Mailspring/packages/isomorphic-core/src/auth-helpers.js

const _ = require('underscore')
const Joi = require('joi');
const IMAPErrors = require('./imap-errors')
const IMAPConnection = require('./imap-connection')

const imapSmtpSettings = Joi.object().keys({
  imap_host: [Joi.string().ip().required(), Joi.string().hostname().required()],
  imap_port: Joi.number().integer().required(),
  imap_username: Joi.string().required(),
  imap_password: Joi.string().required(),
  smtp_host: [Joi.string().ip().required(), Joi.string().hostname().required()],
  smtp_port: Joi.number().integer().required(),
  smtp_username: Joi.string().required(),
  smtp_password: Joi.string().required(),
  ssl_required: Joi.boolean().required(),
}).required();

const resolvedGmailSettings = Joi.object().keys({
  xoauth2: Joi.string().required(),
  expiry_date: Joi.number().integer().required(),
}).required();

const office365Settings = Joi.object().keys({
  name: Joi.string().required(),
  type: Joi.string().valid('office365').required(),
  email: Joi.string().required(),
  password: Joi.string().required(),
  username: Joi.string().required(),
}).required();

const USER_ERRORS = {
  AUTH_500: "Please contact support@nylas.com. An unforeseen error has occurred.",
  IMAP_AUTH: "Incorrect username or password",
  IMAP_RETRY: "We were unable to reach your mail provider. Please try again.",
}

function credentialsForProvider({provider, settings, email}) {
  if (provider === "gmail") {
    const connectionSettings = {
      imap_username: email,
      imap_host: 'imap.gmail.com',
      imap_port: 993,
      smtp_username: email,
      smtp_host: 'smtp.gmail.com',
      smtp_port: 465,
      ssl_required: true,
    }
    const connectionCredentials = {
      xoauth2: settings.xoauth2,
      expiry_date: settings.expiry_date,
    }
    return {connectionSettings, connectionCredentials}
  } else if (provider === "imap") {
    const connectionSettings = _.pick(settings, [
      'imap_host', 'imap_port',
      'smtp_host', 'smtp_port',
      'ssl_required',
    ]);
    const connectionCredentials = _.pick(settings, [
      'imap_username', 'imap_password',
      'smtp_username', 'smtp_password',
    ]);
    return {connectionSettings, connectionCredentials}
  } else if (provider === "office365") {
    const connectionSettings = {
      imap_host: 'outlook.office365.com',
      imap_port: 993,
      smtp_host: 'smtp.office365.com',
      smtp_port: 465,
      ssl_required: true,
    }
    const connectionCredentials = {
      imap_username: email,
      imap_password: settings.password,
      smtp_username: email,
      smpt_password: settings.password,
    }
    return {connectionSettings, connectionCredentials}
  }
  throw new Error(`Invalid provider: ${provider}`)
}

module.exports = {
  imapAuthRouteConfig() {
    return {
      description: 'Authenticates a new account.',
      tags: ['accounts'],
      auth: false,
      validate: {
        payload: {
          email: Joi.string().email().required(),
          name: Joi.string().required(),
          provider: Joi.string().valid('imap', 'gmail', 'office365').required(),
          settings: Joi.alternatives().try(imapSmtpSettings, office365Settings, resolvedGmailSettings),
        },
      },
    }
  },

  imapAuthHandler(accountBuildFn) {
    return (request, reply) => {
      const dbStub = {};
      const connectionChecks = [];
      const {email, provider, name} = request.payload;

      const {connectionSettings, connectionCredentials} = credentialsForProvider(request.payload)

      connectionChecks.push(IMAPConnection.connect({
        settings: Object.assign({}, connectionSettings, connectionCredentials),
        logger: request.logger,
        db: dbStub,
      }));

      Promise.all(connectionChecks).then((conns) => {
        for (const conn of conns) {
          if (conn) { conn.end(); }
        }
        const accountParams = {
          name: name,
          provider: provider,
          emailAddress: email,
          connectionSettings: connectionSettings,
        }
        return accountBuildFn(accountParams, connectionCredentials)
      })
      .then(({account, token}) => {
        const response = account.toJSON();
        response.account_token = token.value;
        return reply(JSON.stringify(response));
      })
      .catch((err) => {
        request.logger.error(err)
        if (err instanceof IMAPErrors.IMAPAuthenticationError) {
          return reply({message: USER_ERRORS.IMAP_AUTH, type: "api_error"}).code(401);
        }
        if (err instanceof IMAPErrors.RetryableError) {
          return reply({message: USER_ERRORS.IMAP_RETRY, type: "api_error"}).code(408);
        }
        return reply({message: USER_ERRORS.AUTH_500, type: "api_error"}).code(500);
      })
    }
  },
}
[*] DRY Auth 2016-12-07 02:42:32 +08:00			`const _ = require('underscore')`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`const Joi = require('joi');`
[*] DRY Auth 2016-12-07 02:42:32 +08:00			`const IMAPErrors = require('./imap-errors')`
			`const IMAPConnection = require('./imap-connection')`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00
			`const imapSmtpSettings = Joi.object().keys({`
			`imap_host: [Joi.string().ip().required(), Joi.string().hostname().required()],`
			`imap_port: Joi.number().integer().required(),`
			`imap_username: Joi.string().required(),`
			`imap_password: Joi.string().required(),`
			`smtp_host: [Joi.string().ip().required(), Joi.string().hostname().required()],`
			`smtp_port: Joi.number().integer().required(),`
			`smtp_username: Joi.string().required(),`
			`smtp_password: Joi.string().required(),`
			`ssl_required: Joi.boolean().required(),`
			`}).required();`

			`const resolvedGmailSettings = Joi.object().keys({`
			`xoauth2: Joi.string().required(),`
[feat] Refresh Gmail access tokens when needed Summary: This is a small patch but it's pretty complex, because of the numbers of moving parts. Gmail has two types of tokens, access and refresh tokens. Access tokens have a limited shelf life of one hour. After that they expire and you need to use your refresh token to get a new one. We've decided to do the access token generation on the server, because we don't feel comfortable giving our users both our Google client id and secret. To do that, I've added an endpoint, `/gmail/auth/refresh` which returns a valid access token as well as an expiration date for the token. The only place where we handle token expiration is in the sync workers. Before trying opening a new connection we check if our access token is expired. If yes, we get a new one from the API. If there's an issue doing this, we notify N1 using `NylasAPIHelpers.handleAuthenticationFailure`. There's a second patch for N1 with tiny related fixes. Test Plan: Tested manually. Will need to test more in the real world. Reviewers: evan, jackie, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3522 2016-12-17 03:38:45 +08:00			`expiry_date: Joi.number().integer().required(),`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`}).required();`

[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`const office365Settings = Joi.object().keys({`
			`name: Joi.string().required(),`
			`type: Joi.string().valid('office365').required(),`
			`email: Joi.string().required(),`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`password: Joi.string().required(),`
[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`username: Joi.string().required(),`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`}).required();`

[isomorphic-core] add more auth error states 2016-12-08 02:10:34 +08:00			`const USER_ERRORS = {`
[feat] Refresh Gmail access tokens when needed Summary: This is a small patch but it's pretty complex, because of the numbers of moving parts. Gmail has two types of tokens, access and refresh tokens. Access tokens have a limited shelf life of one hour. After that they expire and you need to use your refresh token to get a new one. We've decided to do the access token generation on the server, because we don't feel comfortable giving our users both our Google client id and secret. To do that, I've added an endpoint, `/gmail/auth/refresh` which returns a valid access token as well as an expiration date for the token. The only place where we handle token expiration is in the sync workers. Before trying opening a new connection we check if our access token is expired. If yes, we get a new one from the API. If there's an issue doing this, we notify N1 using `NylasAPIHelpers.handleAuthenticationFailure`. There's a second patch for N1 with tiny related fixes. Test Plan: Tested manually. Will need to test more in the real world. Reviewers: evan, jackie, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3522 2016-12-17 03:38:45 +08:00			`AUTH_500: "Please contact support@nylas.com. An unforeseen error has occurred.",`
[isomorphic-core] add more auth error states 2016-12-08 02:10:34 +08:00			`IMAP_AUTH: "Incorrect username or password",`
			`IMAP_RETRY: "We were unable to reach your mail provider. Please try again.",`
			`}`
[*] fix auth 2016-12-07 06:53:24 +08:00
[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`function credentialsForProvider({provider, settings, email}) {`
			`if (provider === "gmail") {`
			`const connectionSettings = {`
			`imap_username: email,`
			`imap_host: 'imap.gmail.com',`
			`imap_port: 993,`
			`smtp_username: email,`
			`smtp_host: 'smtp.gmail.com',`
			`smtp_port: 465,`
			`ssl_required: true,`
			`}`
			`const connectionCredentials = {`
			`xoauth2: settings.xoauth2,`
			`expiry_date: settings.expiry_date,`
			`}`
			`return {connectionSettings, connectionCredentials}`
			`} else if (provider === "imap") {`
			`const connectionSettings = _.pick(settings, [`
			`'imap_host', 'imap_port',`
			`'smtp_host', 'smtp_port',`
			`'ssl_required',`
			`]);`
			`const connectionCredentials = _.pick(settings, [`
			`'imap_username', 'imap_password',`
			`'smtp_username', 'smtp_password',`
			`]);`
			`return {connectionSettings, connectionCredentials}`
			`} else if (provider === "office365") {`
			`const connectionSettings = {`
			`imap_host: 'outlook.office365.com',`
			`imap_port: 993,`
			`smtp_host: 'smtp.office365.com',`
			`smtp_port: 465,`
			`ssl_required: true,`
			`}`
			`const connectionCredentials = {`
			`imap_username: email,`
			`imap_password: settings.password,`
			`smtp_username: email,`
			`smpt_password: settings.password,`
			`}`
			`return {connectionSettings, connectionCredentials}`
			`}`
			throw new Error(`Invalid provider: ${provider}`)
			`}`

[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`module.exports = {`
[*] DRY Auth 2016-12-07 02:42:32 +08:00			`imapAuthRouteConfig() {`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`return {`
			`description: 'Authenticates a new account.',`
			`tags: ['accounts'],`
			`auth: false,`
			`validate: {`
			`payload: {`
			`email: Joi.string().email().required(),`
			`name: Joi.string().required(),`
[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`provider: Joi.string().valid('imap', 'gmail', 'office365').required(),`
			`settings: Joi.alternatives().try(imapSmtpSettings, office365Settings, resolvedGmailSettings),`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`},`
			`},`
			`}`
			`},`
[*] DRY Auth 2016-12-07 02:42:32 +08:00
			`imapAuthHandler(accountBuildFn) {`
			`return (request, reply) => {`
			`const dbStub = {};`
			`const connectionChecks = [];`
[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`const {email, provider, name} = request.payload;`
[*] DRY Auth 2016-12-07 02:42:32 +08:00
[isomorphic-core] add office365 auth support Summary: Adds support for office 365 Depends on D3532 Test Plan: manual Reviewers: jackie, halla, mark, juan Reviewed By: juan Differential Revision: https://phab.nylas.com/D3533 2016-12-17 05:53:05 +08:00			`const {connectionSettings, connectionCredentials} = credentialsForProvider(request.payload)`
[*] DRY Auth 2016-12-07 02:42:32 +08:00
			`connectionChecks.push(IMAPConnection.connect({`
			`settings: Object.assign({}, connectionSettings, connectionCredentials),`
			`logger: request.logger,`
			`db: dbStub,`
			`}));`

			`Promise.all(connectionChecks).then((conns) => {`
			`for (const conn of conns) {`
			`if (conn) { conn.end(); }`
			`}`
			`const accountParams = {`
			`name: name,`
			`provider: provider,`
			`emailAddress: email,`
			`connectionSettings: connectionSettings,`
			`}`
			`return accountBuildFn(accountParams, connectionCredentials)`
			`})`
			`.then(({account, token}) => {`
			`const response = account.toJSON();`
			`response.account_token = token.value;`
[*] fix auth 2016-12-07 06:53:24 +08:00			`return reply(JSON.stringify(response));`
[*] DRY Auth 2016-12-07 02:42:32 +08:00			`})`
			`.catch((err) => {`
[isomorphic-core] add more auth error states 2016-12-08 02:10:34 +08:00			`request.logger.error(err)`
[*] fix auth 2016-12-07 06:53:24 +08:00			`if (err instanceof IMAPErrors.IMAPAuthenticationError) {`
[isomorphic-core] add more auth error states 2016-12-08 02:10:34 +08:00			`return reply({message: USER_ERRORS.IMAP_AUTH, type: "api_error"}).code(401);`
[*] fix auth 2016-12-07 06:53:24 +08:00			`}`
[isomorphic-core] add more auth error states 2016-12-08 02:10:34 +08:00			`if (err instanceof IMAPErrors.RetryableError) {`
			`return reply({message: USER_ERRORS.IMAP_RETRY, type: "api_error"}).code(408);`
			`}`
			`return reply({message: USER_ERRORS.AUTH_500, type: "api_error"}).code(500);`
[*] DRY Auth 2016-12-07 02:42:32 +08:00			`})`
			`}`
			`},`
[isomorphic-core] extract AuthHelpers to DRY 2016-12-06 09:59:47 +08:00			`}`