siwatsystem-public/satitm-sso-node
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

working ish website

Browse source
This commit is contained in:
Siwat Sirichai 2024-05-05 18:13:58 +07:00
parent 5540ac6d81
commit b194d2031d
8 changed files with 271 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

20
config/passport.js
View file

@ -33,7 +33,25 @@ passport.use(
console.log("user:", user);
profile["dn"] = user.dn;
profile["memberOf"] = user.memberOf;
return done(null, profile);
// Is this user a student or a parent?
profile["userType"] = directory.getUserTypeFromDN(profile["dn"]);
let user_type = profile["userType"];
// If the user is a student, query the student's primary parent
// and store the parent's UPN in the session
if (user_type === directory.USER_TYPE.STUDENT) {
let student = await directory.queryUser(username, ["primaryParent"]);
profile["primaryParent"] = student.primaryParent;
}
// If the user is a parent, query the parent's students
// and store the students' UPNs in the session
else if (user_type === directory.USER_TYPE.PARENT) {
let students = await directory.listStudents(username);
profile["students"] = students;
} else {
console.log("Unknown user type");
}
return done(null, profile); // Return the user's profile
}
)
);

42
directory.js
View file

@ -67,10 +67,19 @@ const USER_TYPE = {
// Determine the type of user
// Student is in OU=Students,OU=Users,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th
// Parent is in OU=Parents,OU=Users,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th
function getUserType(req, res) {
function getUserType(req) {
// The user's DN is present in the session as req.user.dn
if (req.user) {
return getUserTypeFromDN(req.user.dn);
}
else {
return USER_TYPE.UNKNOWN;
}
}
function getUserTypeFromDN(dn) {
// To convert DN to OU, remove from first CN= to first ,
let ou = req.user.dn.substring(req.user.dn.indexOf(',') + 1);
let ou = dn.substring(dn.indexOf(',') + 1);
console.log('OU:', ou);
if (ou === 'OU=Students,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th') {
return USER_TYPE.STUDENT;
@ -96,9 +105,38 @@ async function getPrimaryParent(student_upn) {
}
}
async function listStudents(upn) {
// Search for students with the parent's UPN in their primaryParent attribute
let opts = {
filter: `(primaryParent=${upn})`,
scope: 'sub',
attributes: ['userPrincipalName']
};
let students = [];
return new Promise((resolve, reject) => {
satitm_directory.search('DC=ad,DC=satitm,DC=chula,DC=ac,DC=th', opts, function(err, ldapRes) {
ldapRes.on('searchEntry', function(entry) {
console.log('entry: ' + JSON.stringify(entry.object));
students.push(entry.object.userPrincipalName);
});
ldapRes.on('error', function(err) {
console.error('error: ' + err.message);
reject(err);
});
ldapRes.on('end', function(result) {
console.log('status: ' + result.status);
resolve(students);
});
});
});
}
module.exports = {
queryUser: queryUser,
getUserType: getUserType,
getUserTypeFromDN: getUserTypeFromDN,
setPrimaryParent: setPrimaryParent,
listStudents: listStudents,
getPrimaryParent: getPrimaryParent,
USER_TYPE: USER_TYPE
};

11
index.js
View file

@ -20,6 +20,14 @@ app.use(passport.session());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.get('/selfservice/api/whoami', function (req, res) {
if (!req.isAuthenticated()) {
return res.status(401).send('Unauthorized');
}
// Send user type and upn in json format
res.send({ userType: req.user.userType, upn: req.user.username });
});
let authRoutes = require('./routes/auth.js');
app.use('/', authRoutes);
let psRelationStudentRoutes = require('./routes/ps_relation_student.js');
@ -27,6 +35,9 @@ app.use('/selfservice/api', psRelationStudentRoutes);
let psRelationParentRoutes = require('./routes/ps_relation_parent.js');
app.use('/selfservice/api', psRelationParentRoutes);
// Serve Static Files
app.use("/",express.static('statics'));
let server = https.createServer(http_config.options, app);
server.listen(3000, function () {
console.log('Listening on port 3000');

12
routes/auth.js
View file

@ -14,6 +14,14 @@ router.get('/selfservice/api', function (req, res) {
response += 'Username: ' + req.user.username + '<br>';
response += 'First Name: ' + req.user.first_name + '<br>';
response += 'Last Name: ' + req.user.last_name + '<br>';
usertype_map = ['Unknown', 'Student', 'Parent'];
response += 'User Type: ' + usertype_map[req.user.userType] + '<br>';
if (req.user.userType === directory.USER_TYPE.STUDENT) {
response += 'Primary Parent: ' + req.user.primaryParent + '<br>';
}
else if (req.user.userType === directory.USER_TYPE.PARENT) {
response += 'Students: ' + req.user.students + '<br>';
}
response += '<a href="/selfservice/api/logout">Logout</a>';
res.send(response);
}
@ -25,7 +33,7 @@ router.get('/selfservice/api', function (req, res) {
router.get('/selfservice/api/logout', function (req, res) {
req.logout();
res.redirect('/selfservice/api');
res.redirect('/selfservice');
});
router.get('/selfservice/api/login',
@ -42,7 +50,7 @@ router.get('/selfservice/api', function (req, res) {
});
router.post('/selfservice/api/login/postResponse',
passport.authenticate('saml', { failureRedirect: '/selfservice/api',successRedirect: '/selfservice/api', failureFlash: true }),
passport.authenticate('saml', { failureRedirect: '/selfservice',successRedirect: '/selfservice', failureFlash: true }),
function (req, res) {
console.log('SAML authentication successful');
res.redirect('/selfservice');

20
routes/ps_relation_parent.js
View file

@ -39,6 +39,18 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
if(!req.isAuthenticated()) {
return res.status(401).send('Unauthorized');
}
if (!req.query.pairing_code) {
return res.status(400).send('Pairing code not provided');
}
if (!req.params.parent_upn) {
return res.status(400).send('Parent UPN not provided');
}
if (req.user.username !== req.params.parent_upn) {
return res.status(403).send('Forbidden, UPN mismatch');
}
if (req.user.userType !== directory.USER_TYPE.PARENT) {
return res.status(403).send('Forbidden, not a parent');
}
let parent_upn = req.params.parent_upn;
// Is the logged in user a parent with the same UPN as the one in the URL?
// If not, return a 403 Forbidden response
@ -63,10 +75,16 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
res.send('Student added');
});
router.get('/parent/:parent_upn', function (req, res) {
router.get('/parent/:parent_upn', async function (req, res) {
if(!req.isAuthenticated()) {
return res.status(401).send('Unauthorized');
}
if (req.user.username !== req.params.parent_upn) {
return res.status(403).send('Forbidden, UPN mismatch');
}
if (req.user.userType !== directory.USER_TYPE.PARENT) {
return res.status(403).send('Forbidden, not a parent');
}
let parent_upn = req.params.parent_upn;
// Is the logged in user a parent with the same UPN as the one in the URL?
// If not, return a 403 Forbidden response

7
routes/ps_relation_student.js
View file

@ -3,6 +3,7 @@
let express = require('express');
let router = express.Router();
let passport = require('passport');
let directory = require('../directory.js');
let database = require('../config/database.js');
let uuid = require('uuid');
@ -24,6 +25,9 @@ router.get('/student/:upn/pairing-code', function (req, res) {
if(!req.isAuthenticated()) {
return res.status(401).send('Unauthorized');
}
if (req.user.userType !== directory.USER_TYPE.STUDENT) {
return res.status(403).send('Forbidden, not a student');
}
let upn = req.params.upn;
// Is the logged in user a student with the same UPN as the one in the URL?
// If not, return a 403 Forbidden response
@ -45,6 +49,9 @@ router.get('/student/:upn', function (req, res) {
if(!req.isAuthenticated()) {
return res.status(401).send('Unauthorized');
}
if (req.user.userType !== directory.USER_TYPE.STUDENT) {
return res.status(403).send('Forbidden, not a student');
}
let upn = req.params.upn;
// Is the logged in user a student with the same UPN as the one in the URL?
// If not, return a 403 Forbidden response

71
statics/selfservice/index.html Normal file
View file

@ -0,0 +1,71 @@
<!DOCTYPE html>
<html>
<head>
<title>Authentication Check</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<style>
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
font-family: Arial, sans-serif;
background-color: #f4f4f4;
}
.box {
display: flex;
flex-direction: column;
justify-content: center;
align-items: center;
padding: 20px;
background-color: white;
box-shadow: 0px 0px 10px rgba(0, 0, 0, 0.1);
}
#loginButton {
margin-top: 20px;
padding: 10px 20px;
background-color: #007BFF;
color: white;
border: none;
cursor: pointer;
align-self: center;
}
</style>
</head>
<body>
<div class="box">
<h2 style="text-align: center;">SATITM<br/>Parent-Student Relationship<br/>Management</h2>
<p id="subtitle">Please log in to continue</p>
<a href="/selfservice/api/login" style="text-decoration: none;">
<button id="loginButton">Login</button>
</a>
</div>
<script>
$(document).ready(function() {
$.get('/selfservice/api/whoami')
.done(function(response) {
if (response.userType == 1) { //Student
window.location.href = '/selfservice/student.html';
} else if (response.userType == 2) { //Parent
window.location.href = '/selfservice/parent.html';
} else { // Unknown, change login button and change subtitle to "Your account is not allowed to access this service. Please log out."
let loginButton = $('#loginButton');
loginButton.text('Logout').on('click', function() {
window.location.href = '/selfservice/api/logout';
});
// Make button red
loginButton.css('background-color', 'red');
$('#subtitle').text('Your account is not allowed to access this service. Please log out.');
}
})
.fail(function() {
$('#loginButton').show().on('click', function() {
window.location.href = '/selfservice/api/login';
});
});
});
</script>
</body>
</html>

94
statics/selfservice/student.html Normal file
View file

@ -0,0 +1,94 @@
<!-- FILEPATH: /D:/Git/satitm-sso-node/statics/selfservice/student.html -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<style>
.student-box {
background-color: #f2f2f2;
border-radius: 10px;
padding: 20px;
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
max-width: 400px;
margin: 0 auto;
}
.inner-box {
margin-bottom: 20px;
}
h2 {
font-size: 20px;
margin-bottom: 10px;
}
p {
margin: 5px 0;
}
.linked-parent {
margin-bottom: 20px;
}
button {
background-color: #4CAF50;
color: white;
border: none;
padding: 10px 20px;
text-align: center;
text-decoration: none;
display: inline-block;
font-size: 16px;
border-radius: 5px;
cursor: pointer;
}
#generate-token-btn {
background-color: #007bff;
margin-right: 10px;
}
#logout-btn {
background-color: #dc3545;
}
</style>
<div class="student-box">
<div class="inner-box">
<h2>Student Information</h2>
<p><span id="student-name">Name:</span> </p>
<p><span id="student-surname">Surname:</span> </p>
<p><span id="student-email">Email:</span> </p>
</div>
<div class="linked-parent">
<h2>Linked Parent</h2>
<p><span id="linked-parent-info"></span></p>
</div>
<button id="generate-token-btn">Generate Parent Link Token</button>
<a href="/selfservice/api/logout" style="text-decoration: none;">
<button id="logout-btn">Logout</button>
</a>
</div>
<script>
// Get student information on page load
// Student information is at /selfservice/api/student/${upn}
// UPN can be obtained from /selfservice/api/whoami
$(document).ready(function() {
$.get('/selfservice/api/whoami')
.done(function(response) {
$.get(`/selfservice/api/student/${response.upn}`)
.done(function(student) {
$('#student-name').text(`Name: ${student.first_name}`);
$('#student-surname').text(`Surname: ${student.last_name}`);
$('#student-email').text(`Email: ${student.username}`);
})
.fail(function() {
alert('Failed to get student information');
});
})
.fail(function() {
alert('Failed to get user information');
});
});
</script>