feat: oauth for chrome extension (#4870)

Previously we had to create a separate API key to give access to chrome extension so we can make calls to the DB. This PR includes logic to initiate a oauth flow with PKCE method which redirects to the `Authorise` screen to give access to server tokens. Implemented in this PR- 1. make `redirectUrl` a non-nullable parameter 2. Add `NODE_ENV` to environment variable service 3. new env variable `CHROME_EXTENSION_REDIRECT_URL` on server side 4. strict checks for redirectUrl 5. try catch blocks on utils db query methods 6. refactor Apollo Client to handle `unauthorized` condition 7. input field to enter server url (for self-hosting) 8. state to show user if its already connected 9. show error if oauth flow is cancelled by user Follow up PR - Renew token logic --------- Co-authored-by: Félix Malfait <felix@twenty.com>
2024-04-24 10:45:16 +01:00
parent 0a7f82333b
commit c63ee519ea
33 changed files with 18564 additions and 15049 deletions
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts
@ -107,6 +107,17 @@ export class AuthResolver {
    return { loginToken };
  }

+  @Mutation(() => ExchangeAuthCode)
+  async exchangeAuthorizationCode(
+    @Args() exchangeAuthCodeInput: ExchangeAuthCodeInput,
+  ) {
+    const tokens = await this.tokenService.verifyAuthorizationCode(
+      exchangeAuthCodeInput,
+    );
+
+    return tokens;
+  }
+
  @Mutation(() => TransientToken)
  @UseGuards(JwtAuthGuard)
  async generateTransientToken(
@ -152,17 +163,6 @@ export class AuthResolver {
    return authorizedApp;
  }

-  @Query(() => ExchangeAuthCode)
-  async exchangeAuthorizationCode(
-    @Args() exchangeAuthCodeInput: ExchangeAuthCodeInput,
-  ) {
-    const tokens = await this.tokenService.verifyAuthorizationCode(
-      exchangeAuthCodeInput,
-    );
-
-    return tokens;
-  }
-
  @Mutation(() => AuthTokens)
  @UseGuards(JwtAuthGuard)
  async generateJWT(
--- a/packages/twenty-server/src/engine/core-modules/auth/dto/authorize-app.input.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/dto/authorize-app.input.ts
@ -14,8 +14,7 @@ export class AuthorizeAppInput {
  @IsOptional()
  codeChallenge?: string;

-  @Field(() => String, { nullable: true })
+  @Field(() => String)
  @IsString()
-  @IsOptional()
-  redirectUrl?: string;
+  redirectUrl: string;
 }
--- a/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts
@ -14,6 +14,8 @@ import { PasswordUpdateNotifyEmail } from 'twenty-emails';
 import { addMilliseconds } from 'date-fns';
 import ms from 'ms';

+import { NodeEnvironment } from 'src/engine/integrations/environment/interfaces/node-environment.interface';
+
 import { ChallengeInput } from 'src/engine/core-modules/auth/dto/challenge.input';
 import { assert } from 'src/utils/assert';
 import {
@ -197,9 +199,11 @@ export class AuthService {
      {
        id: 'chrome',
        name: 'Chrome Extension',
-        redirectUrl: `${this.environmentService.get(
-          'CHROME_EXTENSION_REDIRECT_URL',
-        )}`,
+        redirectUrl:
+          this.environmentService.get('NODE_ENV') ===
+          NodeEnvironment.development
+            ? authorizeAppInput.redirectUrl
+            : `${this.environmentService.get('CHROME_EXTENSION_REDIRECT_URL')}`,
      },
    ];

@ -211,10 +215,14 @@ export class AuthService {
      throw new NotFoundException(`Invalid client '${clientId}'`);
    }

-    if (!client.redirectUrl && !authorizeAppInput.redirectUrl) {
+    if (!client.redirectUrl || !authorizeAppInput.redirectUrl) {
      throw new NotFoundException(`redirectUrl not found for '${clientId}'`);
    }

+    if (client.redirectUrl !== authorizeAppInput.redirectUrl) {
+      throw new ForbiddenException(`redirectUrl mismatch for '${clientId}'`);
+    }
+
    const authorizationCode = crypto.randomBytes(42).toString('hex');

    const expiresAt = addMilliseconds(new Date().getTime(), ms('5m'));
--- a/packages/twenty-server/src/engine/integrations/environment/environment-variables.ts
+++ b/packages/twenty-server/src/engine/integrations/environment/environment-variables.ts
@ -16,6 +16,7 @@ import {
 } from 'class-validator';

 import { EmailDriver } from 'src/engine/integrations/email/interfaces/email.interface';
+import { NodeEnvironment } from 'src/engine/integrations/environment/interfaces/node-environment.interface';

 import { assert } from 'src/utils/assert';
 import { CastToStringArray } from 'src/engine/integrations/environment/decorators/cast-to-string-array.decorator';
@ -40,6 +41,10 @@ export class EnvironmentVariables {
  @IsBoolean()
  DEBUG_MODE = false;

+  @IsEnum(NodeEnvironment)
+  @IsString()
+  NODE_ENV: NodeEnvironment = NodeEnvironment.development;
+
  @CastToPositiveNumber()
  @IsOptional()
  @IsNumber()
--- a/packages/twenty-server/src/engine/integrations/environment/interfaces/node-environment.interface.ts
+++ b/packages/twenty-server/src/engine/integrations/environment/interfaces/node-environment.interface.ts
@ -0,0 +1,4 @@
+export enum NodeEnvironment {
+  development = 'development',
+  production = 'production',
+}
--- a/packages/twenty-server/src/engine/workspace-manager/demo-objects-prefill-data/companies-demo.json.ts
+++ b/packages/twenty-server/src/engine/workspace-manager/demo-objects-prefill-data/companies-demo.json.ts
--- a/packages/twenty-server/src/engine/workspace-manager/demo-objects-prefill-data/people-demo.json.ts
+++ b/packages/twenty-server/src/engine/workspace-manager/demo-objects-prefill-data/people-demo.json.ts