rocketchat-lg-sso's Introduction

DEPRECATED: this repo has been merged into echo-chat

learnersguild:rocketchat-lg-sso

Log in to Rocket.Chat using Learners Guild SSO.

This simple package listens for the creation of the loginLayout template in Rocket.Chat, and initiates a cookie-based login process based on Learners Guild's SSO / Identity Management (IDM) service.

NOTE: This package will likely not be useful for anyone outside of Learners Guild.

Getting Started (Dev)

Be sure you've read the instructions for contributing.

  1. Get your local IDM up and running.

  2. Get your local Rocket.Chat up and running.

  3. Clone this repository.

  4. From your local Rocket.Chat repository's packages folder, add a symlink to this repo, then add the package:

     $ ln -s ../rocketchat-lg-sso .
     $ meteor add learnersguild:rocketchat-lg-sso
    
  5. Start the server.

     $ learners-guild/start.sh
    

License

See the LICENSE file.

rocketchat-lg-sso's People

Contributors

jeffreywescott, bundacia

rocketchat-lg-sso's Issues

Infinite loop on signup attempt

@prattsj commented on Tue Jul 12 2016

from @shereefb:

video screen cap:
http://screencast.com/t/Ws70lHbz

expected:

  • visits echo.learnersguild.org
  • redirected to idm sign in page
  • clicked button to authenticate using github
  • redirected back to echo and able to use the chat app

actual:

  • visits echo.learnersguild.org
  • redirected to idm sign in page
  • clicked button to authenticate using github
  • lands on the idm profile page

additional useful info?

  • logged in day before with both a moderator account in the oakland chapter and a player account in the play-test chapter. due to an issue this caused with voting panel functionality, the player account was deleted.
  • changes to idm authentication handling were deployed (after successful login) the day before

not clear to me at all that either of these have something to do with the occurrence of this issue.


@jeffreywescott commented on Tue Jul 12 2016

This happened because @tannerwelsh and @shereefb were in the player role but didn't have a corresponding record in the players table in game. We should recover gracefully from this.

Only import the default/primary email address from a user's github account

@prattsj commented on Mon Jul 11 2016

My echo profile has every email address associated with my GitHub account, which is unnecessary and perhaps confusing for folks who'd want to send me an email. Most of them are linked only for work on a specific org's repos. My expectation here would have been that only my default/primary email address is imported from GitHub and is shown in my Echo profile.


@jeffreywescott commented on Mon Jul 11 2016

Fair point. In IDM, we allow the user to save their preferred address, and change it later (via the /profile command), but there's no need to pull all the info into echo.

if `inviteCode=XXX` parameter is passed, redirect to `/sign-up/:inviteCode` on IDM rather than `/sign-in`

Right now, if a user tries to visit the chat service and is not-yet-authenticated, they will be directed to <idm>/sign-in. However, if they haven't yet created an account, it can be confusing -- they might not notice the link beneath the button and will just get an error complaining that they don't yet have an account, forcing them to jump through some hoops.

Since it's likely that the first URL we will send to new players is a chat service URL, it would be nice if we could append an inviteCode=XXX parameter to that, in which case the user would be directed to <idm>/sign-up/:inviteCode instead, which would streamline the sign-up / on-boarding process and minimize confusion.
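One way the redirect choice described in this issue could be made, as an added example that is not code from the rocketchat-lg-sso repository. The function name, the IDM base URL and the invite-code character set are assumptions; the code is validated before it is placed into the IDM path because it comes straight from the query string.

```javascript
// Added illustration; idmRedirectFor and the invite-code format are assumptions.
const INVITE_CODE_PATTERN = /^[A-Za-z0-9_-]{1,64}$/

// Returns the IDM URL an unauthenticated visitor should be sent to.
function idmRedirectFor(requestUrl, idmBaseUrl) {
  const signIn = new URL('/sign-in', idmBaseUrl).toString()
  const codes = new URL(requestUrl).searchParams.getAll('inviteCode')
  // Require exactly one well-formed code; otherwise keep the existing
  // /sign-in behaviour. Rejecting values outside the pattern keeps a value
  // such as ".." from being normalized out of the /sign-up/ path.
  if (codes.length !== 1 || !INVITE_CODE_PATTERN.test(codes[0])) return signIn
  return new URL(`/sign-up/${encodeURIComponent(codes[0])}`, idmBaseUrl).toString()
}

// Constructed inputs; idm.example.test is a placeholder host.
const IDM_BASE_URL = 'https://idm.example.test'

function demoRedirects() {
  return [
    'https://echo.learnersguild.org/?inviteCode=abc123',
    'https://echo.learnersguild.org/',
    'https://echo.learnersguild.org/?inviteCode=..',
    'https://echo.learnersguild.org/?inviteCode=..%2Fprofile',
    'https://echo.learnersguild.org/?inviteCode=a&inviteCode=b',
  ].map((url) => idmRedirectFor(url, IDM_BASE_URL))
}
```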

TypeError: Cannot read property 'lgUser' of undefined

Trying to work through issues with running the system locally.

Finding this output being repeated in the chat window console:

[LG SSO] fetching new JWT token and updating user info
debug.js:41 Exception in setInterval callback: TypeError: Cannot read property 'lgUser' of undefined
    at fetchJWTAndUpdateUserInfo (http://chat.learnersguild.dev/packages/learnersguild_rocketchat-lg-sso.js?1a7b5a0b3cf2fa08db5ff4b1bf893c542d779fee:265:43)
    at _.extend.withValue (http://chat.learnersguild.dev/packages/meteor.js?9730f4ff059088b3f7f14c0672d155218a1802d4:971:17)
    at http://chat.learnersguild.dev/packages/meteor.js?9730f4ff059088b3f7f14c0672d155218a1802d4:428:45
    at http://chat.learnersguild.dev/packages/meteor.js?9730f4ff059088b3f7f14c0672d155218a1802d4:999:22

A couple of issues are easy to identify:

  • We should be more defensive in our handling of values returned from the meteor service.
  • There's no indication in the UX of any auth failure

Not sure what else might need to be addressed.

set up continuous deployment

It would be nice if merges to master automatically pushed a new version to meteor. We should add some tests first.

if user has no gravatar for their LG default email address, they cannot sign-in to echo

Jun 24 14:06:44 echo app/web.1:  [LG SSO] found user, updating Rocket.Chat user info 
Jun 24 14:06:44 echo app/web.1:  [LG SSO] setting avatar from gravatar 
Jun 24 14:06:44 echo app/web.1:  Error while handling the setting of the avatar from a url (https://secure.gravatar.com/avatar/48e6c07c5ca7ce9ecdb4be6ec0400d80?default=404&size=200) for prattsj: { [Error: failed [404] 404 Not Found] stack: [Getter] } 
Jun 24 14:06:44 echo app/web.1:  [LG SSO] invalid or expired lgJWT token TypeError: string is not a function 
Jun 24 14:06:44 echo app/web.1:      at [object Object].Meteor.methods.setAvatarFromService (server/methods/setAvatarFromService.coffee:22:109) 
Jun 24 14:06:44 echo app/web.1:      at [object Object].methodsMap.(anonymous function) (server/lib/debug.js:17:26) 
Jun 24 14:06:44 echo app/web.1:      at maybeAuditArgumentChecks (livedata_server.js:1698:12) 
Jun 24 14:06:44 echo app/web.1:      at livedata_server.js:1611:18 
Jun 24 14:06:44 echo app/web.1:      at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1) 
Jun 24 14:06:44 echo app/web.1:      at [object Object]._.extend.apply (livedata_server.js:1610:45) 
Jun 24 14:06:44 echo app/web.1:      at [object Object]._.extend.call (livedata_server.js:1553:17) 
Jun 24 14:06:44 echo app/web.1:      at [object Object].<anonymous> (server/sso.js:73:12) 
Jun 24 14:06:44 echo app/web.1:      at packages/dispatch_run-as-user/packages/dispatch_run-as-user.js:186:1 
Jun 24 14:06:44 echo app/web.1:      at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1) 
Jun 24 14:06:44 echo app/web.1:      at Object.Meteor.runAsUser (packages/dispatch_run-as-user/packages/dispatch_run-as-user.js:185:1) 
Jun 24 14:06:44 echo app/web.1:      at setAvatarFromGravatar (server/sso.js:69:10) 
Jun 24 14:06:44 echo app/web.1:      at createOrUpdateUserFromJWT (server/sso.js:114:3) 

Unable to start using echo

@bluemihai commented on Mon Jun 20 2016

Expected vs. Actual

I was attempting to follow the single-sign on link emailed to me to create an account.

Steps to Reproduce

Chatting with Jeffrey, we think that the problem is that my spotty wifi disconnected, and something didn't get copied right.

Environment and Versions

Chrome originally (also tried in FF, and in Rocket.chat+ app with same results)

MongoError: cannot use the part (services of services.lgSSO) to traverse the element ({services: null})

The services property of a user doc in the meteor mongo db might, for whatever reason, be null.

The echo-chat app then barfs in the course of trying to handle that user's login:

W20160621-23:42:37.868(-7)? (STDERR) [LG SSO] invalid or expired lgJWT token MongoError: cannot use the part (services of services.lgSSO) to traverse the element ({services: null})
W20160621-23:42:37.868(-7)? (STDERR)     at Object.Future.wait (/Users/essjay-lg/.meteor/packages/meteor-tool/.1.1.10.1crd81d++os.osx.x86_64+web.browser+web.cordova/mt-os.osx.x86_64/dev_bundle/server-lib/node_modules/fibers/future.js:398:15)
W20160621-23:42:37.868(-7)? (STDERR)     at [object Object].<anonymous> (packages/meteor/helpers.js:119:1)
W20160621-23:42:37.868(-7)? (STDERR)     at [object Object].MongoConnection.(anonymous function) [as update] (packages/mongo/mongo_driver.js:736:1)
W20160621-23:42:37.868(-7)? (STDERR)     at Object.CollectionHooks.defineAdvice.self (packages/matb33_collection-hooks/update.js:80:1)
W20160621-23:42:37.868(-7)? (STDERR)     at Object.collection.(anonymous function) [as update] (packages/matb33_collection-hooks/collection-hooks.js:117:1)
W20160621-23:42:37.868(-7)? (STDERR)     at [object Object].Mongo.Collection.(anonymous function) (packages/mongo/collection.js:590:1)
W20160621-23:42:37.869(-7)? (STDERR)     at [object Object].Mongo.Collection.(anonymous function) [as update] (packages/dispatch_run-as-user/packages/dispatch_run-as-user.js:300:1)
W20160621-23:42:37.869(-7)? (STDERR)     at createOrUpdateUserFromJWT (server/sso.js:124:16)
W20160621-23:42:37.869(-7)? (STDERR)     at [object Object].Meteor.publish.Meteor.users.find._id (server/sso.js:145:20)
W20160621-23:42:37.869(-7)? (STDERR)     at accounts_server.js:462:32
W20160621-23:42:37.869(-7)? (STDERR)     at tryLoginMethod (accounts_server.js:239:14)
W20160621-23:42:37.869(-7)? (STDERR)     at AccountsServer.Ap._runLoginHandlers (accounts_server.js:459:18)
W20160621-23:42:37.869(-7)? (STDERR)     at [object Object].methods.login (accounts_server.js:522:27)
W20160621-23:42:37.869(-7)? (STDERR)     at maybeAuditArgumentChecks (livedata_server.js:1698:12)
W20160621-23:42:37.869(-7)? (STDERR)     at livedata_server.js:708:19
W20160621-23:42:37.869(-7)? (STDERR)     at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
W20160621-23:42:37.870(-7)? (STDERR)     at livedata_server.js:706:40
W20160621-23:42:37.870(-7)? (STDERR)     at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
W20160621-23:42:37.870(-7)? (STDERR)     at livedata_server.js:704:46
W20160621-23:42:37.870(-7)? (STDERR)     at tryCallTwo (/Users/essjay-lg/.meteor/packages/promise/.0.5.1.1cab262++os+web.browser+web.cordova/npm/node_modules/meteor-promise/node_modules/promise/lib/core.js:45:5)
W20160621-23:42:37.870(-7)? (STDERR)     at doResolve (/Users/essjay-lg/.meteor/packages/promise/.0.5.1.1cab262++os+web.browser+web.cordova/npm/node_modules/meteor-promise/node_modules/promise/lib/core.js:171:13)
W20160621-23:42:37.870(-7)? (STDERR)     at new Promise (/Users/essjay-lg/.meteor/packages/promise/.0.5.1.1cab262++os+web.browser+web.cordova/npm/node_modules/meteor-promise/node_modules/promise/lib/core.js:65:3)
W20160621-23:42:37.870(-7)? (STDERR)     at [object Object]._.extend.protocol_handlers.method (livedata_server.js:678:23)
W20160621-23:42:37.870(-7)? (STDERR)     at livedata_server.js:548:43

The culprit is here, where there's an assumption that the value of the services property is such that it can be traversed at all:

// server/sso.js
Meteor.users.update(rcUser, {
  $set: {
    'services.lgSSO': lgSSO
  },
})

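The failure described in this issue and a shape-aware alternative, as an added example that is not code from the rocketchat-lg-sso repository. applySet is a simplified stand-in for MongoDB's $set so the block runs without a database; buildLgSSOUpdate and the sample documents are hypothetical.

```javascript
// Added illustration; applySet and buildLgSSOUpdate are hypothetical names.

// Only plain objects can be traversed by a dotted update path.
function isTraversable(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
}

// Simplified stand-in for MongoDB's $set, enough to reproduce the failure above.
function applySet(doc, modifier) {
  const result = JSON.parse(JSON.stringify(doc))
  for (const [path, value] of Object.entries(modifier.$set)) {
    const parts = path.split('.')
    let node = result
    for (const part of parts.slice(0, -1)) {
      if (node[part] === undefined) node[part] = {} // missing fields are created
      if (!isTraversable(node[part])) {
        throw new Error(`cannot use the part (${part} of ${path}) to traverse the element`)
      }
      node = node[part]
    }
    node[parts[parts.length - 1]] = value
  }
  return result
}

// Choose a modifier that is valid whatever shape `services` currently has.
function buildLgSSOUpdate(userDoc, lgSSO) {
  if (isTraversable(userDoc.services) || userDoc.services === undefined) {
    return {$set: {'services.lgSSO': lgSSO}} // keeps the other services intact
  }
  // null, scalar or array: the dotted path would throw, so replace the field.
  return {$set: {services: {lgSSO}}}
}

// Constructed sample documents and SSO payload.
const sampleLgSSO = {id: 'constructed-idm-id', handle: 'example'}
const healthyUser = {_id: 'u1', services: {resume: {loginTokens: []}}}
const brokenUser = {_id: 'u2', services: null}

function demo() {
  let originalFails = false
  try { applySet(brokenUser, {$set: {'services.lgSSO': sampleLgSSO}}) } catch (e) { originalFails = true }
  return {
    originalFails,
    repaired: applySet(brokenUser, buildLgSSOUpdate(brokenUser, sampleLgSSO)),
    preserved: applySet(healthyUser, buildLgSSOUpdate(healthyUser, sampleLgSSO)),
  }
}
```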
