Merge pull request #1187 from solid/consent-screen

[WIP] Consent screen

Author: kjetilk

common/disclaimer.html

@@ -0,0 +1,44 @@
+<html>
+  <head>
+    <title>Solid Consent Disclaimer</title>
+  </head>
+  <body>
+    <h1 id="grantingaccesstoanapplicationaspartofauthentication">Granting access to an application as part of authentication</h1>
+
+    <p><strong>TL:DR: This is a temporary option that will be removed once we have better ways of granting access to applications. We recommend you grant read and write access by default, but it depends on the application you want to trust.</strong></p>
+
+    <p>Applications provide very useful ways of consuming and producing data. Solid provides functionality that allows you to grant access to applications that you trust. This trust might be misplaced sometimes though, which Solid tries to mitigate to lessen the harm that malicious applications can cause.</p>
+
+    <p>One of the strategies available in Solid is to check the origins of applications, and in solid-server in Node version 5 (NSS5) we set the configuration for this to be true by default. This strengthens the security of instances running on this codebase, but it also makes it more difficult for users to test applications without explicitly granting them access beforehand.</p>
+
+    <p>To facilitate a better user experience, we introduced the option of granting access to applications as part of the authentication process. We believe this is a <a href="https://github.com/solid/node-solid-server/issues/1142">better flow then forcing users to navigate to their profile and use the functionality provided in the trusted applications pane</a>, and offer this as a temporary solution.</p>
+
+    <h2 id="whichmodesshouldigranttheapplication">Which modes should I grant the application?</h2>
+
+    <p>That really depends on what the application needs to do. In general we suggest granting it Read and Write access. </p>
+
+    <p>This is what the various modes allows the application to do:</p>
+
+    <ul>
+      <li><strong>Read:</strong> Allows the application to read resources - this includes navigating through your pod and potentially copy all of your data</li>
+
+      <li><strong>Write:</strong> Allows the application to change and delete resources</li>
+
+      <li><strong>Append:</strong> Allows the application to only append new content to resources, not remove existing content</li>
+
+      <li><strong>Control:</strong> Allows the application to set which access modes agents have (including themself) - by allowing this you essentially allow the application complete control of your pod</li>
+    </ul>
+
+    <p>The last mode is a very powerful mode to grant an application. An application could use this to remove all of your control access, essentially locking you out of your pod. (This would also mean that the application couldn't get access to your pod though, as it is still relying on your authentication.)</p>
+
+    <h2 id="whyisittemporary">Why is it temporary?</h2>
+
+    <p>The way this solutions works "behind the scenes" is that you are granting the application access to all resources that you have access to and that is connected to your profile (in general this would be the pod that was created alongside your WebID). This is probably fine when you want to test an application that you or someone you trust are developing, but it's definitely not the granular access control we want to offer.</p>
+
+    <p>We do not have a solution ready yet, but <a href="https://github.com/solid/webid-oidc-spec">we are working on it</a>. When the solution is specified and implemented in NSS, we will remove the option in the login flow, as you would go through another process of granting applications access that would result in a more granular control.</p>
+
+    <h2 id="learnmore">Learn more</h2>
+
+    <p>The way that we handle access control in Solid is described in <a href="[http://solid.github.io/web-access-control-spec/](http://solid.github.io/web-access-control-spec/)">the Web Access Control specification (WAC)</a>. If you want to understand the reasoning for why we chose to turn origin checking on by default, you can read about it in the <a href="https://www.w3.org/community/solid/wiki/Meetings#20190307_1400CET">Meeting W3 Solid Community Group had March 7th 2019 (last point on the agenda)</a>.</p>
+  </body>
+</html>

default-views/auth/consent.hbs

@@ -10,22 +10,39 @@
 </head>
 <body>
 <div class="container title">
-  <div class="page-title">
-    <h1>Authorize app to use your Web ID?</h1>
-  </div>
+  <h1>Authorize this app to use your data?</h1>
+  <div class="panel panel-default">
+    <div class="panel-body">
+      <div class="page-title">
+        <p>You will be authorizing <strong>{{app_origin}}</strong> to have access to perform the actions indicated below.</p>
+        <p>NOTE: This screen is TEMPORARY. Eventually more fine-tuned controls will be available.</p>
+        <p>For more information see the <a href="/common/disclaimer.html" target="_blank">full explanation</a>.</p>
+      </div>
+      <form method="post" action="/consent">
+
+        <input id="read" type="checkbox" name="access_mode" value="Read" checked>
+        <label for="read">Read your data</label>
+        <br>
+
+        <input id="write" type="checkbox" name="access_mode" value="Write" checked>
+        <label for="write">Write new data</label>
+        <br>
 
-  <form method="post" action="/authorize">
-    <input type="hidden" name="response_type" value="{{response_type}}"/>
-    <input type="hidden" name="display" value="{{display}}"/>
-    <input type="hidden" name="scope" value="{{scope}}"/>
-    <input type="hidden" name="client_id" value="{{client_id}}"/>
-    <input type="hidden" name="redirect_uri" value="{{redirect_uri}}"/>
-    <input type="hidden" name="state" value="{{state}}"/>
-    <input type="hidden" name="nonce" value="{{nonce}}"/>
+        <input id="append" type="checkbox" name="access_mode" value="Append" checked>
+        <label for="append">Add to existing data</label>
+        <br>
 
-    <button type="submit" class="btn btn-primary" name="consent" value="true">Authorize</button>
-    <button type="submit" class="btn btn-default" name="cancel" value="true">Cancel</button>
-  </form>
+        <input id="control" type="checkbox" name="access_mode" value="Control">
+        <label for="control">Control who can access your data</label>
+        <br>
+        <br>
+
+        <button type="submit" class="btn btn-primary" name="consent" value="true">Authorize</button>
+        <button type="submit" class="btn btn-default" name="cancel" value="true">Cancel</button>
+        {{> auth/auth-hidden-fields}}
+      </form>
+    </div>
+  </div>
 </div>
 </body>
 </html>

lib/api/authn/webid-oidc.js

@@ -8,6 +8,7 @@ const { routeResolvedFile } = require('../../utils')
 const bodyParser = require('body-parser').urlencoded({ extended: false })
 const OidcManager = require('../../models/oidc-manager')
 const { LoginRequest } = require('../../requests/login-request')
+const { ConsentRequest } = require('../../requests/consent-request')
 
 const restrictToTopDomain = require('../../handlers/restrict-to-top-domain')
 
@@ -83,6 +84,9 @@ function middleware (oidc) {
 
   router.post('/login/tls', bodyParser, LoginRequest.loginTls)
 
+  router.get('/consent', ConsentRequest.get)
+  router.post('/consent', bodyParser, ConsentRequest.giveConsent)
+
   router.get('/account/password/reset', restrictToTopDomain, PasswordResetEmailRequest.get)
   router.post('/account/password/reset', restrictToTopDomain, bodyParser, PasswordResetEmailRequest.post)
 

lib/requests/auth-request.js

@@ -3,6 +3,8 @@
 const url = require('url')
 const debug = require('./../debug').authentication
 
+const IDToken = require('@solid/oidc-op/src/IDToken')
+
 /**
  * Hidden form fields from the login page that must be passed through to the
  * Authentication request.
@@ -134,6 +136,11 @@ class AuthRequest {
       extracted[p] = value
     }
 
+     // Special case because solid-auth-client does not include redirect in params
+    if (!extracted['redirect_uri'] && params.request) {
+      extracted['redirect_uri'] = IDToken.decode(params.request).payload.redirect_uri
+    }
+
     return extracted
   }
 
@@ -210,6 +217,15 @@ class AuthRequest {
 
     return url.format(signupUrl)
   }
+
+  consentUrl () {
+    let host = this.accountManager.host
+    let consentUrl = url.parse(url.resolve(host.serverUri, '/consent'))
+
+    consentUrl.query = this.authQueryParams
+
+    return url.format(consentUrl)
+  }
 }
 
 AuthRequest.AUTH_QUERY_PARAMS = AUTH_QUERY_PARAMS

lib/requests/consent-request.js

@@ -0,0 +1,233 @@
+'use strict'
+
+const debug = require('./../debug').authentication
+
+const AuthRequest = require('./auth-request')
+
+const url = require('url')
+const intoStream = require('into-stream')
+
+const $rdf = require('rdflib')
+const ACL = $rdf.Namespace('http://www.w3.org/ns/auth/acl#')
+
+/**
+ * Models a local Login request
+ */
+class ConsentRequest extends AuthRequest {
+  /**
+   * @constructor
+   * @param options {Object}
+   *
+   * @param [options.response] {ServerResponse} middleware `res` object
+   * @param [options.session] {Session} req.session
+   * @param [options.userStore] {UserStore}
+   * @param [options.accountManager] {AccountManager}
+   * @param [options.returnToUrl] {string}
+   * @param [options.authQueryParams] {Object} Key/value hashmap of parsed query
+   *   parameters that will be passed through to the /authorize endpoint.
+   * @param [options.authenticator] {Authenticator} Auth strategy by which to
+   *   log in
+   */
+  constructor (options) {
+    super(options)
+
+    this.authenticator = options.authenticator
+    this.authMethod = options.authMethod
+  }
+
+  /**
+   * Factory method, returns an initialized instance of LoginRequest
+   * from an incoming http request.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   * @param authMethod {string}
+   *
+   * @return {LoginRequest}
+   */
+  static fromParams (req, res) {
+    let options = AuthRequest.requestOptions(req, res)
+
+    return new ConsentRequest(options)
+  }
+
+  /**
+   * Handles a Login GET request on behalf of a middleware handler, displays
+   * the Login page.
+   * Usage:
+   *
+   *   ```
+   *   app.get('/login', LoginRequest.get)
+   *   ```
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   */
+  static async get (req, res) {
+    const request = ConsentRequest.fromParams(req, res)
+
+    const appOrigin = request.getAppOrigin()
+    // Check if is already registered or is data browser
+    if (request.isUserLoggedIn()) {
+      if (
+        appOrigin === req.app.locals.ldp.serverUri ||
+        await request.isAppRegistered(req.app.locals.ldp, appOrigin, request.session.subject._id)
+      ) {
+        request.setUserConsent(appOrigin)
+        request.redirectPostConsent()
+      } else {
+        request.renderForm(null, req)
+      }
+    }
+  }
+
+  /**
+   * Performs the login operation -- loads and validates the
+   * appropriate user, inits the session with credentials, and redirects the
+   * user to continue their auth flow.
+   *
+   * @param request {LoginRequest}
+   *
+   * @return {Promise}
+   */
+  static async giveConsent (req, res) {
+    let accessModes = []
+    let consented = false
+    if (req.body) {
+      accessModes = req.body.access_mode
+      consented = req.body.consent
+    }
+
+    let request = ConsentRequest.fromParams(req, res)
+
+    if (request.isUserLoggedIn()) {
+      const appOrigin = request.getAppOrigin()
+      debug('Providing consent for app sharing')
+
+      if (consented) {
+        await request.registerApp(req.app.locals.ldp, appOrigin, accessModes, request.session.subject._id)
+        request.setUserConsent(appOrigin)
+      }
+
+      // Redirect once that's all done
+      request.redirectPostConsent()
+    }
+  }
+
+  setUserConsent (appOrigin) {
+    if (!this.session.consentedOrigins) {
+      this.session.consentedOrigins = []
+    }
+    if (!this.session.consentedOrigins.includes(appOrigin)) {
+      this.session.consentedOrigins.push(appOrigin)
+    }
+  }
+
+  isUserLoggedIn () {
+    // Ensure the user arrived here by logging in
+    if (!this.session.subject || !this.session.subject._id) {
+      this.response.status(401)
+      this.response.send('User not logged in 2')
+      return false
+    }
+    return true
+  }
+
+  getAppOrigin () {
+    const parsed = url.parse(this.authQueryParams.redirect_uri)
+    return `${parsed.protocol}//${parsed.host}`
+  }
+
+  async getProfileGraph (ldp, webId) {
+    return await new Promise(async (resolve, reject) => {
+      const store = $rdf.graph()
+      const profileText = await ldp.readResource(webId)
+      $rdf.parse(profileText.toString(), store, 'https://localhost:8443/profile/card', 'text/turtle', (error, kb) => {
+        if (error) {
+          reject(error)
+        } else {
+          resolve(kb)
+        }
+      })
+    })
+  }
+
+  async saveProfileGraph (ldp, store, webId) {
+    const text = $rdf.serialize(undefined, store, webId, 'text/turtle')
+    await ldp.put(webId, intoStream(text), 'text/turtle')
+  }
+
+  async isAppRegistered (ldp, appOrigin, webId) {
+    const store = await this.getProfileGraph(ldp, webId)
+    return store.each($rdf.sym(webId), ACL('trustedApp')).find((app) => {
+      return store.each(app, ACL('origin')).find(rdfAppOrigin => rdfAppOrigin.value === appOrigin)
+    })
+  }
+
+  async registerApp (ldp, appOrigin, accessModes, webId) {
+    const store = await this.getProfileGraph(ldp, webId)
+    const origin = $rdf.sym(appOrigin)
+    // remove existing statements on same origin - if it exists
+    store.statementsMatching(null, ACL('origin'), origin).forEach(st => {
+      store.removeStatements([...store.statementsMatching(null, ACL('trustedApp'), st.subject)])
+      store.removeStatements([...store.statementsMatching(st.subject)])
+    })
+
+    // add new triples
+    const application = new $rdf.BlankNode()
+    store.add($rdf.sym(webId), ACL('trustedApp'), application, webId)
+    store.add(application, ACL('origin'), origin, webId)
+    accessModes.forEach(mode => {
+      store.add(application, ACL('mode'), ACL(mode))
+    })
+    await this.saveProfileGraph(ldp, store, webId)
+  }
+
+  /**
+   * Returns a URL to redirect the user to after login.
+   * Either uses the provided `redirect_uri` auth query param, or simply
+   * returns the user profile URI if none was provided.
+   *
+   * @param validUser {UserAccount}
+   *
+   * @return {string}
+   */
+  postConsentUrl () {
+    return this.authorizeUrl()
+  }
+
+  /**
+   * Redirects the Login request to continue on the OIDC auth workflow.
+   */
+  redirectPostConsent () {
+    let uri = this.postConsentUrl()
+    debug('Login successful, redirecting to ', uri)
+    this.response.redirect(uri)
+  }
+
+  /**
+   * Renders the login form
+   */
+  renderForm (error, req) {
+    let queryString = req && req.url && req.url.replace(/[^?]+\?/, '') || ''
+    let params = Object.assign({}, this.authQueryParams,
+      {
+        registerUrl: this.registerUrl(),
+        returnToUrl: this.returnToUrl,
+        enablePassword: this.localAuth.password,
+        enableTls: this.localAuth.tls,
+        tlsUrl: `/login/tls?${encodeURIComponent(queryString)}`
+      })
+
+    if (error) {
+      params.error = error.message
+      this.response.status(error.statusCode)
+    }
+
+    this.response.render('auth/consent', params)
+  }
+}
+
+module.exports = {
+  ConsentRequest
+}