proxyauth: user OpenID instead of basic auth

src/proxyauth.js

@@ -22,6 +22,7 @@ const apps = require('./apps.js'),
     HttpSuccess = require('connect-lastmile').HttpSuccess,
     jwt = require('jsonwebtoken'),
     middleware = require('./middleware'),
+    oidc = require('./oidc.js'),
     path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
@@ -152,6 +153,19 @@ function auth(req, res, next) {
     next(new HttpSuccess(200, {}));
 }
 
+async function callback(req, res, next) {
+    if (!req.query.code) return next(new HttpError(400, 'missing query argument "code"'));
+
+    debug(`callback: with code ${req.query.code}`);
+
+    req.user = await oidc.getUserByAuthCode(req.query.code);
+
+    // this is one-time use
+    await oidc.consumeAuthCode(req.query.code);
+
+    next();
+}
+
 // endpoint called by login page, username and password posted as JSON body
 async function passwordAuth(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
@@ -226,6 +240,7 @@ function initializeAuthwallExpressSync() {
         .use(router)
         .use(middleware.lastMile());
 
+    router.get ('/callback',  callback, authorize);
     router.get ('/login',     loginPage);
     router.get ('/auth',      jwtVerify, authorizationHeader, auth); // called by nginx before accessing protected page
     router.post('/login',     json, passwordAuth, authorize);