updated is.js, refactored jwt code

app/app/components/auth-settings.js

@@ -23,10 +23,12 @@ export default Ember.Component.extend({
 	KeycloakUrlError: computed.empty('keycloakConfig.url'),
 	KeycloakRealmError: computed.empty('keycloakConfig.realm'),
 	KeycloakClientIdError: computed.empty('keycloakConfig.clientId'),
+	KeycloakPublicKeyError: computed.empty('keycloakConfig.publicKey'),
 	keycloakConfig: { 
 		url: '',
 		realm: '',
-		clientId: ''
+		clientId: '',
+		publicKey: '',
 	},
 
 	didReceiveAttrs() {
@@ -81,6 +83,20 @@ export default Ember.Component.extend({
 						this.$("#keycloak-clientId").focus();
 						return;
 					}
+					if (this.get('KeycloakPublicKeyError')) {
+						this.$("#keycloak-publicKey").focus();
+						return;
+					}
+
+					let pk = this.get('keycloakConfig.publicKey');
+					if (is.not.startWith(pk, '-----BEGIN PUBLIC KEY-----')) {
+						pk = '-----BEGIN PUBLIC KEY-----' + pk;
+					}
+					if (is.not.endWith(pk, '-----END PUBLIC KEY-----')) {
+						pk = pk + '-----END PUBLIC KEY-----' ;
+					}
+
+					this.set('keycloakConfig.publicKey', pk);
 
 					config = this.get('keycloakConfig');
 					break;

app/app/pods/auth/keycloak/route.js

@@ -44,6 +44,8 @@ export default Ember.Route.extend({
 			this.get('kcAuth').fetchProfile(kc).then((profile) => {
 				let data = this.get('kcAuth').mapProfile(kc, profile);
 
+				console.log(kc);
+				console.log(profile);
 				console.log(data);
 
 				// this.get("session").authenticate('authenticator:keycloak', data)

app/app/pods/auth/keycloak/template.hbs

@@ -1,4 +1,4 @@
 <div class="sso-box">
-    <p>Keycloak authentication...</p>
+    <p>Authenticating with Keycloak...</p>
     <img src="/assets/img/busy-gray.gif" />
 </div>

app/app/services/kc-auth.js

@@ -69,6 +69,7 @@ export default Ember.Service.extend({
 			username: profile.username,
 			firstname: profile.firstName,
 			lastname: profile.lastName,
+            remoteId: profile.id
 		};
 	}
 });

app/app/templates/components/auth-settings.hbs

@@ -11,6 +11,10 @@
     </div>
 
     {{#if isKeycloakProvider}}
+        <div class="form-header">
+            <div class="title">Keycloak Configuration</div>
+            <div class="tip">Connection parameters</div>
+        </div>
         <div class="input-control">
             <label>Keycloak Server URL</label>
             <div class="tip">e.g. http://localhost:8888/auth</div>
@@ -26,6 +30,11 @@
             <div class="tip">e.g. account</div>
             {{input id="keycloak-clientId" type="text" value=keycloakConfig.clientId class=(if KeycloakClientIdError 'error')}}
         </div>
+        <div class="input-control">
+            <label>Keycloak Realm Public Key</label>
+            <div class="tip">Copy the RSA public key from Realm Settings &rarr; Keys</div>
+            {{textarea id="keycloak-publicKey" type="text" value=keycloakConfig.publicKey rows=7 class=(if KeycloakPublicKeyError 'error')}}
+        </div>
     {{/if}}
 
     <div class="regular-button button-blue" {{action 'onSave'}}>save</div>

core/api/endpoint/authentication_endpoint.go

@@ -12,22 +12,17 @@
 package endpoint
 
 import (
-	"crypto/rand"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
-	"time"
-
-	jwt "github.com/dgrijalva/jwt-go"
 
 	"github.com/documize/community/core/api/endpoint/models"
 	"github.com/documize/community/core/api/entity"
 	"github.com/documize/community/core/api/request"
 	"github.com/documize/community/core/api/util"
-	"github.com/documize/community/core/environment"
 	"github.com/documize/community/core/log"
 	"github.com/documize/community/core/section/provider"
 	"github.com/documize/community/core/utility"
@@ -308,130 +303,3 @@ func preAuthorizeStaticAssets(r *http.Request) bool {
 
 	return false
 }
-
-var jwtKey string
-
-func init() {
-	environment.GetString(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated",
-		func(t *string, n string) bool {
-			if jwtKey == "" {
-				b := make([]byte, 17)
-				_, err := rand.Read(b)
-				if err != nil {
-					jwtKey = err.Error()
-					log.Error("problem using crypto/rand", err)
-					return false
-				}
-				for k, v := range b {
-					if (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z') || (v >= '0' && v <= '0') {
-						b[k] = v
-					} else {
-						s := fmt.Sprintf("%x", v)
-						b[k] = s[0]
-					}
-				}
-				jwtKey = string(b)
-				log.Info("Please set DOCUMIZESALT or use -salt with this value: " + jwtKey)
-			}
-			return true
-		})
-}
-
-// Generates JSON Web Token (http://jwt.io)
-func generateJWT(user, org, domain string) string {
-	token := jwt.New(jwt.SigningMethodHS256)
-
-	// issuer
-	token.Claims["iss"] = "Documize"
-	// subject
-	token.Claims["sub"] = "webapp"
-	// expiry
-	token.Claims["exp"] = time.Now().Add(time.Hour * 168).Unix()
-	// data
-	token.Claims["user"] = user
-	token.Claims["org"] = org
-	token.Claims["domain"] = domain
-
-	tokenString, _ := token.SignedString([]byte(jwtKey))
-
-	return tokenString
-}
-
-// Check for authorization token.
-// We look for 'Authorization' request header OR query string "?token=XXX".
-func findJWT(r *http.Request) (token string) {
-	header := r.Header.Get("Authorization")
-
-	if header != "" {
-		header = strings.Replace(header, "Bearer ", "", 1)
-	}
-
-	if len(header) > 1 {
-		token = header
-	} else {
-		query := r.URL.Query()
-		token = query.Get("token")
-	}
-
-	if token == "null" {
-		token = ""
-	}
-
-	return
-}
-
-// We take in raw token string and decode it.
-func decodeJWT(tokenString string) (c request.Context, claims map[string]interface{}, err error) {
-	method := "decodeJWT"
-
-	// sensible defaults
-	c.UserID = ""
-	c.OrgID = ""
-	c.Authenticated = false
-	c.Guest = false
-
-	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		return []byte(jwtKey), nil
-	})
-
-	if err != nil {
-		err = fmt.Errorf("bad authorization token")
-		return
-	}
-
-	if !token.Valid {
-		if ve, ok := err.(*jwt.ValidationError); ok {
-			if ve.Errors&jwt.ValidationErrorMalformed != 0 {
-				log.Error("invalid token", err)
-				err = fmt.Errorf("bad token")
-				return
-			} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
-				log.Error("expired token", err)
-				err = fmt.Errorf("expired token")
-				return
-			} else {
-				log.Error("invalid token", err)
-				err = fmt.Errorf("bad token")
-				return
-			}
-		} else {
-			log.Error("invalid token", err)
-			err = fmt.Errorf("bad token")
-			return
-		}
-	}
-
-	c = request.NewContext()
-	c.UserID = token.Claims["user"].(string)
-	c.OrgID = token.Claims["org"].(string)
-
-	if len(c.UserID) == 0 || len(c.OrgID) == 0 {
-		err = fmt.Errorf("%s : unable parse token data", method)
-		return
-	}
-
-	c.Authenticated = true
-	c.Guest = false
-
-	return c, token.Claims, nil
-}

core/api/endpoint/jwt.go

@@ -0,0 +1,153 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package endpoint
+
+import (
+	"crypto/rand"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+
+	"github.com/documize/community/core/api/request"
+	"github.com/documize/community/core/environment"
+	"github.com/documize/community/core/log"
+)
+
+var jwtKey string
+
+func init() {
+	environment.GetString(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated",
+		func(t *string, n string) bool {
+			if jwtKey == "" {
+				b := make([]byte, 17)
+				_, err := rand.Read(b)
+				if err != nil {
+					jwtKey = err.Error()
+					log.Error("problem using crypto/rand", err)
+					return false
+				}
+				for k, v := range b {
+					if (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z') || (v >= '0' && v <= '0') {
+						b[k] = v
+					} else {
+						s := fmt.Sprintf("%x", v)
+						b[k] = s[0]
+					}
+				}
+				jwtKey = string(b)
+				log.Info("Please set DOCUMIZESALT or use -salt with this value: " + jwtKey)
+			}
+			return true
+		})
+}
+
+// Generates JSON Web Token (http://jwt.io)
+func generateJWT(user, org, domain string) string {
+	token := jwt.New(jwt.SigningMethodHS256)
+
+	// issuer
+	token.Claims["iss"] = "Documize"
+	// subject
+	token.Claims["sub"] = "webapp"
+	// expiry
+	token.Claims["exp"] = time.Now().Add(time.Hour * 168).Unix()
+	// data
+	token.Claims["user"] = user
+	token.Claims["org"] = org
+	token.Claims["domain"] = domain
+
+	tokenString, _ := token.SignedString([]byte(jwtKey))
+
+	return tokenString
+}
+
+// Check for authorization token.
+// We look for 'Authorization' request header OR query string "?token=XXX".
+func findJWT(r *http.Request) (token string) {
+	header := r.Header.Get("Authorization")
+
+	if header != "" {
+		header = strings.Replace(header, "Bearer ", "", 1)
+	}
+
+	if len(header) > 1 {
+		token = header
+	} else {
+		query := r.URL.Query()
+		token = query.Get("token")
+	}
+
+	if token == "null" {
+		token = ""
+	}
+
+	return
+}
+
+// We take in raw token string and decode it.
+func decodeJWT(tokenString string) (c request.Context, claims map[string]interface{}, err error) {
+	method := "decodeJWT"
+
+	// sensible defaults
+	c.UserID = ""
+	c.OrgID = ""
+	c.Authenticated = false
+	c.Guest = false
+
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		return []byte(jwtKey), nil
+	})
+
+	if err != nil {
+		err = fmt.Errorf("bad authorization token")
+		return
+	}
+
+	if !token.Valid {
+		if ve, ok := err.(*jwt.ValidationError); ok {
+			if ve.Errors&jwt.ValidationErrorMalformed != 0 {
+				log.Error("invalid token", err)
+				err = fmt.Errorf("bad token")
+				return
+			} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
+				log.Error("expired token", err)
+				err = fmt.Errorf("expired token")
+				return
+			} else {
+				log.Error("invalid token", err)
+				err = fmt.Errorf("bad token")
+				return
+			}
+		} else {
+			log.Error("invalid token", err)
+			err = fmt.Errorf("bad token")
+			return
+		}
+	}
+
+	c = request.NewContext()
+	c.UserID = token.Claims["user"].(string)
+	c.OrgID = token.Claims["org"].(string)
+
+	if len(c.UserID) == 0 || len(c.OrgID) == 0 {
+		err = fmt.Errorf("%s : unable parse token data", method)
+		return
+	}
+
+	c.Authenticated = true
+	c.Guest = false
+
+	return c, token.Claims, nil
+}