update 3-2

Author: derisen

1-Authentication/1-sign-in/README-incremental.md

@@ -0,0 +1,148 @@
+const express = require('express');
+const morgan = require('morgan');
+const cors = require('cors');
+
+const rateLimit = require('express-rate-limit');
+
+const passport = require('passport');
+const passportAzureAd = require('passport-azure-ad');
+
+
+const authConfig = require('./authConfig.js');
+const router = require('./routes/index');
+
+const app = express();
+
+/**
+ * If your app is behind a proxy, reverse proxy or a load balancer, consider
+ * letting express know that you are behind that proxy. To do so, uncomment
+ * the line below.
+ */
+
+// app.set('trust proxy',  /* numberOfProxies */);
+
+/**
+ * HTTP request handlers should not perform expensive operations such as accessing the file system,
+ * executing an operating system command or interacting with a database without limiting the rate at
+ * which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks
+ * where an attacker can cause the application to crash or become unresponsive by issuing a large number of
+ * requests at the same time. For more information, visit: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
+ */
+const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
+    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
+// Apply the rate limiting middleware to all requests
+app.use(limiter);
+
+app.use(cors());
+
+app.use(express.json())
+app.use(express.urlencoded({ extended: false}));
+app.use(morgan('dev'));
+
+const options = {
+    identityMetadata: `https://${authConfig.metadata.b2cDomain}/${authConfig.credentials.tenantName}/${authConfig.policies.policyName}/${authConfig.metadata.version}/${authConfig.metadata.discovery}`,
+    clientID: authConfig.credentials.clientID,
+    audience: authConfig.credentials.clientID,
+    policyName: authConfig.policies.policyName,
+    isB2C: authConfig.settings.isB2C,
+    validateIssuer: authConfig.settings.validateIssuer,
+    loggingLevel: authConfig.settings.loggingLevel,
+    passReqToCallback: authConfig.settings.passReqToCallback,
+    loggingNoPII: authConfig.settings.loggingNoPII, // set this to true in the authConfig.js if you want to enable logging and debugging
+};
+
+const bearerStrategy = new passportAzureAd.BearerStrategy(options, (req,token, done) => {
+    /**
+     * Below you can do extended token validation and check for additional claims, such as:
+     * - check if the delegated permissions in the 'scp' are the same as the ones declared in the application registration.
+     *
+     * Bear in mind that you can do any of the above checks within the individual routes and/or controllers as well.
+     * For more information, visit: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview
+     */
+
+    /**
+     * Lines below verifies if the caller's client ID is in the list of allowed clients.
+     * This ensures only the applications with the right client ID can access this API.
+     * To do so, we use "azp" claim in the access token. Uncomment the lines below to enable this check.
+     */
+    // if (!myAllowedClientsList.includes(token.azp)) {
+    //     return done(new Error('Unauthorized'), {}, "Client not allowed");
+    // }
+
+    // const myAllowedClientsList = [
+    //     /* add here the client IDs of the applications that are allowed to call this API */
+    // ]
+
+    /**
+     * Access tokens that have no 'scp' (for delegated permissions).
+     */
+    if (!token.hasOwnProperty('scp')) {
+        return done(new Error('Unauthorized'), null, 'No delegated permissions found');
+    }
+
+    done(null, {}, token);
+});
+
+
+app.use(passport.initialize());
+
+passport.use(bearerStrategy);
+
+app.use(
+    '/api',
+    (req, res, next) => {
+        passport.authenticate(
+            'oauth-bearer',
+            {
+                session: false,
+            },
+            (err, user, info) => {
+                if (err) {
+                    /**
+                     * An error occurred during authorization. Either pass the error to the next function
+                     * for Express error handler to handle, or send a response with the appropriate status code.
+                     */
+                    return res.status(401).json({ error: err.message });
+                }
+
+                if (!user) {
+                    // If no user object found, send a 401 response.
+                    return res.status(401).json({ error: 'Unauthorized' });
+                }
+
+                if (info) {
+                    // access token payload will be available in req.authInfo downstream
+                    req.authInfo = info;
+                    return next();
+                }
+            }
+        )(req, res, next);
+    },
+    router, // the router with all the routes
+    (err, req, res, next) => {
+        /**
+         * Add your custom error handling logic here. For more information, see:
+         * http://expressjs.com/en/guide/error-handling.html
+         */
+
+        // set locals, only providing error in development
+        res.locals.message = err.message;
+        res.locals.error = req.app.get('env') === 'development' ? err : {};
+
+        // send error response
+        res.status(err.status || 500).send(err);
+    }
+);
+
+const port = process.env.PORT || 5000;
+
+app.listen(port, () => {
+    console.log('Listening on port ' + port);
+});
+
+module.exports = app;

1-Authentication/2-sign-in-b2c/README-incremental.md

@@ -0,0 +1,20 @@
+/**
+ * Ensures that the access token has the specified delegated permissions.
+ * @param {Object} accessTokenPayload: Parsed access token payload
+ * @param {Array} requiredPermission: list of required permissions
+ * @returns {boolean}
+ */
+const hasRequiredDelegatedPermissions = (accessTokenPayload, requiredPermission) => {
+    const normalizedRequiredPermissions = requiredPermission.map((permission) => permission.toUpperCase());
+    
+    if (accessTokenPayload.hasOwnProperty('scp') && accessTokenPayload.scp.split(' ')
+        .some(claim => normalizedRequiredPermissions.includes(claim.toUpperCase()))) {
+        return true;
+    }
+    return false;
+    
+};
+
+module.exports = {
+    hasRequiredDelegatedPermissions
+}; 

2-Authorization-I/1-call-graph/README-incremental.md

@@ -0,0 +1,33 @@
+const passportConfig = {
+    credentials: {
+        tenantName: 'fabrikamb2c.onmicrosoft.com',
+        clientID: 'e29ac359-6a90-4f9e-b31c-8f64e1ac20cb',
+    },
+    policies: {
+        policyName: 'B2C_1_susi_v2',
+    },
+    metadata: {
+        b2cDomain: 'fabrikamb2c.b2clogin.com',
+        authority: 'login.microsoftonline.com',
+        discovery: '.well-known/openid-configuration',
+        version: 'v2.0',
+    },
+    settings: {
+        isB2C: true,
+        validateIssuer: false,
+        passReqToCallback: true,
+        loggingLevel: 'info',
+        loggingNoPII: false,
+    },
+    protectedRoutes: {
+        todolist: {
+            endpoint: '/api/todolist',
+            delegatedPermissions: {
+                read: ['ToDoList.Read', 'ToDoList.ReadWrite'],
+                write: ['ToDoList.ReadWrite'],
+            },
+        },
+    },
+};
+
+module.exports = passportConfig;

3-Authorization-II/2-call-api-b2c/API/app.js

@@ -0,0 +1,101 @@
+const lowdb = require('lowdb');
+const FileSync = require('lowdb/adapters/FileSync');
+const adapter = new FileSync('./data/db.json');
+const db = lowdb(adapter);
+const { v4: uuidv4 } = require('uuid');
+
+const {
+    hasRequiredDelegatedPermissions,
+} = require('../auth/permissionUtils');
+
+const authConfig = require('../authConfig');
+
+exports.getTodo = (req, res, next) => {
+    if (hasRequiredDelegatedPermissions(req.authInfo, authConfig.protectedRoutes.todolist.delegatedPermissions.read)) {
+        try {
+            /**
+             * The 'oid' (object id) is the only claim that should be used to uniquely identify
+             * a user in an Azure AD tenant. The token might have one or more of the following claim,
+             * that might seem like a unique identifier, but is not and should not be used as such,
+             * especially for systems which act as system of record (SOR):
+             *
+             * - upn (user principal name): might be unique amongst the active set of users in a tenant but
+             * tend to get reassigned to new employees as employees leave the organization and
+             * others take their place or might change to reflect a personal change like marriage.
+             *
+             * - email: might be unique amongst the active set of users in a tenant but tend to get
+             * reassigned to new employees as employees leave the organization and others take their place.
+             */
+            const owner = req.authInfo['oid'];
+            const id = req.params.id;
+
+            const todo = db.get('todos')
+                .filter({ owner: owner })
+                .find({ id: id })
+                .value();
+
+            res.status(200).send(todo);
+        } catch (error) {
+            next(error);
+        }
+    } else {
+        next(new Error('User does not have the required permissions'))
+    }
+}
+
+exports.getTodos = (req, res, next) => {
+    if (hasRequiredDelegatedPermissions(req.authInfo, authConfig.protectedRoutes.todolist.delegatedPermissions.read)) {
+        try {
+            const owner = req.authInfo['oid'];
+
+            const todos = db.get('todos')
+                .filter({ owner: owner })
+                .value();
+
+            res.status(200).send(todos);
+        } catch (error) {
+            next(error);
+        }
+    } else {
+        next(new Error('User does not have the required permissions'))
+    }
+}
+
+exports.postTodo = (req, res, next) => {
+    if (hasRequiredApplicationPermissions(req.authInfo, authConfig.protectedRoutes.todolist.applicationPermissions.write)) {
+        try {
+            const todo = {
+                description: req.body.description,
+                id: uuidv4(),
+                owner: req.authInfo['oid'] // oid is the only claim that should be used to uniquely identify a user in an Azure AD tenant
+            };
+
+            db.get('todos').push(todo).write();
+
+            res.status(200).json(todo);
+        } catch (error) {
+            next(error);
+        }
+    } else (
+        next(new Error('User or application does not have the required permissions'))
+    )
+}
+
+exports.deleteTodo = (req, res, next) => {
+    if (hasRequiredDelegatedPermissions(req.authInfo, authConfig.protectedRoutes.todolist.delegatedPermissions.write)) {
+        try {
+            const id = req.params.id;
+            const owner = req.authInfo['oid'];
+
+            db.get('todos')
+                .remove({ owner: owner, id: id })
+                .write();
+
+            res.status(200).json({ message: "success" });
+        } catch (error) {
+            next(error);
+        }
+    } else {
+        next(new Error('User does not have the required permissions'))
+    }
+}

3-Authorization-II/2-call-api-b2c/API/auth/permissionUtils.js

@@ -0,0 +1,3 @@
+{
+  "todos": []
+}