working ish website

config/passport.js

@@ -33,7 +33,25 @@ passport.use(
       console.log("user:", user);
       profile["dn"] = user.dn;
       profile["memberOf"] = user.memberOf;
-      return done(null, profile);
+      // Is this user a student or a parent?
+      profile["userType"] = directory.getUserTypeFromDN(profile["dn"]);
+      let user_type = profile["userType"];
+      // If the user is a student, query the student's primary parent
+      // and store the parent's UPN in the session
+      if (user_type === directory.USER_TYPE.STUDENT) {
+        let student = await directory.queryUser(username, ["primaryParent"]);
+        profile["primaryParent"] = student.primaryParent;
+      }
+      // If the user is a parent, query the parent's students 
+      // and store the students' UPNs in the session
+      else if (user_type === directory.USER_TYPE.PARENT) {
+        let students = await directory.listStudents(username);
+        profile["students"] = students;
+      } else {
+        console.log("Unknown user type");
+      }
+      return done(null, profile); // Return the user's profile
+
     }
   )
 );

directory.js

@@ -67,10 +67,19 @@ const USER_TYPE = {
 // Determine the type of user
 // Student is in OU=Students,OU=Users,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th 
 // Parent is in OU=Parents,OU=Users,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th
-function getUserType(req, res) {
+function getUserType(req) {
   // The user's DN is present in the session as req.user.dn
+  if (req.user) {
+    return getUserTypeFromDN(req.user.dn);
+  }
+  else {
+    return USER_TYPE.UNKNOWN;
+  }
+}
+
+function getUserTypeFromDN(dn) {
   // To convert DN to OU, remove from first CN= to first ,
-  let ou = req.user.dn.substring(req.user.dn.indexOf(',') + 1);
+  let ou = dn.substring(dn.indexOf(',') + 1);
   console.log('OU:', ou);
   if (ou === 'OU=Students,DC=ad,DC=satitm,DC=chula,DC=ac,DC=th') {
     return USER_TYPE.STUDENT;
@@ -96,9 +105,38 @@ async function getPrimaryParent(student_upn) {
   }
 }
 
+async function listStudents(upn) {
+  // Search for students with the parent's UPN in their primaryParent attribute
+  let opts = {
+    filter: `(primaryParent=${upn})`,
+    scope: 'sub',
+    attributes: ['userPrincipalName']
+  };
+  let students = [];
+  return new Promise((resolve, reject) => {
+    satitm_directory.search('DC=ad,DC=satitm,DC=chula,DC=ac,DC=th', opts, function(err, ldapRes) {
+      ldapRes.on('searchEntry', function(entry) {
+        console.log('entry: ' + JSON.stringify(entry.object));
+        students.push(entry.object.userPrincipalName);
+      });
+      ldapRes.on('error', function(err) {
+        console.error('error: ' + err.message);
+        reject(err);
+      });
+      ldapRes.on('end', function(result) {
+        console.log('status: ' + result.status);
+        resolve(students);
+      });
+    });
+  });
+}
+
 module.exports = {
     queryUser: queryUser,
     getUserType: getUserType,
+    getUserTypeFromDN: getUserTypeFromDN,
     setPrimaryParent: setPrimaryParent,
+    listStudents: listStudents,
+    getPrimaryParent: getPrimaryParent,
     USER_TYPE: USER_TYPE
 };

index.js

@@ -20,6 +20,14 @@ app.use(passport.session());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 
+app.get('/selfservice/api/whoami', function (req, res) {
+  if (!req.isAuthenticated()) {
+    return res.status(401).send('Unauthorized');
+  }
+  // Send user type and upn in json format
+  res.send({ userType: req.user.userType, upn: req.user.username });
+});
+
 let authRoutes = require('./routes/auth.js');
 app.use('/', authRoutes);
 let psRelationStudentRoutes = require('./routes/ps_relation_student.js');
@@ -27,6 +35,9 @@ app.use('/selfservice/api', psRelationStudentRoutes);
 let psRelationParentRoutes = require('./routes/ps_relation_parent.js');
 app.use('/selfservice/api', psRelationParentRoutes);
 
+// Serve Static Files
+app.use("/",express.static('statics'));
+
 let server = https.createServer(http_config.options, app);
 server.listen(3000, function () {
   console.log('Listening on port 3000');

routes/auth.js

@@ -14,6 +14,14 @@ router.get('/selfservice/api', function (req, res) {
       response += 'Username: ' + req.user.username + '<br>';
       response += 'First Name: ' + req.user.first_name + '<br>';
       response += 'Last Name: ' + req.user.last_name + '<br>';
+      usertype_map = ['Unknown', 'Student', 'Parent'];
+      response += 'User Type: ' + usertype_map[req.user.userType] + '<br>';
+      if (req.user.userType === directory.USER_TYPE.STUDENT) {
+        response += 'Primary Parent: ' + req.user.primaryParent + '<br>';
+      } 
+      else if (req.user.userType === directory.USER_TYPE.PARENT) {
+        response += 'Students: ' + req.user.students + '<br>';
+      }
       response += '<a href="/selfservice/api/logout">Logout</a>';
       res.send(response);
     }
@@ -25,7 +33,7 @@ router.get('/selfservice/api', function (req, res) {
   
   router.get('/selfservice/api/logout', function (req, res) {
     req.logout();
-    res.redirect('/selfservice/api');
+    res.redirect('/selfservice');
   });
   
   router.get('/selfservice/api/login',
@@ -42,7 +50,7 @@ router.get('/selfservice/api', function (req, res) {
   });
   
   router.post('/selfservice/api/login/postResponse',
-    passport.authenticate('saml', { failureRedirect: '/selfservice/api',successRedirect: '/selfservice/api', failureFlash: true }),
+    passport.authenticate('saml', { failureRedirect: '/selfservice',successRedirect: '/selfservice', failureFlash: true }),
     function (req, res) {
       console.log('SAML authentication successful');
       res.redirect('/selfservice');

routes/ps_relation_parent.js

@@ -39,6 +39,18 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (!req.query.pairing_code) {
+        return res.status(400).send('Pairing code not provided');
+    }
+    if (!req.params.parent_upn) {
+        return res.status(400).send('Parent UPN not provided');
+    }
+    if (req.user.username !== req.params.parent_upn) {
+        return res.status(403).send('Forbidden, UPN mismatch');
+    }
+    if (req.user.userType !== directory.USER_TYPE.PARENT) {
+        return res.status(403).send('Forbidden, not a parent');
+    }
     let parent_upn = req.params.parent_upn;
     // Is the logged in user a parent with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response
@@ -63,10 +75,16 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
     res.send('Student added');
 });
 
-router.get('/parent/:parent_upn', function (req, res) {
+router.get('/parent/:parent_upn', async function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.username !== req.params.parent_upn) {
+        return res.status(403).send('Forbidden, UPN mismatch');
+    }
+    if (req.user.userType !== directory.USER_TYPE.PARENT) {
+        return res.status(403).send('Forbidden, not a parent');
+    }
     let parent_upn = req.params.parent_upn;
     // Is the logged in user a parent with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response

routes/ps_relation_student.js

@@ -3,6 +3,7 @@
 let express = require('express');
 let router = express.Router();
 let passport = require('passport');
+let directory = require('../directory.js');
 let database = require('../config/database.js');
 let uuid = require('uuid');
 
@@ -24,6 +25,9 @@ router.get('/student/:upn/pairing-code', function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.userType !== directory.USER_TYPE.STUDENT) {
+        return res.status(403).send('Forbidden, not a student');
+    }
     let upn = req.params.upn;
     // Is the logged in user a student with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response
@@ -45,6 +49,9 @@ router.get('/student/:upn', function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.userType !== directory.USER_TYPE.STUDENT) {
+        return res.status(403).send('Forbidden, not a student');
+    }
     let upn = req.params.upn;
     // Is the logged in user a student with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response

statics/selfservice/index.html

@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Authentication Check</title>
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+    <style>
+        body {
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            font-family: Arial, sans-serif;
+            background-color: #f4f4f4;
+        }
+        .box {
+            display: flex;
+            flex-direction: column;
+            justify-content: center;
+            align-items: center;
+            padding: 20px;
+            background-color: white;
+            box-shadow: 0px 0px 10px rgba(0, 0, 0, 0.1);
+        }
+        #loginButton {
+            margin-top: 20px;
+            padding: 10px 20px;
+            background-color: #007BFF;
+            color: white;
+            border: none;
+            cursor: pointer;
+            align-self: center;
+        }
+    </style>
+</head>
+<body>
+    <div class="box">
+        <h2 style="text-align: center;">SATITM<br/>Parent-Student Relationship<br/>Management</h2>
+        <p id="subtitle">Please log in to continue</p>
+        <a href="/selfservice/api/login" style="text-decoration: none;">
+            <button id="loginButton">Login</button>
+        </a>
+    </div>
+
+    <script>
+        $(document).ready(function() {
+            $.get('/selfservice/api/whoami')
+                .done(function(response) {
+                    if (response.userType == 1) { //Student 
+                        window.location.href = '/selfservice/student.html';
+                    } else if (response.userType == 2) { //Parent
+                        window.location.href = '/selfservice/parent.html';
+                    } else { // Unknown, change login button and change subtitle to "Your account is not allowed to access this service. Please log out."
+                        let loginButton = $('#loginButton');
+                        loginButton.text('Logout').on('click', function() {
+                            window.location.href = '/selfservice/api/logout';
+                        });
+                        // Make button red
+                        loginButton.css('background-color', 'red');
+                        $('#subtitle').text('Your account is not allowed to access this service. Please log out.');
+                    }
+                    
+                })
+                .fail(function() {
+                    $('#loginButton').show().on('click', function() {
+                        window.location.href = '/selfservice/api/login';
+                    });
+                });
+        });
+    </script>
+</body>
+</html>

statics/selfservice/student.html

@@ -0,0 +1,94 @@
+<!-- FILEPATH: /D:/Git/satitm-sso-node/statics/selfservice/student.html -->
+<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+<style>
+    .student-box {
+        background-color: #f2f2f2;
+        border-radius: 10px;
+        padding: 20px;
+        box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+        max-width: 400px;
+        margin: 0 auto;
+    }
+
+    .inner-box {
+        margin-bottom: 20px;
+    }
+
+    h2 {
+        font-size: 20px;
+        margin-bottom: 10px;
+    }
+
+    p {
+        margin: 5px 0;
+    }
+
+    .linked-parent {
+        margin-bottom: 20px;
+    }
+
+    button {
+        background-color: #4CAF50;
+        color: white;
+        border: none;
+        padding: 10px 20px;
+        text-align: center;
+        text-decoration: none;
+        display: inline-block;
+        font-size: 16px;
+        border-radius: 5px;
+        cursor: pointer;
+    }
+
+    #generate-token-btn {
+        background-color: #007bff;
+        margin-right: 10px;
+    }
+
+    #logout-btn {
+        background-color: #dc3545;
+    }
+</style>
+
+<div class="student-box">
+    <div class="inner-box">
+        <h2>Student Information</h2>
+        <p><span id="student-name">Name:</span> </p>
+        <p><span id="student-surname">Surname:</span> </p>
+        <p><span id="student-email">Email:</span> </p>
+    </div>
+    
+    <div class="linked-parent">
+        <h2>Linked Parent</h2>
+        <p><span id="linked-parent-info"></span></p>
+    </div>
+    
+    <button id="generate-token-btn">Generate Parent Link Token</button>
+    
+    <a href="/selfservice/api/logout" style="text-decoration: none;">
+        <button id="logout-btn">Logout</button>
+    </a>
+</div>
+
+<script>
+    // Get student information on page load
+    // Student information is at /selfservice/api/student/${upn}
+    // UPN can be obtained from /selfservice/api/whoami
+    $(document).ready(function() {
+        $.get('/selfservice/api/whoami')
+            .done(function(response) {
+                $.get(`/selfservice/api/student/${response.upn}`)
+                    .done(function(student) {
+                        $('#student-name').text(`Name: ${student.first_name}`);
+                        $('#student-surname').text(`Surname: ${student.last_name}`);
+                        $('#student-email').text(`Email: ${student.username}`);
+                    })
+                    .fail(function() {
+                        alert('Failed to get student information');
+                    });
+            })
+            .fail(function() {
+                alert('Failed to get user information');
+            });
+    });
+</script>