first commit

services/web/modules/launchpad/app/src/LaunchpadController.mjs

@@ -0,0 +1,256 @@
+import OError from '@overleaf/o-error'
+import { expressify } from '@overleaf/promise-utils'
+import Settings from '@overleaf/settings'
+import Path from 'node:path'
+import { fileURLToPath } from 'node:url'
+import logger from '@overleaf/logger'
+import UserRegistrationHandler from '../../../../app/src/Features/User/UserRegistrationHandler.js'
+import EmailHandler from '../../../../app/src/Features/Email/EmailHandler.js'
+import UserGetter from '../../../../app/src/Features/User/UserGetter.js'
+import { User } from '../../../../app/src/models/User.js'
+import AuthenticationManager from '../../../../app/src/Features/Authentication/AuthenticationManager.js'
+import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.js'
+import SessionManager from '../../../../app/src/Features/Authentication/SessionManager.js'
+import { hasAdminAccess } from '../../../../app/src/Features/Helpers/AdminAuthorizationHelper.js'
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url))
+
+/**
+ * Container for functions that need to be mocked in tests
+ *
+ * TODO: Rewrite tests in terms of exported functions only
+ */
+const _mocks = {}
+
+_mocks._atLeastOneAdminExists = async () => {
+  const user = await UserGetter.promises.getUser(
+    { isAdmin: true },
+    { _id: 1, isAdmin: 1 }
+  )
+  return Boolean(user)
+}
+
+async function _atLeastOneAdminExists() {
+  return await _mocks._atLeastOneAdminExists()
+}
+
+function getAuthMethod() {
+  if (Settings.ldap) {
+    return 'ldap'
+  } else if (Settings.saml) {
+    return 'saml'
+  } else {
+    return 'local'
+  }
+}
+
+async function launchpadPage(req, res) {
+  // TODO: check if we're using external auth?
+  //   * how does all this work with ldap and saml?
+  const sessionUser = SessionManager.getSessionUser(req.session)
+  const authMethod = getAuthMethod()
+  const adminUserExists = await _atLeastOneAdminExists()
+
+  if (!sessionUser) {
+    if (!adminUserExists) {
+      res.render(Path.resolve(__dirname, '../views/launchpad'), {
+        adminUserExists,
+        authMethod,
+      })
+    } else {
+      AuthenticationController.setRedirectInSession(req)
+      res.redirect('/login')
+    }
+  } else {
+    const user = await UserGetter.promises.getUser(sessionUser._id, {
+      isAdmin: 1,
+    })
+    if (hasAdminAccess(user)) {
+      res.render(Path.resolve(__dirname, '../views/launchpad'), {
+        wsUrl: Settings.wsUrl,
+        adminUserExists,
+        authMethod,
+      })
+    } else {
+      res.redirect('/restricted')
+    }
+  }
+}
+
+async function sendTestEmail(req, res) {
+  const { email } = req.body
+  if (!email) {
+    logger.debug({}, 'no email address supplied')
+    return res.status(400).json({
+      message: 'no email address supplied',
+    })
+  }
+  logger.debug({ email }, 'sending test email')
+  const emailOptions = { to: email }
+  try {
+    await EmailHandler.promises.sendEmail('testEmail', emailOptions)
+    logger.debug({ email }, 'sent test email')
+    res.json({ message: res.locals.translate('email_sent') })
+  } catch (err) {
+    OError.tag(err, 'error sending test email', {
+      email,
+    })
+    throw err
+  }
+}
+
+function registerExternalAuthAdmin(authMethod) {
+  return expressify(async function (req, res) {
+    if (getAuthMethod() !== authMethod) {
+      logger.debug(
+        { authMethod },
+        'trying to register external admin, but that auth service is not enabled, disallow'
+      )
+      return res.sendStatus(403)
+    }
+    const { email } = req.body
+    if (!email) {
+      logger.debug({ authMethod }, 'no email supplied, disallow')
+      return res.sendStatus(400)
+    }
+
+    logger.debug({ email }, 'attempted register first admin user')
+
+    const exists = await _atLeastOneAdminExists()
+
+    if (exists) {
+      logger.debug({ email }, 'already have at least one admin user, disallow')
+      return res.sendStatus(403)
+    }
+
+    const body = {
+      email,
+      password: 'password_here',
+      first_name: email,
+      last_name: '',
+    }
+    logger.debug(
+      { body, authMethod },
+      'creating admin account for specified external-auth user'
+    )
+
+    let user
+    try {
+      user = await UserRegistrationHandler.promises.registerNewUser(body)
+    } catch (err) {
+      OError.tag(err, 'error with registerNewUser', {
+        email,
+        authMethod,
+      })
+      throw err
+    }
+
+    try {
+      const reversedHostname = user.email
+        .split('@')[1]
+        .split('')
+        .reverse()
+        .join('')
+      await User.updateOne(
+        { _id: user._id },
+        {
+          $set: { isAdmin: true, emails: [{ email, reversedHostname }] },
+        }
+      ).exec()
+    } catch (err) {
+      OError.tag(err, 'error setting user to admin', {
+        user_id: user._id,
+      })
+      throw err
+    }
+
+    AuthenticationController.setRedirectInSession(req, '/launchpad')
+    logger.debug(
+      { email, userId: user._id, authMethod },
+      'created first admin account'
+    )
+
+    res.json({ redir: '/launchpad', email })
+  })
+}
+
+async function registerAdmin(req, res) {
+  const { email } = req.body
+  const { password } = req.body
+  if (!email || !password) {
+    logger.debug({}, 'must supply both email and password, disallow')
+    return res.sendStatus(400)
+  }
+
+  logger.debug({ email }, 'attempted register first admin user')
+  const exists = await _atLeastOneAdminExists()
+
+  if (exists) {
+    logger.debug(
+      { email: req.body.email },
+      'already have at least one admin user, disallow'
+    )
+    return res.status(403).json({
+      message: { type: 'error', text: 'admin user already exists' },
+    })
+  }
+
+  const invalidEmail = AuthenticationManager.validateEmail(email)
+  if (invalidEmail) {
+    return res
+      .status(400)
+      .json({ message: { type: 'error', text: invalidEmail.message } })
+  }
+
+  const invalidPassword = AuthenticationManager.validatePassword(
+    password,
+    email
+  )
+  if (invalidPassword) {
+    return res
+      .status(400)
+      .json({ message: { type: 'error', text: invalidPassword.message } })
+  }
+
+  const body = { email, password }
+
+  const user = await UserRegistrationHandler.promises.registerNewUser(body)
+
+  logger.debug({ userId: user._id }, 'making user an admin')
+
+  try {
+    const reversedHostname = user.email
+      .split('@')[1]
+      .split('')
+      .reverse()
+      .join('')
+    await User.updateOne(
+      { _id: user._id },
+      {
+        $set: {
+          isAdmin: true,
+          emails: [{ email, reversedHostname }],
+        },
+      }
+    ).exec()
+  } catch (err) {
+    OError.tag(err, 'error setting user to admin', {
+      user_id: user._id,
+    })
+    throw err
+  }
+
+  logger.debug({ email, userId: user._id }, 'created first admin account')
+  res.json({ redir: '/launchpad' })
+}
+
+const LaunchpadController = {
+  launchpadPage: expressify(launchpadPage),
+  registerAdmin: expressify(registerAdmin),
+  registerExternalAuthAdmin,
+  sendTestEmail: expressify(sendTestEmail),
+  _atLeastOneAdminExists,
+  _mocks,
+}
+
+export default LaunchpadController

services/web/modules/launchpad/app/src/LaunchpadRouter.mjs

@@ -0,0 +1,43 @@
+import logger from '@overleaf/logger'
+
+import LaunchpadController from './LaunchpadController.mjs'
+import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.js'
+import AuthorizationMiddleware from '../../../../app/src/Features/Authorization/AuthorizationMiddleware.js'
+
+export default {
+  apply(webRouter) {
+    logger.debug({}, 'Init launchpad router')
+
+    webRouter.get('/launchpad', LaunchpadController.launchpadPage)
+    webRouter.post(
+      '/launchpad/register_admin',
+      LaunchpadController.registerAdmin
+    )
+    webRouter.post(
+      '/launchpad/register_ldap_admin',
+      LaunchpadController.registerExternalAuthAdmin('ldap')
+    )
+    webRouter.post(
+      '/launchpad/register_saml_admin',
+      LaunchpadController.registerExternalAuthAdmin('saml')
+    )
+    webRouter.post(
+      '/launchpad/send_test_email',
+      AuthorizationMiddleware.ensureUserIsSiteAdmin,
+      LaunchpadController.sendTestEmail
+    )
+
+    if (AuthenticationController.addEndpointToLoginWhitelist) {
+      AuthenticationController.addEndpointToLoginWhitelist('/launchpad')
+      AuthenticationController.addEndpointToLoginWhitelist(
+        '/launchpad/register_admin'
+      )
+      AuthenticationController.addEndpointToLoginWhitelist(
+        '/launchpad/register_ldap_admin'
+      )
+      AuthenticationController.addEndpointToLoginWhitelist(
+        '/launchpad/register_saml_admin'
+      )
+    }
+  },
+}

services/web/modules/launchpad/app/src/tsconfig.json

@@ -0,0 +1 @@
+{ "extends": "../../../../tsconfig.backend.json" }

services/web/modules/launchpad/app/views/launchpad.pug

@@ -0,0 +1,226 @@
+extends ../../../../app/views/layout-marketing
+
+mixin launchpad-check(section)
+	div(data-ol-launchpad-check=section)
+		span(data-ol-inflight="pending")
+			i.fa.fa-fw.fa-spinner.fa-spin
+			span  #{translate('checking')}
+	
+		span(hidden data-ol-inflight="idle")
+			div(data-ol-result="success")
+				i.fa.fa-check
+				span  #{translate('ok')}
+				button.btn.btn-inline-link
+					span.text-danger  #{translate('retry')}
+			div(hidden data-ol-result="error")
+				i.fa.fa-exclamation
+				span  #{translate('error')}
+				button.btn.btn-inline-link
+					span.text-danger  #{translate('retry')}
+				div.alert.alert-danger
+					span(data-ol-error)
+
+block entrypointVar
+	- entrypoint = 'modules/launchpad/pages/launchpad'
+					
+block vars
+	- metadata = metadata || {}
+	- bootstrap5PageStatus = 'disabled'
+
+block append meta
+	meta(name="ol-adminUserExists" data-type="boolean" content=adminUserExists)
+	meta(name="ol-ideJsPath" content=buildJsPath('ide.js'))
+
+block content
+	script(type="text/javascript", nonce=scriptNonce, src=(wsUrl || '/socket.io') + '/socket.io.js')
+
+	.content.content-alt#main-content
+		.container
+			.row
+				.col-md-8.col-md-offset-2
+					.card.launchpad-body
+						.row
+							.col-md-12
+								.text-center
+									h1 #{translate('welcome_to_sl')}
+									p
+										img(src=buildImgPath('/ol-brand/overleaf-o.svg'))
+
+						<!-- wrapper -->
+						.row
+							.col-md-8.col-md-offset-2
+
+
+								<!-- create first admin form -->
+								if !adminUserExists
+									.row(data-ol-not-sent)
+										.col-md-12
+											h2 #{translate('create_first_admin_account')}
+
+											// Local Auth Form
+											if authMethod === 'local'
+												form(
+													data-ol-async-form
+													data-ol-register-admin
+													action="/launchpad/register_admin"
+													method="POST"
+												)
+													input(name='_csrf', type='hidden', value=csrfToken)
+													+formMessages()
+													.form-group
+														label(for='email') #{translate("email")}
+														input.form-control(
+															type='email',
+															name='email',
+															placeholder="email@example.com"
+															autocomplete="username"
+															required,
+															autofocus="true"
+														)
+													.form-group
+														label(for='password') #{translate("password")}
+														input.form-control#passwordField(
+															type='password',
+															name='password',
+															placeholder="********",
+															autocomplete="new-password"
+															required,
+														)
+													.actions
+														button.btn-primary.btn(
+															type='submit'
+															data-ol-disabled-inflight
+														)
+															span(data-ol-inflight="idle") #{translate("register")}
+															span(hidden data-ol-inflight="pending") #{translate("registering")}…
+
+											// Ldap Form
+											if authMethod === 'ldap'
+												h3 #{translate('ldap')}
+												p
+													| #{translate('ldap_create_admin_instructions')}
+
+												form(
+													data-ol-async-form
+													data-ol-register-admin
+													action="/launchpad/register_ldap_admin"
+													method="POST"
+												)
+													input(name='_csrf', type='hidden', value=csrfToken)
+													+formMessages()
+													.form-group
+														label(for='email') #{translate("email")}
+														input.form-control(
+															type='email',
+															name='email',
+															placeholder="email@example.com"
+															autocomplete="username"
+															required,
+															autofocus="true"
+														)
+													.actions
+														button.btn-primary.btn(
+															type='submit'
+															data-ol-disabled-inflight
+														)
+															span(data-ol-inflight="idle") #{translate("register")}
+															span(hidden data-ol-inflight="pending") #{translate("registering")}…
+
+											// Saml Form
+											if authMethod === 'saml'
+												h3 #{translate('saml')}
+												p
+													| #{translate('saml_create_admin_instructions')}
+
+												form(
+													data-ol-async-form
+													data-ol-register-admin
+													action="/launchpad/register_saml_admin"
+													method="POST"
+												)
+													input(name='_csrf', type='hidden', value=csrfToken)
+													+formMessages()
+													.form-group
+														label(for='email') #{translate("email")}
+														input.form-control(
+															type='email',
+															name='email',
+															placeholder="email@example.com"
+															autocomplete="username"
+															required,
+															autofocus="true"
+														)
+													.actions
+														button.btn-primary.btn(
+															type='submit'
+															data-ol-disabled-inflight
+														)
+															span(data-ol-inflight="idle") #{translate("register")}
+															span(hidden data-ol-inflight="pending") #{translate("registering")}…
+
+									br
+
+								<!-- status indicators -->
+								if adminUserExists
+									.row
+										.col-md-12.status-indicators
+
+											h2 #{translate('status_checks')}
+
+											<!-- websocket -->
+											.row.row-spaced-small
+												.col-sm-5
+													| #{translate('websockets')}
+												.col-sm-7
+													+launchpad-check('websocket')
+
+									<!-- break -->
+									hr.thin
+
+									<!-- other actions -->
+									.row
+										.col-md-12
+											h2 #{translate('other_actions')}
+
+											h3 #{translate('send_test_email')}
+											form.form(
+												data-ol-async-form
+												action="/launchpad/send_test_email"
+												method="POST"
+											)
+												.form-group
+													label(for="email") Email
+													input.form-control(
+														type="text"
+														id="email"
+														name="email"
+														required
+													)
+												button.btn-primary.btn(
+													type='submit'
+													data-ol-disabled-inflight
+												)
+													span(data-ol-inflight="idle") #{translate("send")}
+													span(hidden data-ol-inflight="pending") #{translate("sending")}…
+
+												p
+													+formMessages()
+
+
+
+									<!-- break -->
+									hr.thin
+
+
+									<!-- Go to app -->
+									.row
+										.col-md-12
+											.text-center
+												br
+												p
+													a(href="/admin").btn.btn-info
+														| Go To Admin Panel
+													| &nbsp;
+													a(href="/project").btn.btn-primary
+														| Start Using #{settings.appName}
+												br