Merge pull request #16 from Azure-Samples/auth-context-sample

Auth context sample

Author: derisen

.gitignore

@@ -68,10 +68,6 @@ typings/
 # Yarn Integrity file
 .yarn-integrity
 
-# dotenv environment variables file
-.env
-.env.test
-
 # parcel-bundler cache (https://parceljs.org/)
 .cache
 

5-AccessControl/1-call-api-roles/README.md

@@ -243,10 +243,6 @@ In a separate console window, execute the following commands:
    npm start
 ```
 
-> For Visual Studio Users
->
-> Clean the solution, rebuild the solution, and run it.  You might want to go into the solution properties and set both projects as startup projects, with the service project starting first.
-
 ## Explore the sample
 
 1. Open your browser and navigate to `http://localhost:3000`.

6-AdvancedScenarios/3-call-api-acrs/API/.env

@@ -0,0 +1,15 @@
+AUTHORITY="login.microsoftonline.com"
+
+TENANT_ID="Enter_the_Tenant_Info_Here"
+CLIENT_ID="Enter_the_Application_Id_Here"
+CLIENT_SECRET="Enter_the_Client_Secret_Here"
+
+REDIRECT_URI="http://localhost:5000/admin/redirect"
+
+API_REQUIRED_PERMISSION="access_as_user"
+
+EXPRESS_SESSION_SECRET="ENTER_YOUR_SECRET_HERE"
+
+CORS_ALLOWED_DOMAINS="http://localhost:3000"
+
+

6-AdvancedScenarios/3-call-api-acrs/API/app.js

@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+const express = require('express');
+const session = require('express-session');
+const methodOverride = require('method-override');
+const cors = require('cors');
+const path = require('path');
+require('dotenv').config();
+
+const msalWrapper = require('msal-express-wrapper');
+const passport = require('passport');
+const BearerStrategy = require('passport-azure-ad').BearerStrategy;
+
+const cache = require('./utils/cachePlugin');
+const todolistRoutes = require('./routes/todolistRoutes');
+const adminRoutes = require('./routes/adminRoutes');
+const routeGuard = require('./utils/routeGuard');
+
+const app = express();
+
+app.set('views', path.join(__dirname, './views'));
+app.set('view engine', 'ejs');
+
+app.use('/css', express.static(path.join(__dirname, 'node_modules/bootstrap/dist/css')));
+app.use('/js', express.static(path.join(__dirname, 'node_modules/bootstrap/dist/js')));
+
+app.use(express.static(path.join(__dirname, './public')));
+
+app.use(methodOverride('_method'));
+app.use(express.urlencoded({ extended: true }));
+app.use(express.json());
+
+/**
+ * We need to enable CORS for client's domain in order to
+ * expose www-authenticate header in response from the web API
+ */
+app.use(cors({
+    origin: process.env.CORS_ALLOWED_DOMAINS, // replace with client domain
+    exposedHeaders: "www-authenticate",
+}));
+
+/**
+ * Using express-session middleware. Be sure to familiarize yourself with available options
+ * and set them as desired. Visit: https://www.npmjs.com/package/express-session
+ */
+ const sessionConfig = {
+    secret: process.env.EXPRESS_SESSION_SECRET,
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+        secure: false, // set this to true on production
+    }
+}
+
+if (app.get('env') === 'production') {
+
+    /**
+     * In App Service, SSL termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests.
+     * The line below is needed for getting the correct absolute URL for redirectUri configuration. For more information, visit: 
+     * https://docs.microsoft.com/azure/app-service/configure-language-nodejs?pivots=platform-linux#detect-https-session
+     */
+
+    app.set('trust proxy', 1) // trust first proxy e.g. App Service
+    sessionConfig.cookie.secure = true // serve secure cookies
+}
+
+app.use(session(sessionConfig));
+
+// =========== Initialize Passport ==============
+
+const bearerOptions = {
+    identityMetadata: `https://${process.env.AUTHORITY}/${process.env.TENANT_ID}/v2.0/.well-known/openid-configuration`,
+    issuer: `https://${process.env.AUTHORITY}/${process.env.TENANT_ID}/v2.0`,
+    clientID: process.env.CLIENT_ID,
+    audience: process.env.CLIENT_ID, // audience is this application
+    validateIssuer: true,
+    passReqToCallback: false,
+    loggingLevel: "info",
+    scope: [process.env.API_REQUIRED_PERMISSION] // scope you set during app registration
+};
+
+const bearerStrategy = new BearerStrategy(bearerOptions, (token, done) => {
+    // Send user info using the second argument
+    done(null, {}, token);
+});
+
+app.use(passport.initialize());
+
+passport.use(bearerStrategy);
+
+// protected api endpoints
+app.use('/api',
+    passport.authenticate('oauth-bearer', { session: false }), // validate access tokens
+    routeGuard, // check for auth context
+    todolistRoutes
+);
+
+// =========== Initialize MSAL Node Wrapper==============
+
+const appSettings = {
+    appCredentials: {
+        clientId: process.env.CLIENT_ID,
+        tenantId: process.env.TENANT_ID,
+        clientSecret: process.env.CLIENT_SECRET,
+    },
+    authRoutes: {
+        redirect: process.env.REDIRECT_URI, // enter the path component of your redirect URI
+        error: "/admin/error", // the wrapper will redirect to this route in case of any error
+        unauthorized: "/admin/unauthorized" // the wrapper will redirect to this route in case of unauthorized access attempt
+    },
+    remoteResources: {
+        // Microsoft Graph beta authenticationContextClassReference endpoint. For more information,
+        // visit: https://docs.microsoft.com/en-us/graph/api/resources/authenticationcontextclassreference?view=graph-rest-beta
+        msGraphAcrs: {
+            endpoint: "https://graph.microsoft.com/beta/identity/conditionalAccess/policies",
+            scopes: ["Policy.ReadWrite.ConditionalAccess", "Policy.Read.ConditionalAccess"]
+        },
+    }
+}
+
+// instantiate the wrapper
+const authProvider = new msalWrapper.AuthProvider(appSettings, cache);
+
+// initialize the wrapper
+app.use(authProvider.initialize());
+
+// pass down to the authProvider instance to use in router
+app.use('/admin',
+    adminRoutes(authProvider)
+);
+
+const port = process.env.PORT || 5000;
+
+app.listen(port, () => {
+    console.log('Listening on port ' + port);
+});

6-AdvancedScenarios/3-call-api-acrs/API/controllers/adminController.js

@@ -0,0 +1,103 @@
+const AuthContext = require('../models/authContext');
+const msGraph = require('../utils/graphClient');
+
+exports.getHomePage = (req, res, next) => {
+    res.render('home', { isAuthenticated: req.session.isAuthenticated, username: req.session.isAuthenticated ? req.session.account.username : null });
+}
+
+exports.getDetailsPage = (req, res, next) => {
+    try {
+        const acrsList = AuthContext.getAuthContexts();
+        res.render('details', { isAuthenticated: req.session.isAuthenticated, acrsList: acrsList });   
+    } catch (error) {
+        next(error);
+    }
+}
+
+exports.postDetailsPage = async(req, res, next) => {
+    try {
+        const authContext = new AuthContext(
+            req.session.account.idTokenClaims.tid, 
+            req.body.authContext.split(' ')[0], // id
+            req.body.authContext.split(' ')[1], // displayName
+            req.body.operation
+        );
+
+        AuthContext.postAuthContext(authContext);
+        res.redirect('/admin/details');   
+    } catch (error) {
+        next(error);
+    }
+}
+
+exports.deleteDetailsPage = async(req, res, next) => {
+    try {
+        const authContextId = req.body.authContextId;
+        AuthContext.deleteAuthContext(authContextId);
+        res.redirect('/admin/details');   
+    } catch (error) {
+        next(error);
+    }
+}
+
+exports.getDashboardPage = (req, res, next) => {
+    res.render('dashboard', { isAuthenticated: req.session.isAuthenticated, isLoaded: false });
+}
+
+exports.postDashboardPage = async(req, res, next) => {
+    try {
+        // pass the access token to create a graph client
+        const graphClient = msGraph.getAuthenticatedClient(req.session.remoteResources["msGraphAcrs"].accessToken);
+
+        let acrs = await graphClient
+            .api('/identity/conditionalAccess/authenticationContextClassReferences')
+		    .version('beta')
+		    .get();
+
+        // check if acrs is empty   
+        if (acrs.value.length === 0) {
+
+            defaultAcrsList = [
+                {
+                    id: 'c1',
+                    displayName: 'Require strong authentication',
+                    description: 'User needs to perform multifactor authentication',
+                    isAvailable: true
+                },
+                {
+                    id: 'c2',
+                    displayName: 'Require compliant devices',
+                    description: 'Users needs to prove using a compliant device',
+                    isAvailable: true
+                },
+                {
+                    id: 'c3',
+                    displayName: 'Require trusted locations',
+                    description: 'User needs to prove connecting from a trusted location',
+                    isAvailable: true
+                },
+            ]
+
+            try {
+
+                // create default auth contexts
+                defaultAcrsList.forEach(async(ac) => {
+                    await graphClient
+                        .api('/identity/conditionalAccess/authenticationContextClassReferences')
+                        .version('beta')
+                        .post(ac);
+                });
+
+                return res.render('dashboard', { isAuthenticated: req.session.isAuthenticated, isLoaded: true, acrsList: defaultAcrsList });
+            } catch (error) {
+                next(error);
+            }
+        } 
+            
+        res.render('dashboard', { isAuthenticated: req.session.isAuthenticated, isLoaded: true, acrsList: acrs.value });  
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}
+    

6-AdvancedScenarios/3-call-api-acrs/API/controllers/todolistController.js

@@ -0,0 +1,68 @@
+const Todo = require('../models/todo');
+
+exports.getTodo = (req, res) => {
+    const id = req.params.id;
+    const owner = req.authInfo['preferred_username'];
+
+    try {
+        const todo = Todo.getTodo(owner, id);
+        res.status(200).send(todo);
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}
+
+exports.getTodos = (req, res) => {
+    const owner = req.authInfo['preferred_username'];
+
+    try {
+        const todos = Todo.getTodos(owner);
+        res.status(200).send(todos);
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}
+
+exports.postTodo = (req, res) => {
+    const id = req.body.id;
+    const name = req.body.name;
+    const owner = req.authInfo['preferred_username'];
+
+    const newTodo = new Todo(id, name, owner);
+
+    try {
+        Todo.postTodo(newTodo);
+        res.status(200).json({ message: "success" });   
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}
+
+exports.updateTodo = (req, res) => {
+    const id = req.params.id;
+    const owner = req.authInfo['preferred_username'];
+
+    try {
+        Todo.updateTodo(owner, id, req.body)
+        res.status(200).json({ message: "success" });   
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}
+
+exports.deleteTodo = (req, res) => {
+    const id = req.params.id;;
+    const owner = req.authInfo['preferred_username'];
+
+    try {
+        Todo.deleteTodo(id, owner);
+        res.status(200).json({ message: "success" });   
+    } catch (error) {
+        console.log(error);
+        next(error);
+    }
+}

6-AdvancedScenarios/3-call-api-acrs/API/data/cache.json

@@ -0,0 +1,4 @@
+{
+  "todos": [],
+  "acrs": []
+}