quick auth

config.json

@@ -0,0 +1,4 @@
+{
+  "auth_jku": "https://www.googleapis.com/oauth2/v3/certs",
+  "client_id": "501118371406-3nuvgor9inia5mqmmm24ff1pmjss2j84.apps.googleusercontent.com"
+}

index.js

@@ -1,4 +1,5 @@
 var Xray = require('x-ray');
+var JWTool = require('fxa-jwtool');
 var async = require('async');
 var _ = require('lodash');
 var fs = require('fs');
@@ -30,14 +31,76 @@ async.map(dashboards, findOutput, function(err, results){
   var output = {}
   var output = _.extend({}, finalResults);
   if (! err && results) {
-    fs.writeFile('public/out.json', JSON.stringify(output))
+    fs.writeFile('static_secure/out.json', JSON.stringify(output))
   }
 });
 
 var express = require('express')
 var serveStatic = require('serve-static')
+var bodyParser = require('body-parser')
+var session = require('express-session')
 
 var app = express()
+app.use(session({ secret: 'todosecret', cookie: { maxAge: 60000 }}))
 
-app.use(serveStatic('public/', {'index': ['index.html']}))
-app.listen(10157)
+app.use(bodyParser.urlencoded());
+app.use(bodyParser.json());
+
+app.use(serveStatic('static/', {'index': ['index.html']}))
+app.use('/static_secure/out.json', function(req, res, next){
+  if(req.session && req.session.email){
+    return res.sendFile(__dirname + '/static_secure/out.json');
+  } else {
+    res.sendStatus(403);
+  }
+});
+
+
+
+var jwtool = new JWTool(['https://www.googleapis.com/oauth2/v3/certs'])
+
+app.post('/api/auth', function (req, res) {
+  if (! req.body.idtoken) {
+    return res.send(401)
+  }
+  // Verify the idtoken's (JWT) signature with the key set from the configured JKU.
+  // (Google's jwt include a `kid` but no `jku`)
+  jwtool.verify(req.body.idtoken, { jku: 'https://www.googleapis.com/oauth2/v3/certs' })
+    .then(
+      function (data) {
+        // ensure the token meets all of our criteria
+        if (
+          data.aud === '501118371406-3nuvgor9inia5mqmmm24ff1pmjss2j84.apps.googleusercontent.com'
+          && data.exp > (Date.now() / 1000)
+          && data.hd === 'mozilla.com'
+        ) {
+          // set a cookie for authenticating against our other endpoints
+          req.session.email = data.email
+          res.send(data)
+        }
+        else {
+          // this user is not authorized
+          res.sendStatus(401)
+        }
+      },
+      function (err) {
+        // the token was not valid
+        res.send(500, err)
+      }
+    )
+})
+
+app.get('/config', function (req, res) {
+  res.type('application/javascript')
+  res.send('var client_id = "501118371406-3nuvgor9inia5mqmmm24ff1pmjss2j84.apps.googleusercontent.com"')
+});
+
+app.post('/api/logout', function(req, res) {
+  if (req.session) {
+    req.session.email = null;
+  }
+  res.sendStatus(200);
+});
+
+app.listen(10157)
+console.log('Started on port 10157!')

package.json

@@ -4,13 +4,17 @@
   "description": "",
   "main": "index.js",
   "scripts": {
+    "start": "node index.js",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "",
   "license": "MPL-2.0",
   "dependencies": {
     "async": "1.5.0",
+    "body-parser": "^1.14.2",
     "express": "4.13.3",
+    "express-session": "^1.13.0",
+    "fxa-jwtool": "^0.7.2",
     "lodash": "3.10.1",
     "serve-static": "1.10.0",
     "x-ray": "2.0.2"

public/index.js

@@ -1,9 +0,0 @@
-$.getJSON( "out.json", function( data ) {
-  var items = [];
-  $.each( data, function( key, val ) {
-    items.push("<a target='_blank' href='" + val + "'><img src='" + val  +"' id='dash" + key + "'/></a>");
-  });
-
-  $('#placeholder').html(items)
-
-});

static/index.css

@@ -15,6 +15,16 @@ h1 {
   padding-top: 20px;
 }
 
+button {
+  background: orange;
+  border: 0;
+  color: white;
+  font-weight: bold;
+  font-size: 34px;
+  padding: 10px;
+  margin: 10px;
+}
+
 img {
   max-width: 400px;
   padding: 5px;

static/index.html

@@ -12,9 +12,13 @@
 <body>
   <h1>fxa-telemetry-dashboards (CONFIDENTIAL)</h1>
   <h2>10% Sample rate. Updated every Thursday.</h2>
-  <div id="placeholder"><img src="spinner.gif"/></div>
+  <button id="login">Login with LDAP</button>
+  <button id="logout" style="display: none">Logout</button>
+  <div id="placeholder"><img id="spinner" style="display: none" src="spinner.gif"/></div>
 
 <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
+<script src="https://apis.google.com/js/platform.js"></script>
+<script src="/config"></script>
 <script src="index.js"></script>
 
 </body>

static/index.js

@@ -0,0 +1,87 @@
+;window.loggedInEmail = null
+
+function logout() {
+  $.post('/api/logout');
+  $('#placeholder').html('');
+}
+
+function updateUI(data) {
+  window.loggedInEmail = data ? data.email : null
+
+  if (loggedInEmail) {
+    $('#spinner').show();
+    $('#login').hide();
+    $('#logout').show();
+    $.getJSON('static_secure/out.json', function (data) {
+      var items = [];
+      $.each(data, function (key, val) {
+        items.push('<a target="_blank" href="' + val + '"><img src="' + val + '" id="dash"' + key + '"/></a>');
+      });
+
+      $('#placeholder').html(items)
+
+    });
+  } else {
+    $('#logout').hide();
+    $('#login').show();
+    logout();
+  }
+}
+
+
+function signInChanged(signedIn) {
+  console.log('signed in: ' + signedIn)
+}
+
+function userChanged(user) {
+  var id_token = user.getAuthResponse().id_token
+  console.log('user changed: ' + id_token)
+  if (id_token) {
+    $.ajax({
+      type: 'POST',
+      url: '/api/auth', // this creates a cookie used to authenicate other api requests
+      data: 'idtoken=' + id_token,
+      contentType: 'application/x-www-form-urlencoded',
+      dataType: 'json',
+      success: updateUI,
+      error: logout
+    })
+  }
+  else {
+    // this case triggers when the page is loaded and a user is not logged in
+    updateUI()
+  }
+}
+
+gapi.load(
+  'auth2',
+  function () {
+    // initialize the auth api with our client_id provided by Google in their
+    // dev console and restrict login to accounts on the mozilla hosted domain.
+    // https://developers.google.com/identity/sign-in/web/devconsole-project
+    //
+    // client_id is set by <script src='/config'>
+    var auth2 = gapi.auth2.init(
+      {
+        client_id: client_id,
+        hosted_domain: 'mozilla.com'
+      }
+    )
+    // listen for sign-in state changes
+    auth2.isSignedIn.listen(signInChanged)
+
+    // listen for changes to current user
+    auth2.currentUser.listen(userChanged)
+
+    // wire up the Sign In button
+    auth2.attachClickHandler(document.getElementById('login'))
+
+    // wire up logout button
+    $('#logout').click(
+      function (ev) {
+        ev.preventDefault()
+        auth2.signOut()
+      }
+    )
+  }
+)