Allow login via TLS with externally hosted WebIDs

lib/models/account-manager.js

@@ -345,18 +345,19 @@ class AccountManager {
       username: userData.username,
       email: userData.email,
       name: userData.name,
+      externalWebId: userData.externalWebId,
       webId: userData.webid || userData.webId ||
         this.accountWebIdFor(userData.username)
     }
 
-    if (userConfig.webId && !userConfig.username) {
-      userConfig.username = this.usernameFromWebId(userConfig.webId)
-    }
-
     if (!userConfig.webId && !userConfig.username) {
       throw new Error('Username or web id is required')
     }
 
+    if (userConfig.webId && !userConfig.username) {
+      userConfig.username = this.usernameFromWebId(userConfig.webId)
+    }
+
     return UserAccount.from(userConfig)
   }
 

lib/models/authenticator.js

@@ -3,6 +3,8 @@
 const debug = require('./../debug').authentication
 const validUrl = require('valid-url')
 const webid = require('webid/tls')
+const provider = require('oidc-auth-manager/src/preferred-provider')
+const { domainMatches } = require('oidc-auth-manager/src/oidc-manager')
 
 /**
  * Abstract Authenticator class, representing a local login strategy.
@@ -293,6 +295,10 @@ class TlsAuthenticator extends Authenticator {
     webid.verify(certificate, callback)
   }
 
+  discoverProviderFor (webId) {
+    return provider.discoverProviderFor(webId)
+  }
+
   /**
    * Ensures that the extracted WebID URI is hosted on this server. If it is,
    * returns a UserAccount instance for that WebID, throws an error otherwise.
@@ -304,13 +310,27 @@ class TlsAuthenticator extends Authenticator {
    * @return {UserAccount}
    */
   ensureLocalUser (webId) {
-    if (this.accountManager.externalAccount(webId)) {
-      debug(`WebID URI ${JSON.stringify(webId)} is not a local account`)
+    const serverUri = this.accountManager.host.serverUri
 
-      throw new Error('Cannot login: Selected Web ID is not hosted on this server')
+    // if (this.accountManager.externalAccount(webId)) {
+    if (domainMatches(serverUri, webId)) {
+      // This is a locally hosted Web ID
+      return Promise.resolve(this.accountManager.userAccountFrom({ webId }))
     }
 
-    return this.accountManager.userAccountFrom({ webId })
+    debug(`WebID URI ${JSON.stringify(webId)} is not a local account, verifying preferred provider`)
+
+    return this.discoverProviderFor(webId)
+      .then(preferredProvider => {
+        debug(`Preferred provider for ${webId} is ${preferredProvider}`)
+
+        if (preferredProvider === serverUri) {  // everything checks out
+          return this.accountManager.userAccountFrom({ webId, username: webId, externalWebId: true })
+        }
+
+        throw new Error(`This server is not the preferred provider for Web ID ${webId}`)
+      })
+    // return Promise.reject(new Error('Cannot login: Selected Web ID is not hosted on this server'))
   }
 }
 

package.json

@@ -59,7 +59,7 @@
     "node-forge": "^0.6.38",
     "nodemailer": "^3.1.4",
     "nomnom": "^1.8.1",
-    "oidc-auth-manager": "^0.10.0",
+    "oidc-auth-manager": "^0.11.1",
     "oidc-op-express": "^0.0.3",
     "rdflib": "^0.15.0",
     "recursive-readdir": "^2.1.0",

test/unit/tls-authenticator-test.js

@@ -134,24 +134,44 @@ describe('TlsAuthenticator', () => {
   })
 
   describe('ensureLocalUser()', () => {
-    it('should throw an error if the user is not local to this server', () => {
+    it('should throw an error if external user and this server not the preferred provider', done => {
       let tlsAuth = new TlsAuthenticator({ accountManager })
 
       let externalWebId = 'https://alice.someothersite.com#me'
 
-      expect(() => tlsAuth.ensureLocalUser(externalWebId))
-        .to.throw(/Cannot login: Selected Web ID is not hosted on this server/)
+      tlsAuth.discoverProviderFor = sinon.stub().resolves('https://another-provider.com')
+
+      tlsAuth.ensureLocalUser(externalWebId)
+        .catch(err => {
+          expect(err.message).to.match(/This server is not the preferred provider for Web ID https:\/\/alice.someothersite.com#me/)
+          done()
+        })
     })
 
     it('should return a user instance if the webid is local', () => {
       let tlsAuth = new TlsAuthenticator({ accountManager })
 
       let webId = 'https://alice.example.com/#me'
 
-      let user = tlsAuth.ensureLocalUser(webId)
+      return tlsAuth.ensureLocalUser(webId)
+        .then(user => {
+          expect(user.username).to.equal('alice')
+          expect(user.webId).to.equal(webId)
+        })
+    })
+
+    it('should return a user instance if external user and this server is preferred provider', () => {
+      let tlsAuth = new TlsAuthenticator({ accountManager })
+
+      let externalWebId = 'https://alice.someothersite.com#me'
+
+      tlsAuth.discoverProviderFor = sinon.stub().resolves('https://example.com')
 
-      expect(user.username).to.equal('alice')
-      expect(user.webId).to.equal(webId)
+      tlsAuth.ensureLocalUser(externalWebId)
+        .then(user => {
+          expect(user.username).to.equal(externalWebId)
+          expect(user.webId).to.equal(externalWebId)
+        })
     })
   })