Merge pull request #8325 from sagemathinc/sso-dot-object-delimiter

sso/auth: customize separator for dot-object

Author: haraldschilly

src/packages/database/settings/auth-sso-types.ts

@@ -80,7 +80,9 @@ export type PassportLoginInfo = { [key in LoginInfoKeys]?: string };
  * The remaining fields, except for type, clientID, clientSecret, and callbackURL, userinfoURL, login_info are passed to that constructor.
  * Additionally, there are default values for some of the fields, e.g. for the SAML2.0 strategy.
  * Please check the hub/auth.ts file for more details.
+ *
  * Regarding the userinfoURL, this is used by OAuth2 to get the profile.
+ *
  * The "login_info" field is a mapping from "cocalc" profile fields, that end up in the DB,
  * to the entries in the generated profile object. The DB entry can only be a string and
  * processing is done by using the "dot-object" npm library.
@@ -91,6 +93,7 @@ export type PassportLoginInfo = { [key in LoginInfoKeys]?: string };
  *   last_name: "name.familyName",
  *   emails: "emails[0].value",
  * }
+ * You can to customize the separator of dot-object, e.g. to process keys with dots, add a "_sep: string" entry.
  */
 export interface PassportStrategyDBConfig {
   type: PassportTypes;

src/packages/pnpm-lock.yaml

@@ -0,0 +1,23 @@
+// just a sanity check for dot-object
+
+import dot from "dot-object";
+
+describe("dot-object", () => {
+  const o = {
+    a: {
+      b: "foo",
+      "cd.1.2": "bar",
+    },
+  };
+
+  it("default delimiter", () => {
+    const v = dot.pick("a.b", o);
+    expect(v).toEqual("foo");
+  });
+
+  it("custom delimiter", () => {
+    const d = new dot("->");
+    const v = d.pick("a->cd.1.2", o);
+    expect(v).toEqual("bar");
+  });
+});

src/packages/server/hub/auth.test.ts

@@ -34,16 +34,17 @@
 // Then restart the hubs.
 
 import Cookies from "cookies";
-import * as dot from "dot-object";
+import dot from "dot-object";
 import type { NextFunction, Request, Response } from "express";
 import * as express from "express";
 import express_session from "express-session";
 import * as _ from "lodash";
 import ms from "ms";
 import passport, { AuthenticateOptions } from "passport";
 import { join as path_join } from "path";
-import { v4 as uuidv4, v4 } from "uuid";
 import safeJsonStringify from "safe-json-stringify";
+import { v4 as uuidv4, v4 } from "uuid";
+
 import passwordHash, {
   verifyPassword,
 } from "@cocalc/backend/auth/password-hash";
@@ -79,6 +80,7 @@ import {
   getOauthCache,
   getPassportCache,
 } from "@cocalc/database/postgres/passport-store";
+import { getServerSettings } from "@cocalc/database/settings";
 import {
   PassportLoginOpts,
   PassportStrategyDB,
@@ -87,6 +89,7 @@ import {
   isOAuth2,
   isSAML,
 } from "@cocalc/database/settings/auth-sso-types";
+import { signInUsingImpersonateToken } from "@cocalc/server/auth/impersonate";
 import {
   BLACKLISTED_STRATEGIES,
   DEFAULT_LOGIN_INFO,
@@ -98,8 +101,6 @@ import {
   GoogleStrategyConf,
   TwitterStrategyConf,
 } from "@cocalc/server/auth/sso/public-strategies";
-import { getServerSettings } from "@cocalc/database/settings";
-import { signInUsingImpersonateToken } from "@cocalc/server/auth/impersonate";
 
 const logger = getLogger("server:hub:auth");
 
@@ -143,7 +144,7 @@ interface HandleReturnOpts {
   type: PassportTypes;
   update_on_login: boolean;
   cookie_ttl_s: number | undefined;
-  login_info: any;
+  login_info;
 }
 
 export class PassportManager {
@@ -655,14 +656,16 @@ export class PassportManager {
         site_url: this.site_url,
       };
 
+      const dotInstance = this.getDot(login_info);
+
       for (const k in login_info) {
         const v = login_info[k];
         const param: string | string[] =
           typeof v == "function"
             ? // v is a LoginInfoDerivator<T>
               v(profile)
             : // v is a string for dot-object
-              dot.pick(v, profile);
+              dotInstance.pick(v, profile);
         login_opts[k] = param;
       }
 
@@ -687,6 +690,18 @@ export class PassportManager {
     };
   }
 
+  private getDot(login_info): DotObject.Dot {
+    // if login_info contains a key "_delimiter", take it from that object and remove it
+    // then instantiate dot with that delimiter and use it to pick the values
+    if (typeof login_info._sep === "string") {
+      const sep = login_info._sep;
+      delete login_info._sep;
+      return new dot(sep);
+    } else {
+      return dot;
+    }
+  }
+
   // right now, we only set this for OAauth2 (SAML knows what to do on its own)
   // This does not encode any information for now.
   private setState(

src/packages/server/hub/auth.ts

@@ -86,7 +86,7 @@
     "cloudflare": "^2.9.1",
     "cookies": "^0.8.0",
     "dayjs": "^1.11.11",
-    "dot-object": "^2.1.4",
+    "dot-object": "^2.1.5",
     "express-session": "^1.18.1",
     "google-auth-library": "^9.4.1",
     "googleapis": "^137.1.0",

src/packages/server/package.json

@@ -160,6 +160,7 @@
                 "full_name": "displayName",
                 "emails": "email",
                 "id": "email",
+                # "_sep": "->", # uncomment this to test _sep, no need to change the values above
             },
             "issuer": "https://cocalc.com",
             "cert": saml20cert