src/routes/middleware/saml.ts b/src/routes/middleware/saml.ts
index cce29a2..5904d6e 100644
--- a/src/routes/middleware/saml.ts
+++ b/src/routes/middleware/saml.ts
@@ -1,13 +1,49 @@
 import BasicAuthenticator from 'umn-shib-nodejs';
 import { Request, Response, NextFunction } from 'express';
 
-const saml = function (req: Request, res: Response, next: NextFunction): void {
+/**
+ * Express Middleware to check if the user is authenticated with Shibboleth, wraps {@link isLoggedIn}
+ * @param req Express request object
+ * @param res Express response object
+ * @param next Express next function
+ */
+export default function saml(
+  req: Request,
+  res: Response,
+  next: NextFunction
+): void {
   const authenticator = new BasicAuthenticator(req, res);
-  if (!authenticator.hasSession()) {
-    res.redirect(authenticator.buildLoginURL());
-    return;
-  }
-  next();
-};
+  if (isLoggedIn(req)) next();
+  else res.redirect(authenticator.buildLoginURL());
+}
 
-export default saml;
+/**
+ * A much simpler way to respond to a user that is not logged in for API calls.
+ * @param req Express request object
+ * @param res Express response object
+ * @param next Express next function
+ */
+export function saml_api(
+  req: Request,
+  res: Response,
+  next: NextFunction
+): void {
+  if (isLoggedIn(req)) next();
+  else res.status(401).json({ error: 'Not logged in.' });
+}
+
+/**
+ * Rudimentary check to see if the user is logged in by checking if the user has a session cookie
+ * @param req Express request object
+ * @returns true if the user is logged in, false otherwise
+ */
+function isLoggedIn(req: Request): boolean {
+  /* 
+    Shibboleth token always contains _shibsession_, so we can check for that
+    Is this a good way to check if the user is logged in?
+    Not even slightly.
+    But it works.
+  */
+  const cookies = JSON.stringify(req.cookies);
+  return cookies.includes('_shibsession_');
+}
-- 
cgit v1.2.3