From 3b9336d3c9c5e57e8e79f3e09e31e72f62eb52e5 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Mon, 13 Mar 2023 17:01:52 +0100
Subject: [PATCH] oidc: Initial auth against our userdb is working
---
 src/oidc.js | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/oidc.js b/src/oidc.js
index 9b96f5cc2..813fe8a51 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -10,6 +10,10 @@ const assert = require('assert'),
 fs = require('fs'),
 path = require('path'),
 paths = require('./paths.js'),
+ BoxError = require('./boxerror.js'),
+ HttpError = require('connect-lastmile').HttpError,
+ users = require('./users.js'),
+ safe = require('safetydance'),
 settings = require('./settings.js');
 class CloudronAdapter {
@@ -317,14 +321,28 @@ function attachInteractionRoutes(routePrefix, app, provider) {
 try {
 const { uid, prompt: { name } } = await provider.interactionDetails(req, res);
- debug(`route interaction login post uid:${uid} prompt.name:${name} login:${req.body.login}`);
+ debug(`route interaction login post uid:${uid} prompt.name:${name}`, req.body);
 assert.equal(name, 'login');
- const account = await Account.findByLogin(req.body.login);
+ if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
+ if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
+ if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));
+
+ const { username, password, totpToken } = req.body;
+
+ const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;
+
+ let [error, user] = await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken }));
+ if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
+ if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
+ if (error) return next(new HttpError(500, error));
+ if (!user) return next(new HttpError(401, 'Unauthorized'));
+
+ // TODO we may have to check what else the Account class provides, in which case we have to map those things
 const result = {
 login: {
- accountId: account.accountId,
+ accountId: user.id,
 },
 };
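Review bot: The new `debug(..., req.body)` line writes the whole request body — which now carries `password` and, when present, `totpToken` — into the debug log, so credentials end up wherever that log goes; log only the non-secret field, e.g. `debug(`route interaction login post uid:${uid} prompt.name:${name} username:${req.body.username}`);`. The two 401 branches also answer differently (`error.message` for INVALID_CREDENTIALS, the literal 'Unauthorized' for NOT_FOUND), which lets a caller tell an unknown username from a wrong password; collapse them to a single `if (error && (error.reason === BoxError.INVALID_CREDENTIALS || error.reason === BoxError.NOT_FOUND)) return next(new HttpError(401, 'Unauthorized'));`. `new HttpError(500, error)` forwards the raw error object rather than a message, so whatever connect-lastmile renders from it may reach the client — presumably a generic message plus a server-side log of `error` is intended; confirm how HttpError treats a non-string second argument. Minor: `let [error, user]` is never reassigned and should be `const`, and `username.indexOf('@') === -1` reads better as `!username.includes('@')`. Both the route handler and attachInteractionRoutes start before and end after this hunk.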